Debian's reproducible-builds machinery has discovered a problem in the SSL tests: When building with SSL support, but /usr/bin/openssl missing (i.e "libssl-dev" installed, but "openssl" missing), the tests fail in subtle ways:
checking for openssl... no configure: using openssl: openssl not found checking for openssl/ssl.h... yes checking for openssl/err.h... yes build/src/test/ssl/tmp_check/log/regress_log_001_ssltests: Can't exec "x509": No such file or directory at t/001_ssltests.pl line 751. couldn't run " x509" to get client cert serialno at t/001_ssltests.pl line 775. build/src/test/ssl/tmp_check/log/regress_log_003_sslinfo: [08:42:02.209](0.029s) ok 11 - ssl_client_serial() compared with pg_stat_ssl psql:<stdin>:1: ERROR: invalid X.509 field name: "invalid" [08:42:02.238](0.029s) ok 12 - ssl_client_dn_field() for an invalid field Full build log: https://reproduce.debian.net/amd64-pull184/api/v1/builds/66623/log The problem does not show up on the normal Debian build daemons. While the build environment there is fairly minimal, it does have "openssl" preinstalled. So I cannot yet say if this problem is new in PG18, or just never got detected in older branches. While it is probably possible to skip the tests when the configure probe did not find the openssl binary, IMHO the configure check should already fail. That's more robust and easier. Attached is a WIP patch that implements that for autoconf. Christoph
>From c6146aba7f09df30f4effe304f45f27bcb9975ac Mon Sep 17 00:00:00 2001 From: Christoph Berg <[email protected]> Date: Wed, 24 Sep 2025 11:11:35 +0000 Subject: [PATCH v1] "openssl" should not be optional --- configure.ac | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index e44943aa6fe..ac0dccdeab5 100644 --- a/configure.ac +++ b/configure.ac @@ -1576,10 +1576,13 @@ if test "$with_gssapi" = yes ; then [AC_CHECK_HEADERS(gssapi_ext.h, [], [AC_MSG_ERROR([gssapi_ext.h header file is required for GSSAPI])])]) fi -PGAC_PATH_PROGS(OPENSSL, openssl) -pgac_openssl_version="$($OPENSSL version 2> /dev/null || echo openssl not found)" -AC_MSG_NOTICE([using openssl: $pgac_openssl_version]) if test "$with_ssl" = openssl ; then + PGAC_PATH_PROGS(OPENSSL, openssl) + if test -z "$OPENSSL"; then + AC_MSG_ERROR([openssl not found]) + fi + pgac_openssl_version="$($OPENSSL version 2> /dev/null || echo openssl not found)" + AC_MSG_NOTICE([using openssl: $pgac_openssl_version]) AC_CHECK_HEADER(openssl/ssl.h, [], [AC_MSG_ERROR([header file <openssl/ssl.h> is required for OpenSSL])]) AC_CHECK_HEADER(openssl/err.h, [], [AC_MSG_ERROR([header file <openssl/err.h> is required for OpenSSL])]) fi -- 2.51.0
