error: implicit declaration of function 'SSL_get1_peer_certificate'

[wlipa]

Describe the bug

When trying to bundle install in a clean .gem directory and fresh ruby 3.1 install:

Gem::Ext::BuildError: ERROR: Failed to build gem native extension.

    current directory: /Users/wlipa/.gem/ruby/3.1/gems/puma-5.6.2/ext/puma_http11
/opt/local/bin/ruby3.1 -I /opt/local/lib/ruby3.1/3.1.0 -r ./siteconf20220303-44365-8je480.rb extconf.rb
using OpenSSL pkgconfig (openssl.pc)
checking for openssl/bio.h... yes
checking for DTLS_method() in openssl/ssl.h... yes
checking for TLS_server_method() in openssl/ssl.h... yes
checking for SSL_CTX_set_min_proto_version(NULL, 0) in openssl/ssl.h... yes
checking for X509_STORE_up_ref()... yes
checking for SSL_CTX_set_ecdh_auto(NULL, 0) in openssl/ssl.h... yes
checking for SSL_get1_peer_certificate() in openssl/ssl.h... yes
checking for Random.bytes... yes
creating Makefile

current directory: /Users/wlipa/.gem/ruby/3.1/gems/puma-5.6.2/ext/puma_http11
make DESTDIR\= clean

current directory: /Users/wlipa/.gem/ruby/3.1/gems/puma-5.6.2/ext/puma_http11
make DESTDIR\=
compiling http11_parser.c
compiling mini_ssl.c
mini_ssl.c:565:10: error: implicit declaration of function 'SSL_get1_peer_certificate' is invalid in C99
[-Werror,-Wimplicit-function-declaration]
  cert = SSL_get1_peer_certificate(conn->ssl);
         ^
mini_ssl.c:565:10: note: did you mean 'SSL_get_peer_certificate'?
/opt/local/libexec/openssl11/include/openssl/ssl.h:1678:14: note: 'SSL_get_peer_certificate' declared here
__owur X509 *SSL_get_peer_certificate(const SSL *s);
             ^
mini_ssl.c:565:8: warning: incompatible integer to pointer conversion assigning to 'X509 *' (aka 'struct x509_st *') from 'int'
[-Wint-conversion]
  cert = SSL_get1_peer_certificate(conn->ssl);
       ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning and 1 error generated.
make: *** [mini_ssl.o] Error 1

make failed, exit code 2

Gem files will remain installed in /Users/wlipa/.gem/ruby/3.1/gems/puma-5.6.2 for inspection.
Results logged to /Users/wlipa/.gem/ruby/3.1/extensions/arm64-darwin-21/3.1.0/puma-5.6.2/gem_make.out

  /opt/local/lib/ruby3.1/3.1.0/rubygems/ext/builder.rb:95:in `run'
  /opt/local/lib/ruby3.1/3.1.0/rubygems/ext/builder.rb:44:in `block in make'
  /opt/local/lib/ruby3.1/3.1.0/rubygems/ext/builder.rb:36:in `each'
  /opt/local/lib/ruby3.1/3.1.0/rubygems/ext/builder.rb:36:in `make'
  /opt/local/lib/ruby3.1/3.1.0/rubygems/ext/ext_conf_builder.rb:63:in `block in build'
  /opt/local/lib/ruby3.1/3.1.0/tempfile.rb:317:in `open'
  /opt/local/lib/ruby3.1/3.1.0/rubygems/ext/ext_conf_builder.rb:26:in `build'
  /opt/local/lib/ruby3.1/3.1.0/rubygems/ext/builder.rb:161:in `build_extension'
  /opt/local/lib/ruby3.1/3.1.0/rubygems/ext/builder.rb:195:in `block in build_extensions'
  /opt/local/lib/ruby3.1/3.1.0/rubygems/ext/builder.rb:192:in `each'
  /opt/local/lib/ruby3.1/3.1.0/rubygems/ext/builder.rb:192:in `build_extensions'
  /opt/local/lib/ruby3.1/3.1.0/rubygems/installer.rb:853:in `build_extensions'
  /Users/wlipa/.gem/ruby/3.1/gems/bundler-2.3.6/lib/bundler/rubygems_gem_installer.rb:71:in `build_extensions'
  /Users/wlipa/.gem/ruby/3.1/gems/bundler-2.3.6/lib/bundler/rubygems_gem_installer.rb:28:in `install'
  /Users/wlipa/.gem/ruby/3.1/gems/bundler-2.3.6/lib/bundler/source/rubygems.rb:204:in `install'
  /Users/wlipa/.gem/ruby/3.1/gems/bundler-2.3.6/lib/bundler/installer/gem_installer.rb:54:in `install'
  /Users/wlipa/.gem/ruby/3.1/gems/bundler-2.3.6/lib/bundler/installer/gem_installer.rb:16:in `install_from_spec'
  /Users/wlipa/.gem/ruby/3.1/gems/bundler-2.3.6/lib/bundler/installer/parallel_installer.rb:186:in `do_install'
  /Users/wlipa/.gem/ruby/3.1/gems/bundler-2.3.6/lib/bundler/installer/parallel_installer.rb:177:in `block in worker_pool'
  /Users/wlipa/.gem/ruby/3.1/gems/bundler-2.3.6/lib/bundler/worker.rb:62:in `apply_func'
  /Users/wlipa/.gem/ruby/3.1/gems/bundler-2.3.6/lib/bundler/worker.rb:57:in `block in process_queue'
  /Users/wlipa/.gem/ruby/3.1/gems/bundler-2.3.6/lib/bundler/worker.rb:54:in `loop'
  /Users/wlipa/.gem/ruby/3.1/gems/bundler-2.3.6/lib/bundler/worker.rb:54:in `process_queue'
  /Users/wlipa/.gem/ruby/3.1/gems/bundler-2.3.6/lib/bundler/worker.rb:91:in `block (2 levels) in create_threads'

An error occurred while installing puma (5.6.2), and Bundler cannot continue.

In Gemfile:
  puma

Desktop (please complete the following information):

• OS: macOS 12.2.1, M1 chip, macports 2.7.1
• Puma Version 5.6.2

[wlipa]

Workaround: downgrade to puma 5.5.2.

[MSP-Greg]

@wlipa See #2790. You may have an issue with multiple OpenSSL installs.

[wlipa]

Certainly possible, but I did nothing to install multiple ones intentionally - they are just indirect dependencies.

[wlipa]

More output:

$ ruby -ropenssl -e "puts %Q[\ \ \ Build: #{OpenSSL::OPENSSL_VERSION}\n Runtime: #{OpenSSL::OPENSSL_LIBRARY_VERSION}]"

   Build: OpenSSL 1.1.1m  14 Dec 2021
 Runtime: OpenSSL 1.1.1m  14 Dec 2021

$ ruby --version
ruby 3.1.1p18 (2022-02-18 revision 53f5fc4236) [arm64-darwin21]

[MSP-Greg]

@wlipa

Sorry, I should have probably mentioned this in the other issue. What does openssl version output?

[wlipa]

$ openssl version
OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)

[MSP-Greg]

Thanks. Notice that Ruby is using OpenSSL 1.1.1 and the system OpenSSL is 3.0.1. I'm rather macOS challenged. With Ubuntu, I switched my system OpenSSL to 3.0.1, and also build Ruby and Puma with it. Re the compile error:

SSL_get1_peer_certificate    exists in 3.0.1, but not 1.1.1
SSL_get_peer_certificate     exists in 1.1.1, but not 3.0.1

[wlipa]

I've also got openssl11 @1.1.1m_0 installed, alongside openssl3 @3.0.1_0+legacy. (Those are the MacPorts versions.) Maybe there's some magic incantation that can point it to the right version when it builds the extension.

[MSP-Greg]

there's some magic incantation

With gem install, yes. I can't recall how to setup Bundler to do so. Probably something like:

bundle config build.puma --with-openssl-dir=/opt/local/libexec/openssl11

[wlipa]

I tried that, but it did not seem to make a difference. Also, in the previous output, there is already a reference to openssl11:

mini_ssl.c:565:10: note: did you mean 'SSL_get_peer_certificate'?
/opt/local/libexec/openssl11/include/openssl/ssl.h:1678:14: note: 'SSL_get_peer_certificate' declared here
__owur X509 *SSL_get_peer_certificate(const SSL *s);

[wlipa]

If I edit ext/puma_http11/Makefile to take out -DHAVE_SSL_GET1_PEER_CERTIFICATE from the CPP_FLAGS, it builds.

[wlipa]

It seems like the extconf step is picking up OpenSSL 3 but the C compiler is using OpenSSL 1.1. Is there a way to control what directories the extconf chooses?

current directory: /Users/wlipa/.gem/ruby/3.1.0/gems/puma-5.6.2/ext/puma_http11
/opt/local/bin/ruby3.1 -I /opt/local/lib/ruby3.1/3.1.0 -r ./siteconf20220304-57306-tcbt1b.rb extconf.rb
using OpenSSL pkgconfig (openssl.pc)
checking for openssl/bio.h... yes
checking for DTLS_method() in openssl/ssl.h... yes
checking for TLS_server_method() in openssl/ssl.h... yes
checking for SSL_CTX_set_min_proto_version(NULL, 0) in openssl/ssl.h... yes
checking for X509_STORE_up_ref()... yes
checking for SSL_CTX_set_ecdh_auto(NULL, 0) in openssl/ssl.h... yes
checking for SSL_get1_peer_certificate() in openssl/ssl.h... yes
checking for Random.bytes... yes
creating Makefile

[MSP-Greg]

Sorry for the delay. I've been trying to see if I can repo locally.

Is there a way to control what directories the extconf chooses?

That should be set via bundle config build.puma --with-openssl-dir=/opt/local/libexec/openssl11. Hence, not quite sure what's going on. We need to see:

checking for SSL_get1_peer_certificate() in openssl/ssl.h... no

Do you know if gem install puma -- --with-openssl-dir=/opt/local/libexec/openssl11 works?

[wlipa]

I deleted the gem directory and rebuilt with that bundle config. I can see the option on the line to extconf but no change.

Installing puma 5.6.2 (was 5.5.2) with native extensions
Gem::Ext::BuildError: ERROR: Failed to build gem native extension.

    current directory: /Users/wlipa/.gem/ruby/3.1.0/gems/puma-5.6.2/ext/puma_http11
/opt/local/bin/ruby3.1 -I /opt/local/lib/ruby3.1/3.1.0 -r ./siteconf20220304-58039-sv2v5e.rb extconf.rb --with-openssl-dir\=/opt/local/libexec/openssl11
using OpenSSL pkgconfig (openssl.pc)
checking for openssl/bio.h... yes
checking for DTLS_method() in openssl/ssl.h... yes
checking for TLS_server_method() in openssl/ssl.h... yes
checking for SSL_CTX_set_min_proto_version(NULL, 0) in openssl/ssl.h... yes
checking for X509_STORE_up_ref()... yes
checking for SSL_CTX_set_ecdh_auto(NULL, 0) in openssl/ssl.h... yes
checking for SSL_get1_peer_certificate() in openssl/ssl.h... yes
checking for Random.bytes... yes
creating Makefile

I tried gem install puma -- --with-openssl-dir=/opt/local/libexec/openssl11 but same results.

[wlipa]

Digging though some mind boggling internals of mkmf.rb, I was able to narrow things down a little to this series of checked programs. The first one fails, as expected, but the second one succeeds somehow. Since the second one works, the check is regarded as passed.

fails, conftest.c:16:57: error: use of undeclared identifier 'SSL_get1_peer_certificate':
this is the part at the end of the conftest:

int t(void) { void ((*volatile p)()); p = (void ((*)()))SSL_get1_peer_certificate; return !p; }

Next try mkmf.rb does, with a different snippet at the end, works:

extern void SSL_get1_peer_certificate();
int t(void) { SSL_get1_peer_certificate(); return 0; }

Maybe the first one is checking for the header declaration and the second is checking if it can be linked against? There aren't any comments in here so it's a head-scratcher.

Log attached.
SSL_get1.txt

[MSP-Greg]

@wlipa

Did some more work with this. Try either:

gem install puma -- --with-openssl-dir=/opt/local/libexec/openssl11 --without-openssl-dir=/opt/local/libexec/<wherever OpenSSL 3 is>

or

bundle config build.puma --with-openssl-dir=/opt/local/libexec/openssl11 --without-openssl-dir=/opt/local/libexec/<wherever OpenSSL 3 is>

Not sure if the above needs quotes...

I've got Ruby master using OpenSSL 3.0.1, and that is the system default. Without the above, it works. I've got Ruby 3.1.1 built with OpenSSL 1.1.1, and with the above, it also works...

[wlipa]

Unfortunately, no change from adding that --without option. It doesn't seem to change any options on the low level compile command that's undesirably picking up openssl3.

[MSP-Greg]

Interesting. So, my system is not finding OpenSSL 3, but your system is.

I've got Ruby master and OpenSSL 3 in the same folder (/usr/local), and Ruby 3.1 and OpenSSL are in different folders. That may be the distinction?

Sorry for all the back and forth, but I suspect many people may want to work with both OpenSSL 1.1 and 3.0 for quite a while. Hence, it would helpful if we could get most configurations working...

[wlipa]

Thanks for the help! I will dig into it again tomorrow.

[wlipa]

Continuing to chip away at this, the mkmf config test executes this command to see if the following program can build:

#include "ruby.h"

#include <openssl/ssl.h>

/*top*/
extern int t(void);
int main(int argc, char **argv)
{
  if (argc > 1000000) {
    int (* volatile tp)(void)=(int (*)(void))&t;
    printf("%d", (*tp)());
  }

  return !!argv[argc];
}
extern void SSL_get1_peer_certificate();
int t(void) { SSL_get1_peer_certificate(); return 0; }

command:

DYLD_FALLBACK_LIBRARY_PATH=.:/opt/local/lib "/usr/bin/clang -o conftest -I/opt/local/include/ruby-3.1.1/arm64-darwin21 -I/opt/local/include/ruby-3.1.1/ruby/backward -I/opt/local/include/ruby-3.1.1 -I. -I/opt/local/libexec/openssl11/include -I/opt/local/libexec/openssl11/include -isystem/opt/local/include -isysroot/Library/Developer/CommandLineTools/SDKs/MacOSX12.sdk -I/opt/local/include -D_XOPEN_SOURCE -D_DARWIN_C_SOURCE -D_DARWIN_UNLIMITED_SELECT -D_REENTRANT   -pipe -I/opt/local/libexec/openssl11/include -Os -isysroot/Library/Developer/CommandLineTools/SDKs/MacOSX12.sdk -fdeclspec -O3 -fno-fast-math -ggdb3 -Wall -Wextra -Wdeprecated-declarations -Wdivision-by-zero -Wimplicit-function-declaration -Wimplicit-int -Wmisleading-indentation -Wpointer-arith -Wshorten-64-to-32 -Wwrite-strings -Wold-style-definition -Wmissing-noreturn -Wno-constant-logical-operand -Wno-long-long -Wno-missing-field-initializers -Wno-overlength-strings -Wno-parentheses-equality -Wno-self-assign -Wno-tautological-compare -Wno-unused-parameter -Wno-unused-value -Wunused-variable -Wextra-tokens -Wundef -fno-common  conftest.c  -L. -L/opt/local/lib -L/opt/local/libexec/openssl11/lib -L/opt/local/lib -L. -L/opt/local/libexec/openssl11/lib -L/opt/local/lib -Wl,-headerpad_max_install_names -Wl,-syslibroot,/Library/Developer/CommandLineTools/SDKs/MacOSX12.sdk -fstack-protector-strong -L/opt/local/lib -L/opt/local/libexec/openssl11/lib   -arch arm64   -lssl -lcrypto -lruby.3.1  -lssl -lcrypto  "

This command erroneously builds and links because of this section:

... conftest.c  -L. -L/opt/local/lib -L/opt/local/libexec/openssl11/lib -L/opt/local/lib ...

The first -L/opt/local/lib is picking up openssl3, I believe. Changing the command to this fails the link, as is desired:

... conftest.c  -L. -L/opt/local/libexec/openssl11/lib -L/opt/local/lib ...

[nate-at-gusto]

@wlipa Are you using Homebrew?

[wlipa]

No, I use MacPorts.

[dentarg]

@wlipa Does gem install puma -v '5.6.2' -- --with-cppflags=-I/opt/local/libexec/openssl11/include work? Can you share the the generated Makefile (in a gist)?

[dentarg]

Do we need to do something like this? Setting OPENSSL_PREFIX and PKG_CONFIG_PATH

https://github.com/oracle/truffleruby/blob/9a7fda9de5f96e343fe8d1e81ec0931614f8da97/lib/truffle/truffle/openssl-prefix.rb

[MSP-Greg]

@wlipa Thanks.

I wasn't sure what was where on your system. If you use
--without-openssl-dir=/opt/local
or maybe
--without-openssl-lib=/opt/local/lib
what happens?

[dentarg]

@wlipa Does this work? OPENSSL_PREFIX=/opt/local/libexec/openssl11 PKG_CONFIG_PATH=/opt/local/libexec/openssl11/lib/pkgconfig:$PKG_CONFIG_PATH gem install puma -v '5.6.2'

[wlipa]

@wlipa Does gem install puma -v '5.6.2' -- --with-cppflags=-I/opt/local/libexec/openssl11/include work? Can you share the the generated Makefile (in a gist)?

No, it does not work. Makefile: https://gist.github.com/wlipa/4b65aeefaba494cad992bac66e8ddcda

[wlipa]

@wlipa Thanks.

I wasn't sure what was where on your system. If you use --without-openssl-dir=/opt/local

No change with this.

or maybe --without-openssl-lib=/opt/local/lib what happens?

But here, it works!

[wlipa]

This looks like what I need for my setup:

bundle config build.puma --with-openssl-dir=/opt/local/libexec/openssl11 --without-openssl-lib=/opt/local/lib

[wlipa]

@wlipa Does this work? OPENSSL_PREFIX=/opt/local/libexec/openssl11 PKG_CONFIG_PATH=/opt/local/libexec/openssl11/lib/pkgconfig:$PKG_CONFIG_PATH gem install puma -v '5.6.2'

No luck with that one.

[nateberkopec]

I wonder if we could add a section to the README about pointing to the correct ssl location for various setups, especially since we're going to be getting more issues for quite some time re: openSSLv3 I think...

[MSP-Greg]

Maybe an Installation Wiki or Discussion? Agree about OpenSSL version issues...

[wlipa]

A “Troubleshooting” section in the Readme would be nice.

[wlipa]

Unfortunately, this one's back when trying to install puma 5.6.4, even with the bundler config that worked with 5.6.2.

$ cat ~/.bundle/config 
---
BUNDLE_BUILD__PUMA: "--with-openssl-dir=/opt/local/libexec/openssl11 --without-openssl-lib=/opt/local/lib"


Installing puma 5.6.4 (was 5.6.2) with native extensions
Gem::Ext::BuildError: ERROR: Failed to build gem native extension.

    current directory: /Users/wlipa/.gem/ruby/3.1.0/gems/puma-5.6.4/ext/puma_http11
/opt/local/bin/ruby3.1 -I /opt/local/lib/ruby3.1/3.1.0 -r ./siteconf20220331-26270-uyegqb.rb extconf.rb
--with-openssl-dir\=/opt/local/libexec/openssl11 --without-openssl-lib\=/opt/local/lib
checking for BIO_read() in -lcrypto... yes
checking for SSL_CTX_new() in -lssl... yes
checking for openssl/bio.h... yes
checking for DTLS_method() in openssl/ssl.h... yes
checking for TLS_server_method() in openssl/ssl.h... yes
checking for SSL_CTX_set_min_proto_version(NULL, 0) in openssl/ssl.h... yes
checking for X509_STORE_up_ref()... yes
checking for SSL_CTX_set_ecdh_auto(NULL, 0) in openssl/ssl.h... yes
checking for SSL_get1_peer_certificate() in openssl/ssl.h... yes
checking for Random.bytes... yes
creating Makefile

current directory: /Users/wlipa/.gem/ruby/3.1.0/gems/puma-5.6.4/ext/puma_http11
make DESTDIR\= clean

current directory: /Users/wlipa/.gem/ruby/3.1.0/gems/puma-5.6.4/ext/puma_http11
make DESTDIR\=
compiling http11_parser.c
compiling mini_ssl.c
mini_ssl.c:565:10: error: implicit declaration of function 'SSL_get1_peer_certificate' is invalid in C99
[-Werror,-Wimplicit-function-declaration]
  cert = SSL_get1_peer_certificate(conn->ssl);
         ^
mini_ssl.c:565:10: note: did you mean 'SSL_get_peer_certificate'?
/opt/local/libexec/openssl11/include/openssl/ssl.h:1678:14: note: 'SSL_get_peer_certificate' declared here
__owur X509 *SSL_get_peer_certificate(const SSL *s);
             ^
mini_ssl.c:565:8: warning: incompatible integer to pointer conversion assigning to 'X509 *' (aka 'struct x509_st *') from
'int' [-Wint-conversion]
  cert = SSL_get1_peer_certificate(conn->ssl);
       ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning and 1 error generated.
make: *** [mini_ssl.o] Error 1

[dentarg]

Can't see that anything changed in Puma that would make 5.6.4 find OpenSSL 3.0 over 1.1. Did anything else change in your environment?

[wlipa]

I cannot think of anything other than the usual OS upgrades.

[dentarg]

@wlipa can you still install (build) 5.6.2?

[wlipa]

No, I get the same there, so this is not a 5.6.4 thing, but something with my env. What that might be is as mysterious as before...

[wlipa]

I do not need the SSL functionality of puma. Is there, or could there be, a flag to force puma to compile without SSL support?

[MSP-Greg]

@wlipa

I normally use and compile Ruby master with OpenSSL 3. I have OpenSSL 1.1 installed, along with Ruby 3.1. Can't get it to build Puma correctly, and it seems to use the OpenSSL 3 openssl.pc (pkgconfig) file no matter what I do. I'll work more on it this weekend.

I do not need the SSL functionality of puma. Is there, or could there be, a flag to force puma to compile without SSL support?

Yes. Set ENV['DISABLE_SSL'] to anything...

[wlipa]

Ah, that is great! Looks like this solves the problem (if you don't need SSL):

DISABLE_SSL=1 bundle install

[dentarg]

Oh we should probably prefix that ENV with PUMA_? Something for 6.0 perhaps

[dentarg]

@MSP-Greg did you see #2839 (comment)? TruffleRuby does some special things re: OpenSSL

[otavioschwanck]

https://gist.github.com/otavioschwanck/b16f7753d5e075eff94300cf37e85292

How i installed

[macarie]

I had this problem and couldn't find much information about it, even fewer possible fixes, and none of them worked. So I hope this helps someone.

I have Ruby v2.7.5 installed and it's using these OpenSSL versions:

$ ruby -ropenssl -e "puts %Q[\ \ \ Build: #{OpenSSL::OPENSSL_VERSION}\n Runtime: #{OpenSSL::OPENSSL_LIBRARY_VERSION}]"
   Build: OpenSSL 1.1.1n  15 Mar 2022
 Runtime: OpenSSL 1.1.1n  15 Mar 2022

I was getting the same error as the others; what fixed it for me was installing openssl@1.1:

brew install openssl@1.1

Running

PKG_CONFIG_PATH=`brew --prefix openssl@1.1`/lib/pkgconfig/ pkg-config openssl --cflags

Should return something like -I/opt/homebrew/Cellar/openssl@1.1/1.1.1o/include. If it does, install puma like this:

PKG_CONFIG_PATH=`brew --prefix openssl@1.1`/lib/pkgconfig/ gem install puma

Doing this solved the issue, and everything seems to be working fine so far.