[CDRIVER-941] 'openssl/bio.h' not found on OS X 10.11 Created: 18/Oct/15  Updated: 19/Oct/16  Resolved: 30/Oct/15

Status: Closed
Project: C Driver
Component/s: Build, libmongoc, tls
Affects Version/s: 1.2.0
Fix Version/s: 1.2.1

Type: Bug Priority: Major - P3
Reporter: A. Jesse Jiryu Davis Assignee: A. Jesse Jiryu Davis
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to CDRIVER-520 Add support for native TLS on OSX (Se... Closed

 Description   

Reported here:

https://groups.google.com/d/topic/mongodb-user/gQbFAOTLFvo/discussion

On a fresh Mac OS X 10.11 El Capitan, install the XCode command line tools (just type "gcc" and it guides you), install Homebrew and follow our Homebrew instructions:

brew install git automake autoconf libtool pkgconfig

Then ./autoconf.sh:

libmongoc was configured with the following options:
 
Build configuration:
  Enable debugging (slow)                          : no
  Compile with debug symbols (slow)                : no
  Enable GCC build optimization                    : yes
  Enable automatic binary hardening                : yes
  Code coverage support                            : no
  Cross Compiling                                  : no
  Fast counters                                    : no
  Shared memory performance counters               : yes
  SASL                                             : sasl2
  SSL                                              : yes
  Libbson                                          : bundled

But "make":

In file included from src/mongoc/mongoc-client.c:48:
./src/mongoc/mongoc-ssl-private.h:25:10: fatal error: 'openssl/bio.h' file not found
#include <openssl/bio.h>



 Comments   
Comment by Githook User [ 04/Nov/15 ]

Author:

{u'username': u'ajdavis', u'name': u'A. Jesse Jiryu Davis', u'email': u'jesse@mongodb.com'}

Message: CDRIVER-882 rearrange install guide

Remove redundant install instructions from README and combine all instructions
in installing.page. Improve the instructions (CDRIVER-722) especially for Open
SSL on El Capitan (CDRIVER-941).
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/c725c7e44e95c0d3762539caaffd715c66a1d42e

Comment by Githook User [ 30/Oct/15 ]

Author:

{u'username': u'ajdavis', u'name': u'A. Jesse Jiryu Davis', u'email': u'jesse@mongodb.com'}

Message: CDRIVER-882 rearrange install guide

Remove redundant install instructions from README and combine all instructions
in installing.page. Improve the instructions (CDRIVER-722) especially for Open
SSL on El Capitan (CDRIVER-941).
Branch: r1.2
https://github.com/mongodb/mongo-c-driver/commit/c725c7e44e95c0d3762539caaffd715c66a1d42e

Comment by A. Jesse Jiryu Davis [ 22/Oct/15 ]

To resolve this ticket:

  • Add to C Driver's build instructions a note that for Mac OS 10.11 El Capitan and later, must "brew install openssl".
  • Add "/usr/local/opt/openssl/include" to Automake's search itinerary for OpenSSL headers. (First? Last?) Verify that if it finds headers there it definitely links against the OpenSSL libraries in "/usr/local/opt/openssl/lib", not the incompatible system OpenSSL libraries still shipped with El Capitan.
Comment by A. Jesse Jiryu Davis [ 18/Oct/15 ]

I don't know if CMake is involved in the Google Groups complaint or not, I'm just debugging the Autotools build for now.

After long warning us about its deprecation, Apple stopped shipping OpenSSL headers with OS 10.11:

$ ls /usr/include/openssl
ls: /usr/include/openssl: No such file or directory

But homebrew's pkg-config, which we use to set our CFLAGS for OpenSSL, hasn't caught up:

$ pkg-config --variable=includedir openssl
/usr/include

Let's make a fully separate install of OpenSSL:

$ brew install openssl
This formula is keg-only, which means it was not symlinked into /usr/local.
 
Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries
 
Generally there are no consequences of this for you. If you build your
own software and it requires this formula, you'll need to add to your
build variables:
 
    LDFLAGS:  -L/usr/local/opt/openssl/lib
    CPPFLAGS: -I/usr/local/opt/openssl/include

Following its advice, this builds the C Driver:

$ make CPPFLAGS="-I/usr/local/opt/openssl/include" LDFLAGS="-L/usr/local/opt/openssl/lib"

Another approach is, after "brew install openssl", to do "brew link openssl --force", which installs headers to /usr/local/include/openssl.

$ brew install openssl
$ brew link openssl --force

For some reason, Homebrew's own pkg-config knows that OpenSSL is homebrewed only once you run "link openssl --force":

$ pkg-config --variable=includedir openssl
/usr/local/Cellar/openssl/1.0.2d_1/include

I'm suspicious this may have broader consequences than are intended. Since Mac OS 10.11 does still contain the OpenSSL runtime libraries, the Homebrew developers warn that clang may include Homebrew's openssl headers but link to Apple's distribution of the OpenSSL library:

https://github.com/Homebrew/homebrew/issues/41613

I think this isn't a problem for the C Driver specifically because we use pkg-config, if available, to determine the exact location of the headers and runtime libraries.

So, once I've run "link openssl --force" and "./autogen.sh", autoconf writes this to config.status and all is well:

S["SSL_LIBS"]="-L/usr/local/Cellar/openssl/1.0.2d_1/lib -lssl -lcrypto "
S["SSL_CFLAGS"]="-I/usr/local/Cellar/openssl/1.0.2d_1/include"

It uses Homebrew's pkg-config and therefore writes the full include path and library path for the Homebrew OpenSSL:

S["SSL_LIBS"]="-L/usr/local/Cellar/openssl/1.0.2d_1/lib -lssl -lcrypto "
S["SSL_CFLAGS"]="-I/usr/local/Cellar/openssl/1.0.2d_1/include "

So it seems to specifically include the right header and the right library. But to avoid interference with other projects I'd prefer the former approach, specifying CPPFLAGS and LDFLAGS on the "make" line.

I am uncertain whether to consider this a Homebrew bug or a C Driver build bug. Either way it will be resolved with CDRIVER-520 when we stop using OpenSSL by default on OS X. But even then, users who want OpenSSL will need a reasonable way to build against it.

Generated at Wed Feb 07 21:11:04 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.