Bug Overview
I have been compiling nginx --with-openssl and removed 'no-ml-kmem' from the openssl configure options.
cc -Iproviders/common/include/prov -I. -Icrypto -Iinclude -Iproviders/implementations/include -Iproviders/common/include -Iproviders/fips/include -DAES_ASM -DBSAES_ASM -DECP_NISTZ256_ASM -DKECCAK1600_ASM -DOPENSSL_CPUID_OBJ -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DX25519_ASM -fPIC -Wa,--noexecstack -Qunused-arguments -Wall -O3 -march=native -flto=thin -Werror=odr -Werror=strict-aliasing -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR=""/etc/ssl"" -DMODULESDIR=""/lib/ossl-modules"" -DNDEBUG -MMD -MF providers/implementations/keymgmt/libdefault-lib-ml_kem_kmgmt.d.tmp -c -o providers/implementations/keymgmt/libdefault-lib-ml_kem_kmgmt.o providers/implementations/keymgmt/ml_kem_kmgmt.c
providers/implementations/keymgmt/ml_kem_kmgmt.c:25:10: fatal error: 'prov/der_wrap.h' file not found
Expected Behavior
My work around is to edit, providers/implementations/keymgmt/build.info
adding der_wrap.h to,
DEPEND[ml_kem_kmgmt.o]=../../common/include/prov/der_hkdf.h ../../common/include/prov/der_wrap.h
Steps to Reproduce the Bug
--with-openssl-opt='--openssldir=/etc/ssl --libdir=/lib enable-ec_nistp_64_gcc_128 enable-tfo -march=native -flto=thin -Werror=odr -Werror=strict-aliasing no-pinshared no-sse2 no-module no-deprecated no-legacy no-integrity-only-ciphers no-nextprotoneg no-ssl-trace no-srtp no-gost no-aria no-bf no-blake2 no-camellia no-cast no-cmac no-des no-dh no-dsa no-idea no-md4 no-mdc2 no-ocb no-rc2 no-rc4 no-rmd160 no-seed no-sm2 no-sm3 no-sm4 no-whirlpool no-psk no-rfc3779 no-ec2m no-cms no-ts no-comp no-http no-docs no-ui-console no-dgram no-dso no-ml-dsa no-slh-dsa no-cmp no-ct no-tests no-hmac-drbg-kdf no-kbkdf no-krb5kdf no-pvkkdf no-snmpkdf no-sshkdf no-sskdf no-x942kdf no-x963kdf'
NGINX Configuration
# Your NGINX configuration
NGINX version and build configuration options
nginx version: nginx/1.30.2 (openssl-4.0.0)
built by clang 19.1.7 (https://github.com/llvm/llvm-project.git llvmorg-19.1.7-0-gcd708029e0b2)
built with OpenSSL 4.0.0 14 Apr 2026
TLS SNI support enabled
configure arguments: --with-cc-opt='-I/usr/local/include -march=native -flto=thin -Werror=odr -Werror=strict-aliasing' --with-ld-opt=-L/usr/local/lib --prefix=/var --sbin-path=/sbin/nginx --modules-path=/libexec --conf-path=/etc/nginx/nginx.conf --error-log-path=stderr --pid-path=/var/run/nginx.pid --lock-path=log/nginx.lock --http-log-path=log/access.log --user=www --group=www --without-http_limit_conn_module --without-http_limit_req_module --without-http_ssi_module --without-http_mirror_module --without-http_autoindex_module --without-http_split_clients_module --without-http_referer_module --without-http_proxy_module --without-http_uwsgi_module --without-http_scgi_module --without-http_grpc_module --without-http_empty_gif_module --without-http_memcached_module --without-http_browser_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_least_conn_module --without-http_upstream_random_module --without-http_upstream_keepalive_module --without-http_upstream_zone_module --with-pcre=../pcre2-10.47 --with-pcre-opt='-Wall -O3 -march=native -flto=thin -Werror=odr -Werror=strict-aliasing' --with-pcre-jit --with-file-aio --with-http_ssl_module --with-http_v2_module --build=openssl-4.0.0 --with-openssl=../openssl-4.0.0 --with-openssl-opt='--openssldir=/etc/ssl --libdir=/lib enable-ec_nistp_64_gcc_128 enable-tfo -march=native -flto=thin -Werror=odr -Werror=strict-aliasing no-pinshared no-sse2 no-module no-deprecated no-legacy no-integrity-only-ciphers no-nextprotoneg no-ssl-trace no-srtp no-gost no-aria no-bf no-blake2 no-camellia no-cast no-cmac no-des no-dh no-dsa no-idea no-md4 no-mdc2 no-ocb no-rc2 no-rc4 no-rmd160 no-seed no-sm2 no-sm3 no-sm4 no-whirlpool no-psk no-rfc3779 no-ec2m no-cms no-ts no-comp no-http no-docs no-ui-console no-dgram no-dso no-ml-dsa no-slh-dsa no-cmp no-ct no-tests no-hmac-drbg-kdf no-kbkdf no-krb5kdf no-pvkkdf no-snmpkdf no-sshkdf no-sskdf no-x942kdf no-x963kdf' --add-module=../addon/ngx_http_geoip2_module-3.4
Environment where NGINX is being built and/or deployed
- Target deployment platform: FreeBSD jail
- Target OS: FreeBSD 13.5
Architecture where NGINX is being built and/or deployed
FreeBSD core-0-ccsa 13.5-RELEASE FreeBSD 13.5-RELEASE CORE amd64
NGINX Debug Log
No response
Additional Context
No response
Bug Overview
I have been compiling nginx --with-openssl and removed 'no-ml-kmem' from the openssl configure options.
cc -Iproviders/common/include/prov -I. -Icrypto -Iinclude -Iproviders/implementations/include -Iproviders/common/include -Iproviders/fips/include -DAES_ASM -DBSAES_ASM -DECP_NISTZ256_ASM -DKECCAK1600_ASM -DOPENSSL_CPUID_OBJ -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DX25519_ASM -fPIC -Wa,--noexecstack -Qunused-arguments -Wall -O3 -march=native -flto=thin -Werror=odr -Werror=strict-aliasing -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR=""/etc/ssl"" -DMODULESDIR=""/lib/ossl-modules"" -DNDEBUG -MMD -MF providers/implementations/keymgmt/libdefault-lib-ml_kem_kmgmt.d.tmp -c -o providers/implementations/keymgmt/libdefault-lib-ml_kem_kmgmt.o providers/implementations/keymgmt/ml_kem_kmgmt.c
providers/implementations/keymgmt/ml_kem_kmgmt.c:25:10: fatal error: 'prov/der_wrap.h' file not found
Expected Behavior
My work around is to edit, providers/implementations/keymgmt/build.info
adding der_wrap.h to,
DEPEND[ml_kem_kmgmt.o]=../../common/include/prov/der_hkdf.h ../../common/include/prov/der_wrap.h
Steps to Reproduce the Bug
--with-openssl-opt='--openssldir=/etc/ssl --libdir=/lib enable-ec_nistp_64_gcc_128 enable-tfo -march=native -flto=thin -Werror=odr -Werror=strict-aliasing no-pinshared no-sse2 no-module no-deprecated no-legacy no-integrity-only-ciphers no-nextprotoneg no-ssl-trace no-srtp no-gost no-aria no-bf no-blake2 no-camellia no-cast no-cmac no-des no-dh no-dsa no-idea no-md4 no-mdc2 no-ocb no-rc2 no-rc4 no-rmd160 no-seed no-sm2 no-sm3 no-sm4 no-whirlpool no-psk no-rfc3779 no-ec2m no-cms no-ts no-comp no-http no-docs no-ui-console no-dgram no-dso no-ml-dsa no-slh-dsa no-cmp no-ct no-tests no-hmac-drbg-kdf no-kbkdf no-krb5kdf no-pvkkdf no-snmpkdf no-sshkdf no-sskdf no-x942kdf no-x963kdf'NGINX Configuration
NGINX version and build configuration options
nginx version: nginx/1.30.2 (openssl-4.0.0)
built by clang 19.1.7 (https://github.com/llvm/llvm-project.git llvmorg-19.1.7-0-gcd708029e0b2)
built with OpenSSL 4.0.0 14 Apr 2026
TLS SNI support enabled
configure arguments: --with-cc-opt='-I/usr/local/include -march=native -flto=thin -Werror=odr -Werror=strict-aliasing' --with-ld-opt=-L/usr/local/lib --prefix=/var --sbin-path=/sbin/nginx --modules-path=/libexec --conf-path=/etc/nginx/nginx.conf --error-log-path=stderr --pid-path=/var/run/nginx.pid --lock-path=log/nginx.lock --http-log-path=log/access.log --user=www --group=www --without-http_limit_conn_module --without-http_limit_req_module --without-http_ssi_module --without-http_mirror_module --without-http_autoindex_module --without-http_split_clients_module --without-http_referer_module --without-http_proxy_module --without-http_uwsgi_module --without-http_scgi_module --without-http_grpc_module --without-http_empty_gif_module --without-http_memcached_module --without-http_browser_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_least_conn_module --without-http_upstream_random_module --without-http_upstream_keepalive_module --without-http_upstream_zone_module --with-pcre=../pcre2-10.47 --with-pcre-opt='-Wall -O3 -march=native -flto=thin -Werror=odr -Werror=strict-aliasing' --with-pcre-jit --with-file-aio --with-http_ssl_module --with-http_v2_module --build=openssl-4.0.0 --with-openssl=../openssl-4.0.0 --with-openssl-opt='--openssldir=/etc/ssl --libdir=/lib enable-ec_nistp_64_gcc_128 enable-tfo -march=native -flto=thin -Werror=odr -Werror=strict-aliasing no-pinshared no-sse2 no-module no-deprecated no-legacy no-integrity-only-ciphers no-nextprotoneg no-ssl-trace no-srtp no-gost no-aria no-bf no-blake2 no-camellia no-cast no-cmac no-des no-dh no-dsa no-idea no-md4 no-mdc2 no-ocb no-rc2 no-rc4 no-rmd160 no-seed no-sm2 no-sm3 no-sm4 no-whirlpool no-psk no-rfc3779 no-ec2m no-cms no-ts no-comp no-http no-docs no-ui-console no-dgram no-dso no-ml-dsa no-slh-dsa no-cmp no-ct no-tests no-hmac-drbg-kdf no-kbkdf no-krb5kdf no-pvkkdf no-snmpkdf no-sshkdf no-sskdf no-x942kdf no-x963kdf' --add-module=../addon/ngx_http_geoip2_module-3.4
Environment where NGINX is being built and/or deployed
Architecture where NGINX is being built and/or deployed
FreeBSD core-0-ccsa 13.5-RELEASE FreeBSD 13.5-RELEASE CORE amd64
NGINX Debug Log
No response
Additional Context
No response