diff --git a/.github/workflows/build_test.sh b/.github/workflows/build_test.sh
index 0f5d7a2635..d070410f80 100755
--- a/.github/workflows/build_test.sh
+++ b/.github/workflows/build_test.sh
@@ -11,7 +11,7 @@ success() { echo >&2 -e "\033[32;1m$1\033[0m"; }
 ARGS=(
 "--optimization=0 -Dopenssl=disabled -Dtpm=true -Dtpm2=enabled"
- "--optimization=s -Dutmp=false"
+ "--optimization=s -Dutmp=false -Dc_args='-DOPENSSL_NO_UI_CONSOLE=1'"
 "--optimization=2 -Dc_args=-Wmaybe-uninitialized -Ddns-over-tls=openssl"
 "--optimization=3 -Db_lto=true -Ddns-over-tls=false"
 "--optimization=3 -Db_lto=false -Dtpm2=disabled -Dlibfido2=disabled -Dp11kit=disabled -Defi=false -Dbootloader=disabled"
diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c
index 57b638596a..4b5c495df6 100644
--- a/src/shared/openssl-util.c
+++ b/src/shared/openssl-util.c
@@ -24,7 +24,9 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ENGINE*, ENGINE_free, NULL);
 REENABLE_WARNING;
 # endif
+#ifndef OPENSSL_NO_UI_CONSOLE
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(UI_METHOD*, UI_destroy_method, NULL);
+#endif
 /* For each error in the OpenSSL thread error queue, log the provided message and the OpenSSL error
 * string. If there are no errors in the OpenSSL thread queue, this logs the message with "No OpenSSL
@@ -1467,6 +1469,7 @@ static int load_key_from_engine(const char *engine, const char *private_key_uri,
 #endif
 }
+#ifndef OPENSSL_NO_UI_CONSOLE
 static int openssl_ask_password_ui_read(UI *ui, UI_STRING *uis) {
 int r;
@@ -1502,6 +1505,7 @@ static int openssl_ask_password_ui_read(UI *ui, UI_STRING *uis) {
 return (UI_method_get_reader(UI_OpenSSL()))(ui, uis);
 }
 }
+#endif
 static int openssl_load_private_key_from_file(const char *path, EVP_PKEY **ret) {
 _cleanup_(erase_and_freep) char *rawkey = NULL;
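Review bot: The new `-Dc_args='-DOPENSSL_NO_UI_CONSOLE=1'` entry puts single quotes inside a double-quoted array element, so the shell keeps them as literal characters. Whether the compiler ends up seeing a clean `-DOPENSSL_NO_UI_CONSOLE=1` depends on how `ARGS` is expanded and on meson's own argument splitting, both outside this hunk. The neighbouring entry writes `-Dc_args=-Wmaybe-uninitialized` without inner quotes, and the new value contains no whitespace, so `-Dc_args=-DOPENSSL_NO_UI_CONSOLE=1` would be consistent with it and remove the doubt.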
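Review bot: The `#ifndef OPENSSL_NO_UI_CONSOLE` / `#endif` pair added in this hunk and the next one compiles out all of openssl_ask_password_ui_read(), yet the only console-dependent call visible in these hunks is the `UI_OpenSSL()` fallback on the function's last line. The middle of the function is outside both hunks. If the rest of the reader only uses the generic UI API, guarding just that fallback would keep password prompting for encrypted keys available on builds without the console UI; otherwise a short comment above the guard should say why the whole feature is disabled. The closing directive sits more than 30 lines below the opening one and would read better as `#endif /* !OPENSSL_NO_UI_CONSOLE */`.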
@@ -1539,6 +1543,7 @@ static int openssl_load_private_key_from_file(const char *path, EVP_PKEY **ret)
 static int openssl_ask_password_ui_new(const AskPasswordRequest *request, OpenSSLAskPasswordUI **ret) {
 assert(ret);
+#ifndef OPENSSL_NO_UI_CONSOLE
 _cleanup_(UI_destroy_methodp) UI_METHOD *method = UI_create_method("systemd-ask-password");
 if (!method)
 return log_openssl_errors("Failed to initialize openssl user interface");
@@ -1562,6 +1567,9 @@ static int openssl_ask_password_ui_new(const AskPasswordRequest *request, OpenSS
 *ret = TAKE_PTR(ui);
 return 0;
+#else
+ return -EOPNOTSUPP;
+#endif
 }
 static int load_x509_certificate_from_file(const char *path, X509 **ret) {
@@ -1640,7 +1648,7 @@ static int load_x509_certificate_from_provider(const char *provider, const char
 #endif
 OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui) {
-#if HAVE_OPENSSL
+#if HAVE_OPENSSL && !defined(OPENSSL_NO_UI_CONSOLE)
 if (!ui)
 return NULL;
diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h
index 6bcb16af31..f6c697672b 100644
--- a/src/shared/openssl-util.h
+++ b/src/shared/openssl-util.h
@@ -38,7 +38,9 @@ int parse_openssl_key_source_argument(const char *argument, char **private_key_s
 # include /* IWYU pragma: export */
 # include /* IWYU pragma: export */
 # include /* IWYU pragma: export */
-# include /* IWYU pragma: export */
+# ifndef OPENSSL_NO_UI_CONSOLE
+# include /* IWYU pragma: export */
+# endif
 # include /* IWYU pragma: export */
 # ifndef OPENSSL_VERSION_MAJOR
 /* OPENSSL_VERSION_MAJOR macro was added in OpenSSL 3. Thus, if it doesn't exist, we must be before OpenSSL 3. */
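Review bot: The new `#else` branch of openssl_ask_password_ui_new() returns `-EOPNOTSUPP` without logging, while the failure path visible in the previous hunk of the same function reports through log_openssl_errors(). A caller that only propagates the code leaves the user with no hint that this build lacks the OpenSSL console UI. Consider `return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL was built without console UI support, cannot ask for a password.");` in that branch. How callers treat the error is outside the hunk, so it is worth confirming that none of them carries on as if no password were required.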
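Review bot: With the condition changed to `#if HAVE_OPENSSL && !defined(OPENSSL_NO_UI_CONSOLE)`, builds that have OpenSSL but no console UI now take the other preprocessor branch of openssl_ask_password_ui_free(), which lies outside this hunk and was presumably written for builds without OpenSSL at all. That appears safe only because openssl_ask_password_ui_new() cannot hand out an object in this configuration. A comment next to the condition, for example `/* Without the console UI no OpenSSLAskPasswordUI can be created, so there is nothing to free. */`, would record that invariant for the next change to either function.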
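Review bot: The `# ifndef OPENSSL_NO_UI_CONSOLE` test in openssl-util.h only works if the macro is already defined when the preprocessor reaches it, either from the command line as in the CI row or from an OpenSSL header included earlier. The names of the preceding includes are not shown on this page, so this cannot be checked here; please confirm one of them pulls in OpenSSL's configuration macros. A one-line comment above the check, such as `/* OPENSSL_NO_UI_CONSOLE is set by OpenSSL itself when built with no-ui-console */`, would tell readers where the macro comes from.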