From: "Howard Leadmon"
Date: Wed, 23 Nov 2011 07:53:36 -0500
Message-ID: <014201cca9de$ec1429c0$c43c7d40$@leadmon.net>
Subject: BIND 9.8.1-P1 with OpenSSL 1.0.0 issues..

I just ran through on one of my older FreeBSD servers, and updated from BIND 9.8.1 to 9.8.1-P1 to get the security patches for BIND online, and after doing this bind crashes. I am seeing:

Nov 23 06:35:19 named[24537]: starting BIND 9.8.1-P1 -u bind -t /var/named -u bind
Nov 23 06:35:19 named[24537]: built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-openssl=/usr/local' '--with-libxml2=/usr/local' '--with-idn=/usr/local' '--with-libiconv=/usr/local' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-ipv6' '--enable-threads' '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info/' '--build=i386-portbld-freebsd6.4' 'build_alias=i386-portbld-freebsd6.4' 'CC=cc' 'CFLAGS=-O2 -fno-strict-aliasing -pipe' 'LDFLAGS= -rpath=/usr/local/lib' 'CPPFLAGS=' 'CPP=cpp' 'CXX=c++' 'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'
Nov 23 06:35:19 named[24537]: found 4 CPUs, using 4 worker threads
Nov 23 06:35:19 named[24537]: using up to 4096 sockets
Nov 23 06:35:19 named[24537]: initializing DST: openssl failure
Nov 23 06:35:19 named[24537]: exiting (due to fatal error)

Now as I knew this older machine (on my hitlist to be upgraded) and the supplied OpenSSL had issues of its own, I also installed the current OpenSSL from the ports to use, which BIND is built against. After doing the update to the -P1 version, I now find that when trying to start it dies with the above error.

So I fired up my google-fu and found references stating I needed to get the shared libs from the OpenSSL engines directory over into the chrooted /var/named directory, so this I did:

/var/named/usr:
local

/var/named/usr/local:
lib

/var/named/usr/local/lib:
engines

/var/named/usr/local/lib/engines:
lib4758cca.so   libcapi.so      libgmp.so       libpadlock.so
libaep.so       libchil.so      libgost.so      libsureware.so
libatalla.so    libcswift.so    libnuron.so     libubsec.so

Again I tried to start named, but no love. So I tried starting it without the chroot environment, and sure enough it worked fine! As another test, I backed out the OpenSSL 1.0.0 port, and recompiled bind98 and tried starting in a chroot under the OS supplied OpenSSL 0.9.7, and that also started up just fine!

So at this point, I had to run without chroot, and have a current OpenSSL which I think I may need as I am doing DNSSEC, or I can back off to the OS supplied ancient version of SSL and then have a working chroot.

Not sure what is up with this, but if anyone has any hints or tips on how to resolve this issue, I would sure be thankful for the pointers. Not sure why this all of a sudden decided to break, but it was sure driving me up a wall for a bit today..

---
Howard Leadmon
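
Added example, not part of the original message: a POSIX shell check that the engine libraries mirrored into a chroot are present and byte-identical to the host's copies, which is the copy step the message describes. The function name `check_chroot_engines` and its output keywords are hypothetical; the paths in the usage comment are the ones from the message, and the check does not diagnose the "openssl failure" itself.

```shell
#!/bin/sh
# Added example (not from the original message).
# Usage: check_chroot_engines /usr/local/lib/engines /var/named
# Compares HOST_ENGINES_DIR with the same path under CHROOT_ROOT.
# Prints one line per finding. Returns 0 when every host engine library
# exists in the chroot with identical content, 1 when any is missing or
# differs, 2 when the host directory itself does not exist.
check_chroot_engines() {
    host_dir=$1
    chroot_root=$2
    jail_dir="${chroot_root}${host_dir}"   # same absolute path, seen from inside the chroot
    status=0

    if [ ! -d "$host_dir" ]; then
        echo "NOHOSTDIR $host_dir"
        return 2
    fi
    if [ ! -d "$jail_dir" ]; then
        echo "NOJAILDIR $jail_dir"
        return 1
    fi

    for lib in "$host_dir"/*.so; do
        [ -e "$lib" ] || continue          # glob matched nothing
        name=${lib##*/}
        if [ ! -f "$jail_dir/$name" ]; then
            echo "MISSING $name"
            status=1
        elif ! cmp -s "$lib" "$jail_dir/$name"; then
            echo "DIFFERS $name"           # e.g. a copy made before the library was rebuilt
            status=1
        fi
    done

    # Informational only: files in the chroot with no host counterpart.
    for lib in "$jail_dir"/*.so; do
        [ -e "$lib" ] || continue
        name=${lib##*/}
        [ -f "$host_dir/$name" ] || echo "EXTRA $name"
    done
    return $status
}

# Run directly when called with two arguments.
if [ "$#" -eq 2 ]; then check_chroot_engines "$1" "$2"; fi
```
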