Date: Wed, 23 Nov 2011 13:18:45 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: BIND 9.8.1-P1 with OpenSSL 1.0.0 issues..
Message-ID: <4ECCF2B5.3050704@infracaninophile.co.uk>
In-Reply-To: <014201cca9de$ec1429c0$c43c7d40$@leadmon.net>
References: <014201cca9de$ec1429c0$c43c7d40$@leadmon.net>

On 23/11/2011 12:53, Howard Leadmon wrote:
> I just ran through on one of my older FreeBSD servers, and updated from
> BIND 9.8.1 to 9.8.1-P1 to get the security patches for BIND online, and
> after doing this bind crashes.
>
> I am seeing:
>
>
> Nov 23 06:35:19 named[24537]: starting BIND 9.8.1-P1 -u bind -t /var/named
> -u bind
> Nov 23 06:35:19 named[24537]: built with '--localstatedir=/var'
> '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random'
> '--with-openssl=/usr/local' '--with-libxml2=/usr/local'
> '--with-idn=/usr/local' '--with-libiconv=/usr/local'
> 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-ipv6' '--enable-threads'
> '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info/' '--build=i386-portbld-freebsd6.4'
> 'build_alias=i386-portbld-freebsd6.4' 'CC=cc' 'CFLAGS=-O2
> -fno-strict-aliasing -pipe' 'LDFLAGS= -rpath=/usr/local/lib' 'CPPFLAGS='
> 'CPP=cpp' 'CXX=c++' 'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'
> Nov 23 06:35:19 named[24537]: found 4 CPUs, using 4 worker threads
> Nov 23 06:35:19 named[24537]: using up to 4096 sockets
> Nov 23 06:35:19 named[24537]: initializing DST: openssl failure
> Nov 23 06:35:19 named[24537]: exiting (due to fatal error)
>
>
> Now as I knew this older machine (on my hitlist to be upgraded) and the
> supplied OpenSSL had issues of its own, I also installed the current
> OpenSSL from the ports to use, which BIND is built against. After doing
> the update to the -P1 version, I now find that when trying to start it dies
> with the above error.

I've been using the attached patch with the dns/bind98 port and
openssl-1.0.x from ports for months. This disables using the GOST
cipher plugins -- which is no big deal as far as I'm concerned. GOST
ciphers are only supplied as plugin modules unlike all other ciphers in
openssl, which is a new thing with version 1.0.0 in ports. It's that
libgost.so plugin shlib not playing well with chroot that apparently
causes named to crash.
Cheers,
Matthew
-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
--- Makefile.orig 2011-05-05 22:40:37.198878075 +0100
+++ Makefile 2011-05-05 22:46:57.116962017 +0100
@@ -209,6 +209,11 @@
${WRKSRC}/bin/named/Makefile.in.Dist > \
${WRKSRC}/bin/named/Makefile.in
=20
+.if defined(WITH_OPENSSL_PORT)
+post-configure:
+ ${SED} -i~ -e 's:^#define HAVE_OPENSSL_GOST.*:/* #undef HAVE_OPENSSL_GO=
ST */:' ${WRKSRC}/config.h
+.endif
+
PKGMESSAGE=3D ${.CURDIR}/../bind97/pkg-message
PKGINSTALL=3D ${.CURDIR}/../bind97/pkg-install
post-install:
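Review bot: The added post-configure block under `.if defined(WITH_OPENSSL_PORT)` has no comment saying why HAVE_OPENSSL_GOST is being undefined, and it turns GOST off for every build against the ports OpenSSL, whether or not named is run chrooted. A one-line comment naming the libgost.so/chroot failure described in the message, and preferably a dedicated knob instead of reusing WITH_OPENSSL_PORT, would let the workaround be found and dropped later. The sed pattern `^#define HAVE_OPENSSL_GOST.*` is also unchecked: if config.h ever spells that line differently, the substitution matches nothing and the build carries on with GOST still enabled, so a check after the sed that fails when the define is still present would make the step self-verifying. Note too that `-i~` leaves a config.h~ backup behind in ${WRKSRC}.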
