Date: Wed, 23 Nov 2011 07:53:36 -0500
From: "Howard Leadmon" <howard@leadmon.net>
To: <freebsd-questions@freebsd.org>
Subject: BIND 9.8.1-P1 with OpenSSL 1.0.0 issues..
Message-ID: <014201cca9de$ec1429c0$c43c7d40$@leadmon.net>
I just ran through on one of my older FreeBSD servers, and updated from BIND 9.8.1 to 9.8.1-P1 to get the security patches for BIND online, and after doing this bind crashes. I am seeing:

Nov 23 06:35:19 named[24537]: starting BIND 9.8.1-P1 -u bind -t /var/named -u bind
Nov 23 06:35:19 named[24537]: built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-openssl=/usr/local' '--with-libxml2=/usr/local' '--with-idn=/usr/local' '--with-libiconv=/usr/local' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-ipv6' '--enable-threads' '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info/' '--build=i386-portbld-freebsd6.4' 'build_alias=i386-portbld-freebsd6.4' 'CC=cc' 'CFLAGS=-O2 -fno-strict-aliasing -pipe' 'LDFLAGS= -rpath=/usr/local/lib' 'CPPFLAGS=' 'CPP=cpp' 'CXX=c++' 'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'
Nov 23 06:35:19 named[24537]: found 4 CPUs, using 4 worker threads
Nov 23 06:35:19 named[24537]: using up to 4096 sockets
Nov 23 06:35:19 named[24537]: initializing DST: openssl failure
Nov 23 06:35:19 named[24537]: exiting (due to fatal error)

Now as I knew this older machine (on my hitlist to be upgraded) and the supplied OpenSSL had issues of its own, I also installed the current OpenSSL from the ports to use, which BIND is built against. After doing the update to the -P1 version, I now find that when trying to start it dies with the above error.

So I fired up my google-fu and found references stating I needed to get the shared libs from the OpenSSL engines directory over into the chrooted /var/named directory, so this I did:

/var/named/usr:
local

/var/named/usr/local:
lib

/var/named/usr/local/lib:
engines

/var/named/usr/local/lib/engines:
lib4758cca.so   libcapi.so      libgmp.so       libpadlock.so
libaep.so       libchil.so      libgost.so      libsureware.so
libatalla.so    libcswift.so    libnuron.so     libubsec.so

Again I tried to start named, but no love.

So I tried starting it without the chroot environment, and sure enough it worked fine! As another test, I backed out the OpenSSL 1.0.0 port, and recompiled bind98 and tried starting in a chroot under the OS supplied OpenSSL 0.9.7, and that also started up just fine!

So at this point, I had to run without chroot, and have a current OpenSSL which I think I may need as I am doing DNSSEC, or I can back off to the OS supplied ancient version of SSL and then have a working chroot.

Not sure what is up with this, but if anyone has any hints or tips on how to resolve this issue, I would sure be thankful for the pointers. Not sure why this all of a sudden decided to break, but it was sure driving me up a wall for a bit today..

---
Howard Leadmon