On Oct 10 2012, Evan Hunt wrote:
BIND 9.7.7, 9.8.4 and 9.9.2 have "improved" OpenSSL error logging.
Unfortunately, our logs are now filling up with "RSA_verify failed"
messages.
Yeah, oops, we made that one too noisy. You're not the first one
who's noticed. :/
Also, without any indication of what was trying to be verified, rather
useless.
With 9.8.4 we also see lots of "RSA_public_decrypt failed" as well, e.g.
Oct 10 20:15:24 general: warning: RSA_verify failed
Oct 10 20:15:27 last message repeated 6 times
Oct 10 20:16:57 general: warning: RSA_verify failed
Oct 10 20:17:50 last message repeated 13 times
Oct 10 20:18:04 general: warning: RSA_public_decrypt failed
Oct 10 20:18:05 last message repeated 17 times
Oct 10 20:18:09 general: warning: RSA_verify failed
Oct 10 20:23:16 last message repeated 39 times
Oct 10 20:23:38 general: warning: RSA_verify failed
Oct 10 20:25:57 last message repeated 13 times
Oct 10 20:26:12 general: warning: RSA_public_decrypt failed
Oct 10 20:26:12 last message repeated 1 time
etc.
How does one go about tracking down the source of these failures and
correcting them? (We are running OpenSSL 1.0.1c.)
In BIND9, in lib/dns/opensslrsa_link.c, change this:

    return (dst__openssl_toresult2("RSA_verify",
                                   DST_R_VERIFYFAILURE));

to this:

    return (dst__openssl_toresult(DST_R_VERIFYFAILURE));

Presumably we need to change this code

    return (dst__openssl_toresult2(
                    "RSA_public_decrypt",
                    DST_R_VERIFYFAILURE));

similarly?
--
Chris Thompson
Email: c...@cam.ac.uk
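
Added example, not part of the original thread and not BIND code: a small Python tally of the log excerpt quoted above, expanding syslog's "last message repeated N times" lines so the real number of failures per OpenSSL call is visible. It assumes the line layout shown in the excerpt; the names `tally_failures` and `SAMPLE_LOG` are made up for this example.

```python
import re
from collections import Counter

# Log excerpt copied from the message above (syslog has collapsed repeats).
SAMPLE_LOG = """\
Oct 10 20:15:24 general: warning: RSA_verify failed
Oct 10 20:15:27 last message repeated 6 times
Oct 10 20:16:57 general: warning: RSA_verify failed
Oct 10 20:17:50 last message repeated 13 times
Oct 10 20:18:04 general: warning: RSA_public_decrypt failed
Oct 10 20:18:05 last message repeated 17 times
Oct 10 20:18:09 general: warning: RSA_verify failed
Oct 10 20:23:16 last message repeated 39 times
Oct 10 20:23:38 general: warning: RSA_verify failed
Oct 10 20:25:57 last message repeated 13 times
Oct 10 20:26:12 general: warning: RSA_public_decrypt failed
Oct 10 20:26:12 last message repeated 1 time
"""

# Assumed layout: "<Mon> <day> <time> <category>: <severity>: <function> failed"
FAILURE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (\w+): (\w+): (\w+) failed$")
REPEAT = re.compile(r"^\w{3}\s+\d+ [\d:]+ last message repeated (\d+) times?$")

def tally_failures(text):
    """Return a Counter of failures per OpenSSL function, repeats included."""
    counts = Counter()
    previous = None  # function named by the most recent failure line
    for line in text.splitlines():
        line = line.strip()
        m = FAILURE.match(line)
        if m:
            previous = m.group(3)
            counts[previous] += 1
            continue
        m = REPEAT.match(line)
        if m and previous is not None:
            counts[previous] += int(m.group(1))  # repeats belong to the prior line
        elif not m:
            previous = None  # unrelated line: a later repeat is not a failure
    return counts

if __name__ == "__main__":
    for name, n in tally_failures(SAMPLE_LOG).most_common():
        print(f"{name} failed: {n}")
```
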