Re: OpenSSL problem: bind98-base FreeBSD port
On 9 Jul 2012, at 20:05, Matthew Pounsett m...@conundrum.com wrote:
> On 2012/07/08, at 22:25, Barry Margolin wrote:
>> In article <mailman.…>:
>>> So to answer my earlier question, what file were you talking about copying into the chroot environment for BIND?
>> The shared library. When you link dynamically, all the libraries have to be in $chroot/usr/lib.
> No, they don't. Shared libraries are picked up at runtime. Chrooting happens after that, once the libraries have already been read.

Except that GOST is implemented as an engine which is dynamically loaded after startup. Called lib/engines/libgost.so

I seem to remember that early versions of BIND's GOST support could not be disabled by the configure script - my build script hacked BIND's Makefile to disable it rather than put code in the chroot.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
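Tony's point is the whole bug: the runtime linker resolves named's DT_NEEDED libraries before named calls chroot(2), but an OpenSSL engine is dlopen()ed afterwards, from inside the chroot, so the file has to exist under the chroot at the same path OpenSSL uses outside it. The script below is an added example, not code from this thread, from ISC or from the FreeBSD port. It checks whether the engine is where a chrooted named will look, flags a copy that is writable by group or others (a writable dlopen() target inside the chroot is a code-execution path for the user named drops privileges to) or that is stale relative to the copy outside the chroot (a ports upgrade of OpenSSL does not touch the copy in the chroot, which is exactly how the original post's upgrade went wrong), and can install the engine read-only. The engine directory /usr/local/lib/engines and the file name libgost.so are assumptions derived from the --with-openssl=/usr/local prefix in the post and the lib/engines/libgost.so path Tony names; "openssl version -e" is only available from OpenSSL 1.1.0 on, so older installs fall back to that assumed directory.

```sh
#!/bin/sh
# chroot_engine_check.sh - added example; not code from the bind-users thread,
# from ISC or from the FreeBSD port.
#
# The runtime linker resolves named's DT_NEEDED libraries before named calls
# chroot(2), but an OpenSSL engine such as libgost.so is dlopen()ed later,
# from inside the chroot, so it must exist at <chroot><ENGINESDIR>/libgost.so.
#
# Assumptions (not stated in the thread): the ports OpenSSL keeps engines in
# /usr/local/lib/engines (prefix /usr/local + Tony's lib/engines/libgost.so),
# the engine file is named libgost.so, and the chroot is the directory given
# to named -t.

ENGINE_NAME="${ENGINE_NAME:-libgost.so}"

# Engine directory of the OpenSSL on $PATH.  "openssl version -e" prints
# ENGINESDIR on OpenSSL 1.1.0 and later; older releases (1.0.1 in the post)
# do not have it, so fall back to the assumed ports location.
engines_dir() {
    dir=$(openssl version -e 2>/dev/null | sed -n 's/^ENGINESDIR: *"\(.*\)"$/\1/p')
    if [ -n "$dir" ]; then printf '%s\n' "$dir"; else printf '%s\n' /usr/local/lib/engines; fi
}

# check_engine CHROOT ENGINESDIR [SRC_ENGINESDIR]
#   0: engine present, not writable by group/other, identical to the SRC copy
#   1: engine missing from the chroot (named's dlopen() after chroot will fail)
#   2: engine present but writable by group or other: a writable dlopen()
#      target inside the chroot is a code-execution path for the named user
#   3: engine present but differs from the copy outside the chroot: stale
#      after an OpenSSL upgrade, which a ports upgrade does not fix for you
check_engine() {
    chroot_dir=$1; edir=$2; src_dir=${3:-}
    target="$chroot_dir$edir/$ENGINE_NAME"
    if [ ! -f "$target" ]; then
        echo "missing: $target" >&2
        return 1
    fi
    # ls(1) output is portable where stat(1) flags differ between FreeBSD and Linux
    perms=$(ls -ld "$target" | cut -c1-10)
    case "$perms" in
        ?????w????|????????w?)
            echo "writable by group/other ($perms): $target" >&2
            return 2 ;;
    esac
    if [ -n "$src_dir" ] && [ -f "$src_dir/$ENGINE_NAME" ] &&
       ! cmp -s "$src_dir/$ENGINE_NAME" "$target"; then
        echo "stale: $target differs from $src_dir/$ENGINE_NAME" >&2
        return 3
    fi
    echo "ok: $target ($perms)"
    return 0
}

# install_engine SRC_ENGINESDIR CHROOT ENGINESDIR
#   Copies the engine into the chroot with mode 0444.  Run as root so the file
#   is owned by root rather than by the user named drops privileges to.
install_engine() {
    src="$1/$ENGINE_NAME"; chroot_dir=$2; edir=$3
    if [ ! -f "$src" ]; then
        echo "no engine at $src" >&2
        return 1
    fi
    mkdir -p "$chroot_dir$edir" &&
    cp -f "$src" "$chroot_dir$edir/$ENGINE_NAME" &&
    chmod 0444 "$chroot_dir$edir/$ENGINE_NAME"
}

main() {
    cmd=$1; chroot_dir=$2; edir=${3:-$(engines_dir)}
    case "$cmd" in
        check)   check_engine "$chroot_dir" "$edir" "$edir" ;;
        install) install_engine "$edir" "$chroot_dir" "$edir" &&
                 check_engine "$chroot_dir" "$edir" "$edir" ;;
        *) echo "usage: $0 check|install CHROOT [ENGINESDIR]" >&2; return 64 ;;
    esac
}

[ $# -eq 0 ] || main "$@"
```

Usage on the poster's layout would be `sh chroot_engine_check.sh check /var/named/authoritative` after every OpenSSL upgrade, and `sudo sh chroot_engine_check.sh install /var/named/authoritative` to refresh the copy; the exit code distinguishes missing, writable and stale, so it can sit in a post-upgrade hook. Note that this only covers the engine: if named itself is ever exec'd from inside the chroot rather than started outside and chrooting itself, every DT_NEEDED library needs the same treatment, which is the situation Barry was describing.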
Re: OpenSSL problem: bind98-base FreeBSD port
On 09/07/2012 01:40, Doug Barton wrote:
> On 07/08/2012 17:33, Matthew Pounsett wrote:
>> On 2012/07/08, at 20:29, Matthew Pounsett wrote:
>>> On 2012/07/08, at 20:26, Mark Andrews wrote:
>>>> One can also build named w/o GOST support if one wants. We statically link all the engines when building named on Windows.
>>> Unfortunately the port doesn't provide the config hooks to disable GOST support.
>> Actually.. how do you go about doing that anyway? I was just taking a look at writing a patch for the port to allow GOST to be turned off, but BIND's configure script doesn't have any information in it about disabling individual ciphers.
> I wouldn't accept it anyway. For better or worse, GOST is part of the protocol.

GOST is not available in the version of OpenSSL in the FreeBSD base. Here's a patch to turn off GOST from the dns/bind99 port when used with openssl 1.0.x also from ports:

cvs diff: Diffing .
Index: Makefile
===
RCS file: /home/ncvs/ports/dns/bind99/Makefile,v
retrieving revision 1.9
diff -u -u -r1.9 Makefile
--- Makefile	4 Jun 2012 21:51:34 -	1.9
+++ Makefile	9 Jun 2012 08:59:45 -
@@ -209,6 +209,11 @@
 	${WRKSRC}/bin/named/Makefile.in.Dist \
 	${WRKSRC}/bin/named/Makefile.in
 
+.if defined(WITH_OPENSSL_PORT)
+post-configure:
+	${SED} -i~ -e 's:^#define HAVE_OPENSSL_GOST.*:/* #undef HAVE_OPENSSL_GOST */:' ${WRKSRC}/config.h
+.endif
+
 PORTDOCS=	*
 PKGMESSAGE=	${.CURDIR}/../bind97/pkg-message
 PKGINSTALL=	${.CURDIR}/../bind97/pkg-install

The equivalent for dns/bind98 is almost identical.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
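Review bot: the post-configure target rewrites ${WRKSRC}/config.h with sed after configure has already run, and only works while the generated header spells the line exactly as `#define HAVE_OPENSSL_GOST`; since BIND's configure accepts `--with-gost=no` (Mark Andrews gives that switch elsewhere in this thread), appending it to CONFIGURE_ARGS under the same `.if defined(WITH_OPENSSL_PORT)` disables GOST through the supported path, with no dependency on config.h's layout. Two smaller points on the same hunk: `${SED} -i~` leaves a config.h~ backup behind in ${WRKSRC}, and keying on WITH_OPENSSL_PORT alone turns GOST off for every ports-OpenSSL build, including ones where the administrator has copied the engine into the chroot and wants GOST validation; a dedicated knob (say WITHOUT_GOST) would keep the two decisions separate.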
Re: OpenSSL problem: bind98-base FreeBSD port
On 07/09/2012 00:23, Matthew Seaman wrote:
> GOST is not available in the version of OpenSSL in the FreeBSD base.

And soon, neither will BIND at all. :)

I already said that I'm not going to alter the behavior of the port. The problem only comes into play when the user chooses to install OpenSSL from the ports, and there is already a workaround (copying the gost engine into the chroot). There is also another alternative which is to compile OpenSSL static (admittedly, not ideal).

As I've said before, the real solution is to ask the OpenSSL folks to make GOST a library instead of an engine.

Doug

-- 
If you're never wrong, you're not trying hard enough
Re: OpenSSL problem: bind98-base FreeBSD port
On 2012/07/08, at 22:25, Barry Margolin wrote:
> In article <mailman.…>:
>> Okay. So to answer my earlier question, what file were you talking about copying into the chroot environment for BIND?
> The shared library. When you link dynamically, all the libraries have to be in $chroot/usr/lib.

No, they don't. Shared libraries are picked up at runtime. Chrooting happens after that, once the libraries have already been read.
OpenSSL problem: bind98-base FreeBSD port
I upgraded my OpenSSL and BIND ports on one of my machines yesterday afternoon, and ended up with BIND being unable to start due to some problem with OpenSSL. Unfortunately, it's not giving me any real information to go on about what the problem is.

$ openssl version
WARNING: can't open config file: /usr/local/openssl/openssl.cnf
OpenSSL 1.0.1c 10 May 2012

$ sudo named -g -t /var/named/authoritative/ -u bind -d 100
08-Jul-2012 16:45:00.347 starting BIND 9.8.3-P1 -g -t /var/named/authoritative/ -u bind -d 100
08-Jul-2012 16:45:00.347 built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-openssl=/usr/local' '--with-libxml2=/usr/local' '--with-idn=/usr/local' '--with-libiconv=/usr/local' '--enable-largefile' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-ipv6' '--enable-threads' '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info/' '--build=x86_64-portbld-freebsd8.2' 'build_alias=x86_64-portbld-freebsd8.2' 'CC=cc' 'CFLAGS=-O2 -pipe -fno-strict-aliasing' 'LDFLAGS= -rpath=/usr/local/lib' 'CPPFLAGS=' 'CPP=cpp' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fno-strict-aliasing'
08-Jul-2012 16:45:00.347 
08-Jul-2012 16:45:00.347 BIND 9 is maintained by Internet Systems Consortium,
08-Jul-2012 16:45:00.347 Inc. (ISC), a non-profit 501(c)(3) public-benefit
08-Jul-2012 16:45:00.347 corporation. Support and training for BIND 9 are
08-Jul-2012 16:45:00.347 available at https://www.isc.org/support
08-Jul-2012 16:45:00.347 
08-Jul-2012 16:45:00.347 found 4 CPUs, using 4 worker threads
08-Jul-2012 16:45:00.349 using up to 4096 sockets
08-Jul-2012 16:45:00.349 Registering DLZ_dlopen driver
08-Jul-2012 16:45:00.349 Registering SDLZ driver 'dlopen'
08-Jul-2012 16:45:00.349 Registering DLZ driver 'dlopen'
08-Jul-2012 16:45:00.351 decrement_reference: delete from rbt: 0x802467058 .
08-Jul-2012 16:45:00.352 initializing DST: openssl failure
08-Jul-2012 16:45:00.352 exiting (due to fatal error)

I found multiple versions of libgcrypt installed, which was generating some compile warnings, but cleaning that up didn't help. There is only one version of openssl installed, so no conflicts there..

$ ls -d /var/db/pkg/*ssl*
/var/db/pkg/openssl-1.0.1_3

I can recompile without SSL to get my name servers running again, but that's not really sustainable. Does anyone have any suggestions for how to get more information out of BIND about what exactly is failing?
Re: OpenSSL problem: bind98-base FreeBSD port
On 07/08/12 09:54, Matthew Pounsett wrote:
> 08-Jul-2012 16:45:00.352 initializing DST: openssl failure
> 08-Jul-2012 16:45:00.352 exiting (due to fatal error)

In particular the logs above suggest that named is unable to find the necessary openssl libraries. In the case where openssl 1.x.x is compiled with shared libraries enabled, named can't see the openssl engines (necessary for GOST crypto support) in its chrooted environment.

What makes me doubt what I just said is that this has been an issue for more than a year now, so I am not sure why you have escaped it for so long. I assume you had openssl 1.0.x installed before you upgraded it--or was it an earlier version?

At any rate, if you run make config in /usr/ports/security/openssl, it gives you the option of compiling the libraries statically. I have successfully done this in the past and it has worked. However, anything else that is currently depending on the openssl shared library from ports (as opposed to the bundled system) will need to be recompiled before it will work, as will bind 9.8.

Doug Barton may have some better ideas as to how best to make it all work.

michael
Re: OpenSSL problem: bind98-base FreeBSD port
On 2012/07/08, at 15:04, Michael Sinatra wrote:
> What makes me doubt what I just said is that this has been an issue for more than a year now, so I am not sure why you have escaped it for so long. I assume you had openssl 1.0.x installed before you upgraded it--or was it an earlier version?

I keep things pretty up to date, and this machine isn't that old anyway. It's possible that due to order of operations when I was building things that bind was previously linked against the system openssl libraries, rather than the ports version.

> At any rate, if you run make config in /usr/ports/security/openssl, it gives you the option of compiling the libraries statically. I have successfully done this in the past and it has worked. However, anything else that is currently depending on the openssl shared library from ports (as opposed to the bundled system) will need to be recompiled before it will work, as will bind 9.8.

I'll give that a shot.. thanks, it sounds promising.

> Doug Barton may have some better ideas as to how best to make it all work.

Yeah, I have to wonder if there's something that can be done in ports to prevent this from being an issue.
Re: OpenSSL problem: bind98-base FreeBSD port
On 07/08/2012 13:40, Matthew Pounsett wrote:
> Yeah, I have to wonder if there's something that can be done in ports to prevent this from being an issue.

You need to ask the nice openssl people to turn gost into a library instead of an engine. Meanwhile, copying the file into the chroot will patch over the problem.

-- 
If you're never wrong, you're not trying hard enough
Re: OpenSSL problem: bind98-base FreeBSD port
On 2012/07/08, at 17:46, Doug Barton wrote:
> On 07/08/2012 13:40, Matthew Pounsett wrote:
>> Yeah, I have to wonder if there's something that can be done in ports to prevent this from being an issue.
> You need to ask the nice openssl people to turn gost into a library instead of an engine. Meanwhile, copying the file into the chroot will patch over the problem.

Statically linking openssl seems to have fixed it. But, what file are you talking about?
Re: OpenSSL problem: bind98-base FreeBSD port
In message <d70930b5-78d5-4f33-b814-28811b885...@conundrum.com>, Matthew Pounsett writes:
> On 2012/07/08, at 17:46, Doug Barton wrote:
>> On 07/08/2012 13:40, Matthew Pounsett wrote:
>>> Yeah, I have to wonder if there's something that can be done in ports to prevent this from being an issue.
>> You need to ask the nice openssl people to turn gost into a library instead of an engine. Meanwhile, copying the file into the chroot will patch over the problem.
> Statically linking openssl seems to have fixed it. But, what file are you talking about?

One can also build named w/o GOST support if one wants. We statically link all the engines when building named on Windows.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: OpenSSL problem: bind98-base FreeBSD port
On 2012/07/08, at 20:26, Mark Andrews wrote:
> One can also build named w/o GOST support if one wants. We statically link all the engines when building named on Windows.

Unfortunately the port doesn't provide the config hooks to disable GOST support.
Re: OpenSSL problem: bind98-base FreeBSD port
On 2012/07/08, at 20:29, Matthew Pounsett wrote:
> On 2012/07/08, at 20:26, Mark Andrews wrote:
>> One can also build named w/o GOST support if one wants. We statically link all the engines when building named on Windows.
> Unfortunately the port doesn't provide the config hooks to disable GOST support.

Actually.. how do you go about doing that anyway? I was just taking a look at writing a patch for the port to allow GOST to be turned off, but BIND's configure script doesn't have any information in it about disabling individual ciphers.
Re: OpenSSL problem: bind98-base FreeBSD port
On 07/08/2012 17:33, Matthew Pounsett wrote:
> On 2012/07/08, at 20:29, Matthew Pounsett wrote:
>> On 2012/07/08, at 20:26, Mark Andrews wrote:
>>> One can also build named w/o GOST support if one wants. We statically link all the engines when building named on Windows.
>> Unfortunately the port doesn't provide the config hooks to disable GOST support.
> Actually.. how do you go about doing that anyway? I was just taking a look at writing a patch for the port to allow GOST to be turned off, but BIND's configure script doesn't have any information in it about disabling individual ciphers.

I wouldn't accept it anyway. For better or worse, GOST is part of the protocol.

Doug

-- 
If you're never wrong, you're not trying hard enough
Re: OpenSSL problem: bind98-base FreeBSD port
In message <6a477852-8c67-421a-850c-7144a37b8...@conundrum.com>, Matthew Pounsett writes:
> On 2012/07/08, at 20:29, Matthew Pounsett wrote:
>> On 2012/07/08, at 20:26, Mark Andrews wrote:
>>> One can also build named w/o GOST support if one wants. We statically link all the engines when building named on Windows.
>> Unfortunately the port doesn't provide the config hooks to disable GOST support.
> Actually.. how do you go about doing that anyway? I was just taking a look at writing a patch for the port to allow GOST to be turned off, but BIND's configure script doesn't have any information in it about disabling individual ciphers.

All the other ciphers are built into OpenSSL so they don't need configure options.

	./configure --with-gost=no

One can disable individual DNSSEC key algorithms at runtime via named.conf.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: OpenSSL problem: bind98-base FreeBSD port
On 2012/07/08, at 20:40, Doug Barton wrote:
> On 07/08/2012 17:33, Matthew Pounsett wrote:
>> On 2012/07/08, at 20:29, Matthew Pounsett wrote:
>>> On 2012/07/08, at 20:26, Mark Andrews wrote:
>>>> One can also build named w/o GOST support if one wants. We statically link all the engines when building named on Windows.
>>> Unfortunately the port doesn't provide the config hooks to disable GOST support.
>> Actually.. how do you go about doing that anyway? I was just taking a look at writing a patch for the port to allow GOST to be turned off, but BIND's configure script doesn't have any information in it about disabling individual ciphers.
> I wouldn't accept it anyway. For better or worse, GOST is part of the protocol.

Okay. So to answer my earlier question, what file were you talking about copying into the chroot environment for BIND?
Re: OpenSSL problem: bind98-base FreeBSD port
In message <4ffa2871.2020...@dougbarton.us>, Doug Barton writes:
> On 07/08/2012 17:33, Matthew Pounsett wrote:
>> On 2012/07/08, at 20:29, Matthew Pounsett wrote:
>>> On 2012/07/08, at 20:26, Mark Andrews wrote:
>>>> One can also build named w/o GOST support if one wants. We statically link all the engines when building named on Windows.
>>> Unfortunately the port doesn't provide the config hooks to disable GOST support.
>> Actually.. how do you go about doing that anyway? I was just taking a look at writing a patch for the port to allow GOST to be turned off, but BIND's configure script doesn't have any information in it about disabling individual ciphers.
> I wouldn't accept it anyway. For better or worse, GOST is part of the protocol.
>
> Doug

GOST is not a mandatory part of DNSSEC. It is entirely optional whether a site supports it or not. If a site doesn't support GOST then the zone is treated as insecure. It doesn't break anything to disable GOST support. This is no worse than deciding whether to link with OpenSSL or not.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org