Re: Improved SSL Error Logging [RT #29932]
Noel,

On Thursday, 2012-12-06 11:03:24 +1000, Noel Butler noel.but...@ausics.net wrote:
> Hi Shane, Mark, Evan
>
> On Tue, 2012-10-16 at 08:22 +0200, Shane Kerr wrote:
> > These changes are in our review queue now, so will go in future releases.
>
> I guess this was not pushed in? After update to 9.9.2-p1 the old logging returned, eg:

Our security releases only include the specific fix, to insure that they provide the least impact on administrators.

We'll be coming out with a beta for 9.9.3 next week or so which will include the changes, along with a number of other non-security fixes and (minor) features.

Cheers,

--
Shane

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Improved SSL Error Logging [RT #29932]
Thanks Shane,

I have re-applied previous changes to source files and that has silenced them again in meantime.

Cheers
Noel

On Thu, 2012-12-06 at 17:05 +0100, Shane Kerr wrote:
> Noel,
>
> On Thursday, 2012-12-06 11:03:24 +1000, Noel Butler noel.but...@ausics.net wrote:
> > Hi Shane, Mark, Evan
> >
> > On Tue, 2012-10-16 at 08:22 +0200, Shane Kerr wrote:
> > > These changes are in our review queue now, so will go in future releases.
> >
> > I guess this was not pushed in? After update to 9.9.2-p1 the old logging returned, eg:
>
> Our security releases only include the specific fix, to insure that they provide the least impact on administrators.
>
> We'll be coming out with a beta for 9.9.3 next week or so which will include the changes, along with a number of other non-security fixes and (minor) features.
>
> Cheers,
>
> --
> Shane
Re: Improved SSL Error Logging [RT #29932]
Hi Shane, Mark, Evan

On Tue, 2012-10-16 at 08:22 +0200, Shane Kerr wrote:
> Noel,
>
> These changes are in our review queue now, so will go in future releases.
>
> Cheers,

I guess this was not pushed in? After update to 9.9.2-p1 the old logging returned, eg:

huge snip
Dec 6 10:47:30 ns1 named[9671]: RSA_verify failed
Dec 6 10:47:30 ns1 named[9671]: error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:263:
Dec 6 10:47:30 ns1 named[9671]: sucessfully validated after lower casing signer 'US'
Dec 6 10:47:30 ns1 named[9671]: RSA_verify failed
Dec 6 10:47:30 ns1 named[9671]: error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:263:
Dec 6 10:47:30 ns1 named[9671]: sucessfully validated after lower casing signer 'US'
Dec 6 10:50:09 ns1 named[9671]: RSA_verify failed
Dec 6 10:50:09 ns1 named[9671]: error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:263:
Dec 6 10:50:09 ns1 named[9671]: sucessfully validated after lower casing signer 'CO'
Dec 6 10:50:09 ns1 named[9671]: RSA_verify failed
Dec 6 10:50:09 ns1 named[9671]: error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:263:
Dec 6 10:50:09 ns1 named[9671]: sucessfully validated after lower casing signer 'CO'
snip

> --
> Shane Kerr
> ISC
>
> On Saturday, 2012-10-13 11:07:01 +1000, Noel Butler noel.but...@ausics.net wrote:
> > Thanks Mark,
> >
> > These changes have been committed for future patch releases?
> >
> > Cheers
> >
> > On Fri, 2012-10-12 at 12:16 +1100, Mark Andrews wrote:
> > > Just drop the log level to ISC_LOG_DEBUG(1) and recompile.
> > > Search for sucessfully validated after lower casing in lib/dns/dnssec.c
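
Added example, not part of the original thread and not ISC code: a Python triage pass over the syslog lines quoted in the message above. It counts, per signer, the entries that named reports as validated after lower casing the signer (the "sucessfully" spelling is the one named logs) and lists any `RSA_verify failed` entries with no such follow-up. The sample log is constructed from the quoted lines, the final unmatched failure is invented, and treating a followed-up failure as benign noise is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the syslog format quoted in the thread. The last
# failure (10:52:41) has no follow-up line and is invented for illustration.
SAMPLE = """\
Dec 6 10:47:30 ns1 named[9671]: RSA_verify failed
Dec 6 10:47:30 ns1 named[9671]: error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:263:
Dec 6 10:47:30 ns1 named[9671]: sucessfully validated after lower casing signer 'US'
Dec 6 10:50:09 ns1 named[9671]: RSA_verify failed
Dec 6 10:50:09 ns1 named[9671]: error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:263:
Dec 6 10:50:09 ns1 named[9671]: sucessfully validated after lower casing signer 'CO'
Dec 6 10:50:09 ns1 last message repeated 4 times
Dec 6 10:52:41 ns1 named[9671]: RSA_verify failed
"""

NAMED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ named\[(\d+)\]: (.*)$")
RETRY_OK = re.compile(r"^sucessfully validated after lower casing signer '([^']*)'$")
REPEATED = re.compile(r"last message repeated (\d+) times$")

def triage(text):
    """Return (Counter of signers validated on retry, unexplained failures)."""
    recovered, unexplained = Counter(), []
    pending = {}          # named PID -> timestamp of a failure awaiting follow-up
    last_signer = None    # signer on the previous line, for syslog repeat lines
    for line in text.splitlines():
        m = NAMED.match(line)
        if not m:
            rep = REPEATED.search(line)
            if rep and last_signer is not None:
                recovered[last_signer] += int(rep.group(1))
            last_signer = None
            continue
        ts, pid, msg = m.groups()
        last_signer = None
        ok = RETRY_OK.match(msg)
        if msg == "RSA_verify failed":
            if pid in pending:            # earlier failure never got a follow-up
                unexplained.append((pending[pid], pid))
            pending[pid] = ts
        elif ok:
            pending.pop(pid, None)        # failure explained by the retry
            recovered[ok.group(1)] += 1
            last_signer = ok.group(1)
    unexplained.extend((ts, pid) for pid, ts in pending.items())
    return recovered, unexplained

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Failures left in the second list are the ones worth investigating before any log-level change hides them.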
Re: Improved SSL Error Logging [RT #29932]
Noel,

These changes are in our review queue now, so will go in future releases.

Cheers,

--
Shane Kerr
ISC

On Saturday, 2012-10-13 11:07:01 +1000, Noel Butler noel.but...@ausics.net wrote:
> Thanks Mark,
>
> These changes have been committed for future patch releases?
>
> Cheers
>
> On Fri, 2012-10-12 at 12:16 +1100, Mark Andrews wrote:
> > Just drop the log level to ISC_LOG_DEBUG(1) and recompile.
> > Search for sucessfully validated after lower casing in lib/dns/dnssec.c
Re: Improved SSL Error Logging [RT #29932]
Thanks Mark,

These changes have been committed for future patch releases?

Cheers

On Fri, 2012-10-12 at 12:16 +1100, Mark Andrews wrote:
> Just drop the log level to ISC_LOG_DEBUG(1) and recompile.
> Search for sucessfully validated after lower casing in lib/dns/dnssec.c
Re: Improved SSL Error Logging [RT #29932]
On Wed, 2012-10-10 at 18:44 +, Evan Hunt wrote:
> > BIND 9.7.7, 9.8.4 and 9.9.2 have "improved" OpenSSL error logging.
> > Unfortunately, our logs are now filling up with "RSA_verify failed"
> > messages.
>
> Yeah, oops, we made that one too noisy. You're not the first one who's
> noticed. :/
>
> > How does one go about tracking down the source of these failures and
> > correcting them? (We are running OpenSSL 1.0.1c.)
>
> In BIND9, in lib/dns/opensslrsa_link.c, change this:
>
>     return (dst__openssl_toresult2("RSA_verify", DST_R_VERIFYFAILURE));
>
> to this:
>
>     return (dst__openssl_toresult(DST_R_VERIFYFAILURE));

Evan, After applying this change the logs still fill up with some crud (9.9.2)

now still fills up with

Oct 12 04:13:46 ns1 named[18293]: sucessfully validated after lower casing signer 'US'
Oct 12 04:36:35 ns1 named[18293]: sucessfully validated after lower casing signer 'CO'
Oct 12 04:36:35 ns1 last message repeated 4 times
...

any method to disable this? Is it in its own category we can null out without affecting any other logging?

Cheers
Re: Improved SSL Error Logging [RT #29932]
In message 135602.4741.10.camel@tardis, Noel Butler writes:
> On Wed, 2012-10-10 at 18:44 +, Evan Hunt wrote:
> > > BIND 9.7.7, 9.8.4 and 9.9.2 have "improved" OpenSSL error logging.
> > > Unfortunately, our logs are now filling up with "RSA_verify failed"
> > > messages.
> >
> > Yeah, oops, we made that one too noisy. You're not the first one who's
> > noticed. :/
> >
> > > How does one go about tracking down the source of these failures and
> > > correcting them? (We are running OpenSSL 1.0.1c.)
> >
> > In BIND9, in lib/dns/opensslrsa_link.c, change this:
> >
> >     return (dst__openssl_toresult2("RSA_verify", DST_R_VERIFYFAILURE));
> >
> > to this:
> >
> >     return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
>
> Evan, After applying this change the logs still fill up with some crud (9.9.2)
>
> now still fills up with
>
> Oct 12 04:13:46 ns1 named[18293]: sucessfully validated after lower casing signer 'US'
> Oct 12 04:36:35 ns1 named[18293]: sucessfully validated after lower casing signer 'CO'
> Oct 12 04:36:35 ns1 last message repeated 4 times
> ...

Just drop the log level to ISC_LOG_DEBUG(1) and recompile.

Search for sucessfully validated after lower casing in lib/dns/dnssec.c

> any method to disable this? Is it in its own category we can null out without affecting any other logging?
>
> Cheers

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Improved SSL Error Logging [RT #29932]
> BIND 9.7.7, 9.8.4 and 9.9.2 have "improved" OpenSSL error logging.
> Unfortunately, our logs are now filling up with "RSA_verify failed"
> messages.

Yeah, oops, we made that one too noisy. You're not the first one who's noticed. :/

> How does one go about tracking down the source of these failures and
> correcting them? (We are running OpenSSL 1.0.1c.)

In BIND9, in lib/dns/opensslrsa_link.c, change this:

    return (dst__openssl_toresult2("RSA_verify", DST_R_VERIFYFAILURE));

to this:

    return (dst__openssl_toresult(DST_R_VERIFYFAILURE));

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.