On 23/11/2011 12:53, Howard Leadmon wrote:
> I just ran through on one of my older FreeBSD servers, and updated from
> BIND 9.8.1 to 9.8.1-P1 to get the security patches for BIND online, and
> after doing this bind crashes.
>
> I am seeing:
>
>
> Nov 23 06:35:19 named[24537]: starting BIND 9.8.1-P1 -u bind -t /var/named
> -u bind
> Nov 23 06:35:19 named[24537]: built with '--localstatedir=/var'
> '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random'
> '--with-openssl=/usr/local' '--with-libxml2=/usr/local'
> '--with-idn=/usr/local' '--with-libiconv=/usr/local'
> 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-ipv6' '--enable-threads'
> '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info/' '--build=i386-portbld-freebsd6.4'
> 'build_alias=i386-portbld-freebsd6.4' 'CC=cc' 'CFLAGS=-O2
> -fno-strict-aliasing -pipe' 'LDFLAGS= -rpath=/usr/local/lib' 'CPPFLAGS='
> 'CPP=cpp' 'CXX=c++' 'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'
> Nov 23 06:35:19 named[24537]: found 4 CPUs, using 4 worker threads
> Nov 23 06:35:19 named[24537]: using up to 4096 sockets
> Nov 23 06:35:19 named[24537]: initializing DST: openssl failure
> Nov 23 06:35:19 named[24537]: exiting (due to fatal error)
>
>
> Now as I knew this older machine (on my hitlist to be upgraded) and the
> supplied OpenSSL had issues of its own, I also installed the current
> OpenSSL from the ports to use, which BIND is built against. After doing
> the update to the -P1 version, I now find that when trying to start it dies
> with the above error.

I've been using the attached patch with the dns/bind98 port and
openssl-1.0.x from ports for months. This disables using the GOST
cipher plugins -- which is no big deal as far as I'm concerned.

GOST ciphers are only supplied as plugin modules unlike all other
ciphers in openssl, which is a new thing with version 1.0.0 in ports.
It's that libgost.so plugin shlib not playing well with chroot that
apparently causes named to crash.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk

--- Makefile.orig 2011-05-05 22:40:37.198878075 +0100 +++ Makefile 2011-05-05 22:46:57.116962017 +0100 @@ -209,6 +209,11 @@ ${WRKSRC}/bin/named/Makefile.in.Dist > \ ${WRKSRC}/bin/named/Makefile.in +.if defined(WITH_OPENSSL_PORT) +post-configure: + ${SED} -i~ -e 's:^#define HAVE_OPENSSL_GOST.*:/* #undef HAVE_OPENSSL_GOST */:' ${WRKSRC}/config.h +.endif + PKGMESSAGE= ${.CURDIR}/../bind97/pkg-message PKGINSTALL= ${.CURDIR}/../bind97/pkg-install post-install:
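
Review bot: the `.if defined(WITH_OPENSSL_PORT)` block added in the `@@ -209,6 +209,11 @@` hunk has no comment saying why `HAVE_OPENSSL_GOST` is being undefined, and it takes effect for every build against the ports OpenSSL whether or not named runs chrooted. A one-line comment above `post-configure:` giving the reason stated in the message (the GOST plugin not working under chroot) would help, and a dedicated knob rather than `WITH_OPENSSL_PORT` alone would let non-chroot builds keep GOST. The `sed` also exits successfully when `^#define HAVE_OPENSSL_GOST` matches nothing, so if configure ever writes that line differently the workaround silently stops applying; a check of `${WRKSRC}/config.h` after the edit would catch that. The `-i~` suffix leaves a `config.h~` backup in `${WRKSRC}`, which is harmless but unnecessary.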