Date: Wed, 23 Nov 2011 13:18:45 +0000
From: Matthew Seaman
To: freebsd-questions@freebsd.org
Subject: Re: BIND 9.8.1-P1 with OpenSSL 1.0.0 issues..

On 23/11/2011 12:53, Howard Leadmon wrote:
> I just ran through on one of my older FreeBSD servers, and updated from
> BIND 9.8.1 to 9.8.1-P1 to get the security patches for BIND online, and
> after doing this bind crashes.
>
> I am seeing:
>
>
> Nov 23 06:35:19 named[24537]: starting BIND 9.8.1-P1 -u bind -t /var/named
> -u bind
> Nov 23 06:35:19 named[24537]: built with '--localstatedir=/var'
> '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random'
> '--with-openssl=/usr/local' '--with-libxml2=/usr/local'
> '--with-idn=/usr/local' '--with-libiconv=/usr/local'
> 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-ipv6' '--enable-threads'
> '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info/' '--build=i386-portbld-freebsd6.4'
> 'build_alias=i386-portbld-freebsd6.4' 'CC=cc' 'CFLAGS=-O2
> -fno-strict-aliasing -pipe' 'LDFLAGS= -rpath=/usr/local/lib' 'CPPFLAGS='
> 'CPP=cpp' 'CXX=c++' 'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'
> Nov 23 06:35:19 named[24537]: found 4 CPUs, using 4 worker threads
> Nov 23 06:35:19 named[24537]: using up to 4096 sockets
> Nov 23 06:35:19 named[24537]: initializing DST: openssl failure
> Nov 23 06:35:19 named[24537]: exiting (due to fatal error)
>
>
> Now as I knew this older machine (on my hitlist to be upgraded) and the
> supplied OpenSSL had issues of its own, I also installed the current
> OpenSSL from the ports to use, which BIND is built against.  After doing
> the update to the -P1 version, I now find that when trying to start it dies
> with the above error.

I've been using the attached patch with the dns/bind98 port and
openssl-1.0.x from ports for months. This disables using the GOST
cipher plugins -- which is no big deal as far as I'm concerned.

GOST ciphers are only supplied as plugin modules unlike all other
ciphers in openssl, which is a new thing with version 1.0.0 in ports.
It's that libgost.so plugin shlib not playing well with chroot that
apparently causes named to crash.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk

Attachment: Makefile.diff

--- Makefile.orig 2011-05-05 22:40:37.198878075 +0100 +++ Makefile 2011-05-05 22:46:57.116962017 +0100 @@ -209,6 +209,11 @@ ${WRKSRC}/bin/named/Makefile.in.Dist > \ ${WRKSRC}/bin/named/Makefile.in =20 +.if defined(WITH_OPENSSL_PORT) +post-configure: + ${SED} -i~ -e 's:^#define HAVE_OPENSSL_GOST.*:/* #undef HAVE_OPENSSL_GO= ST */:' ${WRKSRC}/config.h +.endif + PKGMESSAGE=3D ${.CURDIR}/../bind97/pkg-message PKGINSTALL=3D ${.CURDIR}/../bind97/pkg-install post-install:
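
Review bot: The post-configure target added under ".if defined(WITH_OPENSSL_PORT)" has no comment saying why HAVE_OPENSSL_GOST is being undefined, so every build against the OpenSSL port loses GOST support with nothing in the Makefile to explain it. Add a short comment giving the reason stated in the mail (the libgost.so plugin not working under chroot). The sed expression also succeeds when config.h contains no "#define HAVE_OPENSSL_GOST" line, so if configure's output changes the workaround becomes a silent no-op; a grep on ${WRKSRC}/config.h after the edit would catch that. As a style point, ports convention is ${REINPLACE_CMD} rather than a direct "${SED} -i~" call.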