Re: BIND 9.8.0 + openssl 1.0.0d + chroot == issues

2011-04-22 Thread Doug Barton

On 04/19/2011 17:11, Mark Andrews wrote:

> In message 4dadfb29.6080...@dougbarton.us, Doug Barton writes:
>
>> I have had 2 reports now of people using BIND 9.8.0 on FreeBSD compiled
>> against openssl 1.0.0d not being able to chroot unless they copy
>> $PREFIX/lib/engines/libgost.so into the chroot environment.
>> Traditionally, copying libs into the chroot directory has not been
>> necessary, so I'm curious. Building 9.8 against the default openssl in
>> the FreeBSD base (0.9.8q) I have not experienced this problem.
>>
>> I haven't actually tried this with 1.0.0d myself yet, so I thought I'd
>> ask about it here first before filing a bug report. Could this be a
>> (previously unknown form of) user error? Or is it an actual BIND bug (or
>> an openssl bug for that matter)?
>
> It's a matter of how OpenSSL is built.  You can build openssl with
> gost as a dynamically loaded engine or you can build openssl with
> the engines already linked in.
>
> Gost, unlike the rest of the crypto, is implemented as an engine.


I finally had a chance to test this, and using the enable-static-engine 
build option didn't have any effect. That was the only relevant-looking 
option I was able to find after a non-trivial amount of time looking 
through the openssl code and web-searching, do you have any other 
suggestions? :)



Doug

--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


BIND 9.8.0 + openssl 1.0.0d + chroot == issues

2011-04-19 Thread Doug Barton

I have had 2 reports now of people using BIND 9.8.0 on FreeBSD compiled 
against openssl 1.0.0d not being able to chroot unless they copy 
$PREFIX/lib/engines/libgost.so into the chroot environment. 
Traditionally, copying libs into the chroot directory has not been 
necessary, so I'm curious. Building 9.8 against the default openssl in 
the FreeBSD base (0.9.8q) I have not experienced this problem.


I haven't actually tried this with 1.0.0d myself yet, so I thought I'd 
ask about it here first before filing a bug report. Could this be a 
(previously unknown form of) user error? Or is it an actual BIND bug (or 
an openssl bug for that matter)?



Thanks,

Doug

--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/



Re: BIND 9.8.0 + openssl 1.0.0d + chroot == issues

2011-04-19 Thread Paul Wouters

On Tue, 19 Apr 2011, Doug Barton wrote:

> I have had 2 reports now of people using BIND 9.8.0 on FreeBSD compiled
> against openssl 1.0.0d not being able to chroot unless they copy
> $PREFIX/lib/engines/libgost.so into the chroot environment. Traditionally,
> copying libs into the chroot directory has not been necessary, so I'm
> curious. Building 9.8 against the default openssl in the FreeBSD base
> (0.9.8q) I have not experienced this problem.


0.9.8 did not support gost, so I'm not sure if you can compare this as you do.

Paul (not on freebsd)


Re: BIND 9.8.0 + openssl 1.0.0d + chroot == issues

2011-04-19 Thread Mark Andrews

In message 4dadfb29.6080...@dougbarton.us, Doug Barton writes:
> I have had 2 reports now of people using BIND 9.8.0 on FreeBSD compiled
> against openssl 1.0.0d not being able to chroot unless they copy
> $PREFIX/lib/engines/libgost.so into the chroot environment.
> Traditionally, copying libs into the chroot directory has not been
> necessary, so I'm curious. Building 9.8 against the default openssl in
> the FreeBSD base (0.9.8q) I have not experienced this problem.
>
> I haven't actually tried this with 1.0.0d myself yet, so I thought I'd
> ask about it here first before filing a bug report. Could this be a
> (previously unknown form of) user error? Or is it an actual BIND bug (or
> an openssl bug for that matter)?

It's a matter of how OpenSSL is built.  You can build openssl with
gost as a dynamically loaded engine or you can build openssl with
the engines already linked in.

Gost, unlike the rest of the crypto, is implemented as an engine.

> Thanks,
>
> Doug
>
> --
>
>   Nothin' ever doesn't change, but nothin' changes much.
>   -- OK Go
>
>   Breadth of IT experience, and depth of knowledge in the DNS.
>   Yours for the right price.  :)  http://SupersetSolutions.com/
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: BIND 9.8.0 + openssl 1.0.0d + chroot == issues

2011-04-19 Thread Tony Finch

On 20 Apr 2011, at 01:11, Mark Andrews ma...@isc.org wrote:
> In message 4dadfb29.6080...@dougbarton.us, Doug Barton writes:
>> I have had 2 reports now of people using BIND 9.8.0 on FreeBSD compiled
>> against openssl 1.0.0d not being able to chroot unless they copy
>> $PREFIX/lib/engines/libgost.so into the chroot environment.
>
> It's a matter of how OpenSSL is built.  You can build openssl with
> gost as a dynamically loaded engine or you can build openssl with
> the engines already linked in.
>
> Gost, unlike the rest of the crypto, is implemented as an engine.

I have encountered exactly the problem Doug described. I'll have to have a 
closer look at my OpenSSL build. I sent a message to bind9-bugs asking for a 
bit more flexibility in BIND's build configuration for GOST support, so it can 
be turned off easily in BIND even if OpenSSL supports it. (At the moment I 
bodge config.h to do this.)

Tony.
--
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
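
The workaround reported in this thread, copying `$PREFIX/lib/engines/libgost.so` into the chroot, can be checked mechanically before starting the daemon. The script below is an added example, not part of any post in the thread and not ISC or OpenSSL code; the function name `missing_chroot_engines` and the demo tree are constructed, and it assumes a dynamically loaded engine is opened by the same absolute path after chroot.

```shell
#!/bin/sh
# Added example: list OpenSSL dynamic engines that a chrooted daemon would
# not find. Assumption: the engine is opened by the same absolute path after
# chroot(2), so it must exist at <chroot>/<prefix>/lib/engines/<name>.

# missing_chroot_engines PREFIX CHROOT
#   prints one line per engine present under PREFIX but absent in CHROOT
#   returns 0 = nothing missing, 1 = something missing, 2 = no engines dir
missing_chroot_engines() {
    engines_dir="$1/lib/engines"
    chroot_dir=$2
    [ -d "$engines_dir" ] || return 2

    status=0
    for so in "$engines_dir"/*.so; do
        [ -e "$so" ] || continue              # glob matched nothing
        inside="$chroot_dir/${so#/}"          # same path, re-rooted
        if [ ! -r "$inside" ]; then
            printf '%s\n' "$inside"
            status=1
        fi
    done
    return $status
}

# Constructed demo tree (not a real installation): a prefix holding an empty
# stand-in for libgost.so, checked before and after copying it into the jail.
demo() {
    tmp=$(mktemp -d) || return 1
    d_prefix="$tmp/usr/local"
    d_jail="$tmp/jail"
    mkdir -p "$d_prefix/lib/engines" "$d_jail"
    : > "$d_prefix/lib/engines/libgost.so"

    echo "missing before copy:"
    missing_chroot_engines "$d_prefix" "$d_jail" || true

    mkdir -p "$d_jail/${d_prefix#/}/lib/engines"
    cp "$d_prefix/lib/engines/libgost.so" "$d_jail/${d_prefix#/}/lib/engines/"
    echo "missing after copy:"
    missing_chroot_engines "$d_prefix" "$d_jail" && echo "(none)"

    rm -rf "$tmp"
}
demo
```

A return status of 2 means the prefix has no `lib/engines` directory at all, which is what a build with the engines linked in, as Mark Andrews describes, would be expected to show.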