Mantis - libssl1_0_0
Viewing Issue Advanced Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
5237 packaging major always 2015-03-22 17:12 2015-06-03 10:38
Reporter: dam Platform:  
Assigned To: jh OS:  
Priority: normal OS Version:  
Status: closed Product Version:  
Product Build: Resolution: fixed  
Projection: none      
ETA: none Fixed in Version:  
Summary: 0005237: Upgrade of OpenSSL to 1.0.1m breaks named
Description: After the OpenSSL update to 1.0.1m BIND fails to start:

root@web [web]:/root > Mar 22 17:07:49 web named[29863]: [ID 873579 daemon.notice] starting BIND 9.9.6-P2 -u named
Mar 22 17:07:49 web named[29863]: [ID 873579 daemon.notice] built with '--prefix=/opt/csw' '--exec_prefix=/opt/csw' '--bindir=/opt/csw/bin' '--sbindir=/opt/csw/sbin' '--libexecdir=/opt/csw/libexec' '--datadir=/opt/csw/share' '--sharedstatedir=/opt/csw/share' '--localstatedir=/var/opt/csw' '--libdir=/opt/csw/lib' '--infodir=/opt/csw/share/info' '--includedir=/opt/csw/include' '--mandir=/opt/csw/share/man' '--with-libtool' '--with-openssl=/opt/csw' '--enable-threads' '--enable-largefile' '--sysconfdir=/etc/opt/csw' '--localstatedir=/var/opt/csw/named' '--enable-rrl' 'CC=/opt/csw/bin/gcc-4.9' 'CFLAGS=-O2 -pipe -mcpu=v9 -Wa,-xarch=v8plus' 'LDFLAGS=-mcpu=v9 -Wa,-xarch=v8plus -L/opt/csw/lib' 'CPPFLAGS=-I/opt/csw/include'
Mar 22 17:07:49 web named[29863]: [ID 873579 daemon.notice] ----------------------------------------------------
Mar 22 17:07:49 web named[29863]: [ID 873579 daemon.notice] BIND 9 is maintained by Internet Systems Consortium,
Mar 22 17:07:49 web named[29863]: [ID 873579 daemon.notice] Inc. (ISC), a non-profit 501(c)(3) public-benefit
Mar 22 17:07:49 web named[29863]: [ID 873579 daemon.notice] corporation. Support and training for BIND 9 are
Mar 22 17:07:49 web named[29863]: [ID 873579 daemon.notice] available at https://www.isc.org/support [^]
Mar 22 17:07:49 web named[29863]: [ID 873579 daemon.notice] ----------------------------------------------------
Mar 22 17:07:49 web named[29863]: [ID 873579 daemon.warning] ENGINE_by_id failed (crypto failure)
Mar 22 17:07:49 web named[29863]: [ID 873579 daemon.crit] initializing DST: crypto failure
Mar 22 17:07:49 web named[29863]: [ID 873579 daemon.crit] exiting (due to fatal error)
Mar 22 17:07:49 web svc.startd[19839]: [ID 652011 daemon.warning] svc:/network/cswnamed:default: Method "/var/opt/csw/svc/method/svc-cswnamed stop" failed with exit status 1.
Mar 22 17:07:49 web last message repeated 2 times
Mar 22 17:07:49 web svc.startd[19839]: [ID 748625 daemon.error] network/cswnamed:default failed: transitioned to maintenance (see 'svcs -xv' for details)

After downgrading to 1.0.1l it works again.
Probably a recompile of BIND is needed.
Steps To Reproduce:
Additional Information:
Relationships
Attached Files:
Issue History
Date Modified Username Field Change
2015-03-22 17:12 dam New Issue
2015-03-23 10:37 bonivart Note Added: 0011028
2015-03-23 10:41 bonivart Status new => assigned
2015-03-23 10:41 bonivart Assigned To => bonivart
2015-03-24 11:34 dam Note Added: 0011029
2015-03-24 11:37 dam Note Added: 0011030
2015-04-02 13:45 yann Project bind => libssl1_0_0
2015-04-02 13:48 yann Note Added: 0011031
2015-04-02 13:48 yann Assigned To bonivart => yann
2015-04-02 13:48 yann Severity minor => major
2015-04-02 16:33 bonivart Note Added: 0011032
2015-04-02 19:07 johnthurston Issue Monitored: johnthurston
2015-04-02 19:18 johnthurston Note Added: 0011033
2015-04-02 19:20 johnthurston Note Edited: 0011033
2015-06-03 10:36 jh Note Added: 0011035
2015-06-03 10:36 jh Assigned To yann => jh
2015-06-03 10:37 jh Note Edited: 0011035
2015-06-03 10:38 jh Status assigned => closed
2015-06-03 10:38 jh Resolution open => fixed

Notes
(0011028)
bonivart   
2015-03-23 10:37   
That's not the latest release of BIND, 9.9.7 is in unstable and it works for me. Can you please verify if you have the same problem with that version?
(0011029)
dam   
2015-03-24 11:34   
I just retried, same issue:

root@web [web]:/root > Mar 24 11:33:07 web named[17738]: [ID 873579 daemon.notice] starting BIND 9.9.7 -u named
Mar 24 11:33:07 web named[17738]: [ID 873579 daemon.notice] built with '--prefix=/opt/csw' '--exec_prefix=/opt/csw' '--bindir=/opt/csw/bin' '--sbindir=/opt/csw/sbin' '--libexecdir=/opt/csw/libexec' '--datadir=/opt/csw/share' '--sharedstatedir=/opt/csw/share' '--localstatedir=/var/opt/csw' '--libdir=/opt/csw/lib' '--infodir=/opt/csw/share/info' '--includedir=/opt/csw/include' '--mandir=/opt/csw/share/man' '--with-libtool' '--with-openssl=/opt/csw' '--enable-threads' '--enable-largefile' '--sysconfdir=/etc/opt/csw' '--localstatedir=/var/opt/csw/named' '--enable-rrl' 'CC=/opt/csw/bin/gcc-4.9' 'CFLAGS=-O2 -pipe -mcpu=v9 -Wa,-xarch=v8plus' 'LDFLAGS=-mcpu=v9 -Wa,-xarch=v8plus -L/opt/csw/lib' 'CPPFLAGS=-I/opt/csw/include'
Mar 24 11:33:07 web named[17738]: [ID 873579 daemon.notice] ----------------------------------------------------
Mar 24 11:33:07 web named[17738]: [ID 873579 daemon.notice] BIND 9 is maintained by Internet Systems Consortium,
Mar 24 11:33:07 web named[17738]: [ID 873579 daemon.notice] Inc. (ISC), a non-profit 501(c)(3) public-benefit
Mar 24 11:33:07 web named[17738]: [ID 873579 daemon.notice] corporation. Support and training for BIND 9 are
Mar 24 11:33:07 web named[17738]: [ID 873579 daemon.notice] available at https://www.isc.org/support [^]
Mar 24 11:33:07 web named[17738]: [ID 873579 daemon.notice] ----------------------------------------------------
Mar 24 11:33:07 web named[17738]: [ID 873579 daemon.warning] ENGINE_by_id failed (crypto failure)
Mar 24 11:33:07 web named[17738]: [ID 873579 daemon.crit] initializing DST: crypto failure
Mar 24 11:33:07 web named[17738]: [ID 873579 daemon.crit] exiting (due to fatal error)
Mar 24 11:33:08 web svc.startd[19839]: [ID 652011 daemon.warning] svc:/network/cswnamed:default: Method "/var/opt/csw/svc/method/svc-cswnamed stop" failed with exit status 1.
Mar 24 11:33:08 web last message repeated 2 times
Mar 24 11:33:08 web svc.startd[19839]: [ID 748625 daemon.error] network/cswnamed:default failed: transitioned to maintenance (see 'svcs -xv' for details)

root@web [web]:/root > pkginfo -x CSWbind CSWlibbind CSWlibssl1-0-0
CSWbind bind - ISC BIND DNS main package
                (sparc) 9.9.7,REV=2015.02.26
CSWlibbind libbind - ISC BIND DNS library package
                (sparc) 9.9.7,REV=2015.02.26
CSWlibssl1-0-0 libssl1_0_0 - Openssl 1.0 runtime libraries
                (sparc) 1.0.1m,REV=2015.03.21
(0011030)
dam   
2015-03-24 11:37   
BIND 9.9.7 works fine after downgrading just OpenSSL to 1.0.1l
(0011031)
yann   
2015-04-02 13:48   
As this bug is more likely caused by openssl, I am moving this bug to libssl1_0_0.
A security update shouldn't break any software.

Could you tell me if this bug happens only on sparc 5.11
(0011032)
bonivart   
2015-04-02 16:33   
I have installed a new Solaris 10 Sparc server and it fails there too. On i386 it works. I re-spun the Bind packages after hearing about the problem and it didn't help. Glad you're taking a look at it, tell me if you need me to test anything for you.
(0011033)
johnthurston   
2015-04-02 19:18   
(edited on: 2015-04-02 19:20)
I have reproduced the results with the following packages on Solaris SPARC 10:

root@nstest:~> pkginfo -x CSWbind CSWbindutils CSWlibssl1-0-0 CSWopenssl-utils
CSWbind bind - ISC BIND DNS main package
                  (sparc) 9.9.7,REV=2015.02.26
CSWbindutils bind_utils - ISC BIND DNS utilities package
                  (sparc) 9.9.7,REV=2015.02.26
CSWlibssl1-0-0 libssl1_0_0 - Openssl 1.0 runtime libraries
                  (sparc) 1.0.1m,REV=2015.03.21
CSWopenssl-utils openssl_utils - Openssl 1.0 binaries and related tools
                  (sparc) 1.0.1m,REV=2015.03.21

"uname -a" on my system returns:
  SunOS nstest 5.10 Generic_150400-17 sun4v sparc sun4v

Against "unstable", there are no differences shown for bind or openssl packages with "/opt/csw/bin/pkgutil -C"
Against "testing", openssl packages are 1.0.1l rather than m. There are no differences shown for bind.

BIND exits with:

root@nstest:~> /opt/csw/sbin/named -g -u named
02-Apr-2015 09:13:46.168 starting BIND 9.9.7 -g -u named
02-Apr-2015 09:13:46.169 built with '--prefix=/opt/csw' '--exec_prefix=/opt/csw' '--bindir=/opt/csw/bin' '--sbindir=/opt/csw/sbin' '--libexecdir=/opt/csw/libexec' '--datadir=/opt/csw/share' '--sharedstatedir=/opt/csw/share' '--localstatedir=/var/opt/csw' '--libdir=/opt/csw/lib' '--infodir=/opt/csw/share/info' '--includedir=/opt/csw/include' '--mandir=/opt/csw/share/man' '--with-libtool' '--with-openssl=/opt/csw' '--enable-threads' '--enable-largefile' '--sysconfdir=/etc/opt/csw' '--localstatedir=/var/opt/csw/named' '--enable-rrl' 'CC=/opt/csw/bin/gcc-4.9' 'CFLAGS=-O2 -pipe -mcpu=v9 -Wa,-xarch=v8plus' 'LDFLAGS=-mcpu=v9 -Wa,-xarch=v8plus -L/opt/csw/lib' 'CPPFLAGS=-I/opt/csw/include'
02-Apr-2015 09:13:46.169 ----------------------------------------------------
02-Apr-2015 09:13:46.169 BIND 9 is maintained by Internet Systems Consortium,
02-Apr-2015 09:13:46.169 Inc. (ISC), a non-profit 501(c)(3) public-benefit
02-Apr-2015 09:13:46.169 corporation. Support and training for BIND 9 are
02-Apr-2015 09:13:46.169 available at https://www.isc.org/support [^]
02-Apr-2015 09:13:46.169 ----------------------------------------------------
02-Apr-2015 09:13:46.169 found 128 CPUs, using 128 worker threads
02-Apr-2015 09:13:46.169 using 64 UDP listeners per interface
02-Apr-2015 09:13:46.188 using up to 4096 sockets
02-Apr-2015 09:13:46.238 ENGINE_by_id failed (crypto failure)
02-Apr-2015 09:13:46.238 error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:389:id=gost
02-Apr-2015 09:13:46.240 initializing DST: crypto failure
02-Apr-2015 09:13:46.240 exiting (due to fatal error)
(0011035)
jh   
2015-06-03 10:36   
(edited on: 2015-06-03 10:37)
all problems seems to be fixed now with libssl1_0_0-1.0.1m,REV=2015.06.02