oss-sec mailing list archives

Re: The Bind incident


From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 06 Jul 2011 21:16:51 +0200

* Mike O'Connor:

> Note that the BIND 9.4 ESV formally EOLed just last month:
>
> http://www.isc.org/softwaresupportpolicy
>
> So, if you are distributing an older rev of BIND and some new security
> issue comes up that you are prone to, it _might_ not be quite as easy to
> backport the fixes.

If you move from 9.4 or 9.5 to 9.6, your users might hit an issue in
the OpenSSL initialization function:

<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584911>

We've applied the kludge below to our 9.6 version, which seems to
address the most common cause of a silently dying named process.
(There are others, but those are more difficult to check.)

diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 2dc7d7e..80e6e00 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -48,12 +48,16 @@
 #include "dst_internal.h"
 #include "dst_openssl.h"
 
+#include <dns/log.h>
+
 #include <openssl/err.h>
 #include <openssl/rand.h>
 #include <openssl/evp.h>
 #include <openssl/conf.h>
 #include <openssl/crypto.h>
 
+#include <unistd.h>
+
 #if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER >= 0x0090707f)
 #define USE_ENGINE 1
 #endif
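Review bot: the second hunk reads `errno` and compares against `ENOENT`, but this hunk only adds `<dns/log.h>` and `<unistd.h>`; add `#include <errno.h>` next to `#include <unistd.h>` rather than relying on it arriving transitively through the OpenSSL or ISC headers, which is not guaranteed across OpenSSL versions and platforms.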
@@ -188,7 +192,19 @@ dst__openssl_init() {
        rm->pseudorand = entropy_getpseudo;
        rm->status = entropy_status;
 #ifdef USE_ENGINE
+       const char *cnf_path = "/usr/lib/ssl/openssl.cnf";
+       if (access(cnf_path, R_OK) == -1 && errno != ENOENT) {
+               isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+                             DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL,
+                             "The OpenSSL configuration file %s exists, "
+                             "but it is not readable.", cnf_path);
+               isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+                             DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL,
+                             "The process may terminate without further "
+                             "notice.");
+       }
        OPENSSL_config(NULL);
+
 #ifdef USE_PKCS11
 #ifndef PKCS11_SO_PATH
 #define PKCS11_SO_PATH         "/usr/local/lib/engines/engine_pkcs11.so"
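Review bot: the readability check tests a hard-coded "/usr/lib/ssl/openssl.cnf", but `OPENSSL_config(NULL)` loads the file from the library's compiled-in OPENSSLDIR, overridden by the OPENSSL_CONF environment variable, so on a non-Debian build or with OPENSSL_CONF set the diagnostic can inspect a different file than the one whose failure kills named; consider consulting `getenv("OPENSSL_CONF")` first and making the fallback path a build-time define rather than a literal. Two smaller points: `const char *cnf_path` is declared after the `rm->status = ...` statement, which is a mixed declaration that C89 builds will reject, so move it to the top of the block; and the `access()` result is only logged, never acted on, which is fine for a diagnostic kludge but worth saying in a comment so the next reader does not mistake it for a guard.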

