Improved SSL Error Logging [RT #29932]

Chris Thompson cet1 at cam.ac.uk
Wed Oct 10 20:54:11 UTC 2012


On Oct 10 2012, Evan Hunt wrote:

>> BIND 9.7.7, 9.8.4 and 9.9.2 have "improved" OpenSSL error logging.
>> Unfortunately, our logs are now filling up with "RSA_verify failed"
>> messages.
>
>Yeah, oops, we made that one too noisy.  You're not the first one
>who's noticed. :/

Also, without any indication of what was trying to be verified, rather
useless.

With 9.8.4 we also see lots of "RSA_public_decrypt failed" as well, e.g.

Oct 10 20:15:24  general: warning: RSA_verify failed
Oct 10 20:15:27  last message repeated 6 times
Oct 10 20:16:57  general: warning: RSA_verify failed
Oct 10 20:17:50  last message repeated 13 times
Oct 10 20:18:04  general: warning: RSA_public_decrypt failed
Oct 10 20:18:05  last message repeated 17 times
Oct 10 20:18:09  general: warning: RSA_verify failed
Oct 10 20:23:16  last message repeated 39 times
Oct 10 20:23:38  general: warning: RSA_verify failed
Oct 10 20:25:57  last message repeated 13 times
Oct 10 20:26:12  general: warning: RSA_public_decrypt failed
Oct 10 20:26:12  last message repeated 1 time

etc.

>> How does one go about tracking down the source of these failures and
>> correcting them? (We are running OpenSSL 1.0.1c.)
>
>In BIND9, in lib/dns/opensslrsa_link.c, change this:
>
>                return (dst__openssl_toresult2("RSA_verify",
>                                               DST_R_VERIFYFAILURE));
>
>to this:
>
>                return (dst__openssl_toresult(DST_R_VERIFYFAILURE));

Presumably we need to change this code

                                return (dst__openssl_toresult2(
                                                "RSA_public_decrypt",
                                                DST_R_VERIFYFAILURE));

similarly?

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
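As an added illustration (not code from the post or from BIND), the syslog excerpt above can be summarised to see how much of the log the new messages actually occupy. The script below reads the sample lines quoted in the post, folds each "last message repeated N times" line into the message immediately before it (which is what syslog's repeat suppression means), and reports a total and an approximate rate per message. It assumes the year is 2012 because syslog timestamps omit it; that assumption is marked in the code.

```python
import re
from datetime import datetime

# Syslog excerpt copied from the post above (BIND 9.8.4, 10 Oct 2012).
SAMPLE_LOG = """\
Oct 10 20:15:24  general: warning: RSA_verify failed
Oct 10 20:15:27  last message repeated 6 times
Oct 10 20:16:57  general: warning: RSA_verify failed
Oct 10 20:17:50  last message repeated 13 times
Oct 10 20:18:04  general: warning: RSA_public_decrypt failed
Oct 10 20:18:05  last message repeated 17 times
Oct 10 20:18:09  general: warning: RSA_verify failed
Oct 10 20:23:16  last message repeated 39 times
Oct 10 20:23:38  general: warning: RSA_verify failed
Oct 10 20:25:57  last message repeated 13 times
Oct 10 20:26:12  general: warning: RSA_public_decrypt failed
Oct 10 20:26:12  last message repeated 1 time
"""

# "Mon DD HH:MM:SS" followed by the message; syslog pads the day with a space.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+(?P<msg>.+)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times?$")


def parse_timestamp(ts, year=2012):
    """Syslog lines carry no year; 2012 is assumed here from the post's date."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def summarize(log_text, year=2012):
    """Return {message: {"count", "first", "last"}} with repeat lines folded in.

    A "last message repeated N times" line adds N occurrences to the message
    that precedes it; a repeat line with no preceding message is ignored.
    """
    summary = {}
    last_msg = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_timestamp(m.group("ts"), year)
        msg = m.group("msg")
        rep = REPEAT_RE.match(msg)
        if rep:
            if last_msg is None:
                continue
            msg, n = last_msg, int(rep.group("n"))
        else:
            last_msg, n = msg, 1
        entry = summary.setdefault(msg, {"count": 0, "first": ts, "last": ts})
        entry["count"] += n
        entry["last"] = ts
    return summary


def rate_per_minute(entry):
    """Occurrences per minute over the interval between first and last sighting."""
    span = (entry["last"] - entry["first"]).total_seconds()
    return entry["count"] * 60.0 / max(span, 1.0)


def noisy_messages(summary, threshold_per_minute):
    """Messages whose rate exceeds the threshold, sorted by count (highest first)."""
    hits = [(msg, e["count"], rate_per_minute(e))
            for msg, e in summary.items()
            if rate_per_minute(e) > threshold_per_minute]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for msg, count, rate in noisy_messages(summarize(SAMPLE_LOG), 1.0):
        print(f"{count:5d}  {rate:5.1f}/min  {msg}")
```

Run as-is, it shows that the twelve visible lines stand for 95 warnings in about eleven minutes, which is the point of the complaint: the repeat suppression hides the true volume, and neither message says which key or signature was being checked.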


