Improved SSL Error Logging [RT #29932]

Noel Butler noel.butler at ausics.net
Fri Oct 12 00:10:02 UTC 2012


On Wed, 2012-10-10 at 18:44 +0000, Evan Hunt wrote:

> > BIND 9.7.7, 9.8.4 and 9.9.2 have "improved" OpenSSL error logging.
> > Unfortunately, our logs are now filling up with "RSA_verify failed"
> > messages.
> 
> Yeah, oops, we made that one too noisy.  You're not the first one
> who's noticed. :/
> 
> > How does one go about tracking down the source of these failures and
> > correcting them? (We are running OpenSSL 1.0.1c.)
> 
> In BIND9, in lib/dns/opensslrsa_link.c, change this:
> 
>                 return (dst__openssl_toresult2("RSA_verify",
>                                                DST_R_VERIFYFAILURE));
> 
> to this:
> 
>                 return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
> 


Evan, after applying this change the logs still fill up with some crud
(9.9.2).

It now still fills up with:

Oct 12 04:13:46 ns1 named[18293]: sucessfully validated after lower casing signer 'US'
Oct 12 04:36:35 ns1 named[18293]: sucessfully validated after lower casing signer 'CO'
Oct 12 04:36:35 ns1 last message repeated 4 times
...


Any method to disable this? Is it in its own category we can null out
without affecting any other logging?

Cheers
