Improved SSL Error Logging [RT #29932]

Mark Andrews marka at isc.org
Fri Oct 12 01:16:32 UTC 2012


In message <1350000602.4741.10.camel at tardis>, Noel Butler writes:
> On Wed, 2012-10-10 at 18:44 +0000, Evan Hunt wrote:
> 
> > > BIND 9.7.7, 9.8.4 and 9.9.2 have "improved" OpenSSL error logging.
> > > Unfortunately, our logs are now filling up with "RSA_verify failed"
> > > messages.
> >
> > Yeah, oops, we made that one too noisy.  You're not the first one
> > who's noticed. :/
> >
> > > How does one go about tracking down the source of these failures and
> > > correcting them? (We are running OpenSSL 1.0.1c.)
> >
> > In BIND9, in lib/dns/opensslrsa_link.c, change this:
> >
> >                 return (dst__openssl_toresult2("RSA_verify",
> >                                                DST_R_VERIFYFAILURE));
> >
> > to this:
> >
> >                 return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
> >
> 
> 
> Evan, after applying this change the logs still fill up with some crud
> (9.9.2)
> 
> Now it still fills up with
> 
> Oct 12 04:13:46 ns1 named[18293]: sucessfully validated after lower
> casing signer 'US'
> Oct 12 04:36:35 ns1 named[18293]: sucessfully validated after lower
> casing signer 'CO'
> Oct 12 04:36:35 ns1 last message repeated 4 times
> ...

Just drop the log level to ISC_LOG_DEBUG(1) and recompile.

Search for "sucessfully validated after lower casing" in lib/dns/dnssec.c
 
> Any method to disable this? Is it in its own category we can null out
> without affecting any other logging?
> 
> Cheers
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
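The source edit Mark describes above, as an added example that is not part of the thread and not ISC code: a small POSIX shell script that lowers the "sucessfully validated after lower casing signer" message in lib/dns/dnssec.c from ISC_LOG_INFO to ISC_LOG_DEBUG(1) and refuses to claim success if it did not actually change anything. The isc_log_write() call in BIND is normally split over several lines, with the level argument on a line above the format string, so a one-line sed on the message text would miss it; the script walks back from the message to the nearest ISC_LOG_INFO in the same call. The demo at the bottom runs on a constructed stand-in for the call site (its category argument is a placeholder), not on the real file, and the assumption that the message is currently logged at ISC_LOG_INFO is mine, not stated on the page.

```shell
#!/bin/sh
# Added example, not from the thread: lower the "sucessfully validated after
# lower casing signer" message from ISC_LOG_INFO to ISC_LOG_DEBUG(1) before
# rebuilding named, as suggested in the reply above.
# Assumption (mine): the call site currently passes ISC_LOG_INFO.
set -eu

# quiet_lowercase_signer_msg FILE
# Rewrites FILE in place. Returns 1, leaving FILE untouched, if no
# ISC_LOG_INFO is found within the five lines above the message text.
quiet_lowercase_signer_msg() {
    file=$1
    tmp="$file.tmp.$$"
    if awk '
        { line[NR] = $0 }
        END {
            changed = 0
            for (i = 1; i <= NR; i++) {
                if (index(line[i], "sucessfully validated after lower casing") == 0)
                    continue
                # the level argument is usually a few lines above the format
                # string; j starts at i so a single-line call is handled too
                for (j = i; j >= 1 && j > i - 6; j--) {
                    if (sub(/ISC_LOG_INFO/, "ISC_LOG_DEBUG(1)", line[j])) {
                        changed++
                        break
                    }
                }
            }
            for (i = 1; i <= NR; i++) print line[i]
            exit (changed > 0 ? 0 : 1)
        }' "$file" > "$tmp"; then
        mv "$tmp" "$file"
    else
        rm -f "$tmp"
        echo "no ISC_LOG_INFO near the lower-casing message in $file" >&2
        return 1
    fi
}

# Demo on a constructed stand-in for the call site (not the real dnssec.c;
# CATEGORY_PLACEHOLDER is not a BIND identifier). Against a real source tree:
# quiet_lowercase_signer_msg lib/dns/dnssec.c && make && make install,
# then restart named.
demo_quiet_lowercase_signer_msg() {
    dir=$(mktemp -d)
    cat > "$dir/dnssec.c" <<'EOF'
	if (ret == ISC_R_SUCCESS) {
		isc_log_write(dns_lctx, CATEGORY_PLACEHOLDER,
			      DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
			      "sucessfully validated after lower casing "
			      "signer '%s'", namebuf);
	}
EOF
    quiet_lowercase_signer_msg "$dir/dnssec.c"
    grep -n 'ISC_LOG_' "$dir/dnssec.c"   # the level line now reads ISC_LOG_DEBUG(1)
    rm -rf "$dir"
}

demo_quiet_lowercase_signer_msg
```

Two caveats worth keeping in mind. This only changes the severity of the message, not the validation behaviour behind it, and a channel configured with severity debug 1 or higher will show it again. It is also a local source patch, so it has to be re-applied (and re-checked against the call site) on every BIND upgrade until a release changes the level itself.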


