Crypto failure Issues

Tony Finch dot at dotat.at
Mon Jul 27 22:22:55 UTC 2015


Mark Andrews <marka at isc.org> wrote:
>
> And the issue almost certainly is not providing a complete enough
> change root environment.  Gost dynamically loads the crypto engine
> after named starts.

I have a lot of sympathy for anyone who encounters this problem because it
took me a long time to work out what the solution is. Practically no-one
has experience of OpenSSL engines because at best the average sysadmin
might know that engines are weird stuff you need for HSMs.

A large part of this is OpenSSL's fault, because its error reporting is
not good enough. OpenSSL has a lot of internal abstraction layers, but its
error codes are just per-module errno-style numbers, which means it is
fundamentally incapable of explaining what went wrong. Like in this
instance when its errno said, "ENGINE_by_id failed" but because it can't
encapsulate the crucial argument in the error code, it can't say, oh by
the way, the engine name is GOST. And because the abstraction layer is
fundamentally designed to allow you to be unaware of which engine you are
using (which engine failed) this ends up making problems hard to debug.

BIND is generally a lot better at explaining what it is doing than
OpenSSL, but it also has layers, and also has errno-style error codes, so
the lack of information propagates. Sadface. Happily BIND has debug
logging which lets you report this kind of problem from the depths of its
libraries. But it doesn't log in this situation. Sadface.

Debian has an interesting patch to BIND which makes it initialize OpenSSL
before calling chroot(), which completely solves this problem in a very
nice way. This worked well for me until, er, some point in the last few
months on the BIND 9.11 HEAD branch.

http://anonscm.debian.org/cgit/users/lamont/bind9.git/commit/?h=master&id=60cf6b37caf48bd3270aa2b7b8af5ebc47396dce

I am afraid I have not identified why this patch doesn't work any more,
because why would anyone in their right mind give a monkey's about elegant
solutions to problems caused by obscure crypto algorithms that no-one in
their right mind uses.

Tony.

PS. it seems I am a bit cross about GOST.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Portland, Plymouth: West or northwest 6 to gale 8 decreasing 4 or 5.
Moderate or rough. Mainly fair. Good.
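The "complete enough chroot environment" point above is easy to check before named is started: run ldd on the engine shared object on the host, and verify that the engine and every library it resolves to also exist under the chroot. The script below is an added example, not code from this thread, from BIND, or from Debian's patch; the engine path is a placeholder assumption, and the ldd output it parses is constructed inline so it runs offline.

```python
import os
import tempfile

# Hypothetical engine path (an assumption for this example; the real path
# depends on the distribution and the OpenSSL version in use).
ENGINE_PATH = "/usr/lib/x86_64-linux-gnu/engines-1.1/gost.so"

# Constructed sample of what `ldd` prints for the engine on the host.
# Addresses and the unresolved entry are made up to exercise the parser.
SAMPLE_LDD_OUTPUT = (
    "\tlinux-vdso.so.1 (0x00007ffd4a1f0000)\n"
    "\tlibcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f1a2c400000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2c200000)\n"
    "\tlibexample_missing.so => not found\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00007f1a2c900000)\n"
)


def parse_ldd_output(text):
    """Split ldd output into absolute library paths and unresolved sonames.

    ldd prints three shapes of line: "name => /path (addr)", "name => not found",
    and "/path (addr)" for the dynamic loader itself. The vdso line carries no
    path and is skipped because the kernel maps it inside any chroot.
    """
    resolved, unresolved = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=>" in line:
            name, _, rest = line.partition("=>")
            parts = rest.split()
            target = parts[0] if parts else ""
            if target.startswith("/"):
                resolved.append(target)
            else:
                # "not found" on the host: it cannot work in the chroot either
                unresolved.append(name.strip())
        else:
            first = line.split()[0]
            if first.startswith("/"):
                resolved.append(first)
    return resolved, unresolved


def missing_in_chroot(chroot, paths):
    """Return those absolute paths that do not exist under the chroot."""
    return [p for p in paths
            if not os.path.exists(os.path.join(chroot, p.lstrip("/")))]


def check_engine_in_chroot(chroot, engine_path, ldd_text):
    """Report what the chroot lacks for the engine to load after chroot()."""
    resolved, unresolved = parse_ldd_output(ldd_text)
    return {
        "missing": missing_in_chroot(chroot, [engine_path] + resolved),
        "unresolved": unresolved,
    }


def make_demo_chroot():
    """Build a throwaway chroot tree (constructed, for demonstration only).

    The engine and libc are present, but libcrypto and the dynamic loader are
    deliberately left out, mirroring an incomplete chroot.
    """
    root = tempfile.mkdtemp(prefix="named-chroot-demo-")
    for p in (ENGINE_PATH, "/lib/x86_64-linux-gnu/libc.so.6"):
        full = os.path.join(root, p.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(b"\x7fELF")  # placeholder bytes, not a real library
    return root


if __name__ == "__main__":
    demo = make_demo_chroot()
    report = check_engine_in_chroot(demo, ENGINE_PATH, SAMPLE_LDD_OUTPUT)
    for path in report["missing"]:
        print("missing under chroot:", path)
    for name in report["unresolved"]:
        print("unresolved on host:", name)
```

In real use the ldd text would come from running ldd on the host against the engine file, and the chroot argument would be named's -t directory; anything the report lists as missing is exactly what ENGINE_by_id will silently fail on once named has called chroot(). The other way round the problem, as the Debian patch mentioned above does, is to initialize OpenSSL before chroot() so the engine is already loaded.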

