OPENSSL_FORCE_FIPS_MODE variable causes OpenSSL errors when running named commands
Danilo Godec
danilo.godec at agenda.si
Mon Jan 20 15:03:29 UTC 2025
Hello,
I'm running bind 9.18.28 on OpenSuSE Leap 15.6. I also run 'certbot'
with some home-brewed scripts for DNS validation.
Something happened between January 6th and yesterday that caused
'certbot' renewals to fail with OpenSSL errors:
tls.c:90:tls_initialize(): fatal error: RUNTIME_CHECK(OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN | OPENSSL_INIT_LOAD_CONFIG, NULL) == 1) failed
Aborted (core dumped)
Digging deeper, I found out that 'certbot' defines several environment
variables when it runs external scripts ('hooks'), and among those is also:
export OPENSSL_FORCE_FIPS_MODE="0"
And when this variable is defined (regardless of its value), named
related commands, such as rndc, named-checkzone and named-checkconf, fail
with that error.
# named-checkconf
tls.c:90:tls_initialize(): fatal error: RUNTIME_CHECK(OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN | OPENSSL_INIT_LOAD_CONFIG, NULL) == 1) failed
Aborted (core dumped)
# named-checkzone
tls.c:90:tls_initialize(): fatal error: RUNTIME_CHECK(OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN | OPENSSL_INIT_LOAD_CONFIG, NULL) == 1) failed
Aborted (core dumped)
# rndc
tls.c:90:tls_initialize(): fatal error: RUNTIME_CHECK(OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN | OPENSSL_INIT_LOAD_CONFIG, NULL) == 1) failed
Aborted (core dumped)
So my workaround is to 'unset' this variable in my script.
I guess the issue was caused by one of the OpenSuSE package updates
(glibc, maybe?) and has probably nothing to do with Bind itself, but I
thought someone else might run into it.
Danilo
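The workaround described in the post, written out as a small POSIX sh hook wrapper. This is an added example, not code from Danilo's post or from BIND or certbot; the hook name, zone and zone-file arguments are hypothetical. The point it makes explicit is that the variable has to be removed from the child environment entirely, since the post reports the failure for any value, so setting it to "" or "0" would not help.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot DNS-hook wrapper that
# strips OPENSSL_FORCE_FIPS_MODE from the environment before calling BIND tools.

# Run a command in a child environment with OPENSSL_FORCE_FIPS_MODE removed.
# The variable is unset, not emptied: the post reports the tls_initialize()
# RUNTIME_CHECK failure regardless of the variable's value. The subshell keeps
# the caller's environment (certbot's other CERTBOT_* variables) untouched.
run_without_fips_env() {
    (
        unset OPENSSL_FORCE_FIPS_MODE
        exec "$@"
    )
}

# Return 0 if OPENSSL_FORCE_FIPS_MODE is present in this shell's environment
# at all (even as "" or "0"), 1 if it is absent. Useful as a pre-flight check
# before invoking rndc / named-checkzone / named-checkconf directly.
fips_env_present() {
    [ -n "${OPENSSL_FORCE_FIPS_MODE+set}" ]
}

# Hypothetical hook step: validate the updated zone, then reload it, with the
# problematic variable stripped from every BIND tool invocation. Returns the
# exit status of the failing tool so certbot sees the hook fail.
deploy_challenge() {
    zone=$1
    zonefile=$2
    run_without_fips_env named-checkzone "$zone" "$zonefile" || return $?
    run_without_fips_env rndc reload "$zone"
}

# Usage from a certbot hook, e.g.:
#   deploy_challenge example.test /var/lib/named/master/example.test.zone
```

Because `run_without_fips_env` uses a subshell, the variable is still set in the calling script afterwards, which is fine: only the BIND tools need to be shielded from it, and certbot's own process is not affected.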