[nsd-users] nsd-control SSL problems (UNCLASSIFIED)

W.C.A. Wijngaards wouter at nlnetlabs.nl
Tue Nov 26 13:26:12 UTC 2013


Hi Howard,

The call that fails is SSL_do_handshake (returned failure and
SSL_Error is the printed error).

Other search hits say that 'random generator not sufficiently seeded'
could be the issue.  Does it print "warning: no entropy, seeding
openssl PRNG with time"?  This is openssl's FAQ entry for getting
randomness: http://www.openssl.org/support/faq.html#USER1

Is the randomness device unavailable because of chroot?  I could try
to seed openssl prng before chroot happens...

Best regards,

On 11/26/2013 01:58 PM, Kash, Howard M CIV (US) wrote:
> Classification: UNCLASSIFIED Caveats: NONE
> I changed the hash to sha1 and have tried various key lengths
> (1024, 512) and keep getting the same error.  I will compile
> OpenSSL 1.0.1e and link against that to see if it is really an
> issue with OpenSSL 0.9.8.  BTW, I'm using a sha256 TSIG key and
> it's working.
> Howard
> -----Original Message-----
> From: nsd-users [mailto:nsd-users-bounces at NLnetLabs.nl] On Behalf Of W.C.A. Wijngaards
> Sent: Tuesday, November 26, 2013 4:43 AM
> To: nsd-users at NLnetLabs.nl
> Subject: Re: [nsd-users] nsd-control SSL problems (UNCLASSIFIED)
> Hi Howard,
> On 11/25/2013 09:17 PM, Kash, Howard M CIV (US) wrote:
>> Classification: UNCLASSIFIED Caveats: NONE
>> I've installed NSD 4.0 on two RedHat 6, 64-bit systems and four 
>> RedHat 5, 32-bit systems.  On the two RHEL6 systems nsd-control 
>> works fine.  On the four RHEL5 systems, nsd-control gives
>> "error: SSL handshake failed".  In the log file it says "error:
>> remote control failed ssl crypto error:140B512D:SSL 
>> routines:SSL_GET_NEW_SESSION:ssl session id callback failed".
>> I've tried removing the certificates and re-running
>> nsd-control-setup with the same result.  All attempts are from
>> localhost.  RHEL6 uses OpenSSL 1.0.0, whereas RHEL5 uses 0.9.8e,
>> but the NSD documentation doesn't specify a requirement for a
>> particular version.  Any ideas?
> At the start of nsd-control-setup (a shell script) there is the line
> HASH=sha256
> Change that to HASH=sha1.
> Then remove the certificates and run the nsd-control-setup script 
> again, and you have different certificates.  At the start of the 
> script you can also change the key length (BITS=xx).  I am not sure
> if this will work, but older openssl could not have sha256, I
> believe.
> Best regards, Wouter
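Wouter's question above, whether the randomness device is still reachable once nsd has chrooted, can be checked from the shell. The script below is an added diagnostic, not part of this thread or of NSD itself; the function names are assumptions, and the chroot path is passed as an argument (normally the directory set by chrootdir: in nsd.conf).

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from NSD): does a chroot directory
# still give OpenSSL a randomness device to seed its PRNG from?

# Returns 0 when both device nodes are usable inside the chroot, 1 otherwise,
# printing one line per problem so the output reads well in a log.
check_chroot_entropy() {
    root="${1%/}"            # strip a trailing slash; "/" becomes ""
    rc=0
    for dev in random urandom; do
        node="$root/dev/$dev"
        if [ ! -e "$node" ]; then
            echo "missing: $node (OpenSSL cannot seed its PRNG after chroot)"
            rc=1
        elif [ ! -c "$node" ]; then
            echo "not a character device: $node"
            rc=1
        elif [ ! -r "$node" ]; then
            echo "not readable: $node"
            rc=1
        fi
    done
    return "$rc"
}

# Reads 32 bytes through the chrooted urandom node to confirm the kernel
# actually serves it; returns 0 on success. urandom is used so the probe
# never blocks waiting for entropy the way /dev/random can.
probe_chroot_urandom() {
    node="${1%/}/dev/urandom"
    [ -c "$node" ] || return 1
    n=$(head -c 32 "$node" 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Usage (constructed example): run before restarting nsd with a chroot.
# A missing node is created as root with the Linux device numbers, e.g.
#   mknod -m 444 "$CHROOT/dev/urandom" c 1 9
#   mknod -m 444 "$CHROOT/dev/random"  c 1 8
if [ -n "${1:-}" ]; then
    check_chroot_entropy "$1" && probe_chroot_urandom "$1" && echo "ok: $1"
fi
```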
