[nsd-users] nsd-control SSL problems (UNCLASSIFIED)
Kash, Howard M CIV (US)
howard.m.kash.civ at mail.mil
Tue Nov 26 13:53:32 UTC 2013
Classification: UNCLASSIFIED
Caveats: NONE
This does seem to be the issue. No errors about entropy/seeding, but
creating a /dev/urandom device inside the chroot jail seems to fix it.
Linking nsd (nsd-control doesn't matter) with OpenSSL 1.0.1e also works, even
without the urandom device.
Howard
-----Original Message-----
From: W.C.A. Wijngaards [mailto:wouter at nlnetlabs.nl]
Sent: Tuesday, November 26, 2013 8:26 AM
To: Kash, Howard M CIV (US)
Cc: nsd-users at NLnetLabs.nl
Subject: Re: [nsd-users] nsd-control SSL problems (UNCLASSIFIED)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Howard,
The call that fails is SSL_do_handshake (returned failure and
SSL_Error is the printed error).
Other search hits say that 'random generator not sufficiently seeded'
could be the issue. Does it print "warning: no entropy, seeding
openssl PRNG with time"? This is openssl's FAQ entry for getting
randomness: http://www.openssl.org/support/faq.html#USER1
Is the randomness device unavailable because of chroot? I could try
to seed openssl prng before chroot happens...
Best regards,
Wouter
On 11/26/2013 01:58 PM, Kash, Howard M CIV (US) wrote:
> Classification: UNCLASSIFIED Caveats: NONE
>
>
> I changed the hash to sha1 and have tried various key lengths
> (1024, 512) and keep getting the same error. I will compile
> OpenSSL 1.0.1e and link against that to see if it is really an
> issue with OpenSSL 0.9.8. BTW, I'm using a sha256 TSIG key and
> it's working.
>
>
> Howard
>
>
>
> -----Original Message-----
> From: nsd-users [mailto:nsd-users-bounces at NLnetLabs.nl] On Behalf Of W.C.A. Wijngaards
> Sent: Tuesday, November 26, 2013 4:43 AM
> To: nsd-users at NLnetLabs.nl
> Subject: Re: [nsd-users] nsd-control SSL problems (UNCLASSIFIED)
>
> Hi Howard,
>
> On 11/25/2013 09:17 PM, Kash, Howard M CIV (US) wrote:
>> Classification: UNCLASSIFIED Caveats: NONE
>
>
>> I've installed NSD 4.0 on two RedHat 6, 64-bit systems and four
>> RedHat 5, 32-bit systems. On the two RHEL6 systems nsd-control
>> works fine. On the four RHEL5 systems, nsd-control gives
>> "error: SSL handshake failed". In the log file it says "error:
>> remote control failed ssl crypto error:140B512D:SSL
>> routines:SSL_GET_NEW_SESSION:ssl session id callback failed".
>> I've tried removing the certificates and re-running
>> nsd-control-setup with the same result. All attempts are from
>> localhost. RHEL6 uses OpenSSL 1.0.0, whereas RHEL5 uses 0.9.8e,
>> but the NSD documentation doesn't specify a requirement for a
>> particular version. Any ideas?
>
> At the start of nsd-control-setup (a shell script), the line
> HASH=sha256
>
> change that to HASH=sha1
>
> Then remove the certificates and run the nsd-control-setup script
> again, and you have different certificates. At the start of the
> script you can also change the key length (BITS=xx). I am not sure
> if this will work, but older openssl could not have sha256, I
> believe.
>
> Best regards, Wouter
>
Classification: UNCLASSIFIED
Caveats: NONE
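The fix Howard settled on is a /dev/urandom node inside the NSD chroot so OpenSSL's PRNG can seed itself after chroot(). The script below is an added example, not part of the thread or of NSD: it checks whether a given chroot directory has a usable urandom device and, as root, creates one (Linux character device 1:9). The chroot path is an assumption; NSD's actual path is whatever nsd.conf sets.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an NSD chroot directory
# contains a usable /dev/urandom so OpenSSL's PRNG can seed itself after
# chroot(). The chroot path is an assumption; NSD's is set in nsd.conf.

# Return 0 if "$1/dev/urandom" is a character device that actually yields bytes.
chroot_urandom_ok() {
    dev="$1/dev/urandom"
    [ -c "$dev" ] || return 1
    # Read 16 bytes: an unreadable or empty node would starve the PRNG just
    # as surely as a missing one.
    n=$(dd if="$dev" bs=16 count=1 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 16 ]
}

# Create the device node (Linux: char major 1, minor 9). Requires root.
chroot_urandom_create() {
    mkdir -p "$1/dev" || return 1
    if [ ! -c "$1/dev/urandom" ]; then
        mknod -m 444 "$1/dev/urandom" c 1 9 || return 1
    fi
    chroot_urandom_ok "$1"
}

# Usage: sh chroot-urandom.sh /var/lib/nsd   (the chroot path is an example)
if [ -n "$1" ]; then
    if chroot_urandom_ok "$1"; then
        echo "ok: $1/dev/urandom is usable"
    else
        echo "missing: $1/dev/urandom; as root run: chroot_urandom_create $1" >&2
        exit 1
    fi
fi
```

If the host's OpenSSL is new enough to seed without the device (as Howard saw with 1.0.1e), the check still does no harm, and a chrooted daemon that later needs randomness for TSIG or TLS will have a source.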