OPENSSL_CONF confuses dig, host, nslookup

Bug #1494869 reported by Dirk
This bug affects 1 person
Affects: bind9 (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Unassigned

Bug Description

Hi,

During the development of my project testssl.sh, users encountered a bug which was tracked down to the awkward situation that if the environment variable OPENSSL_CONF is defined in a certain way, DNS resolution fails.

Steps to reproduce under 14.04 LTS:
--snip
prompt% export OPENSSL_CONF=gost.conf
prompt% cat $OPENSSL_CONF
# testssl config file for openssl

openssl_conf = openssl_def

[ openssl_def ]
engines = engine_section

[ engine_section ]
gost = gost_section

[ gost_section ]
engine_id = gost
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet

prompt% host -t a testssl.sh
GOST engine already loaded
11-Sep-2015 18:30:58.591 ENGINE_by_id failed (crypto failure)
11-Sep-2015 18:30:58.591 error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=gost
prompt%
--snap

Similar with nslookup or dig. See also https://github.com/drwetter/testssl.sh/issues/134.

Cheers, Dirk
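
A defensive workaround for the failure reported above, as an added example that is not part of the original report, bind9 or testssl.sh: it lists the engines an OPENSSL_CONF file requests and runs a DNS client with the variable removed from the child's environment only. The function names are hypothetical, and `sh -c` stands in for `host` so the demo runs offline.

```shell
# Added example; function names are hypothetical, not part of bind9 or testssl.sh.

# Print the engine ids an OpenSSL config file asks libcrypto to load, following
# openssl_conf -> [section] engines -> [section] name = [section] engine_id.
openssl_conf_engines() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*(#|$)/ { next }                        # comments, blank lines
        /^[ \t]*\[/ {                                  # [ section ] header
            s = $0; gsub(/[ \t]/, "", s)
            sect = substr(s, 2, length(s) - 2); next
        }
        {
            i = index($0, "="); if (i == 0) next
            k = trim(substr($0, 1, i - 1)); v = trim(substr($0, i + 1))
            val[sect, k] = v; keys[sect, ++n[sect]] = k
        }
        END {
            top = val["", "openssl_conf"]; if (top == "") exit
            eng = val[top, "engines"];     if (eng == "") exit
            for (j = 1; j <= n[eng]; j++) {
                id = val[val[eng, keys[eng, j]], "engine_id"]
                if (id == "") id = keys[eng, j]        # key name is the default id
                print id
            }
        }' "$1"
}

# Run a command with OPENSSL_CONF removed from the child environment only.
without_openssl_conf() {
    ( unset OPENSSL_CONF; "$@" )
}

# Wrapper for host/dig/nslookup: note any configured engines, then run isolated.
safe_dns() {
    if [ -n "${OPENSSL_CONF:-}" ] && [ -r "$OPENSSL_CONF" ]; then
        _engs=$(openssl_conf_engines "$OPENSSL_CONF" | tr '\n' ' ')
        if [ -n "$_engs" ]; then
            echo "OPENSSL_CONF requests engine(s): ${_engs}(unset for $1)" >&2
        fi
    fi
    without_openssl_conf "$@"
}

# Demo: engine chain from the report in a constructed temp file; sh stands in for host.
conf=$(mktemp)
printf '%s\n' 'openssl_conf = openssl_def' '[ openssl_def ]' 'engines = engine_section' \
    '[ engine_section ]' 'gost = gost_section' '[ gost_section ]' 'engine_id = gost' >"$conf"
( OPENSSL_CONF=$conf; export OPENSSL_CONF
  safe_dns sh -c 'echo "child sees OPENSSL_CONF=${OPENSSL_CONF-<unset>}"' )
rm -f "$conf"
```

In a script, `safe_dns host -t a testssl.sh` leaves the caller's OPENSSL_CONF in place for later `openssl` invocations.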

Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1494869/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
Dirk (diru) wrote :

(it also affects bind9-host). My humble guess though is a library is the culprit.

affects: ubuntu → bind9 (Ubuntu)
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. I appreciate the quality of this bug report and I'm sure it'll be helpful to others experiencing the same issue.

This sounds like an upstream bug to me. Please can you verify this by building directly from the appropriate latest upstream sources? If this can be confirmed as an upstream bug, the best route to getting it fixed in Ubuntu in this case would be to file an upstream bug if you're able to do that. Otherwise, I'm not sure what we can do directly in Ubuntu to fix the problem.

If you do end up filing an upstream bug, please link to it from here. Thanks!

tags: added: needs-upstream-report
Robie Basak (racb) wrote :

Importance -> Low since I presume that "the environment variable OPENSSL_CONF is defined in a certain way" applies to only a minority of users.

Changed in bind9 (Ubuntu):
importance: Undecided → Low
Dirk (diru) wrote :

Thx for ACK'ing!

It's not happening in 15.10 as reported in https://github.com/drwetter/testssl.sh/issues/134.

I filed this bug with Debian too (not visible yet). Due to limited time however I won't be able to check whether it's in the vanilla sources or someplace else, sorry!

Simon Déziel (sdeziel) wrote :

@Dirk, thanks for making the awesome testssl.sh tool!

I think it's time to close this bug because as you said in the previous comment, 15.10+ is not affected. Also, 14.04 is out of regular support.

FYI, OpenSSL 1.1.0 dropped support for GOST and engines are now deprecated (https://github.com/openssl/openssl/blob/master/README-ENGINES.md).

Changed in bind9 (Ubuntu):
status: New → Fix Released