I've installed NSD 4.0 on two RedHat 6, 64-bit systems and four RedHat 5, 32-bit systems. On the two RHEL6 systems nsd-control works fine. On the four RHEL5 systems, nsd-control gives "error: SSL handshake failed". In the log file it says "error: remote control failed ssl crypto error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed". I've tried removing the certificates and re-running nsd-control-setup with the same result. All attempts are from localhost. RHEL6 uses OpenSSL 1.0.0, whereas RHEL5 uses 0.9.8e, but the NSD documentation doesn't specify a requirement for a particular version. Any ideas?
At the start of nsd-control-setup (a shell script), change the line
HASH=sha256
to
HASH=sha1
Then remove the certificates and run the nsd-control-setup script
again, and you have different certificates. At the start of the
script you can also change the key length (BITS=xx). I am not sure if
this will work, but older openssl could not have sha256, I believe.
I changed the hash to sha1 and have tried various key lengths (1024, 512)
and keep getting the same error. I will compile OpenSSL 1.0.1e and link
against that to see if it is really an issue with OpenSSL 0.9.8. BTW, I'm
using a sha256 TSIG key and it's working.
The call that fails is SSL_do_handshake (returned failure and
SSL_Error is the printed error).
Other search hits say that 'random generator not sufficiently seeded'
could be the issue. Does it print "warning: no entropy, seeding
openssl PRNG with time"? This is openssl's FAQ entry for getting
randomness: http://www.openssl.org/support/faq.html#USER1
Is the randomness device unavailable because of chroot? I could try
to seed openssl prng before chroot happens...
This does seem to be the issue. No errors about entropy/seeding, but
creating a dev/urandom device inside the chroot jail seems to fix it.
Linking nsd (nsd-control doesn't matter) with OpenSSL 1.0.1e also works even
without the urandom device.
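The fix the thread arrives at (a missing randomness device inside the NSD chroot, so OpenSSL's PRNG cannot be seeded and the remote-control handshake fails) can be checked and applied with a small script. This is an added example, not code from the thread or from the NSD project; the chroot path /var/lib/nsd is a placeholder for the "chroot:" value in nsd.conf, and it assumes Linux, where /dev/urandom is character device major 1, minor 9.

```shell
#!/bin/sh
# Verify that an NSD chroot jail contains a usable /dev/urandom node,
# and create it if it is missing. Creating the node requires root.

# Return 0 if "$1/dev/urandom" exists and is a character device, else 1.
# A regular file of that name does not count: OpenSSL would read it,
# but it would not supply any entropy.
chroot_has_urandom() {
    [ -c "$1/dev/urandom" ]
}

# Create the node inside the jail (assumed Linux: urandom is char 1,9).
chroot_make_urandom() {
    jail="$1"
    mkdir -p "$jail/dev" || return 1
    mknod -m 0666 "$jail/dev/urandom" c 1 9
}

# Check the jail; create the device only when it is absent.
# Returns 0 when the jail ends up with a usable node, 1 otherwise.
ensure_chroot_urandom() {
    jail="$1"
    if chroot_has_urandom "$jail"; then
        echo "ok: $jail/dev/urandom is present"
        return 0
    fi
    echo "missing: creating $jail/dev/urandom"
    chroot_make_urandom "$jail" && chroot_has_urandom "$jail"
}

# Placeholder chroot path; replace with the "chroot:" value from nsd.conf.
NSD_CHROOT="${NSD_CHROOT:-/var/lib/nsd}"

# Only run the check when invoked directly, not when sourced for testing.
if [ "${0##*/}" = "ensure_chroot_urandom.sh" ]; then
    ensure_chroot_urandom "$NSD_CHROOT"
fi
```

Run it as root once after setting up the jail; if NSD was built against a newer OpenSSL the node is not strictly required, as the last message in the thread notes, but the check is harmless either way.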