Bug 1263 - --disable-ecdh option patch for Solaris11.3(after Dec 2016)
Product: unbound
Classification: Unclassified
Component: server
Hardware: Sun other
Importance: P5 minor
Assigned To: unbound team
Depends on:
Reported: 2017-05-07 10:16 CEST by Kunitaka Namba
Modified: 2017-05-08 09:05 CEST (History)

See Also:

disable-ecdh_option.patch (937 bytes, text/plain)
2017-05-07 10:16 CEST, Kunitaka Namba

Description Kunitaka Namba 2017-05-07 10:16:25 CEST
Created attachment 396

Solaris 11.3's openssl patches


Unbound used Solaris 11.3's openssl libs.

# /usr/local/unbound/sbin/unbound
Apr 30 17:51:05 unbound[51454:0] error: Error in SSL_CTX_ecdh_auto, not enabling ECDHE crypto error:00000000:lib(0):func(0):reason(0)

SSL_CTX_ecdh_auto -> ECDHE, but it is not usable because of "-DOPENSSL_NO_ECDH".

Why is ECDHE enabled?

SSL_CTX_ecdh_auto is supported by the new patches.

$ diff /usr/include/openssl/ssl.h /.zfs/snapshot/{Jun_2017_CPU*}/usr/include/openssl/ssl.h | \
grep SSL_CTX | grep ECDH
<         SSL_CTX_ctrl(ctx,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) 

* CPU = Oracle Critical Patch Update

But it is not included in "/usr/bin/openssl".

$ nm /usr/bin/openssl | grep -i CTX | grep -i ECDH | wc -l

I think it is a problem on the Solaris 11.3 side.

This is an ad hoc patch for Solaris 11.3.



$ cp -ip configure configure.org

$ patch configure disable-ecdh_option.patch
patching file configure

$ diff configure configure.org

$ ./configure --prefix=/usr/local/unbound CFLAGS="-I/usr/local/include -m64" \
LDFLAGS="-L/usr/local/lib:/usr/lib/64 -R/usr/local/lib:/usr/lib/64 -m64" \
--enable-event-api --with-libevent --disable-gost --disable-ecdsa --disable-ecdh
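The two manual checks in the report (grep ssl.h for SSL_CTRL_SET_ECDH_AUTO, then nm the library for ECDH symbols) combined into one configure-time probe, added here as an example; it is not the attached patch and not unbound code. It assumes a header path (normally /usr/include/openssl/ssl.h) and a symbol listing produced by nm, matches the same case-insensitive "ECDH" the reporter grepped for, and prints the --disable-ecdh option that the attached patch adds to configure; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the bug report or from unbound.
# Detects the Solaris 11.3 situation: the OpenSSL header advertises
# SSL_CTRL_SET_ECDH_AUTO (so SSL_CTX_set_ecdh_auto compiles) but the
# library was built with -DOPENSSL_NO_ECDH (so SSL_CTX_ctrl fails at
# runtime with an empty error queue).  Assumptions: HEADER is ssl.h and
# SYMLIST is the text output of `nm` on libssl or the openssl binary.

# ecdh_classify HEADER SYMLIST
#   prints one of:
#     ecdh-ok       header defines SSL_CTRL_SET_ECDH_AUTO and ECDH symbols exist
#     header-only   header defines it but no ECDH symbol is exported
#                   (the reporter's case)
#     no-ecdh       header does not define SSL_CTRL_SET_ECDH_AUTO at all
ecdh_classify() {
    header=$1
    symlist=$2
    if ! grep -q 'SSL_CTRL_SET_ECDH_AUTO' "$header"; then
        echo no-ecdh
        return 0
    fi
    # Same pattern the reporter used: any symbol mentioning ECDH, any case.
    if grep -qi 'ECDH' "$symlist"; then
        echo ecdh-ok
    else
        echo header-only
    fi
}

# configure_flags HEADER SYMLIST
#   prints the extra ./configure option to pass (empty when ECDH is usable).
#   --disable-ecdh is the option the attached configure patch introduces,
#   not a stock unbound option at the time of the report.
configure_flags() {
    case $(ecdh_classify "$1" "$2") in
        ecdh-ok)     echo "" ;;
        header-only) echo "--disable-ecdh" ;;
        no-ecdh)     echo "--disable-ecdh" ;;
    esac
}

# probe_installed HEADER LIBSSL
#   convenience wrapper for a real system: lists the shared library's
#   dynamic symbols with nm -D and classifies them.
probe_installed() {
    tmp=$(mktemp) || return 1
    nm -D "$2" > "$tmp" 2>/dev/null
    configure_flags "$1" "$tmp"
    rm -f "$tmp"
}
```

On a real host you would run `probe_installed /usr/include/openssl/ssl.h /usr/lib/64/libssl.so` and append whatever it prints to the configure line; an empty result means the header and library agree and ECDH can stay enabled.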
Comment 1 Wouter Wijngaards 2017-05-08 09:05:20 CEST
Hi Kunitaka Namba,

We already had a report that ECDH does not work when ECC is not enabled in the openssl library.  So the current code repository version of unbound already has a fix, that only enables the ECDH when both SHA256 and ECDSA are available.  It looks like this could also, already, fix your problem, because you are disabling ECDSA already, and that would then also disable the ECDH call.

The code fix was this, and is also in the code repository.  Can you see if the latest code repository is fixed?  ((If not I'd be happy to include your patch, by the way))

Index: daemon/remote.c
--- daemon/remote.c	(revision 4136)
+++ daemon/remote.c	(revision 4137)
@@ -260,7 +260,7 @@
 		return NULL;
+#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
 	/* if we have sha256, set the cipher list to have no known vulns */
 		log_crypto_err("coult not set cipher list with SSL_CTX_set_cipher_list");
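Review bot: the new guard on the `+#if` line keys the ECDH setup to USE_ECDSA, an unbound build option, rather than to whether the OpenSSL library itself was built with ECDH; the reporter's library was built with -DOPENSSL_NO_ECDH while its ssl.h still defines SSL_CTX_set_ecdh_auto, so the call compiles and then fails at runtime with an empty error queue, and a user who keeps ECDSA enabled would still hit that. Suggest extending the condition to `#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA) && !defined(OPENSSL_NO_ECDH)` so it follows the library's own configuration. Nit: the context line's log string reads "coult not set cipher list".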

Best regards, Wouter