On Fri Mar 18 00:06:19 2016, lamont@mmjgroup.com wrote:
> Because openssl init may load additional libraries, it should be done
> before the chroot.

=> there are many (better) things to try:

- first, simply install OpenSSL correctly in the chroot'ed environment, together with its dependencies. I know it is hard to get everything which can be needed into a chroot. Today a virtual machine or a container provides better isolation...

- second, it is a good idea to build OpenSSL with static (i.e., statically linked) engines (cf. win32utils/build.txt). Unfortunately the OpenSSL Configure binds this feature to the shared/static library switch on Linux.

- third, you can simply configure bind without the GOST support (i.e., --without-gost), as GOST is used only in Russia for a few zones (according to http://secspider.verisignlabs.com/stats.html there are 90 GOST keys in the whole DNS).

- finally, there is a new bind --enable-late-chroot configure option being considered (ticket #40655). It solves another problem (interface discovery at startup, which requires a /proc/net in the chroot'ed environment) but should work well for you.

Note the last point shows it is a better idea to move the chroot() call later than to move the crypto init itself.
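The first suggestion above (put the library and everything it pulls in inside the chroot) is the part people usually get wrong, because a dlopen()'d engine such as GOST only fails at runtime, after chroot(). The script below is an added example, not part of this ticket or of BIND or OpenSSL: it copies a binary and every shared object the dynamic loader resolves for it into a chroot directory, preserving paths, and offers a check for anything still missing. The function names (populate_chroot, missing_in_root) are hypothetical, and the script assumes a Linux-style ldd is present; a library that the program loads later with dlopen() (an OpenSSL engine, for instance) does not appear in ldd output and must be added explicitly.

```shell
#!/bin/sh
# Added example: stage a binary plus its shared-library dependencies into a
# chroot directory, so the program can be started after chroot(ROOT).
set -eu

# copy_into_root ROOT PATH: copy PATH to ROOT/PATH, creating parent directories.
copy_into_root() {
    root=$1
    src=$2
    dest="$root$src"
    mkdir -p "$(dirname "$dest")"
    # -L follows symlinks (e.g. /bin/sh -> dash) so the real file lands in the chroot.
    cp -L "$src" "$dest"
}

# resolved_libs BINARY: print the absolute paths ldd resolves for BINARY, one per line.
# ldd runs the dynamic loader on its argument: only use it on trusted binaries.
# Libraries loaded later via dlopen() (OpenSSL engines) are NOT listed here.
resolved_libs() {
    ldd "$1" 2>/dev/null | awk '
        /=>/ && $3 ~ /^\// { print $3 }   # libc.so.6 => /lib/.../libc.so.6 (0x...)
        $1 ~ /^\//         { print $1 }   # /lib64/ld-linux-x86-64.so.2 (0x...)
    ' | sort -u
}

# populate_chroot ROOT BINARY...: copy each BINARY and its resolved libraries into ROOT.
populate_chroot() {
    root=$1
    shift
    for bin in "$@"; do
        copy_into_root "$root" "$bin"
        resolved_libs "$bin" | while read -r lib; do
            copy_into_root "$root" "$lib"
        done
    done
}

# missing_in_root ROOT BINARY: print every resolved library that is absent from ROOT.
# Empty output means the loader will find everything it needs after chroot(ROOT).
missing_in_root() {
    root=$1
    bin=$2
    resolved_libs "$bin" | while read -r lib; do
        [ -e "$root$lib" ] || echo "$lib"
    done
}

# Usage (hypothetical paths): populate_chroot /var/named/chroot /usr/sbin/named
#                             missing_in_root /var/named/chroot /usr/sbin/named
```

Run missing_in_root before switching the service to the chroot; anything it prints, plus any engine or plugin directory the program opens on its own, still has to be copied in by hand.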