MIME-Version: 1.0
In-Reply-To: <20160318000613.GA19060@mix.mmjgroup.com>
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Disposition: inline
X-RT-Interface: Web
References: <20160318000613.GA19060@mix.mmjgroup.com>
Content-Type: text/plain; charset="utf-8"
Message-ID:
Content-Transfer-Encoding: binary
X-RT-Original-Encoding: utf-8
RT-Send-CC:
X-RT-Encrypt: 0
X-RT-Sign: 0
Content-Length: 1282

On Fri Mar 18 00:06:19 2016, lamont@mmjgroup.com wrote:
> Because openssl init may load additional libraries, it should be done
> before the chroot.

=> there are many (better) things to try:

- first, simply install OpenSSL correctly in the chroot'ed environment, together with its dependencies. I know it is hard to get everything which can be needed in a chroot. Today a virtual machine or a container provides a better isolation...

- second, it is a good idea to build OpenSSL with static (i.e., statically linked) engines (cf. win32utils/build.txt). Unfortunately the OpenSSL Configure bound this feature to the shared/static library switch on Linux.

- third, you can simply configure bind without the GOST support (i.e., --without-gost) as GOST is used only in Russia for a few zones (according to http://secspider.verisignlabs.com/stats.html there are 90 GOST keys in the whole DNS).

- finally, there is a new bind --enable-late-chroot configure option being considered (ticket #40655). It solves another problem (interface discovery at startup, which requires a /proc/net in the chroot'ed environment) but should work well for you.

Note the last point shows it is a better idea to move the chroot() call later than to move the crypto init itself.
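The first option in the reply above, populating the chroot with OpenSSL and everything it depends on, is easy to get wrong silently: a library that is missing below the new root is only discovered when the loader fails after chroot(). The script below is an added example, not code from the ticket, from BIND or from OpenSSL. It lists the shared objects a binary needs (from ldd output) and reports which of them are absent at the same path under a chroot directory. Objects pulled in later with dlopen(3), such as OpenSSL engine modules, never appear in ldd output, so their paths have to be fed in separately; the paths in the usage comment (/usr/sbin/named, /var/named/chroot, an engines directory) are assumptions to adjust for the host.

```shell
#!/bin/sh
# Added example (not from the ticket, BIND or OpenSSL): report shared objects
# that a program needs but that are missing from a chroot tree, so the tree
# can be completed before the daemon calls chroot().

# missing_in_chroot CHROOT_DIR
#   Reads absolute library paths, one per line, on stdin and prints each one
#   that does not exist at the same path below CHROOT_DIR.  After chroot()
#   the dynamic loader resolves paths relative to the new root, so this is
#   exactly where the loader will look.  Entries that are not absolute paths
#   (vDSO, blank lines, "not found") are ignored.
missing_in_chroot() {
    chroot_dir=${1%/}                    # drop one trailing slash
    while IFS= read -r lib; do
        case $lib in
            /*) [ -e "$chroot_dir$lib" ] || printf '%s\n' "$lib" ;;
            *)  ;;
        esac
    done
    return 0                             # the printed list is the report
}

# needed_libs BINARY
#   Extracts absolute library paths from ldd(1) output: both the resolved
#   "name => /path" entries and the bare "/path" entry for the loader.
#   Modules opened with dlopen(3) at run time (e.g. OpenSSL engines) are not
#   visible here; list them explicitly as in the usage below.
needed_libs() {
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }
                                $1 ~ /^\//                 { print $1 }'
}

# Usage (assumed paths; engines directory from "openssl version -e"):
#   needed_libs /usr/sbin/named | missing_in_chroot /var/named/chroot
#   printf '%s\n' /usr/lib/ssl/engines/libgost.so | missing_in_chroot /var/named/chroot
```

An empty report means every listed object is present under the chroot; anything printed is a path to copy (or bind-mount) into the tree, or a reason to prefer a statically linked engine or a late chroot as the reply suggests.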