From: "Mukund Sivaraman"
To: "Francis Dupont via RT"
Subject: Re: [ISC-Bugs #46764] check MD5 and SHA1 support at startup
Date: Sun, 24 Dec 2017 19:59:07 +0530
Message-ID: <20171224142907.GA18663@jurassic>

On Sun, Dec 24, 2017 at 02:21:58PM +0000, Francis Dupont via RT wrote:
> BTW on Fedora 27 with OPENSSL_FORCE_FIPS_MODE set to 1
> in the environment (easier than to boot in FIPS mode):
>
> ./named -g -c /dev/null
> 24-Dec-2017 15:17:29.432 starting BIND 9.12.0rc1
> 24-Dec-2017 15:17:29.432 running on Linux x86_64 4.14.7-300.fc27.x86_64 #1 SMP Mon Dec 18 16:06:12 UTC 2017
> 24-Dec-2017 15:17:29.432 built with '--enable-full-report' '--enable-developer'
> 24-Dec-2017 15:17:29.432 running as: named -g -c /dev/null
> 24-Dec-2017 15:17:29.432 ----------------------------------------------------
> 24-Dec-2017 15:17:29.432 BIND 9 is maintained by Internet Systems Consortium,
> 24-Dec-2017 15:17:29.432 Inc. (ISC), a non-profit 501(c)(3) public-benefit
> 24-Dec-2017 15:17:29.432 corporation. Support and training for BIND 9 are
> 24-Dec-2017 15:17:29.432 available at https://www.isc.org/support
> 24-Dec-2017 15:17:29.432 ----------------------------------------------------
> 24-Dec-2017 15:17:29.432 found 2 CPUs, using 2 worker threads
> 24-Dec-2017 15:17:29.432 using 1 UDP listener per interface
> 24-Dec-2017 15:17:29.432 using up to 4096 sockets
> 24-Dec-2017 15:17:29.433 md5.c:58: fatal error:
> 24-Dec-2017 15:17:29.433 RUNTIME_CHECK(EVP_DigestInit(ctx->ctx, EVP_md5()) == 1) failed
> 24-Dec-2017 15:17:29.433 exiting (due to fatal error in library)
> Abort (core dumped)

I recommend printing a more user-friendly message than the above when
EVP_md5() cannot be used, i.e., print an explanation message rather than
using RUNTIME_CHECK().

		Mukund
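
The startup check suggested in the message above, as an added example that is not part of the original e-mail and is not BIND's code: each digest is probed once and a failure is logged with an explanation instead of tripping an assertion. The names `digest_check`, `startup_checks`, `check_digests`, `probe_md5` and `probe_sha1`, the message wording, and the clean exit in `main` are assumptions; without `-DUSE_OPENSSL` the probes are constructed stand-ins that behave like a library refusing MD5.

```c
/* Added example: probe digests at startup and report instead of aborting.
 * Real probes: build with -DUSE_OPENSSL -lcrypto (OpenSSL >= 1.1.0 assumed). */
#include <stdio.h>
#include <stddef.h>
#ifdef USE_OPENSSL
#include <openssl/evp.h>
/* Return 1 if the library lets us initialise this digest, else 0. */
static int evp_usable(const EVP_MD *md) {
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    int ok = (ctx != NULL && md != NULL &&
              EVP_DigestInit_ex(ctx, md, NULL) == 1);
    EVP_MD_CTX_free(ctx);               /* safe on NULL */
    return ok;
}
static int probe_md5(void)  { return evp_usable(EVP_md5()); }
static int probe_sha1(void) { return evp_usable(EVP_sha1()); }
#else
/* Constructed stand-ins: act like a FIPS-mode library that refuses MD5. */
static int probe_md5(void)  { return 0; }
static int probe_sha1(void) { return 1; }
#endif

struct digest_check { const char *name; int (*probe)(void); }; /* hypothetical */

static const struct digest_check startup_checks[] = {
    { "MD5", probe_md5 }, { "SHA1", probe_sha1 },
};
#define N_CHECKS (sizeof(startup_checks) / sizeof(startup_checks[0]))

/* Probe every digest once. Each failure is logged with an explanation and
 * recorded in the returned bitmask (bit i set = startup_checks[i] unusable). */
unsigned check_digests(FILE *log) {
    unsigned unusable = 0;
    for (size_t i = 0; i < N_CHECKS; i++) {
        if (startup_checks[i].probe() != 1) {
            unusable |= 1u << i;
            fprintf(log, "%s is not available from the crypto library "
                         "(FIPS mode enabled?)\n", startup_checks[i].name);
        }
    }
    return unusable;
}

int main(void) {
    if (check_digests(stderr) != 0) {
        fprintf(stderr, "exiting: required digest(s) unavailable\n");
        return 1;                       /* clean exit, no abort() or core dump */
    }
    return 0;
}
```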