From rickard at opendnssec.org  Thu Dec 10 14:00:06 2015
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Thu, 10 Dec 2015 15:00:06 +0100
Subject: [Opendnssec-develop] Build getting killed on Jenkins
Message-ID:

Hi

My build was killed on freebsd9 and freebsd10. Is the Jenkins build taking too long or is there another issue?

// Rickard

From rick at openfortress.nl  Fri Dec 11 11:58:45 2015
From: rick at openfortress.nl (Rick van Rein)
Date: Fri, 11 Dec 2015 12:58:45 +0100
Subject: [Opendnssec-develop] A big thank you for SoftHSM
Message-ID: <566ABA75.4020908@openfortress.nl>

Hi all,

I want to post a big Thank You to the OpenDNSSEC project for not just developing a great DNSSEC signer, but also creating an open source PKCS #11 implementation that goes well beyond the needs for DNSSEC and instead tries to be a general implementation.

This software has helped to innovate things, because it is so easy to try things out! Just to give a few examples that I could publish and let other people try without requiring hardware and drivers:

* https://github.com/arpa2/tlspool -- A TLS implementation in a separate daemon, with credentials stored behind PKCS #11
* https://github.com/arpa2/kerberos-pkcs11 -- A quick demo that current-day Kerberos crypto can be protected by PKCS #11
* https://github.com/arpa2/srp-pkcs11 -- Secure Remote Passwords with a modified client-side formalism that protects the "password" through PKCS #11

In addition, I am pleased with the continued, thorough bugfixing support. Thank you very much!

Rick van Rein
OpenFortress.nl / ARPA2.net

From rickard at opendnssec.org  Sun Dec 13 19:30:10 2015
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Sun, 13 Dec 2015 20:30:10 +0100
Subject: [Opendnssec-develop] A big thank you for SoftHSM
In-Reply-To: <566ABA75.4020908@openfortress.nl>
References: <566ABA75.4020908@openfortress.nl>
Message-ID:

On Fri, Dec 11, 2015 at 12:58 PM, Rick van Rein wrote:

> In addition, I am pleased with the continued, thorough bugfixing
> support. Thank you very much!
>

I am glad to hear that you are satisfied with SoftHSM!

// Rickard

From yuri at nlnetlabs.nl  Mon Dec 14 09:38:27 2015
From: yuri at nlnetlabs.nl (Yuri Schaeffer)
Date: Mon, 14 Dec 2015 10:38:27 +0100
Subject: [Opendnssec-develop] Library (un)link issues.
Message-ID: <566E8E13.5070602@nlnetlabs.nl>

Hi all,

We've had a report[0] with duplicate[1] where "ods-ksmutil key list --verbose" segfaults.

#0 0x00007ffff50a7c80 in ?? ()
#1 0x00007ffff5e39252 in CRYPTO_THREADID_current () from /usr/lib64/libcrypto.so.1.0.0
#2 0x00007ffff5dc8648 in ERR_remove_thread_state () from /usr/lib64/libcrypto.so.1.0.0
#3 0x00007ffff75089bc in vio_end () from /usr/lib64/libmysqlclient.so.18
#4 0x00007ffff74d1d26 in mysql_server_end () from /usr/lib64/libmysqlclient.so.18
#5 0x0000000000424f7d in DbDisconnect ()
#6 0x0000000000407c71 in cmd_exportkeys ()
#7 0x000000000040d339 in main ()

Switching the two lines (i.e. hsm_close() last) resolves the issue.

enforcer/utils/ksmutil.c: (in cmd_exportkeys())
1837 hsm_close();
1838 DbDisconnect(dbhandle);

What I suspect is that both libmysqlclient and softhsm link against OpenSSL on the user's system and double closing/unlinking of OpenSSL gives this problem. When the lines are swapped it works more or less by luck? Or maybe because mysql developers know about similar issues?

In any case I don't know enough about this matter to make a meaningful statement about which of the involved software should be fixed. Looking for your 2 cents!

//Yuri

[0] https://issues.opendnssec.org/browse/SUPPORT-183
[1] https://issues.opendnssec.org/browse/SUPPORT-184
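
The teardown-order dependence suspected in the last message, as an added example that is not part of the thread and not OpenDNSSEC, SoftHSM or MySQL code. It is a constructed model, not a diagnosis of SUPPORT-183: all names are hypothetical, and it assumes the DB side touches the shared library's state during its own shutdown while the HSM side only tears that state down.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model: "shared" stands in for a library that two independent
 * consumers both initialise and tear down (the role OpenSSL plays above). */
static int *shared_state;   /* NULL once torn down */
static int  shared_users;   /* used only by the ref-counted variant */
static int  faults;         /* accesses that would have hit freed state */

static void shared_init(int refcounted) {
    if (refcounted && shared_users++ > 0) return;   /* already initialised */
    if (!shared_state) shared_state = calloc(1, sizeof *shared_state);
}

static void shared_touch(void) {    /* e.g. a per-thread cleanup call */
    if (shared_state) ++*shared_state; else ++faults;
}

static void shared_cleanup(int refcounted) {
    if (refcounted && --shared_users > 0) return;   /* someone still uses it */
    free(shared_state);
    shared_state = NULL;
}

/* Hypothetical consumers: the HSM side only tears down; the DB side touches
 * shared state while shutting down, then tears down. */
static void hsm_close_model(int rc)     { shared_cleanup(rc); }
static void db_disconnect_model(int rc) { shared_touch(); shared_cleanup(rc); }

/* Number of faulting accesses for a given teardown order and cleanup policy. */
int teardown_faults(int hsm_first, int refcounted) {
    faults = 0;
    shared_users = 0;
    shared_init(refcounted);    /* DB client initialises the library */
    shared_init(refcounted);    /* HSM module initialises it again   */
    if (hsm_first) { hsm_close_model(refcounted); db_disconnect_model(refcounted); }
    else           { db_disconnect_model(refcounted); hsm_close_model(refcounted); }
    return faults;
}

int main(void) {
    printf("naive, hsm_close first:       %d fault(s)\n", teardown_faults(1, 0));
    printf("naive, DbDisconnect first:    %d fault(s)\n", teardown_faults(0, 0));
    printf("refcounted, hsm_close first:  %d fault(s)\n", teardown_faults(1, 1));
    printf("refcounted, DbDisconnect 1st: %d fault(s)\n", teardown_faults(0, 1));
    return 0;
}
```

In the naive variant the swapped order only works because the consumer that still needs the state happens to run first; the reference-counted variant is safe in either order.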