9.17.21 RUNTIME_CHECK(csock->tls.tls != ((void *)0)) failed

sthaug at nethelp.no sthaug at nethelp.no
Mon Jan 24 11:54:53 UTC 2022


(Also sending to bind-users as bind-workers is scheduled to be shut down.)

>>> If I start named, then (without changing named.conf) do "rndc reconfig"
>>> and then send named a DoT query (dig +tls or kdig +tls) named dies with
>>> 
>>> Jan 11 13:45:53 dns named[78236]: netmgr/tlsdns.c:1517: fatal error:
>>> Jan 11 13:45:53 dns named[78236]: RUNTIME_CHECK(csock->tls.tls != ((void *)0)) failed
>>> Jan 11 13:45:53 dns named[78236]: exiting (due to fatal error in library)
>>> 
>>> and the following error message appears in the window where I started
>>> named:
>>> 
>>> isc_tls_create:SSL_new(0x803c3f000) -> error:140BA0E4:SSL routines:SSL_new:ssl ctx has no default ssl version
>>> Abort (core dumped)
>> 
>> This smells of:
>> 
>>     https://gitlab.isc.org/isc-projects/bind9/-/issues/3053
>> 
>> which is fixed in the "main" branch, but not in BIND 9.17.21.  Could you
>> please retry with a build from the current "main" branch?
> 
> Thank you for the speedy followup! The description / discussion from
> the 3053 issue does indeed sound like my problem, *and* I can confirm
> that a build from the current "main" branch solves the problem!

Followup: Unfortunately, this didn't solve the whole problem. While
doing the above testing I was running named as root, in order to
generate a core dump. When I'm now testing with named running as
user bind (and then dropping privileges after startup), it seems to
be unable to rebind to port 853 after an "rndc reconfigure". This
is probably expected since 853 is a "privileged" port.

The error messages I'm getting after an "rndc reconfig" are:

Jan 24 12:41:25 dns named[6281]: listening on IPv4 interface lo0, 127.0.0.1#853
Jan 24 12:41:25 dns named[6281]: creating TLS socket: permission denied
Jan 24 12:41:25 dns named[6281]: creating IPv4 interface lo0 failed; interface ignored
Jan 24 12:41:25 dns named[6281]: no longer listening on 193.75.110.2#853
Jan 24 12:41:25 dns named[6281]: listening on IPv4 interface ixl1.15, 193.75.110.2#853
Jan 24 12:41:25 dns named[6281]: creating TLS socket: permission denied
Jan 24 12:41:25 dns named[6281]: creating IPv4 interface ixl1.15 failed; interface ignored

and the named process no longer listens on TCP port 853.

Also tried this on 9.17.22, and the same problem occurs.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
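
Added example, not part of the original message and not ISC code: a small log check that pairs each "listening on" attempt with the "interface ignored" failure that follows it, so a DoT listener lost after "rndc reconfig" is flagged. The regular expressions are derived only from the log lines quoted above; the function names and the below-1024 threshold for "privileged" ports (the usual Unix default) are assumptions.

```python
import re

# Log lines copied from the message above (named after "rndc reconfig").
SAMPLE_LOG = """\
Jan 24 12:41:25 dns named[6281]: listening on IPv4 interface lo0, 127.0.0.1#853
Jan 24 12:41:25 dns named[6281]: creating TLS socket: permission denied
Jan 24 12:41:25 dns named[6281]: creating IPv4 interface lo0 failed; interface ignored
Jan 24 12:41:25 dns named[6281]: no longer listening on 193.75.110.2#853
Jan 24 12:41:25 dns named[6281]: listening on IPv4 interface ixl1.15, 193.75.110.2#853
Jan 24 12:41:25 dns named[6281]: creating TLS socket: permission denied
Jan 24 12:41:25 dns named[6281]: creating IPv4 interface ixl1.15 failed; interface ignored
""".splitlines()

LISTEN = re.compile(r"named\[(\d+)\]: listening on IPv[46] interface (\S+), (\S+)#(\d+)$")
SOCKERR = re.compile(r"named\[(\d+)\]: creating (\S+) socket: (.+)$")
IGNORED = re.compile(r"named\[(\d+)\]: creating IPv[46] interface (\S+) failed; interface ignored$")


def failed_listeners(lines):
    """Return one dict per listen attempt that named reported as failed."""
    pending = {}   # pid -> most recent listen attempt not yet resolved
    failures = []
    for raw in lines:
        line = raw.rstrip()
        if m := LISTEN.search(line):
            pid, iface, addr, port = m.groups()
            pending[pid] = {"iface": iface, "addr": addr, "port": int(port),
                            "transport": None, "reason": None}
        elif (m := SOCKERR.search(line)) and m.group(1) in pending:
            # Socket creation error belongs to the attempt just logged.
            pending[m.group(1)].update(transport=m.group(2), reason=m.group(3))
        elif m := IGNORED.search(line):
            attempt = pending.pop(m.group(1), None)
            if attempt and attempt["iface"] == m.group(2):
                failures.append(attempt)
    return failures


def privileged_port_failures(lines):
    """Failures matching the pattern in the report: low port, permission denied."""
    return [f for f in failed_listeners(lines)
            if f["port"] < 1024 and f["reason"] == "permission denied"]


if __name__ == "__main__":
    for f in privileged_port_failures(SAMPLE_LOG):
        print(f"{f['transport']} listener lost on {f['iface']} "
              f"{f['addr']}#{f['port']}: {f['reason']}")
```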

