BIND package built with wrong openssl library on 2.7.0
-
The BIND DNS server package on pfsense CE 2.7.0 appears to have been built for openssl 3.0, causing "Shared object "libssl.so.30" not found" errors which prevent BIND from starting. I am running pfsense 2.7.0-RELEASE (haven't upgraded to 2.7.1 yet) but the BIND package appears to have been built for openssl 3.0 instead of 1.1.
BIND fails to start from the GUI. Manually starting it results in:
[2.7.0-RELEASE][rsh@balsa.home.arpa]/home/rsh: service named onestart
install: chown 53:53 /var/run/named: Operation not permitted
ld-elf.so.1: Shared object "libssl.so.30" not found, required by "rndc-confgen"
ld-elf.so.1: Shared object "libssl.so.30" not found, required by "named-checkconf"
The libraries for "named-checkconf" show it has been linked with "libssl.so.30" and "libcrypto.so.30" which are not present:
[2.7.0-RELEASE][rsh@balsa.home.arpa]/home/rsh: ldd /usr/local/sbin/named-checkconf
/usr/local/sbin/named-checkconf:
    libjson-c.so.5 => /usr/local/lib/libjson-c.so.5 (0xc5989c31000)
    libprotobuf-c.so.1 => /usr/local/lib/libprotobuf-c.so.1 (0xc598a8e9000)
    libfstrm.so.0 => /usr/local/lib/libfstrm.so.0 (0xc598b4ca000)
    libssl.so.30 => not found (0)
    libcrypto.so.30 => not found (0)
    libxml2.so.2 => /usr/local/lib/libxml2.so.2 (0xc598ba18000)
    libz.so.6 => /lib/libz.so.6 (0xc598bf71000)
    libuv.so.1 => /usr/local/lib/libuv.so.1 (0xc598c5c5000)
    libexecinfo.so.1 => /usr/lib/libexecinfo.so.1 (0xc598d502000)
    libthr.so.3 => /lib/libthr.so.3 (0xc598e5c3000)
    libc.so.7 => /lib/libc.so.7 (0xc598e6f2000)
    liblzma.so.5 => /usr/lib/liblzma.so.5 (0xc598e350000)
    libm.so.5 => /lib/libm.so.5 (0xc598fdb8000)
    libelf.so.2 => /lib/libelf.so.2 (0xc598ec39000)
    libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xc598f5f5000)
    libmd.so.6 => /lib/libmd.so.6 (0xc599037c000)
    [vdso] (0xc598813e620)
Executable details:
[2.7.0-RELEASE][rsh@balsa.home.arpa]/home/rsh: ls -l /usr/local/sbin/named-checkconf
-r-xr-xr-x 1 root wheel 2734192 Nov 17 15:25 /usr/local/sbin/named-checkconf
It also causes "pkg" to fail, even though that seems to be linked with the correct openssl library version. Here are some details:
[2.7.0-RELEASE][rsh@balsa.home.arpa]/home/rsh: pkg info
ld-elf.so.1: Shared object "libssl.so.30" not found, required by "pkg"
[2.7.0-RELEASE][rsh@balsa.home.arpa]/home/rsh: ldd `which pkg`
/usr/sbin/pkg:
    libarchive.so.7 => /usr/lib/libarchive.so.7 (0x151327fe7000)
    libfetch.so.6 => /usr/lib/libfetch.so.6 (0x1513274a3000)
    libprivateucl.so.1 => /usr/lib/libprivateucl.so.1 (0x151328ae2000)
    libcrypto.so.111 => /lib/libcrypto.so.111 (0x15132a95e000)
    libssl.so.111 => /usr/lib/libssl.so.111 (0x151329aea000)
    libutil.so.9 => /lib/libutil.so.9 (0x15132c50c000)
    libmd.so.6 => /lib/libmd.so.6 (0x15132b64a000)
    libc.so.7 => /lib/libc.so.7 (0x15132cd03000)
    libz.so.6 => /lib/libz.so.6 (0x15132e2b2000)
    libbz2.so.4 => /usr/lib/libbz2.so.4 (0x15132de9d000)
    liblzma.so.5 => /usr/lib/liblzma.so.5 (0x15132edfe000)
    libbsdxml.so.4 => /lib/libbsdxml.so.4 (0x15132f2bd000)
    libprivatezstd.so.5 => /usr/lib/libprivatezstd.so.5 (0x1513301ca000)
    libm.so.5 => /lib/libm.so.5 (0x1513308cb000)
    libthr.so.3 => /lib/libthr.so.3 (0x15133104b000)
    [vdso] (0x1513261e0620)
[2.7.0-RELEASE][rsh@balsa.home.arpa]/home/rsh: truss pkg
mmap(0x0,135168,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 10815225339904 (0x9d61daa2000)
mprotect(0x188ceb6ea000,4096,PROT_READ) = 0 (0x0)
issetugid() = 0 (0x0)
sigfastblock(0x1,0x188ceb6ed0a0) = 0 (0x0)
[snip]
open("/lib/libssl.so.30",O_RDONLY|O_CLOEXEC|O_VERIFY,010524047400) ERR#2 'No such file or directory'
open("/usr/lib/libssl.so.30",O_RDONLY|O_CLOEXEC|O_VERIFY,010524047400) ERR#2 'No such file or directory'
ld-elf.so.1: write(2,"ld-elf.so.1: ",13) = 13 (0xd)
Shared object "libssl.so.30" not found, required by "pkg"write(2,"Shared object "libssl.so.30" not"...,57) = 57 (0x39)
write(2,"\n",1) = 1 (0x1)
exit(0x1)
process exit, rval = 1
-
I had the same issue on my router at home which is vanilla FreeBSD.
I upgraded from 13.2->14.0 (same as pfSense 2.6.0 -> 2.7.0 I think) and the Bind 9.11 package wasn't working. Removed and re-installed and still not working.
Installed Bind 9.16 and fixed. I'm guessing that pfSense is still using Bind 9.11 and the package hasn't been upgraded yet.
FreeBSD upgraded OpenSSL from 1.1.1 to 3.0.12 so I'm guessing the base for pfSense inherited this.
-
Manually copying the openssl 3.0 libraries from a pfsense CE 2.7.1 system to /usr/local/lib on the 2.7.0 system fixed the issue for me. This isn't ideal but ISC BIND is working on pfsense CE 2.7.0 now:
[2.7.0-RELEASE][rsh@balsa.home.arpa]/home/rsh: ls -l /usr/local/lib/lib*.so.30
-rw-r--r-- 1 root wheel 4588560 Nov 23 10:00 /usr/local/lib/libcrypto.so.30
-rw-r--r-- 1 root wheel 694560 Nov 23 10:00 /usr/local/lib/libssl.so.30
[2.7.0-RELEASE][rsh@balsa.home.arpa]/home/rsh: ldd /usr/local/sbin/named-checkconf
/usr/local/sbin/named-checkconf:
    libjson-c.so.5 => /usr/local/lib/libjson-c.so.5 (0x2fde82caf000)
    libprotobuf-c.so.1 => /usr/local/lib/libprotobuf-c.so.1 (0x2fde83cbc000)
    libfstrm.so.0 => /usr/local/lib/libfstrm.so.0 (0x2fde84396000)
    libssl.so.30 => /usr/local/lib/libssl.so.30 (0x2fde8579e000)
    libcrypto.so.30 => /usr/local/lib/libcrypto.so.30 (0x2fde861d3000)
    libxml2.so.2 => /usr/local/lib/libxml2.so.2 (0x2fde84451000)
    libz.so.6 => /lib/libz.so.6 (0x2fde84ceb000)
    libuv.so.1 => /usr/local/lib/libuv.so.1 (0x2fde86bbb000)
    libexecinfo.so.1 => /usr/lib/libexecinfo.so.1 (0x2fde8711e000)
    libthr.so.3 => /lib/libthr.so.3 (0x2fde87801000)
    libc.so.7 => /lib/libc.so.7 (0x2fde8849e000)
    liblzma.so.5 => /usr/lib/liblzma.so.5 (0x2fde8931d000)
    libm.so.5 => /lib/libm.so.5 (0x2fde894f9000)
    libelf.so.2 => /lib/libelf.so.2 (0x2fde8a3a7000)
    libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x2fde8be5a000)
    libmd.so.6 => /lib/libmd.so.6 (0x2fde8a578000)
    [vdso] (0x2fde821ab620)
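The ldd check used throughout this thread can be run over whole directories to find every binary with an unresolved library, without relying on pkg (which fails here). This is an added example, not part of any post in the thread: the function names missing_libs, scan_dirs and sample_ldd are hypothetical, and the sample is constructed from abridged ldd output like that shown above.

```shell
#!/bin/sh
# Added example: report shared libraries the runtime linker cannot resolve.

# Read ldd output for one or more binaries on stdin and print one
# "binary<TAB>library" line for every dependency marked "not found".
missing_libs() {
    awk '
        # Header line naming the binary, e.g. "/usr/local/sbin/named-checkconf:"
        /:$/ && $0 !~ /^[ \t]/ { bin = substr($0, 1, length($0) - 1); next }
        # Dependency line, e.g. "libssl.so.30 => not found (0)"
        $2 == "=>" && $3 == "not" && $4 == "found" { printf "%s\t%s\n", bin, $1 }
    '
}

# Run ldd on every executable regular file in the given directories.
# A header is printed explicitly so the parser always knows which binary
# the following lines belong to; a second header from ldd is harmless.
scan_dirs() {
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            printf '%s:\n' "$f"
            ldd "$f" 2>/dev/null
        done
    done | missing_libs
}

# Constructed sample (abridged): one binary with unresolved libraries,
# one binary whose libraries all resolve.
sample_ldd() {
    printf '%s\n' \
        '/usr/local/sbin/named-checkconf:' \
        '    libjson-c.so.5 => /usr/local/lib/libjson-c.so.5 (0xc5989c31000)' \
        '    libssl.so.30 => not found (0)' \
        '    libcrypto.so.30 => not found (0)' \
        '    [vdso] (0xc598813e620)' \
        '/usr/sbin/pkg:' \
        '    libssl.so.111 => /usr/lib/libssl.so.111 (0x151329aea000)' \
        '    libc.so.7 => /lib/libc.so.7 (0x15132cd03000)'
}

# Usage on a live system: scan_dirs /usr/local/sbin /usr/local/bin
# Usage on saved output:  sample_ldd | missing_libs
```

An empty result from scan_dirs means every scanned binary resolves all of its libraries; any line printed names a binary that will fail at start-up the way named-checkconf did.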