Giters

wolfSSL / wolfssl

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!

Home Page:https://www.wolfssl.com

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

[Bug]: [haproxy] blocking when using chroot + wolfssl

wlallemand opened this issue · comments

commented

Contact Details

No response

Version

5.6.6

Description

HAProxy has a "chroot" primitive which is often used by users. With OpenSSL, Rand_Bytes() is called before chroot() so OpenSSL is able to open /dev/urandom and keep the FD. Once HAProxy has done its chroot(), the random is fed from this FD.

With WolfSSL, its seems that wc_GenerateSeed() is not keeping the fd and is closing it each time, which means once chroot'ed, haproxy does not have access anymore to the random source, and every requests are blocking.

It looks like the only way to make this work, is to stop using /dev/urandom and use getrandom(), by building wolfSSL with WOLFSSL_GETRANDOM.

Is there a way to keep to the /dev/urandom open during init and keep using it?

Thanks

Reproduction steps

No response

Relevant log output

https://github.com/wolfSSL/wolfssl/blob/master/wolfcrypt/src/random.c#L3775