wolfssl icon indicating copy to clipboard operation
wolfssl copied to clipboard
verified publisher icon wolfSSL

[Bug]: [haproxy] blocking when using chroot + wolfssl

Open wlallemand opened this issue 1 year ago • 2 comments

Contact Details

No response

Version

5.6.6

Description

HAProxy has a "chroot" primitive which is often used by users. With OpenSSL, Rand_Bytes() is called before chroot() so OpenSSL is able to open /dev/urandom and keep the FD. Once HAProxy has done its chroot(), the random is fed from this FD.

With WolfSSL, its seems that wc_GenerateSeed() is not keeping the fd and is closing it each time, which means once chroot'ed, haproxy does not have access anymore to the random source, and every requests are blocking.

It looks like the only way to make this work, is to stop using /dev/urandom and use getrandom(), by building wolfSSL with WOLFSSL_GETRANDOM.

Is there a way to keep to the /dev/urandom open during init and keep using it?

Thanks

Reproduction steps

No response

Relevant log output

https://github.com/wolfSSL/wolfssl/blob/master/wolfcrypt/src/random.c#L3775

wlallemand avatar Feb 01 '24 14:02 wlallemand

Hello, Any update on this?

wlallemand avatar May 24 '24 13:05 wlallemand

+1 for this. wolfssl is emerging as very good alternative to OpenSSL for http/3 in HAproxy and this problem can be "confusing" for users

cervajs avatar May 24 '24 16:05 cervajs