As reported in trac ticket #646, OpenSSL might also need /dev/urandom to
be available in the chroot. This depends on OS, OS version and ssl library
configuration. Update the manpage to better explain this.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452196364-18786-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10954
Signed-off-by: Gert Doering <gert@greenie.muc.de>
@@ -2139,15 +2139,12 @@ parameter can point to an empty directory, however |
2139 | 2139 |
complications can result when scripts or restarts |
2140 | 2140 |
are executed after the chroot operation. |
2141 | 2141 |
|
2142 |
-Note: if OpenVPN is built using the PolarSSL SSL |
|
2143 |
-library, |
|
2144 |
-.B \-\-chroot |
|
2145 |
-will only work if a /dev/urandom device node is available |
|
2146 |
-inside the chroot directory |
|
2142 |
+Note: The SSL library will probably need /dev/urandom to be available inside |
|
2143 |
+the chroot directory |
|
2147 | 2144 |
.B dir. |
2148 |
-This is due to the way PolarSSL works (it wants to open |
|
2149 |
-/dev/urandom every time randomness is needed, not just once |
|
2150 |
-at startup) and nothing OpenVPN can influence. |
|
2145 |
+This is because SSL libraries occasionally need to collect fresh random. Newer |
|
2146 |
+linux kernels and some BSDs implement a getrandom() or getentropy() syscall |
|
2147 |
+that removes the need for /dev/urandom to be available. |
|
2151 | 2148 |
.\"********************************************************* |
2152 | 2149 |
.TP |
2153 | 2150 |
.B \-\-setcon context |
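Review bot: the sentence added at `+This is because SSL libraries occasionally need to collect fresh random.` is cut short ("fresh random" should read "fresh random data" or "fresh randomness"), and `+linux kernels and some BSDs` should capitalise `Linux` as the rest of the manpage does. On substance, `+that removes the need for /dev/urandom to be available.` suggests that having the syscall in the kernel is enough, but the commit message itself says the requirement depends on the OS version *and* the SSL library configuration; suggest stating that the library must also be built to use getrandom()/getentropy(), and that otherwise the administrator still has to provide a /dev/urandom device node inside the chroot. Consider also keeping the concrete point the removed lines made, that the library may open /dev/urandom every time randomness is needed rather than once at startup, since that is what makes the node necessary after the chroot rather than only during initialisation.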