Update manpage: OpenSSL might also need /dev/urandom inside chroot

As reported in trac ticket #646, OpenSSL might also need /dev/urandom to
be available in the chroot.  This depends on OS, OS version and ssl library
configuration.  Update the manpage to better explain this.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452196364-18786-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10954
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 368bd4c2b082c1daeb2b62ae975a3e6f15c42e75..9760e8b9b03c89510d4aa5c5ac4c042bca9ec99e 100644 (file)
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2139,15 +2139,12 @@ parameter can point to an empty directory, however
 complications can result when scripts or restarts
 are executed after the chroot operation.
 
-Note: if OpenVPN is built using the PolarSSL SSL
-library,
-.B \-\-chroot
-will only work if a /dev/urandom device node is available
-inside the chroot directory
+Note: The SSL library will probably need /dev/urandom to be available inside
+the chroot directory
 .B dir.
-This is due to the way PolarSSL works (it wants to open
-/dev/urandom every time randomness is needed, not just once
-at startup) and nothing OpenVPN can influence.
+This is because SSL libraries occasionally need to collect fresh random.  Newer
+linux kernels and some BSDs implement a getrandom() or getentropy() syscall
+that removes the need for /dev/urandom to be available.
 .\"*********************************************************
 .TP
 .B \-\-setcon context