Update manpage: OpenSSL might also need /dev/urandom inside chroot

As reported in trac ticket #646, OpenSSL might also need /dev/urandom to
be available in the chroot.  This depends on OS, OS version and ssl library
configuration.  Update the manpage to better explain this.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1452196364-18786-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10954
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0609eb477bdcd7b23bd8072f69714592323cab2e)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 25ea9f97cf51b19ea53e330532f64c6e3b31f6d6..f68b1633892c6874c95cd837fa982cbdac05ad30 100644 (file)
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2118,15 +2118,12 @@ parameter can point to an empty directory, however
 complications can result when scripts or restarts
 are executed after the chroot operation.
 
-Note: if OpenVPN is built using the PolarSSL SSL
-library,
-.B \-\-chroot
-will only work if a /dev/urandom device node is available
-inside the chroot directory
+Note: The SSL library will probably need /dev/urandom to be available inside
+the chroot directory
 .B dir.
-This is due to the way PolarSSL works (it wants to open
-/dev/urandom every time randomness is needed, not just once
-at startup) and nothing OpenVPN can influence.
+This is because SSL libraries occasionally need to collect fresh random.  Newer
+linux kernels and some BSDs implement a getrandom() or getentropy() syscall
+that removes the need for /dev/urandom to be available.
 .\"*********************************************************
 .TP
 .B \-\-setcon context