From: Steffan Karger Date: Thu, 7 Jan 2016 19:52:44 +0000 (+0100) Subject: Update manpage: OpenSSL might also need /dev/urandom inside chroot X-Git-Tag: v2.4_alpha1~160 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0609eb477bdcd7b23bd8072f69714592323cab2e;p=thirdparty%2Fopenvpn.git Update manpage: OpenSSL might also need /dev/urandom inside chroot As reported in trac ticket #646, OpenSSL might also need /dev/urandom to be available in the chroot. This depends on OS, OS version and ssl library configuration. Update the manpage to better explain this. Signed-off-by: Steffan Karger Acked-by: Gert Doering Message-Id: <1452196364-18786-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/10954 Signed-off-by: Gert Doering --- diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 368bd4c2b..9760e8b9b 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -2139,15 +2139,12 @@ parameter can point to an empty directory, however complications can result when scripts or restarts are executed after the chroot operation. -Note: if OpenVPN is built using the PolarSSL SSL -library, -.B \-\-chroot -will only work if a /dev/urandom device node is available -inside the chroot directory +Note: The SSL library will probably need /dev/urandom to be available inside +the chroot directory .B dir. -This is due to the way PolarSSL works (it wants to open -/dev/urandom every time randomness is needed, not just once -at startup) and nothing OpenVPN can influence. +This is because SSL libraries occasionally need to collect fresh random. Newer +linux kernels and some BSDs implement a getrandom() or getentropy() syscall +that removes the need for /dev/urandom to be available. .\"********************************************************* .TP .B \-\-setcon context
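Review bot: in the replacement text of this hunk, "This is because SSL libraries occasionally need to collect fresh random." is missing a noun; suggest "fresh random data" (or "fresh entropy"), and "Newer linux kernels" should read "Newer Linux kernels". The closing sentence also says the getrandom() or getentropy() syscall "removes the need for /dev/urandom to be available", which is stronger than the commit message's own caveat that this "depends on OS, OS version and ssl library configuration"; consider "can remove the need for /dev/urandom, if the SSL library is built to use it", so an administrator does not drop the device node from the chroot on the basis of the kernel version alone and then hit a startup or renegotiation failure.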