From 945388590f8244f912850ce87a0fe2003ef36e25 Mon Sep 17 00:00:00 2001 From: Steffan Karger Date: Thu, 7 Jan 2016 20:52:44 +0100 Subject: [PATCH] Update manpage: OpenSSL might also need /dev/urandom inside chroot As reported in trac ticket #646, OpenSSL might also need /dev/urandom to be available in the chroot. This depends on OS, OS version and ssl library configuration. Update the manpage to better explain this. Signed-off-by: Steffan Karger Acked-by: Gert Doering Message-Id: <1452196364-18786-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/10954 Signed-off-by: Gert Doering (cherry picked from commit 0609eb477bdcd7b23bd8072f69714592323cab2e) --- doc/openvpn.8 | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 25ea9f97c..f68b16338 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -2118,15 +2118,12 @@ parameter can point to an empty directory, however complications can result when scripts or restarts are executed after the chroot operation. -Note: if OpenVPN is built using the PolarSSL SSL -library, -.B \-\-chroot -will only work if a /dev/urandom device node is available -inside the chroot directory +Note: The SSL library will probably need /dev/urandom to be available inside +the chroot directory .B dir. -This is due to the way PolarSSL works (it wants to open -/dev/urandom every time randomness is needed, not just once -at startup) and nothing OpenVPN can influence. +This is because SSL libraries occasionally need to collect fresh random. Newer +linux kernels and some BSDs implement a getrandom() or getentropy() syscall +that removes the need for /dev/urandom to be available. .\"********************************************************* .TP .B \-\-setcon context -- 2.47.2
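Review bot: In the replacement paragraph, "fresh random" uses "random" as a noun and "linux" should be capitalised; suggest "fresh random data" (or "fresh randomness") and "Newer Linux kernels". The final sentence also overstates the effect: getrandom()/getentropy() only removes the need for /dev/urandom when the SSL library in use actually calls it, which is what the commit message itself says ("depends on OS, OS version and ssl library configuration"). Something like "Newer Linux kernels and some BSDs implement a getrandom() or getentropy() syscall; if the SSL library uses it, /dev/urandom need not be available inside the chroot" would match the commit message. Finally, the removed lines named PolarSSL specifically while the new text only says "The SSL library will probably need"; since the point of the change is that OpenSSL can be affected too, naming both libraries (e.g. "OpenSSL and PolarSSL may need") would be more useful to an administrator than "probably".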