search

wolfSSL / wolfssl

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
https://www.wolfssl.com
GNU General Public License v2.0
2.31k stars 822 forks source link

[Bug]: [haproxy] blocking when using chroot + wolfssl #7197

Open wlallemand opened 8 months ago

wlallemand commented 8 months ago

Contact Details

No response

Version

5.6.6

Description

HAProxy has a "chroot" primitive which is often used by users. With OpenSSL, Rand_Bytes() is called before chroot() so OpenSSL is able to open /dev/urandom and keep the FD. Once HAProxy has done its chroot(), the random is fed from this FD.

With WolfSSL, its seems that wc_GenerateSeed() is not keeping the fd and is closing it each time, which means once chroot'ed, haproxy does not have access anymore to the random source, and every requests are blocking.

It looks like the only way to make this work, is to stop using /dev/urandom and use getrandom(), by building wolfSSL with WOLFSSL_GETRANDOM.

Is there a way to keep to the /dev/urandom open during init and keep using it?

Thanks

Reproduction steps

No response

Relevant log output

https://github.com/wolfSSL/wolfssl/blob/master/wolfcrypt/src/random.c#L3775
wlallemand commented 4 months ago

Hello, Any update on this?

cervajs commented 4 months ago

+1 for this. wolfssl is emerging as very good alternative to OpenSSL for http/3 in HAproxy and this problem can be "confusing" for users