On Thu, 1 Feb 2024 at 12:08, William Lallemand <wlallem...@haproxy.com> wrote:
>
> That's interesting, however I'm surprised the init does not work before the
> chroot, we are doing a RAND_bytes() with OpenSSL before the chroot to achieve this.

This approach can actually hide chroot issues leading to nasty operational issues like "Haproxy 1.8 with OpenSSL 1.1.1-pre4 stops working after 1 hour" (see [1] and [2]). It's also not unrealistic to cause issues with process management, like FD leaks [3].

Stable OpenSSL on stable OS release branches today uses getrandom() and not /dev/urandom. I think using the filesystem for CRNG is a footgun. At least let us fail fast and immediately if there is an issue with CRNG seeding from chroot. I consider getrandom() a modern and simple solution to all those problems.

> I'll check if we can do something like this instead of needing an explicit
> option, but if that's not possible we will require GETRANDOM in the --enable-haproxy
> build option.

Actually I think wolfssl should add feature detection just like it does with other optional syscalls. But that is not what the suggested wolfssl 5.6.6 release does.

Regards,
Lukas

[1] https://www.mail-archive.com/haproxy@formilux.org/msg29592.html
[2] https://github.com/openssl/openssl/issues/5330
[3] https://github.com/haproxy/haproxy/issues/314