On Fri, Feb 02, 2024 at 05:33:08PM +0000, Lukas Tribus wrote: > Subject: [PATCH] DOC: install: clarify WolfSSL chroot requirements > --- > INSTALL | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > > diff --git a/INSTALL b/INSTALL > index 18eb67f311..8ebf8d298c 100644 > --- a/INSTALL > +++ b/INSTALL > @@ -293,6 +293,18 @@ Please also note that wolfSSL supports many > platform-specific features that may > affect performance, and that for production uses it might be a good idea to > check them using "./configure --help". Please refer to the lib's > documentation. > > +When running wolfSSL in chroot, either mount /dev/[u]random devices into the > +chroot: > + > + $ mkdir -p /path/to/chrootdir/dev/ > + $ mknod -m 444 /path/to/chrootdir/dev/random c 1 8 > + $ mknod -m 444 /path/to/chrootdir/dev/urandom c 1 9 > + > +Or, if your OS supports it, enable the getrandom() syscall by appending the > +following argument to the wolfSSL configure command: > + > + EXTRA_CFLAGS=-DWOLFSSL_GETRANDOM=1 > + > Building HAProxy with wolfSSL requires to specify the API variant on the > "make" > command line, for example: > > -- > 2.17.1 >
Merged, thanks! I also made some tests with RAND_bytes() after chroot() which seems to work so it's kind of difficult to understand what's going on. HAProxy doesn't seem to try opening /dev/urandom once it chroot'ed, and the clients are getting SIGPIPEs. So, I believe some initialization are failing in HAProxy and we are not checking it correctly. It might be interesting to dig that a little bit. -- William Lallemand
