Search code examples
pythonlinuxrandomopensslchroot

openssl inside a chroot

I'm getting the following error when I try to make an ssl connection from inside a chroot jail:

twisted.internet.error.ConnectionLost: Connection to the other side was lost in a non-clean fashion.

I'm using the openssl 0.9.6 with pyopenssl to make the ssl connection and I'm using the twisted python library for python 2.4 on Linux (centos 5.5).

After some troubleshooting I've discovered that openssl is failing because it is trying to read the /dev/random file and it is failing because there is no /dev/random inside the chroot. I've confirmed that if I create a /dev/random file inside the chroot the connection succeeds.

  • I've thought about mounting devfs filesystem which contains the /dev/random file inside my chroot but my app and it's sysadmins have a bad habit of deleting the root of the chroot without unmounting everything first.
  • I've thought about reading from the /dev/random file before I do the chroot but my current setup is to call chroot before my binary is even started, and changing where the chroot happens would be a too big of a change in the app that I'm not sure when or how it could be done.
  • I've thought of running a program outside my chroot jail that just reads from /dev/random and writes into a named file pipe called /jail/dev/random tht is accessible from inside the chroot jail but I don't like having to run a separate process just for having access to a source of randomness. Also it seems overly complicated for just initializing openssl.

What is the right way to initialize openssl if I don't have access to /dev/random from my program?

Solution

  • Perhaps a better way is to bind-mount the device files as follows:

    # touch chroot/dev/random
# mount --bind /dev/random chroot/dev/random

    and the same for urandom.