Hi,
You can work around the issue by setting isolate-workers=false. The
problem is that the getrandom() system call is not included in the
whitelisted seccomp filter. The "right" solution is to either apply
patch [0] or move to 0.11.5.

regards,
Nikos

[0]. http://pkgs.fedoraproject.org/cgit/rpms/ocserv.git/commit/?id=d0dbbc1a1988c995771c0bbb85894e723049b5ef

On Thu, Oct 6, 2016 at 4:19 PM, Gergely Katona <n...@tfw.hu> wrote:
> Subject: ocserv: GnuTLS error (at worker-vpn.c:585): Error in the system's
> randomness device.
> Package: ocserv
> Version: 0.11.4-1+b1
> Severity: important
>
> Dear Maintainer,
>
>
> I've started the ocserv service and tried to connect with an Android phone
> and later on with a Linux machine.
> Both times I received:
> GnuTLS error (at worker-vpn.c:585): Error in the system's randomness device.
> On the client's side:
> LIB: SSL negotiation with srv3.unnamedhost.somewhere
> LIB: SSL connection failure: The TLS connection was non-properly terminated
>
>
> Oct 06 15:19:19 srv3 systemd[1]: Started OpenConnect SSL VPN server.
> Oct 06 15:19:19 srv3 ocserv[8425]: Setting 'radius' as primary
> authentication method
> Oct 06 15:19:19 srv3 ocserv[8425]: Setting 'radius' as accounting method
> Oct 06 15:19:19 srv3 ocserv[8425]: Setting 'file' as supplemental config
> option
> Oct 06 15:19:19 srv3 ocserv[8425]: listening on 2 systemd sockets...
> Oct 06 15:19:19 srv3 ocserv[8425]: main: initialized ocserv 0.11.4
> Oct 06 15:19:19 srv3 ocserv[8438]: sec-mod: reading supplemental config from
> files
> Oct 06 15:19:19 srv3 ocserv[8438]: sec-mod: sec-mod initialized (socket:
> /var/run/ocserv-socket.8425)
> Oct 06 15:19:48 srv3 ocserv[8445]: GnuTLS error (at worker-vpn.c:585): Error
> in the system's randomness device.
> Oct 06 15:19:48 srv3 ocserv[8425]: main: [::ffff:192.168.31.230]:36872 user
> disconnected (reason: unspecified, rx: 0, tx: 0)
>
>
> -- System Information:
> Debian Release: 8.6
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'testing'),
> (50, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.7.0-1-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set
> LC_ALL to default locale: No such file or directory
> UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages ocserv depends on:
> ii  dbus                 1.8.20-0+deb8u1
> ii  init-system-helpers  1.22
> ii  libc6                2.24-3
> ii  libev4               1:4.22-1
> ii  libgnutls30          3.5.4-2
> ii  libgssapi-krb5-2     1.14.3+dfsg-2
> ii  libhttp-parser2.1    2.1-2
> ii  liblz4-1             0.0~r131-2
> ii  libnettle6           3.2-1
> ii  libnl-3-200          3.2.27-1
> ii  libnl-route-3-200    3.2.27-1
> ii  liboath0             2.6.1-1
> ii  libopts25            1:5.18.12-2
> ii  libpam0g             1.1.8-3.1+deb8u1+b1
> ii  libpcl1              1.6-1
> ii  libprotobuf-c1       1.2.1-1+b1
> ii  libradcli4           1.2.6-4
> ii  libreadline6         6.3-8+b3
> ii  libseccomp2          2.3.1-2
> ii  libsystemd0          215-17+deb8u5
> ii  libtalloc2           2.1.7-1
> ii  libtasn1-6           4.9-4
> ii  libwrap0             7.6.q-25
> ii  ssl-cert             1.0.38
>
> Versions of packages ocserv recommends:
> ii  ca-certificates  20141019+deb8u1
>
> ocserv suggests no packages.
>
> -- Configuration Files:
> /etc/ocserv/ocserv.conf changed [not included]
>
> -- debconf information excluded
>
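The failure mode described in the reply, reproduced as an added example (not ocserv's code and not part of the original thread): a child process installs an allow-list seccomp filter and then calls getrandom(). The raw seccomp-BPF filter, the function name `getrandom_under_filter`, and the EPERM deny action are assumptions made for this demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "demo covers x86_64 and aarch64 only"
#endif

/* Hypothetical demo helper. Forks a child that installs an allow-list filter and
 * calls getrandom(). Returns 0 on success, the child's errno on failure, -1 on setup error. */
int getrandom_under_filter(int allow_getrandom) {
    /* When getrandom is not allowed, the second compare repeats exit_group (a no-op). */
    unsigned int extra = allow_getrandom ? __NR_getrandom : __NR_exit_group;
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),         /* foreign ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, extra, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM), /* assumed deny action */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { /* child: the filter is irreversible, so it is applied only here */
        unsigned char buf[16];
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) _exit(255);
        long r = syscall(SYS_getrandom, buf, sizeof buf, 0);
        _exit(r == (long)sizeof buf ? 0 : errno);
    }
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) == 255) return -1;
    return WEXITSTATUS(st);
}

/* Exit status 0 means: denied without the allow-list entry, working with it. */
int main(void) { return getrandom_under_filter(0) == EPERM && getrandom_under_filter(1) == 0 ? 0 : 1; }
```

The same check is useful after a libc or TLS library upgrade: a library that starts using a new system call fails inside the sandbox even though the same binary works with worker isolation disabled.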
