Hi
I can confirm that with the setting "isolate-workers=false" the connection can be
established.
Still I think/feel this should be fixed one way or the other.
regards,
Gergely
On 2016-10-06 16:39, Nikos Mavrogiannopoulos wrote:
Hi,
You can work-around the issue by setting isolate-workers=false. The
problem is that the getrandom() system call is not included in the
whitelisted seccomp filter. The "right" solution is to either apply
patch [0] or move to 0.11.5.
regards,
Nikos
[0]. http://pkgs.fedoraproject.org/cgit/rpms/ocserv.git/commit/?id=d0dbbc1a1988c995771c0bbb85894e723049b5ef
On Thu, Oct 6, 2016 at 4:19 PM, Gergely Katona <[email protected]> wrote:
Subject: ocserv: GnuTLS error (at worker-vpn.c:585): Error in the system's randomness device.
Package: ocserv
Version: 0.11.4-1+b1
Severity: important
Dear Maintainer,
I've started the ocserv service and tried to connect with an android phone
and later on with a linux machine.
Both times I received:
GnuTLS error (at worker-vpn.c:585): Error in the system's randomness device.
On the client's side:
LIB: SSL negotiation with srv3.unnamedhost.somewhere
LIB: SSL connection failure: The TLS connection was non-properly terminated
Oct 06 15:19:19 srv3 systemd[1]: Started OpenConnect SSL VPN server.
Oct 06 15:19:19 srv3 ocserv[8425]: Setting 'radius' as primary authentication method
Oct 06 15:19:19 srv3 ocserv[8425]: Setting 'radius' as accounting method
Oct 06 15:19:19 srv3 ocserv[8425]: Setting 'file' as supplemental config option
Oct 06 15:19:19 srv3 ocserv[8425]: listening on 2 systemd sockets...
Oct 06 15:19:19 srv3 ocserv[8425]: main: initialized ocserv 0.11.4
Oct 06 15:19:19 srv3 ocserv[8438]: sec-mod: reading supplemental config from files
Oct 06 15:19:19 srv3 ocserv[8438]: sec-mod: sec-mod initialized (socket: /var/run/ocserv-socket.8425)
Oct 06 15:19:48 srv3 ocserv[8445]: GnuTLS error (at worker-vpn.c:585): Error in the system's randomness device.
Oct 06 15:19:48 srv3 ocserv[8425]: main: [::ffff:192.168.31.230]:36872 user disconnected (reason: unspecified, rx: 0, tx: 0)
-- System Information:
Debian Release: 8.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'testing'),
(50, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.7.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set
LC_ALL to default locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages ocserv depends on:
ii dbus 1.8.20-0+deb8u1
ii init-system-helpers 1.22
ii libc6 2.24-3
ii libev4 1:4.22-1
ii libgnutls30 3.5.4-2
ii libgssapi-krb5-2 1.14.3+dfsg-2
ii libhttp-parser2.1 2.1-2
ii liblz4-1 0.0~r131-2
ii libnettle6 3.2-1
ii libnl-3-200 3.2.27-1
ii libnl-route-3-200 3.2.27-1
ii liboath0 2.6.1-1
ii libopts25 1:5.18.12-2
ii libpam0g 1.1.8-3.1+deb8u1+b1
ii libpcl1 1.6-1
ii libprotobuf-c1 1.2.1-1+b1
ii libradcli4 1.2.6-4
ii libreadline6 6.3-8+b3
ii libseccomp2 2.3.1-2
ii libsystemd0 215-17+deb8u5
ii libtalloc2 2.1.7-1
ii libtasn1-6 4.9-4
ii libwrap0 7.6.q-25
ii ssl-cert 1.0.38
Versions of packages ocserv recommends:
ii ca-certificates 20141019+deb8u1
ocserv suggests no packages.
-- Configuration Files:
/etc/ocserv/ocserv.conf changed [not included]
-- debconf information excluded
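
The failure mode discussed in this thread (a seccomp allowlist that omits getrandom()) can be reproduced in isolation with the following added example, which is not code from ocserv or from any message above. It builds a raw BPF allowlist instead of using libseccomp; the function names and the EPERM default action are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* One allowlist entry: if the syscall number matches, allow it. */
#define ALLOW(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Install a tiny allowlist; unlisted syscalls fail with EPERM (assumed default
 * action). Without with_getrandom the third entry just repeats exit_group.
 * A production filter must also validate seccomp_data.arch first. */
static int install_allowlist(int with_getrandom)
{
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(SYS_exit_group),
        ALLOW(SYS_write),
        ALLOW(with_getrandom ? SYS_getrandom : SYS_exit_group),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Call getrandom() in a forked child running under the filter.
 * Returns 0 on success, the child's errno on failure, 255 on setup error. */
int getrandom_under_filter(int with_getrandom)
{
    pid_t pid = fork();
    if (pid < 0) return 255;
    if (pid == 0) {
        unsigned char buf[16];
        if (install_allowlist(with_getrandom) != 0) _exit(255);
        long n = syscall(SYS_getrandom, buf, sizeof buf, 0);
        _exit(n == (long)sizeof buf ? 0 : errno);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 255;
    return WEXITSTATUS(status);
}

int main(void) { return getrandom_under_filter(1) == 0 && getrandom_under_filter(0) == EPERM ? 0 : 1; }
```

When a sandboxed worker starts failing after a library or kernel upgrade, running it under `strace -f` shows which syscall the filter is rejecting, and that syscall is the candidate for the allowlist.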