Hi Robert,
On Wed, Apr 24, 2019 at 03:13:00PM -0400, Robert Newson wrote:
> Hi,
>
> Thanks for the suggestion and, yes, we're using the master-worker mode (-Ws
> specifically). I made a custom build as directed
> (https://github.com/cloudant/haproxy-1.9/tree/urandom-leak) and tried it out.
> Same leak, unfortunately. An extra /dev/urandom fd each reload.
Ah, that's not what I was suggesting :-) I was suggesting to put the
return statement at the *beginning* of the function so that it does
not initialize the random number generator. Or if you prefer, just
pretend that it's already initialized (which will achieve the same) :
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 015943ee6..bd12d876d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3736,7 +3736,7 @@ ignore_entry:
static int ssl_initialize_random()
{
unsigned char random;
- static int random_initialized = 0;
+ static int random_initialized = 1;
if (!random_initialized && RAND_bytes(&random, 1) != 0)
random_initialized = 1;
Willy
