Bug#543941: Ping! OpenVPN with LDAP+TLS authentication runs into file exhaustion
Simon Josefsson
simon at josefsson.org
Thu Nov 5 09:43:29 UTC 2009
Lars Ellenberg <lars.ellenberg at linbit.com> writes:
> OpenVPN with LDAP+TLS authentication runs into file exhaustion
>
>> Issue is only happening when LDAP is used with TLS support. On every
>> authentication, a file handle to /dev/urandom is created but never
>> released.
>>
>> Because the handle to /dev/urandom is never released, after some time
>> the service has been running, users will fail to authenticate because
>> the backend is not able to open new file handles on /dev/urandom.
>
> As there has been absolutely no reaction yet, maybe you just missed it.
> Please have a look again at
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543941#36
Did you miss this discussion?
http://thread.gmane.org/gmane.comp.encryption.gpg.libgcrypt.devel/2125
In short, dlopen/dlclose usage of libgcrypt is not supported.
Possibly GnuTLS could use Nettle as the crypto library instead of
libgcrypt. I'll look into this.
/Simon
> Where I explain
> * the root cause,
> * possible workarounds,
> (one-line change to openvpn,
> or about a 6-line change to libpam-ldap), and
> * a possible fix for this issue
> (slightly more involved libgcrypt stuff).
>
> Thanks.
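A check for the failure mode described in the report, added here as an example that is not part of the original thread or of any of the projects named: it counts the process's open descriptors that resolve to /dev/urandom by walking /proc/self/fd (Linux-specific), and a hypothetical leaky_crypto_init() stands in for a library initialiser whose cleanup is never run, which is the leak pattern the bug describes.

```c
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Count this process's open descriptors that point at /dev/urandom by
 * reading the symlinks in /proc/self/fd (Linux). Returns -1 without /proc. */
int count_urandom_fds(void)
{
    DIR *d = opendir("/proc/self/fd");
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    char path[64], target[256];
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        snprintf(path, sizeof path, "/proc/self/fd/%s", e->d_name);
        ssize_t len = readlink(path, target, sizeof target - 1);
        if (len < 0) continue;
        target[len] = '\0';
        if (strcmp(target, "/dev/urandom") == 0) n++;
    }
    closedir(d);
    return n;
}

/* Hypothetical stand-in for a crypto library's initialiser: it opens
 * /dev/urandom and relies on a finaliser to close it. Unloading the library
 * with dlclose() without that finaliser leaves the descriptor behind. */
void leaky_crypto_init(void)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) perror("open /dev/urandom");
    /* descriptor deliberately never closed: this is the leak */
}

/* Run N simulated authentication rounds and report how many fds leaked. */
int leaked_after_rounds(int rounds)
{
    int before = count_urandom_fds();
    for (int i = 0; i < rounds; i++) leaky_crypto_init();
    int after = count_urandom_fds();
    return (before < 0 || after < 0) ? -1 : after - before;
}

int main(void)
{
    printf("fds to /dev/urandom leaked after 5 rounds: %d\n", leaked_after_rounds(5));
    return 0;
}
```

The same count_urandom_fds() walk, run against /proc/PID/fd of a live daemon from a monitoring script, is the check to run when authentication starts failing after a long uptime.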