Bug#543941: Ping! OpenVPN with LDAP+TLS authentication runs into file exhaustion

Simon Josefsson simon at josefsson.org
Thu Nov 5 09:43:29 UTC 2009


Lars Ellenberg <lars.ellenberg at linbit.com> writes:

> OpenVPN with LDAP+TLS authentication runs into file exhaustion
>
>> Issue is only happening when LDAP is used with TLS support. On every
>> authentication, a file handle to /dev/urandom is created but never
>> released.
>> 
>> Because the handle to /dev/urandom is never released, after some time
>> the service has been running, users will fail to authenticate because
>> the backend is not able to open new file handles on /dev/urandom.
>
> As there has been absolutely no reaction yet, maybe you just missed it.
> Please have a look again at
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543941#36

Did you miss this discussion?

http://thread.gmane.org/gmane.comp.encryption.gpg.libgcrypt.devel/2125

In short, dlopen/dlclose usage of libgcrypt is not supported.

Possibly GnuTLS could use Nettle as the crypto library instead of
libgcrypt.  I'll look into this.

/Simon

> Where I explain
>  * the root cause,
>  * possible workarounds,
> 	(one-line change to openvpn,
> 	or about 6 line change to libpam-ldap), and
>  * a possible fix for this issue
> 	(slightly more involved libgcrypt stuff).
>
> Thanks.

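The leak described in the report (a /dev/urandom descriptor opened on every authentication and never released, because libgcrypt is dlopen'ed and dlclose'd by the PAM/plugin stack) can be confirmed outside of OpenVPN with a small probe. The following is an added example and not code from the bug report, from GnuTLS or from libgcrypt: it loads and unloads a shared object repeatedly and reports the net change in open file descriptors. The fallback library names in pick_test_library() and the -ldl build flag are assumptions about the host; to check the case discussed in the thread, pass the libgcrypt path (and a cycle count) on the command line.

```c
/* fdleak_probe.c: dlopen/dlclose a shared object repeatedly and report
 * whether the number of open file descriptors grows across cycles.
 * Added example, not part of the bug report or of GnuTLS/libgcrypt.
 * Build (Linux): cc -o fdleak_probe fdleak_probe.c -ldl
 * (-ldl is assumed to be unnecessary on glibc >= 2.34 and on macOS). */
#include <dlfcn.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Count descriptors currently open in this process. fcntl(F_GETFD) fails
 * with EBADF on unused numbers, so this is portable and needs no /proc. */
int count_open_fds(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536)
        max = 65536;              /* keep the scan bounded on huge limits */
    int n = 0;
    for (long fd = 0; fd < max; fd++)
        if (fcntl((int)fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Load and unload `path` `cycles` times, mimicking a PAM/plugin stack that
 * re-dlopens its crypto library on every authentication. Returns the net
 * change in open descriptors, or -1 if the library could not be loaded.
 * A well-behaved library gives 0; one that opens /dev/urandom when loaded
 * and never closes it (the behaviour the report describes) gives a positive
 * number that grows with `cycles`. */
int leaked_fds_after_cycles(const char *path, int cycles)
{
    /* Warm-up load so one-time allocations (e.g. the loader's own state)
     * are not mistaken for a per-cycle leak. */
    void *h = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (!h)
        return -1;
    dlclose(h);

    int before = count_open_fds();
    for (int i = 0; i < cycles; i++) {
        h = dlopen(path, RTLD_NOW | RTLD_LOCAL);
        if (!h)
            return -1;
        dlclose(h);
    }
    return count_open_fds() - before;
}

/* Pick a library that exists on this host so the probe can be exercised
 * without libgcrypt (candidate names are an assumption about the host);
 * real use passes the libgcrypt path on the command line. */
const char *pick_test_library(void)
{
    static const char *candidates[] = {
        "libm.so.6", "libc.so.6", "libSystem.B.dylib", NULL
    };
    for (int i = 0; candidates[i]; i++) {
        void *h = dlopen(candidates[i], RTLD_NOW | RTLD_LOCAL);
        if (h) {
            dlclose(h);
            return candidates[i];
        }
    }
    return NULL;
}

int main(int argc, char **argv)
{
    const char *lib = argc > 1 ? argv[1] : pick_test_library();
    int cycles = argc > 2 ? atoi(argv[2]) : 100;
    if (!lib) {
        fprintf(stderr, "no loadable library found\n");
        return 2;
    }
    int leaked = leaked_fds_after_cycles(lib, cycles);
    if (leaked < 0) {
        fprintf(stderr, "dlopen(%s): %s\n", lib, dlerror());
        return 2;
    }
    printf("%s: %d dlopen/dlclose cycles, net open fds %+d\n",
           lib, cycles, leaked);
    return leaked > 0 ? 1 : 0;
}
```

Run it as `./fdleak_probe /usr/lib/libgcrypt.so.11 1000` (path assumed) and compare the net figure against a second run with a larger cycle count: a leak of the kind reported grows linearly with the number of cycles, whereas a library that is safe to dlopen/dlclose stays at zero. The same count can be taken on a live openvpn process by listing its descriptors in /proc/<pid>/fd before and after a batch of logins.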