chroot 内的 openssl
当我尝试从 chroot 监狱内部建立 ssl 连接时,出现以下错误:
twisted.internet.error.ConnectionLost: Connection to the other side was lost in a non-clean fashion.
我正在使用 openssl 0.9.6 和 pyopenssl 来建立 ssl 连接,并且我正在使用用于 python 2.4 的twisted python 库Linux(centos 5.5)。
经过一些故障排除后,我发现 openssl 失败是因为它试图读取 /dev/random 文件,而失败是因为 chroot 中没有 /dev/random 。我已经确认,如果我在 chroot 中创建 /dev/random 文件,连接就会成功。
- 我考虑过安装 devfs 文件系统,其中包含我的 chroot 中的 /dev/random 文件,但我的应用程序及其系统管理员有一个坏习惯,即删除 chroot 的根目录而不首先卸载所有内容。
- 我考虑过在执行 chroot 之前从 /dev/random 文件中读取内容,但我当前的设置是在二进制文件启动之前调用 chroot,并且更改 chroot 发生的位置将对应用程序进行太大的更改我不确定何时或如何完成它。
- 我想过在 chroot 监狱外运行一个程序,该程序仅从 /dev/random 读取并写入名为 /jail/dev/random 的命名文件管道,可以从 chroot 监狱内部访问它,但我不喜欢这样做运行一个单独的进程只是为了访问随机源。而且,仅仅初始化 openssl 似乎过于复杂。
如果我无法从程序中访问 /dev/random ,初始化 openssl 的正确方法是什么?
I'm getting the following error when I try to make an ssl connection from inside a chroot jail:
twisted.internet.error.ConnectionLost: Connection to the other side was lost in a non-clean fashion.
I'm using the openssl 0.9.6 with pyopenssl to make the ssl connection and I'm using the twisted python library for python 2.4 on Linux (centos 5.5).
After some troubleshooting I've discovered that openssl is failing because it is trying to read the /dev/random file and it is failing because there is no /dev/random inside the chroot. I've confirmed that if I create a /dev/random file inside the chroot the connection succeeds.
- I've thought about mounting devfs filesystem which contains the /dev/random file inside my chroot but my app and it's sysadmins have a bad habit of deleting the root of the chroot without unmounting everything first.
- I've thought about reading from the /dev/random file before I do the chroot but my current setup is to call chroot before my binary is even started, and changing where the chroot happens would be a too big of a change in the app that I'm not sure when or how it could be done.
- I've thought of running a program outside my chroot jail that just reads from /dev/random and writes into a named file pipe called /jail/dev/random tht is accessible from inside the chroot jail but I don't like having to run a separate process just for having access to a source of randomness. Also it seems overly complicated for just initializing openssl.
What is the right way to initialize openssl if I don't have access to /dev/random from my program?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
您可以为 openssl 伪造随机数,例如命令行 openssl:
无论如何 openssl 需要随机源,没有随机数它就不可能安全,例如来自维基百科:
如果没有随机源,SSL/TLS 很容易被黑客攻击。
如果您担心
chroot/dev/会被删除,为什么不只创建chroot/dev/random或chroot/dev/urandom安装整个开发?哦,顺便说一句,您还想复制系统 /etc/resolv.conf 以及可能的其他主机、服务、以太坊等...
You could fake random for openssl, e.g. command-line openssl:
Anyhow openssl needs a source of randomness, it cannot be secure without random nonce, e.g. from wikipedia:
Without source of randomness, SSL/TLS can be easily hacked.
If you are worried that
chroot/dev/can be deleted, why not create onlychroot/dev/randomorchroot/dev/urandomintead of mounting whole dev?Oh, btw you also want to copy system /etc/resolv.conf and possibly other hosts, services, ethers, etc...
创建 urandom 和 random 后不要忘记 SELinux
ausearch -c 'php-fpm' --raw
audit2allow -M my-phpfpm
semodule -i my-phpfpm.pp
Don't forgot about SELinux after create urandom and random
ausearch -c 'php-fpm' --raw
audit2allow -M my-phpfpm
semodule -i my-phpfpm.pp
也许更好的方法是按如下所示绑定挂载设备文件:
urandom 也是如此。
Perhaps a better way is to bind-mount the device files as follows:
and the same for urandom.