HAProxy no responses when built with wolfssl, while working with openssl

Confirmed this is about /dev/[u]random access:

gettimeofday({tv_sec=1706642203, tv_usec=117454}, NULL) = 0
clock_gettime(CLOCK_THREAD_CPUTIME_ID, {tv_sec=0, tv_nsec=20852494}) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=3981304, tv_nsec=26693841}) = 0
accept(4, {sa_family=AF_INET, sin_port=htons(34994), sin_addr=inet_addr("127.0.0.1")}, [128->16]) = 7
fcntl(7, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
brk(0x55905ba7e000)     = 0x55905ba7e000
openat(AT_FDCWD, "/dev/urandom", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/dev/random", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/dev/urandom", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/dev/random", O_RDONLY) = -1 ENOENT (No such file or directory)

But there is really nothing for haproxy to do here. OpenSSL at some point did something more dangerous in this case, which was reading random data initially and then silently breaking SSL later, when more random data was required (haproxy broke, but only after running for half an hour without any issues).

You can mount random/urandom within your chroot to solve this; but really a modern libssl should use getrandom() as opposed to accessing random files.

To do the latter you need to enable it in wolfssl manually (adding EXTRA_CFLAGS=-DWOLFSSL_GETRANDOM=1 as a configure argument):

$ ./configure --enable-haproxy --enable-quic --prefix=/opt/wolfssl-5.6.6/ EXTRA_CFLAGS=-DWOLFSSL_GETRANDOM=1

And indeed it works fine in chroot by no longer accessing the files but calling getrandom() instead:

gettimeofday({tv_sec=1706642846, tv_usec=9373}, NULL) = 0
clock_gettime(CLOCK_THREAD_CPUTIME_ID, {tv_sec=0, tv_nsec=28593327}) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=3981946, tv_nsec=918110946}) = 0
accept(4, {sa_family=AF_INET, sin_port=htons(34998), sin_addr=inet_addr("127.0.0.1")}, [128->16]) = 7
fcntl(7, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
brk(0x55e7c3ea1000)     = 0x55e7c3ea1000
getrandom("\x5c\x1a\x6b\x23\x2d\xe8\x4b\x0b\x79\x9c\x3f\x46\x55\xda\xe3\xc1\xb8\x96\x48\x29\xe1\x79\x33\xf8\xdc\xd3\xb5\x14\x2b\x9d\x5d\x93"..., 52, 0) = 52
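
The two strace captures above correspond to two ways of obtaining seed material: opening a device file, which fails with ENOENT in a chroot that has no /dev, and the getrandom() syscall, which needs no file. The following is an added example, not code from wolfSSL, HAProxy or the original post; the function names are hypothetical and the 52-byte size is taken from the trace. It tries the syscall first, falls back to the device, and returns an error if neither works rather than continuing without entropy.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/random.h>   /* getrandom(), glibc >= 2.25 */

enum rng_source { SRC_NONE, SRC_GETRANDOM, SRC_DEVICE };

/* Syscall path: needs no file, so it works inside an empty chroot. */
static int fill_getrandom(unsigned char *buf, size_t len)
{
    for (size_t off = 0; off < len; ) {
        ssize_t n = getrandom(buf + off, len - off, 0);
        if (n < 0 && errno == EINTR) continue;   /* interrupted: retry */
        if (n < 0) return -1;                    /* e.g. ENOSYS on old kernels */
        off += (size_t)n;
    }
    return 0;
}

/* File path: open() fails with ENOENT when the chroot lacks the device node. */
static int fill_device(const char *path, unsigned char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    for (size_t off = 0; off < len; ) {
        ssize_t n = read(fd, buf + off, len - off);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { close(fd); return -1; }    /* error or unexpected EOF */
        off += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Fail closed: the caller gets -1 instead of an unseeded buffer. */
static int fill_random(unsigned char *buf, size_t len, enum rng_source *src)
{
    *src = SRC_NONE;
    if (fill_getrandom(buf, len) == 0) { *src = SRC_GETRANDOM; return 0; }
    if (fill_device("/dev/urandom", buf, len) == 0) { *src = SRC_DEVICE; return 0; }
    return -1;
}

int main(void)
{
    unsigned char seed[52]; enum rng_source src;
    if (fill_random(seed, sizeof seed, &src) != 0) { perror("no entropy source"); return 1; }
    return printf("seeded via %s\n", src == SRC_GETRANDOM ? "getrandom()" : "/dev/urandom") < 0;
}
```

Running the compiled binary under strace inside the chroot shows which of the two paths was taken, in the same way as the captures above.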