file handle exhaustion with openvpn and pam_ldap

Andreas Metzler ametzler at
Mon Oct 26 13:17:57 CET 2009

On 2009-10-26 Werner Koch <wk at> wrote:
> On Sun, 25 Oct 2009 09:35, ametzler at said:

> > When using openvpn and pam_ldap against an LDAP server with TLS
> > support on every authentication, a file handle to /dev/urandom is
> > created but never released. (libldap-2.4-2 is using gnutls, openvpn
> > isn't.)

> The problem is that you can't load/unload/load libgcrypt using dlopen
> tricks.  This is simply not defined unless dlopen/dlclose implements a
> complete process initialization/termination.  True, there is a function
> to terminate the secure memory which needs to be called before the
> process terminates but this is not a complete shutdown of libgcrypt, the
> OS needs to cleanup some of the resources.

> The documentation os FIPS required state machine says:

>   [The state transition from] Operational to Shutdown is an artifical
>   state without any direct action in Libgcrypt.  When reaching the
>   Shutdown state the library is deinitialized and can't return to any
>   other state again.

> Thus to change this you would need to implement the required OS parts in
> your dlopen/dlclose.


just to clarify. -  You are saying that:

* This issue cannot be fixed in gcrypt itself (and therefore will not
  be fixed).
* The way dlopen works on $OS would need to be changed (I guess on
  Linux this would be glibc.)

thanks, cu andreas

More information about the Gcrypt-devel mailing list