Hi All,
I am experimenting with stunnel inside a VM on Xenserver 6.02. So this may not be a "common" use case; nonetheless, I would like to point out the issue.

It is a basic setup as follows, with 3 VMs running "ab" for the web client, a stunnel+haproxy combo as the https/http bridge, and nginx as the webserver.

client VM (ab) <-> stunnel + haproxy VM <-> webserver VM (nginx)

Specs on the stunnel VM are 2GB RAM, a single-core dedicated 2.5 GHz Xeon E5-2640 vCPU, running the Debian Squeeze 2.6.32-5-amd64 (64 bit) kernel.

All other things are unchanged, such as the stunnel/haproxy/nginx config, and I have taken care of common gotchas such as the file descriptor limit, TIMEOUTclose, disabling libwrap, etc. stunnel is built with pthreads. Also, stunnel is configured to use a 2K RSA self-signed certificate, and the client is being forced to do TLS1. "ab" is invoked with "-c 4" so as to peg the stunnel VM CPU (any value beyond 4 doesn't seem to matter). nginx serves a tiny 32 byte static html file.

With stunnel 4.29 and OpenSSL 0.9.8o, I get 300 requests per second as max throughput.

With stunnel 4.56 and OpenSSL 1.0.1e, I get only 40 requests per second as max throughput.

tcpdump tells me that the Server Hello sent to the client takes a longer time in the latter case. Tinkering with TCP_NODELAY doesn't change anything.
Anyone else seeing this maybe even on physical hardware?
Has anything changed in OpenSSL across those versions?
Suggestions?
Thanks.
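A way to narrow a throughput drop like the one described above is to time each phase of a full HTTPS request separately (TCP connect, TLS handshake, HTTP exchange) rather than looking only at the requests/second figure "ab" reports. The script below is an added example and is not part of the original post or of stunnel; it assumes a hypothetical stunnel front end on 127.0.0.1:443 serving a self-signed certificate (so verification is disabled, which is acceptable only against your own lab VM) and opens a fresh connection per request, as "ab" does, so every sample includes a full handshake.

```python
"""Phase-level timing for an HTTPS endpoint: TCP connect, TLS handshake, HTTP request.

Added example, not code from the original post. The target 127.0.0.1:443 is an
assumed lab stunnel instance; adjust HOST/PORT for your own setup.
"""
import socket
import ssl
import statistics
import time
from concurrent.futures import ThreadPoolExecutor

PHASES = ("connect", "handshake", "request")


def time_one_request(host, port, path="/", sni=None, max_version=None, timeout=10.0):
    """Return per-phase seconds for one full (non-resumed) HTTPS GET."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # lab only: the post's server uses a self-signed cert
    if max_version is not None:      # e.g. ssl.TLSVersion.TLSv1_2 to pin the client's ceiling
        ctx.maximum_version = max_version
    t0 = time.perf_counter()
    raw = socket.create_connection((host, port), timeout=timeout)
    t1 = time.perf_counter()
    tls = ctx.wrap_socket(raw, server_hostname=sni or host, do_handshake_on_connect=False)
    tls.do_handshake()               # full handshake: a new session every time, like ab
    t2 = time.perf_counter()
    req = f"GET {path} HTTP/1.0\r\nHost: {sni or host}\r\nConnection: close\r\n\r\n".encode()
    tls.sendall(req)
    body = b""
    while True:
        chunk = tls.recv(65536)
        if not chunk:
            break
        body += chunk
    t3 = time.perf_counter()
    version, cipher = tls.version(), tls.cipher()[0]  # read before close(); they are None after
    tls.close()
    return {"connect": t1 - t0, "handshake": t2 - t1, "request": t3 - t2,
            "version": version, "cipher": cipher, "bytes": len(body)}


def summarize(samples, wall_seconds):
    """Mean and p95 per phase, the handshake's share of per-request time, and overall rate."""
    out = {}
    for p in PHASES:
        vals = sorted(s[p] for s in samples)
        idx = min(len(vals) - 1, int(round(0.95 * (len(vals) - 1))))
        out[p] = {"mean": statistics.fmean(vals), "p95": vals[idx]}
    total = sum(out[p]["mean"] for p in PHASES)
    out["handshake_share"] = out["handshake"]["mean"] / total if total else 0.0
    out["requests_per_second"] = len(samples) / wall_seconds if wall_seconds > 0 else 0.0
    return out


def dominant_phase(summary):
    """Name the phase with the largest mean, i.e. where the time is actually going."""
    return max(PHASES, key=lambda p: summary[p]["mean"])


def run_benchmark(host, port, requests=200, concurrency=4, **kw):
    """Issue `requests` GETs with `concurrency` workers (cf. ab -c 4) and summarize them."""
    start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        samples = list(pool.map(lambda _: time_one_request(host, port, **kw), range(requests)))
    summary = summarize(samples, time.perf_counter() - start)
    summary["version"] = samples[0]["version"]
    summary["cipher"] = samples[0]["cipher"]
    return summary


if __name__ == "__main__":
    HOST, PORT = "127.0.0.1", 443  # assumed lab stunnel front end
    try:
        s = run_benchmark(HOST, PORT)
    except OSError as exc:
        raise SystemExit(f"could not reach {HOST}:{PORT}: {exc}")
    print(f"{s['version']} {s['cipher']}  {s['requests_per_second']:.1f} req/s")
    for p in PHASES:
        print(f"  {p:9s} mean {s[p]['mean']*1000:7.2f} ms  p95 {s[p]['p95']*1000:7.2f} ms")
    print(f"  handshake share {s['handshake_share']:.0%}, bottleneck: {dominant_phase(s)}")
```

Running this against both stunnel/OpenSSL builds gives comparable per-phase numbers: if the handshake mean grows while connect and request stay flat, the regression is in the TLS handshake, consistent with the Server Hello delay seen in tcpdump; if the request phase grows instead, look at the haproxy/nginx leg. Recording `version` and `cipher` alongside the timings also confirms the two builds negotiated the same protocol and suite, since a different cipher suite alone can change handshake cost.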