2013/4/17 PPingPongBaker <ppingpongbaker@gmail.com>:
> Hi All,
> I am experimenting with stunnel inside a VM on Xenserver 6.02. So this may not be a "common" use case; nonetheless, I would like to point out the issue.
> It is a basic setup as follows, with 3 VMs: "ab" as the web client, a stunnel+haproxy combo as the https/http bridge, and nginx as the web server.
> client VM (ab) <-> stunnel + haproxy VM <-> webserver VM (nginx)
> Specs on the stunnel VM are 2GB RAM, a single-core dedicated 2.5 GHz Xeon E5-2640 vCPU, running the Debian Squeeze 2.6.32-5-amd64 (64 bit) kernel.
> Everything else is unchanged, such as the stunnel/haproxy/nginx config, and common gotchas such as the file descriptor limit, TIMEOUTclose, disabling libwrap, etc. are taken care of. stunnel is built with pthreads. Also, stunnel is configured to use a 2K RSA self-signed certificate, and the client is being forced to do TLS1. "ab" is invoked with "-c 4" so as to peg the stunnel VM CPU (any value beyond 4 doesn't seem to matter). nginx serves a tiny 32 byte static html file.
> With stunnel 4.29 and OpenSSL 0.9.8o, I get 300 requests per second as max throughput.
> With stunnel 4.56 and OpenSSL 1.0.1e, I get only 40 requests per second as max throughput.
> tcpdump tells me that the Server Hello sent to the client takes a longer time in the latter case. Tinkering with TCP_NODELAY doesn't change anything.
> Anyone else seeing this, maybe even on physical hardware? Has anything changed in OpenSSL across those versions? Suggestions?
That is a strange question ;) A lot has changed between OpenSSL 0.9.8 and 1.0.1, and I mean really a _lot_. The single most important change is support for TLS 1.1 and 1.2 with additional cipher modes. Not to mention countless other changes (including performance improvements). If you want to compare various stunnel versions, then use the same OpenSSL version. If you want to compare OpenSSL... then use the same stunnel version. The configuration you mentioned above doesn't make a lot of sense, as it makes it hard to tell where the performance drop comes from. If you really must test such a configuration, the best way would be to ensure the same TLS version (1.0, not 1.1 or 1.2; OpenSSL 1.0.1 defaults to 1.2) and the same cipher.
--
Janusz Dziemidowicz
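The advice above (pin the TLS version and the cipher before comparing the two stunnel builds) is easy to get wrong silently, since OpenSSL 1.0.1 will negotiate TLS 1.2 by default. The script below is an added example, not code from either poster: it parses the session summary that `openssl s_client` prints and refuses to start the "ab" run unless the endpoint actually negotiated the expected protocol and cipher. The host:port, the cipher AES128-SHA and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Confirm a TLS endpoint negotiated the expected protocol and cipher
# before benchmarking it, so both stunnel/OpenSSL setups are compared
# on the same handshake parameters.

# Extract "<protocol> <cipher>" from the "Protocol  : ..." and
# "Cipher    : ..." lines of an `openssl s_client` session summary.
negotiated() {
  # $1: captured s_client output
  printf '%s\n' "$1" | awk -F':' '
    /^ *Protocol *:/ { gsub(/ /, "", $2); proto = $2 }
    /^ *Cipher *:/   { gsub(/ /, "", $2); cipher = $2 }
    END { print proto " " cipher }'
}

# Exit status 0 only if the negotiated pair matches exactly.
check_negotiation() {
  # $1: s_client output, $2: expected protocol, $3: expected cipher
  set -- "$(negotiated "$1")" "$2" "$3"
  [ "$1" = "$2 $3" ]
}

# Probe a live endpoint with TLS 1.0 and one cipher forced on the client
# side (-tls1 and -cipher are real s_client options), then verify what
# the server actually agreed to.
probe() {
  # $1: host:port (assumed), $2: expected protocol, $3: expected cipher
  out=$(printf '' | openssl s_client -tls1 -cipher "$3" -connect "$1" 2>/dev/null)
  check_negotiation "$out" "$2" "$3"
}

# Guarded live usage: only runs when RUN_PROBE=1 and a bridge is reachable.
# The host and URL are placeholders for the stunnel VM in the thread.
if [ "${RUN_PROBE:-0}" = 1 ]; then
  probe 10.0.0.2:443 TLSv1 AES128-SHA \
    && ab -c 4 -n 10000 https://10.0.0.2/index.html \
    || echo "endpoint did not negotiate TLSv1/AES128-SHA; not benchmarking" >&2
fi
```

Run the same probe against each stunnel build; only when both report the same protocol and cipher do the requests-per-second figures measure stunnel and OpenSSL rather than the handshake they happened to pick.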