Hi... I'm deploying stunnel on some servers. I did some tests, and I never had problems. For example, I tried 5k parallel connections, and I didn't have any problem.
But I have problems when a small number of connections want to transfer big chunks of information; the connection hangs.
This is a snippet of logs:
Server side:
2006.10.20 16:00:58 LOG7[20302:1]: oracle11521 accepted FD=226 from 192.168.22.10:39721
2006.10.20 16:00:58 LOG7[20302:200]: oracle11521 started
2006.10.20 16:00:58 LOG7[20302:200]: FD 226 in non-blocking mode
2006.10.20 16:00:58 LOG7[20302:200]: TCP_NODELAY option set on local socket
2006.10.20 16:00:58 LOG5[20302:200]: oracle11521 connected from 192.168.22.10:39721
2006.10.20 16:00:58 LOG7[20302:200]: SSL state (accept): before/accept initialization
2006.10.20 16:00:58 LOG7[20302:200]: SSL state (accept): SSLv3 read client hello A
2006.10.20 16:00:58 LOG7[20302:200]: SSL state (accept): SSLv3 write server hello A
2006.10.20 16:00:58 LOG7[20302:200]: SSL state (accept): SSLv3 write change cipher spec A
2006.10.20 16:00:58 LOG7[20302:200]: SSL state (accept): SSLv3 write finished A
2006.10.20 16:00:58 LOG7[20302:200]: SSL state (accept): SSLv3 flush data
2006.10.20 16:00:58 LOG7[20302:200]: SSL state (accept): SSLv3 read finished A
2006.10.20 16:00:58 LOG7[20302:200]: 3 items in the session cache
2006.10.20 16:00:58 LOG7[20302:200]: 0 client connects (SSL_connect())
2006.10.20 16:00:58 LOG7[20302:200]: 0 client connects that finished
2006.10.20 16:00:58 LOG7[20302:200]: 0 client renegotiations requested
2006.10.20 16:00:58 LOG7[20302:200]: 199 server connects (SSL_accept())
2006.10.20 16:00:58 LOG7[20302:200]: 194 server connects that finished
2006.10.20 16:00:58 LOG7[20302:200]: 0 server renegotiations requested
2006.10.20 16:00:58 LOG7[20302:200]: 173 session cache hits
2006.10.20 16:00:58 LOG7[20302:200]: 0 session cache misses
2006.10.20 16:00:58 LOG7[20302:200]: 18 session cache timeouts
2006.10.20 16:00:58 LOG6[20302:200]: SSL accepted: previous session reused
2006.10.20 16:00:58 LOG7[20302:200]: FD 227 in non-blocking mode
2006.10.20 16:00:58 LOG7[20302:200]: oracle11521 connecting 192.168.22.13:1521
2006.10.20 16:00:58 LOG7[20302:200]: connect_wait: waiting 10 seconds
2006.10.20 16:00:58 LOG7[20302:200]: connect_wait: connected
2006.10.20 16:00:58 LOG7[20302:200]: Remote FD=227 initialized
2006.10.20 16:00:58 LOG7[20302:200]: TCP_NODELAY option set on remote socket
2006.10.20 16:00:58 LOG7[20302:75]: SSL_read returned WANT_READ: retrying
2006.10.20 16:00:58 LOG7[20302:75]: SSL_read returned WANT_READ: retrying
2006.10.20 16:00:58 LOG7[20302:75]: SSL_read returned WANT_READ: retrying

Client side:
2006.10.20 16:16:01 LOG6[12415:91]: SSL connected: new session negotiated
2006.10.20 16:16:01 LOG6[12415:91]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
2006.10.20 16:16:01 LOG7[12415:91]: Socket closed on read
2006.10.20 16:16:01 LOG7[12415:91]: SSL write shutdown
2006.10.20 16:16:01 LOG7[12415:91]: SSL alert (write): warning: close notify
2006.10.20 16:16:01 LOG7[12415:91]: SSL_shutdown retrying
2006.10.20 16:16:01 LOG7[12415:91]: SSL doesn't need to read or write
2006.10.20 16:16:01 LOG7[12415:91]: SSL alert (read): warning: close notify
2006.10.20 16:16:01 LOG7[12415:91]: SSL closed on SSL_read
2006.10.20 16:16:01 LOG7[12415:91]: Socket write shutdown
2006.10.20 16:16:01 LOG5[12415:91]: Connection closed: 3663 bytes sent to SSL, 5239 bytes sent to socket
2006.10.20 16:16:01 LOG7[12415:91]: oracle11521 finished (3 left)
The timings are shifted; I don't know if the time delta is due to a clock misconfiguration on the machines, or whether the snippets were taken from different events... I don't have direct access to the machines.
I tried to make a test (client and server on the same machine):

Client side:
  nc localhost 10001 >>/dev/null
  stunnel accepts on 10001 and connects to localhost:11521

Server side:
  stunnel accepts on 11521 and connects to 1521
  cat 230megsfile | nc -l -p 1521 & 2>&1 >>/dev/null

So, when the nc on the client side connects, the server starts the cat.
It did complete correctly within a couple of minutes on an ibook 64 1.33 with 1g RAM, but with LOADS of want_read and want_write errors on both sides of stunnel.
The server and client are running on "big iron", I mean some Superdome hardware with 30-40 CPUs on both sides, and with an estimated traffic of 10 gig/day.
And, importantly... the version of the stunnel instances is 4.15.
Can you help me?
Bye, dario.
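As an added diagnostic example (not from the post and not stunnel's own code): a small Python parser for the stunnel 4.x log format quoted above that groups records by their `[pid:connection]` tag, counts WANT_READ/WANT_WRITE retries per connection, records the bytes reported on close, and flags connections that never log a close or that spin on retries. The sample lines are constructed, and the retry threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample in the stunnel 4.x log format (not the post's full excerpt).
SAMPLE_LOG = """\
2006.10.20 16:00:58 LOG7[20302:200]: oracle11521 started
2006.10.20 16:00:58 LOG5[20302:200]: oracle11521 connected from 192.168.22.10:39721
2006.10.20 16:00:58 LOG6[20302:200]: SSL accepted: previous session reused
2006.10.20 16:00:58 LOG7[20302:75]: SSL_read returned WANT_READ: retrying
2006.10.20 16:00:58 LOG7[20302:75]: SSL_read returned WANT_READ: retrying
2006.10.20 16:00:59 LOG7[20302:75]: SSL_write returned WANT_WRITE: retrying
2006.10.20 16:16:01 LOG5[12415:91]: Connection closed: 3663 bytes sent to SSL, 5239 bytes sent to socket
2006.10.20 16:16:01 LOG7[12415:91]: oracle11521 finished (3 left)
"""

# One record: "<date> <time> LOG<level>[<pid>:<conn>]: <message>"
LINE_RE = re.compile(r"^(\S+) (\S+) LOG(\d)\[(\d+):(\d+)\]: (.*)$")
CLOSED_RE = re.compile(r"Connection closed: (\d+) bytes sent to SSL, (\d+) bytes sent to socket")


def parse_stunnel_log(text):
    """Group records by (pid, connection id) and summarize each connection."""
    conns = defaultdict(lambda: {"retries": 0, "closed": False, "to_ssl": None,
                                 "to_socket": None, "first": None, "last": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a stunnel record (wrapped or garbled line)
        date, time, _level, pid, conn, msg = m.groups()
        c = conns[(int(pid), int(conn))]
        c["first"] = c["first"] or f"{date} {time}"
        c["last"] = f"{date} {time}"
        # WANT_READ/WANT_WRITE are normal for non-blocking I/O; what matters
        # is how often a single connection spins on them.
        if "WANT_READ" in msg or "WANT_WRITE" in msg:
            c["retries"] += 1
        cm = CLOSED_RE.search(msg)
        if cm:
            c["closed"] = True
            c["to_ssl"], c["to_socket"] = int(cm[1]), int(cm[2])
    return dict(conns)


def suspicious_connections(conns, retry_threshold=2):
    """Connections that never logged a close or retried more than the threshold (assumed value)."""
    return sorted(k for k, c in conns.items()
                  if not c["closed"] or c["retries"] > retry_threshold)
```

Run it over the full debug log from each side and compare the "last" timestamp of flagged connections against the close records: a connection whose retries keep advancing in time without a matching "Connection closed" line is the one that hung.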