Hi All,
I am experimenting with stunnel inside a VM on Xenserver 6.02, so this may not be a "common" use case; nonetheless, I would like to point out the issue.
It is a basic setup, as follows, with 3 VMs: one running "ab" as the web client, a stunnel+haproxy combo as the https/http bridge, and nginx as the web server.
client VM (ab) <-> stunnel + haproxy VM <-> webserver VM (nginx)
Specs on the stunnel VM are 2GB RAM, single-core dedicated 2.5 GHz Xeon E5-2640 vCPU, running Debian Squeeze 2.6.32-5-amd64 (64 bit) kernel.
All other things are unchanged, such as the stunnel/haproxy/nginx config, and the common gotchas such as the file descriptor limit, TIMEOUTclose, disabling libwrap, etc. have been taken care of. stunnel is built with pthreads. Also, stunnel is configured to use a 2K RSA self-signed certificate, and the client is being forced to do TLS1. "ab" is invoked with "-c 4" so as to peg the stunnel VM CPU (any value beyond 4 doesn't seem to matter). nginx serves a tiny 32 byte static html file.
With stunnel 4.29 and OpenSSL 0.9.8o, I get 300 requests per second as max throughput.
With stunnel 4.56 and OpenSSL 1.0.1e, I get only 40 requests per second as max throughput.
tcpdump tells me that the Server Hello sent to the client takes a longer time in the latter case. Tinkering with TCP_NODELAY doesn't change anything.
Anyone else seeing this maybe even on physical hardware? Has anything changed in OpenSSL across those versions? Suggestions?
Thanks.