I will give you strange advice assuming you are on Unix of some flavor. Use inetd. It always works or the O/S does not work 😊 It then becomes the actual server and a new instance of stunnel is fired for every connection. I use it because it is the most reliable way and takes no server software management. There is an old argument against this – it is in theory has less performance when a correction is created. I say theoretical as modern computers are so fast that creating a process millions of times does not stress a machine. I run 100s of millions of connections daily on a single computer and have zero performance issues. I also have zero issues like you described and I always had them before. Even if you do have an issue it would only affect one connection. Because each connection is unique. From your description it is the server process having an issue or perhaps some of the children not getting “clean” as they keep them running in a loop. With inetd it does it’s business and ends. There are no cross-connection or server issues.
I give this advice several times a year and may ¼ take it and thank me. The rest mock the idea citing the theoretical performance difference (without even trying it) and continue to struggle. This is not just an issue with this version. Many versions have had trouble with running in a loop like that – memory management, variables not cleared, etc. And remember openssl is tied to this as well.
The other thing I would recommend (also weird) is using static links. That way an install of say a new openssl (where your encryption issue appears to be now) won’t affect you. There is no way anyone is testing the software with every version of every O/S with every version of openssl. If you do a static link and have a working version, no need to change. Until a new TLS comes out or something but you can control that well when you have a static link. And that, BTW, theoretically loads faster. The program is much bigger but in need not load dynamic libraries from all over the place when it is fired up.
Let me know what you find out and do 😊
E
VICS, LLC
Eric S Eberhard
2933 W Middle Verde Rd
Camp Verde, AZ 86322
928-567-3727 (land line)
928-301-7537 (cell phone)
https://www.facebook.com/groups/286143052248115
From: Steve Clement <steve3279@gmail.com>
Sent: Friday, February 4, 2022 4:52 AM
To: stunnel-users@stunnel.org
Subject: [stunnel-users] stunnel 5-15 minute outages
Hello,
I have been working on an issue that seems a lot like this one:
We are running stunnel 5.56 and it has been working with no issues until November. Since November there have been 6 short 5-15 minute outages where we see network traffic between client and server in the packet captures, but stunnel logs stop during this period. Everything recovers on its own after this brief outage. I am looking for help in what to look for to explain this.
Feb 2 14:49:29 *host* stunnel: LOG5[22565874]: Connection closed: 83 byte(s) sent to TLS, 74 byte(s) sent to socket
Feb 2 15:00:36 *host* stunnel: LOG6[2705685]: Peer certificate not required
We usually see dozens of messages every second, so to have an 11 minute gap in the logs is unusual.
Any help would be appreciated, thank you.
--
Steve Clement
steve3279@gmail.com
614-632-7380