Jeremy, I know there's an Android build of stunnel. I'm not trying to be funny, but are you running stunnel on your mobile phone? :)
The latest Android mobile phones include quad-core CPUs with 2 GB of RAM. It would be interesting to see how much of a load a mobile phone can handle with a USB to RJ45 Ethernet interface.
Edit: I tried sending this earlier, but it doesn't look like it went through. My apologies in case this is a duplicate.
Thanks for taking the time to read this. We're operating on a low-spec system that cannot be modified at this point. stunnel was introduced at the last minute, without consideration of resource requirements, and now consumes enough RAM to cause the kernel to issue OOM exceptions. So in short, we are trying to trade increased CPU usage for less memory usage and have tried setting "sessions" to 3600 to reduce memory pressure, but unfortunately it doesn't last. Our current solution is to cron a restart of stunnel on a regular basis, but we would prefer to limit the number of threads or the number of cache entries, or something else similarly gentle. Thanks again for your consideration and assistance in this! If there's any specific information I can give, please let me know.
Regards,
Jeremy
Arsen, you are right, that article is old. It presumes you're using stunnel3. The current version of stunnel is stunnel4, which uses a configuration file instead of those command line arguments. For example, below is what you would see in a generic stunnel server config file:
/etc/stunnel/stunnel.conf:

cert = /etc/stunnel/apache.pem
key = /etc/stunnel/apache.pem
debug = 7
output = /etc/stunnel/debug.log
;sslVersion = all
setuid = nobody
setgid = nobody
pid = /var/run/stunnel/stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[pop3s]
accept = 995
connect = 110

[imaps]
accept = 993
connect = 143

[ssmtp]
accept = 465
connect = 25

[stunnel-https]
accept = 443
connect = localhost:80

Only very limited command line arguments are permitted in stunnel4. In your case, if you want to get results quicker, it may be a lot easier to just look for an old version of stunnel3 to download.
----- Forwarded Message -----
I'm trying to set up Wireshark debugging of SSL traffic by following this article: http://www.webos-internals.org/wiki/Decrypt_SSL_(trusted_man-in-the-middle_t...) It lists the following stunnel commands to do the job:

Listen on local IP and de-SSL traffic to localhost:8080
sudo stunnel -p ps.pem -d 443 -r 8080

Listen on 8080, re-SSL to remote server on 443
sudo stunnel -c -d 8080 -r ps.palmws.com:443

The article seems outdated, and stunnel does not react to these commands anymore. Can anyone provide me with a proper configuration file to do the same?
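An added example (mine, not from this thread or the stunnel project): the stunnel4 configuration equivalent to the two stunnel3 commands quoted above, emitted by a shell function so it can be written straight to a file. The cert name, ports and remote host are the ones in the quoted commands; the pid/log paths and the nobody user are assumed placeholders, and the device under test is assumed to already be pointed at this host instead of ps.palmws.com, as the article's "trusted man-in-the-middle" setup requires.

```shell
#!/bin/sh
# Added example, not from the thread. stunnel4 replaces stunnel3's -p/-d/-r/-c
# flags with sections in a config file: a server-mode section (TLS in,
# plaintext out) and a client-mode section (plaintext in, TLS out). The
# plaintext hop between them runs over loopback port 8080, which is where
# Wireshark captures it.

# Write the config to the path given as $1.
write_stunnel4_conf() {
    cat > "$1" <<'EOF'
; global options (paths are assumed placeholders, adjust to your system)
cert = /etc/stunnel/ps.pem
; key defaults to the cert file when the PEM holds both
pid = /var/run/stunnel/stunnel4.pid
debug = 7
output = /var/log/stunnel/debug.log
setuid = nobody
setgid = nobody

; equivalent of: stunnel -p ps.pem -d 443 -r 8080
[decrypt-in]
accept = 443
connect = 127.0.0.1:8080

; equivalent of: stunnel -c -d 8080 -r ps.palmws.com:443
[reencrypt-out]
client = yes
accept = 127.0.0.1:8080
connect = ps.palmws.com:443
EOF
}

# List the [section] names of a stunnel4 config file, one per line,
# as a quick sanity check that both services are defined.
conf_sections() {
    sed -n 's/^\[\(.*\)\]$/\1/p' "$1"
}

# usage: write_stunnel4_conf /etc/stunnel/stunnel.conf && stunnel /etc/stunnel/stunnel.conf
```

Run stunnel4 with the file as its only argument; there are no per-service command line flags left to pass.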
Yeah, either it's a fake or the guy must be high. I was actually trying to read it seriously when I realized it was just nonsense.
Another fake?
On Nov 11, 2012 3:25 AM, "Michal Trojnara" menkaur@gmail.com wrote:
Howdy Arsen! (Is that your real name? I must say it is a strange name for sure. But to each his own, dude.) :)
Arsen Zahray wrote:
I'm trying to set up wireshark debugging of ssl traffic by following this article:
Where exactly did you follow it to? Hee hee. Get it?
http://www.webos-internals.org/wiki/Decrypt_SSL_(trusted_man-in-the-middle_technique)
I couldn't find this site. Is there a typo booboo here?
It lists the following stunnel commands to do the job:
Listen on local IP and de-SSL traffic to localhost:8080
I'll check my notes, but I can't remember "de-SSL" being a command. Then again, I am getting a little older and my brain a little slower. So who knows for sure!
sudo stunnel -p ps.pem -d 443 -r 8080
I am 99.9% sure that "443" was never a stunnel command.
Listen on 8080, re-SSL to remote server on 443
For this one try substituting "at" for "on". That might work. Did you read the manual?
sudo stunnel -c -d 8080 -r ps.palmws.com:443
You really need to double-check this one.
The article seems outdated, and stunnel does not react to these commands anymore.
I'm not sure stunnel ever reacted to these commands. Did you test it with an old build?
Can anyone provide me with a proper configuration file to do the same?
Define "configuration file" exactly. I want to make sure we are on the same page. :)
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Wouldn't it be nice to accelerate Stunnel SSL with sslshader? I'm not sure if sslshader will have opensource/multiplatform support. But, the idea sure sounds neat.
On 2013-03-26 19:34, mkanet@yahoo.com wrote:
Wouldn't it be nice to accelerate Stunnel SSL with sslshader? I'm not sure if sslshader will have opensource/multiplatform support. But, the idea sure sounds neat.
I found this project back in 2011. It sounds interesting indeed. It would be nice to implement an OpenSSL engine front-end to their libgpucrypto, so it could be used with stunnel.
Offloading AES or SHA1 is not very practical, as software implementations can already handle over 1Tbps on modern CPUs. I bet stunnel deployments that need to handle over 1Tbps traffic are not very common.
RSA acceleration, on the other hand, sounds interesting. Although over 10 ms GPU latency sounds bad compared to ~2 ms CPU latency, the bulk processing throughput of ~20 CPU cores could be useful. On the other hand, I'm not sure if this is the most cost-effective solution. It may be cheaper to buy three 6-core or 8-core CPUs instead.
For comparison stunnel benchmark on a 6-year-old machine: https://www.stunnel.org/perf.html
Mike
I wrote:
Offloading AES or SHA1 is not very practical, as software implementations can already handle over 1Tbps on modern CPUs. I bet stunnel deployments that need to handle over 1Tbps traffic are not very common.
Of course I meant 1Gbps and not 1Tbps. 8-)
Mike
Hi!
It might already be there with the Intel AES-NI instruction set. It seems recent OpenSSL versions support it, and then by magic I guess stunnel will too.
Not tested, just read about it regarding TrueCrypt.
Regards/Uffe
On 2013-03-27 07:32, Michal Trojnara wrote:
I wrote:
Offloading AES or SHA1 is not very practical, as software implementations can already handle over 1Tbps on modern CPUs. I bet stunnel deployments that need to handle over 1Tbps traffic are not very common.
Of course I meant 1Gbps and not 1Tbps. 8-)
Mike
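An added check for the AES-NI point above (my own example, not from Uffe's mail or the stunnel project): it reports whether the CPU advertises the instructions and, where openssl is installed, runs the same `openssl speed` benchmark with and without OpenSSL's documented OPENSSL_ia32cap mask, so the gain stunnel would see is measured rather than assumed.

```shell
#!/bin/sh
# Added example, not from the thread. stunnel encrypts through OpenSSL's EVP
# layer, so "openssl speed -evp" reflects what stunnel gets. The value
# OPENSSL_ia32cap=~0x200000200000000 is OpenSSL's documented capability mask
# that hides AES-NI (and PCLMULQDQ) from one process, giving a same-machine
# software baseline to compare against.

# Print "yes" if the kernel advertises the aes CPU flag (x86 "flags" line or
# ARM "Features" line), "no" otherwise (including on systems without /proc).
aesni_status() {
    if [ -r /proc/cpuinfo ] && grep -E '^(flags|Features)' /proc/cpuinfo | grep -qw aes; then
        echo yes
    else
        echo no
    fi
}

# Run AES-128-CBC twice: hardware path first, then with AES-NI masked.
# Each result line lists bytes/s per block size; compare the two lines.
aes_speed_compare() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 1; }
    echo "AES-NI advertised by CPU: $(aesni_status)"
    echo "--- hardware AES (if present) ---"
    openssl speed -evp aes-128-cbc 2>/dev/null | grep '^aes-128-cbc'
    echo "--- AES-NI masked via OPENSSL_ia32cap ---"
    OPENSSL_ia32cap='~0x200000200000000' openssl speed -evp aes-128-cbc 2>/dev/null | grep '^aes-128-cbc'
}

# usage: aes_speed_compare
```

If the two result lines are nearly identical, the OpenSSL build (or the CPU) is not using AES-NI, whatever the cpuinfo flag says.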