Hello-
I am new to Stunnel and have a basic architecture question.
I have Stunnel installed on box A where it receives http messages from multiple client processes. Stunnel sends them to box B via https (mutual ssl).
We are seeing that Stunnel opens one connection for each client process.
Can we configure Stunnel to have only ONE SSL connection (or a pool of connections) between box A and B and have Stunnel use the open connection for all traffic from various clients?
We would like to avoid the overhead of SSL-handshake for each new client process.
Thanks for the help.
Sunil
On Thu, 2010-09-16 18:12:36 -0700, Sunil Karumuri wrote:
[..]
Can we configure Stunnel to have only ONE SSL connection (or a pool of connections) between box A and B and have Stunnel use the open connection for all traffic from various clients?
Sunil,
This would add a lot of complexity to stunnel, as it would need to keep track of originator and destination (and sequence) of the 'data items' sent through the tunnel. Also the state of the multiplexed connections has to be known on both ends of the tunnel. (Currently, the TCP/IP stack does this job.)
Maybe the multiplexing could be done with other tools (like encapsulate(1) from the netpipes(1) package), still using stunnel for encryption.
You may also be looking for a VPN solution.
Ludolf
Ludolf Holzheid wrote:
Sunil Karumuri wrote:
Can we configure Stunnel to have only ONE SSL connection (or a pool of connections) between box A and B and have Stunnel use the open connection for all traffic from various clients?
You may also be looking for a VPN solution.
... or just use SSH tunnels instead of SSL encapsulation.
It's not really a matter of specific software (e.g. stunnel), but the SSL protocol itself. SSL/TLS is based on 1:1 encapsulation of a data stream in an SSL connection. In most cases it's a good idea, e.g. traffic shapers (in OS kernels or network devices) can see separate data streams, preventing starvation of low-throughput interactive connections.
It's possible to add a multiplexing layer between data streams and SSL. That's what so-called "SSL VPNs" do. Please note such an extension would be proprietary and thus incompatible with any other product. IMHO interoperability is a huge advantage of stunnel over various proprietary products.
Mike
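For reference, here is what the box A / box B setup from the original question looks like as a pair of stunnel configuration files. This is an added example, not configuration from the thread; the hostnames, ports and certificate paths are placeholders. It makes the 1:1 behaviour Mike describes explicit: every connection the [http-to-boxB] service accepts gets its own TLS session to box B, and the mutual authentication is enforced on both ends with `verify = 2` against a shared CA.

```ini
; ---- box A: stunnel in client mode ---------------------------------------
; Local client processes send plaintext HTTP to 127.0.0.1:8080. For EACH
; accepted TCP connection stunnel performs a full TLS handshake with box B;
; there is no shared or pooled tunnel (see Mike's explanation above).
cert   = /etc/stunnel/boxA.pem       ; box A's client certificate
key    = /etc/stunnel/boxA.key       ; its private key (0600, root-owned)
CAfile = /etc/stunnel/ca.pem         ; CA that issued box B's certificate
verify = 2                           ; require box B to present a cert signed by CAfile
debug  = 5                           ; log each TLS session so handshakes can be counted
output = /var/log/stunnel-boxA.log

[http-to-boxB]
client  = yes
accept  = 127.0.0.1:8080             ; plaintext side, local clients only
connect = boxB.example.internal:8443 ; placeholder hostname for box B

; ---- box B: stunnel in server mode ---------------------------------------
; Terminates TLS and forwards plaintext to the local HTTP service.
cert   = /etc/stunnel/boxB.pem
key    = /etc/stunnel/boxB.key
CAfile = /etc/stunnel/ca.pem         ; CA that issued box A's client certificate
verify = 2                           ; mutual TLS: reject clients without a CA-signed cert
debug  = 5
output = /var/log/stunnel-boxB.log

[boxB-https]
accept  = 8443
connect = 127.0.0.1:80               ; local HTTP backend, never exposed directly
```

With `debug = 5` each accepted client connection produces its own session entries in the log on both boxes, which is the quickest way to confirm the one-TLS-session-per-client behaviour rather than to work around it.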