Hi,
I am trying to use stunnel to add SSL support to my app. My app and Linux server are tuned to accept 200k+ connections without a problem. When adding stunnel on the same server, the connections stop when they reach 64k because stunnel uses ephemeral ports to connect to my app on the localhost.
Any suggestions how to get around this limit?
One thing I am thinking of is to add 10 virtual interfaces on loopback: lo0:2, lo0:3, etc. with IPs 127.0.0.2, 127.0.0.3, etc. Can stunnel be configured to cycle through a pool of IPs for outbound connections to my app listening on 127.0.0.1? That would give 10x64k ephemeral ports. I see stunnel has "local" to specify the outgoing IP, but I am not sure if it supports a list of IPs or can be used multiple times. If so, will it round-robin the list?
Thanks Frank
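One way to see where the ephemeral-port budget is actually going, as an added example that is not from this thread or from stunnel: the script below parses output in the layout of `ss -tan` (a constructed sample is embedded, with the backend port 8888 from the thread) and counts the proxy's outbound sockets per (local address, peer address, peer port) tuple, which is effectively the key Linux allocates ephemeral ports against, so each extra loopback source address or backend address brings a fresh port range. The port range is an assumed default; read it from `/proc/sys/net/ipv4/ip_local_port_range` on a real host.

```python
"""Per-tuple ephemeral-port usage for a local proxy hop (stunnel -> backend).
Constructed example for this thread, not stunnel code: parses `ss -tan`-style
output and groups outbound sockets by (local addr, peer addr, peer port)."""
from collections import Counter

# Constructed sample in `ss -tan` layout; 8888 is the backend port from the thread.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      127.0.0.1:40001      127.0.0.1:8888
ESTAB      0      0      127.0.0.1:40002      127.0.0.1:8888
TIME-WAIT  0      0      127.0.0.1:40003      127.0.0.1:8888
ESTAB      0      0      127.0.0.2:40001      127.0.0.1:8888
LISTEN     0      128    *:8889               *:*
ESTAB      0      0      10.0.0.5:8889        10.0.0.9:51234
"""

# Assumed range; on a real host read /proc/sys/net/ipv4/ip_local_port_range.
PORT_RANGE = (32768, 60999)


def split_addr(field):
    """Split 'host:port' ('[::1]:port' for IPv6) into (host, port or None)."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def outbound_usage(ss_text, backend_port):
    """Count sockets whose peer port is the backend, keyed by the tuple Linux
    allocates ephemeral ports against.  TIME-WAIT is counted: the port stays
    busy until the timer expires (or tcp_tw_reuse applies)."""
    usage = Counter()
    for line in ss_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        local_host, _ = split_addr(fields[3])
        peer_host, peer_port = split_addr(fields[4])
        if peer_port == backend_port:
            usage[(local_host, peer_host, peer_port)] += 1
    return usage


def headroom(usage, port_range=PORT_RANGE):
    """Ephemeral ports still free per tuple, given the inclusive range."""
    size = port_range[1] - port_range[0] + 1
    return {key: size - used for key, used in usage.items()}
```

Run `headroom(outbound_usage(SAMPLE_SS, 8888))` to get the remaining ports per tuple; feeding it real `ss -tan` output shows whether a second loopback source address is actually relieving the 127.0.0.1 pool.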
On 2014-04-26 19:38, Frank Liu wrote:
I am trying to use stunnel to add SSL support to my app. My app and Linux server are tuned to accept 200k+ connections without a problem. When adding stunnel on the same server, the connections stop when they reach 64k because stunnel uses ephemeral ports to connect to my app on the localhost.
Could you please share your configuration file, and the versions of stunnel and Linux kernel? Maybe I can recommend an easier solution.
Mike
On Mon, Apr 28, 2014 at 11:07 AM, Michal Trojnara <Michal.Trojnara@mirt.net> wrote:
On 2014-04-26 19:38, Frank Liu wrote:
I am trying to use stunnel to add SSL support to my app. My app and Linux server are tuned to accept 200k+ connections without a problem. When adding stunnel on the same server, the connections stop when they reach 64k because stunnel uses ephemeral ports to connect to my app on the localhost.
Could you please share your configuration file, and the versions of stunnel and Linux kernel? Maybe I can recommend an easier solution.
Mike
Thanks Mike! Below is the information you requested.
Frank
chroot = /opt/stunnel/var/lib/stunnel/
setuid = appadm
setgid = appadm
pid = /stunnel.pid
cert = /opt/app/app.pem
key = /opt/app/app.key
options = NO_SSLv2
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[appssl-8889]
accept = 8889
connect = 127.0.0.1:8888
uname -a
Linux tiger 3.2.0-49-generic #75-Ubuntu SMP Tue Jun 18 17:39:32 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

./stunnel -version
stunnel 5.01 on x86_64-unknown-linux-gnu platform
Compiled with OpenSSL 1.0.1c 10 May 2012
Running with OpenSSL 1.0.1 14 Mar 2012
Update OpenSSL shared libraries or rebuild stunnel
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS

Global options:
debug = daemon.notice
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options:
ciphers = FIPS (with "fips = yes")
ciphers = HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2 (with "fips = no")
curve = prime256v1
sessionCacheSize = 1000
sessionCacheTimeout = 300 seconds
sslVersion = TLSv1 (with "fips = yes")
sslVersion = TLSv1 for client, all for server (with "fips = no")
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none