Hi,
We run stunnel on Solaris 9 with unlimited FD. Today we get the following error:
connect_wait: s_poll_wait timeout
With 'top' we see ~190-~220 threads and the client can't connect to our site.
Our config is:
---
cert = /usr/local/apache/our.pem

setuid = stunnel
setgid = apache
options = ALL
pid = /usr/local/apache/logs/stunnel_netbanking.pid

ciphers = ALL:!EXP1024-DHE-DSS-RC4-SHA:!EXP1024-RC4-SHA:!EXP1024-DHE-DSS-DES-CBC-SHA:!EXP1024-DES-CBC-SHA:!EXP1024-RC2-CBC-MD5:!EXP1024-RC4-MD5:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL:@STRENGTH

debug = 6
output = /usr/local/apache/logs/stunnel_netbanking.log

[https]
accept = 10.3.169.208:443
connect = 10.3.169.208:10800
TIMEOUTclose = 0
xforwardedfor = yes
---
stunnel 4.07 on sparc-sun-solaris2.9 PTHREAD+POLL+IPv4 with OpenSSL 0.9.7d 17 Mar 2004
PRNG seeded successfully
file ulimit = 2147483647 (can be changed with 'ulimit -n')
poll() used - no FD_SETSIZE limit for file descriptors
8388607 clients allowed
---
Please can you help us to solve the problem.
thx
al ;-)
Alexander Lazic wrote:
> We run stunnel on Solaris 9 with unlimited FD. Today we get the following error:
> connect_wait: s_poll_wait timeout
It simply means that your remote web server was not able to accept the connection within 10 seconds. You can increase the timeout with the TIMEOUTconnect option.
> With 'top' we see ~190-~220 threads and the client can't connect to our site.
Quite a huge load for a website. You could try squid as an http accelerator or cluster your webserver.
> [https]
> accept = 10.3.169.208:443
> connect = 10.3.169.208:10800
I think you could get a bit better performance with: "connect = 10800" (same as "connect = localhost:10800").
> xforwardedfor = yes
I hope your xforwardedfor patch is not a security risk. AFAIR there were obvious buffer overflows in the patches on the stunnel.org website.
Best regards, Mike
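
To check the diagnosis given in the reply (the backend not accepting connections within the 10-second connect timeout), the following added example opens a batch of TCP connections to your own backend and counts how many complete, time out, or fail. It is not part of the original thread and is not stunnel code; the function names and the default concurrency are assumptions chosen for illustration.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor

CONNECT_TIMEOUT = 10.0  # seconds; the connect timeout quoted in the reply


def connect_once(host, port, timeout=CONNECT_TIMEOUT):
    """Open one TCP connection and return (outcome, seconds_taken)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            outcome = "ok"
    except socket.timeout:
        outcome = "timeout"  # the case stunnel reports as a connect timeout
    except OSError:
        outcome = "error"    # refused, unreachable, no route, ...
    return outcome, time.monotonic() - start


def probe_backend(host, port, concurrency=200, timeout=CONNECT_TIMEOUT):
    """Open `concurrency` connections at once and summarise the outcomes.

    The default of 200 is an assumption that roughly matches the thread
    count reported in the thread.
    """
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        results = list(pool.map(
            lambda _: connect_once(host, port, timeout), range(concurrency)))
    summary = {"ok": 0, "timeout": 0, "error": 0}
    for outcome, _ in results:
        summary[outcome] += 1
    summary["slowest"] = max(elapsed for _, elapsed in results)
    return summary


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <backend-host> <backend-port>
    print(probe_backend(sys.argv[1], int(sys.argv[2])))
```

A non-zero "timeout" count, or a "slowest" value close to 10 seconds, points at the backend's accept rate rather than at stunnel itself.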