Hello,
I have used sTunnel for years and updated from 5.17 to 5.18 on my Win7 64-bit.
I use sTunnel for POP-SSL and SMTP-SSL for 12 accounts (gmail, yahoo ...) but I noticed that after a few connections sTunnel may keep high CPU, 25% as reported by TaskManager (50% on cores 1 and 3 on my Core-i5 quad-core).
The problem may appear after 10 connections, sometimes more.
The order in which the POP-S accounts are checked does not matter.
The POP accounts are never heavily loaded; I mean I do not receive tons of e-mails and they are not oversized.
Sometimes the 25% CPU usage disappears on its own; sometimes it can stay forever.
Never noticed such problem on previous versions.
Standard logs show nothing special.
regards.
On 14.06.2015 00:04, Dod wrote:
I use sTunnel for POP-SSL and SMTP-SSL for 12 accounts (gmail, yahoo ...) but I noticed that after a few connections sTunnel may keep high CPU, 25% as reported by TaskManager (50% on cores 1 and 3 on my Core-i5 quad-core).
After 1 minute of running, stunnel running in server mode starts computing new DH parameters. This usually takes a few minutes depending on your hardware. The process is repeated every 24 hours.
If you don't want it, you can generate static DH parameters with: openssl dhparam 2048 and append them to your stunnel.conf
Sometimes the 25% CPU usage disappears on its own; sometimes it can stay forever.
...depending on how you define "forever"...
Never noticed such problem on previous versions.
Standard logs show nothing special.
You should see "DH parameters updated" message when the process completes.
Mike
On Sun, 14 Jun 2015 06:59:52 +0200 Michal Trojnara Michal.Trojnara@mirt.net wrote:
After 1 minute of running, stunnel running in server mode starts computing new DH parameters. This usually takes a few minutes depending on your hardware. The process is repeated every 24 hours.
Hi,
depending on your hardware, and what hardware we need now to run stunnel in server mode...
I see that the difference with previous versions is these 2 lines:
Using hardcoded DH parameters
DH initialized with 2048-bit key
Seeing that I'm over 15 minutes now (and waiting) running the command openssl dhparam 2048 to generate a static one, this could be a nightmare every 24 hours. For me it isn't 25% CPU, it is above 50% (or 100% in one thread) on a humble Pentium 4.
For me, too much. That is why I decided to follow your advice but, anyway, this takes too long to be the default for every system where stunnel runs. Some people might have stunnel running on lower-spec hardware for a tiny server.
It is only my opinion.
Regards.
P.S.: I waited till the end before sending this to the list and it took, finally, over 20 minutes...
Hello Javier,
Well, after writing my answer to Michal a few hours ago (and restarting stunnel again) ... still 25%!
For sure something is wrong... and looking at the log file, there is no "DH parameters end" event since I restarted stunnel 3 hours ago.
Something goes wrong with this calculation cycle that makes it never end.
regards.
On 14.06.2015 16:47, Javier wrote:
depending on your hardware, and what hardware we need now to run stunnel in server mode...
[cut]
For me it isn't 25% CPU, it is above 50% (or 100% in one thread) on a humble Pentium 4.
Yes, it may be a good idea to add static DH parameters into stunnel.pem if you run stunnel on ARM, MIPS, or a 10-year-old PC platform.
For me, too much. That is why I decided to follow your advice but, anyway, this takes too long to be the default for every system where stunnel runs. Some people might have stunnel running on lower-spec hardware for a tiny server.
It is only my opinion.
[cut]
P.S.: I waited till the end before sending this to the list and it took, finally, over 20 minutes...
I attempt to run this thread with low CPU priority wherever possible. Some CPU utilization should not be a problem in practice.
The DH parameters are only generated when at least one of the services runs in server mode. I assume battery-powered machines rarely run as servers...
I appreciate your opinions. Do you think I should trade security for 20 minutes idle CPU time every 24 hours? On modern machines it's closer to 2 minutes...
Mike
On 14/06/15, you wrote in gmane.network.stunnel.user:
I appreciate your opinions. Do you think I should trade security for 20 minutes idle CPU time every 24 hours? On modern machines it's closer to 2 minutes... Mike
Hi,
No, of course not. I understood that you did this for security reasons. Better to randomize DH params every X time than fixed, but maybe it should be considered.
A user option maybe, to set fixed or random, but random by default? Just an idea.
Note that I'm not requesting this for me, just saying that there could be low-spec environments running tiny servers. If it is going to be the default, good to know anyway.
I would lie if I didn't say that I run the server(s) for short periods of time, and having stunnel running 20 minutes calculating the DH is [something], even if the DH aren't needed to start connections.
You set them as fixed from 4.40 (according to the manual) and I'm using Stunnel from 4.5x, so this was new to me.
Regards.
P.S.: fixed=hardcoded
Hello Michal,
I think I found something about the permanent CPU usage, it may not be directly related to DH calculation.
Now I activated the debug=info level I have a better view of what is happening.
As shown in my previous mail with the log sample, on the last stunnel startup the DH calculation took a matter of minutes, all was OK and the CPU slowed down as it should at the end of the calculation.
But right now, a few hours later, the CPU is stuck again with this 25% usage.
I checked the logs and saw nothing related to DH or [CRON], so it is not because the DH calculation may have restarted sooner than the expected 24h cycle.
The only thing I did was travel with my laptop in my bag, so the computer went into standby mode and then woke up 2 hours later, and right now, one hour after this wake-up, CPU is still 25%.
Going from standby to awake mode produced some winsock errors in the logs (nothing unusual, all related to the loss of my WiFi until it connected again) like:
Software caused connection abort (WSAECONNABORTED) (10053)
Network is unreachable (WSAENETUNREACH) (10051)
I think that CPU usage may go crazy if some kind of session failure happens, but I may be wrong.
Did something change between 5.17 and 5.18 related to error/session management ?
regards.
On 15.06.2015 00:04, Dod wrote:
Did something change between 5.17 and 5.18 related to error/session management ?
There is one change. Could you check your logs for "no descriptor is ready"?
Mike
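Mike's request to check the logs for "no descriptor is ready", together with the earlier hints that a completed DH run is marked by "DH parameters updated" and a startup by "DH initialized with", suggests a small triage step before anyone guesses at the cause of a stuck 25% CPU. The script below is an added example, not code from stunnel or from anyone on the list: it scans a log for those message texts (only the phrases quoted in this thread are relied on), counts the winsock errors Dod mentioned, and gives a plain verdict. The log lines it ships with are constructed for the example; the message layout around the quoted phrases is assumed, not copied from a real stunnel log.

```shell
#!/bin/sh
# Added example (not stunnel's code). Assumed: only the message texts quoted in
# the thread are meaningful; timestamps and "LOGn[...]" prefixes are constructed.

# Summarise the part of the log after the most recent stunnel startup.
# Prints:  dh_updated=<yes|no> no_descriptor=<count> winsock_errors=<count>
# or "startup=none" if no "DH initialized with" line is present at all.
triage_stunnel_log() {
    awk '
        # each startup resets the counters so only the current run is judged
        /DH initialized with/      { start = NR; updated = 0; nodesc = 0; wsa = 0 }
        /DH parameters updated/    { updated = 1 }
        /no descriptor is ready/   { nodesc++ }
        /WSAE[A-Z]+/               { wsa++ }
        END {
            if (start == 0) { print "startup=none"; exit }
            printf "dh_updated=%s no_descriptor=%d winsock_errors=%d\n",
                   (updated ? "yes" : "no"), nodesc, wsa
        }
    ' "$1"
}

# Turn the summary into the question the thread is asking: is the CPU still
# busy with the DH computation, or is something else looping?
stunnel_cpu_verdict() {
    summary=$(triage_stunnel_log "$1")
    case $summary in
        startup=none)        echo "no startup line found: is this the right log?" ;;
        *dh_updated=no*)     echo "DH computation not finished yet: wait for 'DH parameters updated'" ;;
        *no_descriptor=0\ *) echo "DH done and no poll errors: the DH cycle is not the cause" ;;
        *)                   echo "DH done but 'no descriptor is ready' seen: report these lines" ;;
    esac
}

# Constructed sample log for this example (not a real stunnel log).
SAMPLE_LOG='2015.06.14 20:00:01 LOG5[main]: Using hardcoded DH parameters
2015.06.14 20:00:01 LOG5[main]: DH initialized with 2048-bit key
2015.06.14 20:03:12 LOG5[cron]: DH parameters updated
2015.06.15 02:10:40 LOG3[3]: Software caused connection abort (WSAECONNABORTED) (10053)
2015.06.15 02:10:41 LOG3[4]: Network is unreachable (WSAENETUNREACH) (10051)
2015.06.15 02:10:41 LOG3[main]: no descriptor is ready
2015.06.15 02:10:41 LOG3[main]: no descriptor is ready'

# Stand-alone demo: write the sample to a temp file and triage it.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
triage_stunnel_log "$demo_log"
stunnel_cpu_verdict "$demo_log"
rm -f "$demo_log"
```

Run it against the real file named by stunnel's `output` setting; with `debug = info` as Dod enabled, the DH and poll messages appear at the levels the thread mentions, and the verdict line tells you whether the 24-hour DH cycle is even in play before you look at session handling.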
On 14.06.2015 21:13, Javier wrote:
A user option maybe, to set fixed or random, but random by default? Just an idea.
This is how it's implemented. You can add your own (fixed) DH parameters to your stunnel.conf in order to prevent stunnel from generating them every 24 hours.
Best regards, Mike
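Mike's advice, given twice in this thread (generate static parameters with `openssl dhparam 2048` and add them to the stunnel configuration so the daemon stops regenerating them every 24 hours), is the kind of one-off step that deserves an idempotent script. The one below is an added example, not stunnel's own code or anything the list posters wrote. It assumes the parameters are appended to the PEM file stunnel loads (the thread names both stunnel.conf and stunnel.pem; the path used here is a placeholder), defaults to the 2048-bit size the thread discusses, and refuses to append a second block if one is already present. The `has_dh_params` and `append_dh_params` names are this example's own.

```shell
#!/bin/sh
# Added example (not stunnel's code). Assumed: DH parameters go into the PEM
# file stunnel reads; /etc/stunnel/stunnel.pem below is a placeholder path.

# Report whether FILE already carries a DH PARAMETERS block.
# Prints "yes" or "no" so callers can test it in a pipeline.
has_dh_params() {
    if grep -q -- '-----BEGIN DH PARAMETERS-----' "$1" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Generate BITS-bit DH parameters (default 2048) and append them to FILE
# unless a block is already there.  Generation is the slow step the thread
# complains about: doing it once here, and checking the result, is the whole
# point of the static-parameter approach.
append_dh_params() {
    file=$1
    bits=${2:-2048}
    if [ "$(has_dh_params "$file")" = yes ]; then
        echo "DH parameters already present in $file"
        return 0
    fi
    tmp=$(mktemp) || return 1
    # "openssl dhparam -check" verifies the prime and generator before the
    # block is trusted; both commands are silenced so only our line is printed.
    if openssl dhparam -out "$tmp" "$bits" >/dev/null 2>&1 \
       && openssl dhparam -check -noout -in "$tmp" >/dev/null 2>&1; then
        cat "$tmp" >> "$file"
        rm -f "$tmp"
        echo "appended $bits-bit DH parameters to $file"
        return 0
    fi
    rm -f "$tmp"
    echo "failed to generate DH parameters" >&2
    return 1
}

# Usage (placeholder path): append_dh_params /etc/stunnel/stunnel.pem 2048
```

Expect the 2048-bit generation to take minutes on the kind of hardware Javier describes; run it on a faster machine and copy the resulting block if the target box is slow. After restarting stunnel, the log should no longer show a daily DH regeneration for that service.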
On Tue, 16 Jun 2015 16:40:53 +0200 Michal Trojnara Michal.Trojnara@mirt.net wrote:
On 14.06.2015 21:13, Javier wrote:
A user option maybe, to set fixed or random, but random by default? Just an idea.
This is how it's implemented. You can add your own (fixed) DH parameters to your stunnel.conf in order to prevent stunnel from generating them every 24 hours.
Hi,
ok, ok.
That last idea was in the direction of an option for toggling between hardcoded DH (as built into stunnel until now, instead of letting the user generate a static one) and generating them randomly every 24 hours.
But I see it is pointless.
Nothing else then.
Regards.
Hello Michal,
Since my previous email I did some tests, and each time I put my laptop into standby mode and wake it, stunnel goes into 25% CPU usage.
But as it can also happen during the day without standby mode, I am still thinking it may have something to do (directly or indirectly) with winsock errors; maybe a thread goes into some fast loop that makes it use that much CPU?
regards.