Which is why my advice is “strange.” We support so many Unix versions with thousands of users of various capabilities. I don’t want to have to learn secret tricks – especially as they change with versions of the O/S. So I use inetd – all the same on every O/S and always works. I see no reason not to do this unless you have a belief that there is a performance issue with it, which is possible I suppose but I suspect completely unlikely in modern computers. Further, inetd is running anyway so the server part is hardly affected by stunnel whereas if you use stunnel in server mode it has overhead … so a real picky person would do performance analysis and it still may be more efficient to use inetd depending on server overhead. Which is like different by O/S and computer hardware and …
I worry about performance only when it actually matters. I’d rather concern myself with reliability with less maintenance on my part. My primary O/S is AIX which is stone reliable and requires little fussing with – hence using AIX to do the server part (inetd) makes my life easier.
And probably 95% of the people here will disagree with me and that is fine because there is no “right” answer, just choices. I just think some people dismiss inetd out of hand because they were told a decade or two ago (I am old 😊 ) that performance was an issue and that remains the legend. And, I have helped several people overcome issues by changing to inetd, especially those with little experience in server management and/or O/S settings like Danny did (good job!).
So please don’t flame me people – this is just explaining why one might consider using inetd mode, not making a case to always use it.
E
VICS, LLC
Eric S Eberhard
2933 W Middle Verde Rd
Camp Verde, AZ 86322
928-567-3727 (land line)
928-301-7537 (cell phone)
http://www.vicsmba.com/
https://www.facebook.com/groups/286143052248115
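Eric's inetd-mode setup written out, as an added example that is neither his configuration nor a file from the stunnel project; the file paths, the imaps service, the plaintext backend on port 143 and a dedicated `stunnel` account that can read the key are assumptions:

```ini
# /etc/inetd.conf entry (one line). inetd owns the listening socket and starts a
# fresh stunnel for every accepted connection, so a wedged process only affects
# its own connection. The account is an assumption; it must be able to read the key.
#   imaps  stream  tcp  nowait  stunnel  /usr/sbin/stunnel  stunnel /etc/stunnel/imaps-inetd.conf

# /etc/stunnel/imaps-inetd.conf, the file named above.
# inetd mode is selected by the absence of any [service] section: the options
# that would normally sit under a section name go in the global section, and
# there is no "accept" line because inetd already accepted the connection.
cert = /etc/stunnel/imaps.pem
key  = /etc/stunnel/imaps.key
; where the decrypted traffic is forwarded (assumed: local plaintext IMAP daemon)
connect = 127.0.0.1:143
; keep per-connection logging in syslog, which is where Steve's gap showed up
syslog = yes
debug = 5
```

Every connection is its own process, so the in-process TLS session cache does not carry over between connections; stunnel's `sessiond` option can point all of them at a shared cache if resumption matters.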
From: Danny Clowes danny0809881@gmail.com
Sent: Friday, February 4, 2022 1:21 PM
To: Eric Eberhard flash@vicsmba.com
Cc: Steve Clement steve3279@gmail.com; stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Re: stunnel 5-15 minute outages
Hi,
I’ve been using stunnel on a number of servers for a very long time; overall, experience has been very good, not had any issues or concerns with stunnel, they never crash, always online. I’ve just tested stunnel on Debian 11, it’s working brilliantly. The Linux system does have limitations in place and the client will only allow so many connections before it will close down, say, can’t take any more connections; however, I edited the Linux server to remove the limitation in place. These were teething issues when I started to use stunnel. If anyone is interested I would provide hidden secrets on how to make stunnel work like a dream.
On Fri, 4 Feb 2022, 19:04 Eberhard, <flash@vicsmba.com> wrote:
I will give you strange advice assuming you are on Unix of some flavor. Use inetd. It always works or the O/S does not work 😊 It then becomes the actual server and a new instance of stunnel is fired for every connection. I use it because it is the most reliable way and takes no server software management. There is an old argument against this – in theory it has less performance when a connection is created. I say theoretical as modern computers are so fast that creating a process millions of times does not stress a machine. I run 100s of millions of connections daily on a single computer and have zero performance issues. I also have zero issues like you described and I always had them before. Even if you do have an issue it would only affect one connection, because each connection is unique. From your description it is the server process having an issue or perhaps some of the children not getting “clean” as they keep them running in a loop. With inetd it does its business and ends. There are no cross-connection or server issues.
I give this advice several times a year and maybe ¼ take it and thank me. The rest mock the idea citing the theoretical performance difference (without even trying it) and continue to struggle. This is not just an issue with this version. Many versions have had trouble with running in a loop like that – memory management, variables not cleared, etc. And remember openssl is tied to this as well.
The other thing I would recommend (also weird) is using static links. That way an install of say a new openssl (where your encryption issue appears to be now) won’t affect you. There is no way anyone is testing the software with every version of every O/S with every version of openssl. If you do a static link and have a working version, no need to change. Until a new TLS comes out or something but you can control that well when you have a static link. And that, BTW, theoretically loads faster. The program is much bigger but it need not load dynamic libraries from all over the place when it is fired up.
Let me know what you find out and do 😊
E
VICS, LLC
Eric S Eberhard
2933 W Middle Verde Rd
Camp Verde, AZ 86322
928-567-3727 (land line)
928-301-7537 (cell phone)
http://www.vicsmba.com/
https://www.facebook.com/groups/286143052248115
From: Steve Clement <steve3279@gmail.com>
Sent: Friday, February 4, 2022 4:52 AM
To: stunnel-users@stunnel.org
Subject: [stunnel-users] stunnel 5-15 minute outages
Hello,
I have been working on an issue that seems a lot like this one:
https://www.stunnel.org/pipermail/stunnel-users/2011-January/002898.html
We are running stunnel 5.56 and it has been working with no issues until November. Since November there have been 6 short 5-15 minute outages where we see network traffic between client and server in the packet captures, but stunnel logs stop during this period. Everything recovers on its own after this brief outage. I am looking for help in what to look for to explain this.
Feb 2 14:49:29 *host* stunnel: LOG5[22565874]: Connection closed: 83 byte(s) sent to TLS, 74 byte(s) sent to socket
Feb 2 15:00:36 *host* stunnel: LOG6[2705685]: Peer certificate not required
We usually see dozens of messages every second, so to have an 11 minute gap in the logs is unusual.
Any help would be appreciated, thank you.
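The 11-minute silence Steve describes is easier to catch by machine than by reading dozens of lines a second. An added example (not from the thread) that parses stunnel's syslog lines in the format quoted above and reports every silence longer than a threshold; the host name, the sample lines and the year are constructed:

```python
import re
from datetime import datetime, timedelta

# Syslog-style stunnel line as quoted in the thread:
#   "Feb  2 14:49:29 host stunnel: LOG5[22565874]: Connection closed: ..."
# The optional "[pid]" after "stunnel" covers hosts whose syslog adds one.
LINE_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+(\S+)\s+stunnel(?:\[\d+\])?:\s+"
    r"LOG(\d)\[(\d+)\]:\s*(.*)$"
)

def parse_line(line, year):
    """Return a dict for a stunnel syslog line, or None if the line is something else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mon, day, hms, host, level, conn_id, msg = m.groups()
    ts = datetime.strptime(f"{year} {mon} {int(day)} {hms}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": host, "level": int(level), "id": int(conn_id), "msg": msg}

def find_gaps(lines, max_silence=timedelta(minutes=5), year=2022):
    """Return [(last_seen, next_seen, seconds)] for every silence longer than max_silence.
    Syslog timestamps carry no year, so `year` is the year of the first line; a timestamp
    that goes backwards is treated as a new-year rollover (or an out-of-order line)."""
    gaps, prev = [], None
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        ts = rec["ts"]
        if prev is not None and ts < prev:
            year += 1
            ts = ts.replace(year=year)
        if prev is not None and ts - prev > max_silence:
            gaps.append((prev, ts, int((ts - prev).total_seconds())))
        prev = ts
    return gaps

# Constructed sample modelled on the two lines Steve posted: busy, then 11 minutes of silence.
SAMPLE_LOG = """\
Feb  2 14:49:27 gw01 stunnel: LOG6[22565873]: Peer certificate not required
Feb  2 14:49:28 gw01 stunnel: LOG5[22565873]: Connection closed: 120 byte(s) sent to TLS, 90 byte(s) sent to socket
Feb  2 14:49:29 gw01 stunnel: LOG5[22565874]: Connection closed: 83 byte(s) sent to TLS, 74 byte(s) sent to socket
Feb  2 15:00:36 gw01 stunnel: LOG6[2705685]: Peer certificate not required
Feb  2 15:00:37 gw01 stunnel: LOG5[2705685]: Connection closed: 10 byte(s) sent to TLS, 0 byte(s) sent to socket
""".splitlines()

if __name__ == "__main__":
    for start, end, secs in find_gaps(SAMPLE_LOG):
        print(f"no stunnel log lines for {secs}s: {start:%b %d %H:%M:%S} -> {end:%b %d %H:%M:%S}")
```

Run it over the real syslog with `find_gaps(open("/var/log/messages"), year=...)`; the start of each gap is the last connection that was logged before stunnel went quiet, which is where the packet capture is worth aligning.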
Hi Eric and Danny,
This is very helpful. I will pass on your suggestions.
Thanks,
On Fri, Feb 4, 2022 at 5:08 PM Eberhard flash@vicsmba.com wrote:
--
Steve Clement steve3279@gmail.com 614-632-7380
stunnel-users mailing list -- stunnel-users@stunnel.org To unsubscribe send an email to stunnel-users-leave@stunnel.org
Sounds like a possible issue with a DDoS scenario even if it might be internal.. See below on what I mean..
I.e. if you have routing towards the STUNNEL host but for some host remotely that have no return routes..
That could cause the IP stack to run out of possible listeners to serve incoming connections.
In the early days of the internet, when someone was upset about the funny service hotmail.com, they (an ISP in the US) added filters to block spam..
For us in Sweden we got the 1st TCP packet but never the response packets.. Filling up all listening queues.. Now and then the listening queue was cleaned up due to timeouts and a few working sessions were established.
Might not be this.. But worth checking based on the description, if not just a comment on what we can experience on the internet by a simple issue..
I.e. full routing end-to-end on all possible sessions. And FW rules that will allow this.. And no asymmetric routing that by mistake drops sessions thru firewalls..
Regards/Uffe
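A way to test Uffe's hypothesis from the kernel's own counters, and at the same time the other way a listening socket stalls (the listener stops calling accept, which is what a wedged stunnel server would look like). Added example, not from the thread; it assumes a Linux host (the thread does not say what Steve runs) and uses two constructed `/proc/net/netstat` snapshots:

```python
# Listen-queue related counters from the TcpExt line of /proc/net/netstat (Linux).
LISTEN_KEYS = (
    "ListenOverflows",       # completed handshake dropped: accept queue full, listener not accepting
    "ListenDrops",           # all drops at the listen socket (superset of the above)
    "TCPReqQFullDoCookies",  # SYN queue full, answered with SYN cookies: half-open pile-up
    "TCPReqQFullDrop",       # SYN queue full and SYN cookies off: SYNs silently dropped
    "SyncookiesSent",
)

def parse_netstat(text):
    """Turn /proc/net/netstat text (a 'Proto: names' line followed by a 'Proto: values'
    line, repeated per protocol) into {proto: {counter: value}}."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("header line without a value line")
    counters = {}
    for hdr, val in zip(lines[0::2], lines[1::2]):
        proto, names = hdr.split(":", 1)
        vproto, values = val.split(":", 1)
        if proto != vproto:
            raise ValueError(f"header {proto!r} paired with values for {vproto!r}")
        counters[proto] = dict(zip(names.split(), (int(v) for v in values.split())))
    return counters

def listen_queue_deltas(before, after):
    """Counter increments between two snapshots, for the listen-queue keys only."""
    b, a = parse_netstat(before)["TcpExt"], parse_netstat(after)["TcpExt"]
    return {k: a.get(k, 0) - b.get(k, 0) for k in LISTEN_KEYS}

def diagnose(deltas):
    """'accept-queue': the listening process stopped accepting; 'syn-queue': half-open
    connections piled up, as with Uffe's missing return route; 'both'; or 'none'."""
    accept_q = deltas["ListenOverflows"] > 0
    syn_q = deltas["TCPReqQFullDoCookies"] > 0 or deltas["TCPReqQFullDrop"] > 0
    return {(True, True): "both", (True, False): "accept-queue",
            (False, True): "syn-queue", (False, False): "none"}[(accept_q, syn_q)]

# Constructed snapshots with a subset of the real columns (the parser does not care
# which columns are present), taken before and after one silent window.
BEFORE = """\
TcpExt: SyncookiesSent SyncookiesRecv ListenOverflows ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 0 0 12 12 0 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""
AFTER = BEFORE.replace("TcpExt: 0 0 12 12 0 0", "TcpExt: 418 3 12 12 418 0")

if __name__ == "__main__":
    d = listen_queue_deltas(BEFORE, AFTER)
    print(diagnose(d), d)
```

Feed it two `cat /proc/net/netstat` captures taken some minutes apart around an outage; a rising accept-queue count points at the stunnel server process, a rising SYN-queue count at routing or firewall asymmetry.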
On 2022-02-04 23:08, Eberhard wrote: