[stunnel-users] Stunnel hangs on big flows of data

Michal Trojnara Michal.Trojnara at mobi-com.net
Fri Oct 27 15:20:15 CEST 2006 

On Friday 27 October 2006 12:41, Dario Mariani wrote:
> The problem is this:
> the system works well for about 45min, then gives these messages and
> hangs.

System (kernel) hangs?
Stunnel hangs (no longer accepts new connections)?
This connection hangs (no longer transfers any data)?

> With the tests that i made on my laptop, i had those debug messages,
> but it all worked well and in expected times (the path netcat  120m
> file -> stunnel client -> stunnel server -> openssl s_server >/dev/
> null took 20 seconds!!! )

6MB/s (48Mbit/s) for two SSL connections on a laptop seems to be
a reasonable performance.

> What i'm asking is:
> - what these messages _exactly_ means? reading some openssl related
> forums, i saw that this message is sent by the server when the read
> buffer is empty and the server is awaiting data.

From http://www.openssl.org/docs/ssl/SSL_read.html:

If the underlying BIO is non-blocking, SSL_read() will also return when the 
underlying BIO could not satisfy the needs of SSL_read() to continue the 
operation. In this case a call to SSL_get_error(3) with the return value of 
SSL_read() will yield SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE. As at any 
time a re-negotiation is possible, a call to SSL_read() can also cause write 
operations! The calling process then must repeat the call after taking 
appropriate action to satisfy the needs of SSL_read(). The action depends on 
the underlying BIO. When using a non-blocking socket, nothing is to be done, 
but select() can be used to check for the required condition. When using a 
buffering BIO, like a BIO pair, data must be written into or retrieved out of 
the BIO before being able to continue. 

> - do you have any idea on what topic i can direct my analysis?

The problem is either in transfer() function in client.c file or somewhere in 
OpenSSL library.

> > How can I reproduce the hang mentioned int the subject?
>
> Well, i have some problems with this point:
> i CANNOT put up stunnel on the system that had the problem, until i
> fix the problem  :(
>
> Excuse me for my lack of precision and details, but these are chaotic
> days here :)

I see.

Best regards,
    Mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20061027/97dc767b/attachment.sig>

More information about the stunnel-users mailing list