[stunnel-users] Stunnel Dies at 3500 connections...
bear at bears.org
Mon Sep 24 18:24:28 CEST 2007
Hey!

I'm having a problem with a stunnel setup I have, and was wondering if
anyone could help?

I have two machines, one is acting as a simulator of clients. It uses the
MINA library from Apache to simulate a bunch of clients of the server.
And the other acting as a server. Without stunnel in place, the client
and server chat with no trouble... even with as many as 10k simulated
clients. The protocol they communicate is just compressed binary data
over standard TCP/IP. 20-50 bytes each direction per exchange.

The behavior changes once stunnel is in place. The server behaves just
fine, but the client acts very strange... in ways that make me think that
stunnel is hitting some OS limit. (The files ulimit is set waaaaaay
higher than the number of clients)

On starting the client application, it begins making connections through
the stunnel tunnel. The first 1500 or so are fine, but after that the
load on the machine begins to climb. It gets to 5 or so around 2000. If
I only do 2000 clients, the load then drops down into the 0.5 range, and
the system runs okay. However, if I set the number of simulated clients
higher... say 4000, the load continues to climb. When it gets to 3500 or
so, the load goes above 500. The machine becomes unusable, and after a
bit, stunnel dies with the message KILLED.

I tried changing how quickly the clients connect, but that seemed to make
no difference. Also, running two stunnels for the clients, and sending
2000 to each, for instance, causes it to still break down around 3500 or
so. (Which is why I think it is an OS limit)

Any suggestions on this? Thanks!

Peace,
Gary
version
Stunnel 4.20

startup info
2007.09.24 12:09:50 LOG7[26537:3086939840]: RAND_status claims sufficient entropy for the PRNG
2007.09.24 12:09:50 LOG7[26537:3086939840]: PRNG seeded successfully
2007.09.24 12:09:50 LOG4[26537:3086939840]: Wrong permissions on hcs-key-and-cert-1024.pem
2007.09.24 12:09:50 LOG7[26537:3086939840]: Certificate: hcs-key-and-cert-1024.pem
2007.09.24 12:09:50 LOG7[26537:3086939840]: Certificate loaded
2007.09.24 12:09:50 LOG7[26537:3086939840]: Key file: hcs-key-and-cert-1024.pem
2007.09.24 12:09:50 LOG7[26537:3086939840]: Private key loaded
2007.09.24 12:09:50 LOG7[26537:3086939840]: SSL context initialized for service hcsuno
2007.09.24 12:09:50 LOG5[26537:3086939840]: stunnel 4.20 on i686-pc-linux-gnu with OpenSSL 0.9.8d 28 Sep 2006
2007.09.24 12:09:50 LOG5[26537:3086939840]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4 Auth:LIBWRAP
2007.09.24 12:09:50 LOG6[26537:3086939840]: file ulimit = 80000 (can be changed with 'ulimit -n')
2007.09.24 12:09:50 LOG6[26537:3086939840]: poll() used - no FD_SETSIZE limit for file descriptors
2007.09.24 12:09:50 LOG5[26537:3086939840]: 39062 clients allowed
2007.09.24 12:09:50 LOG7[26537:3086939840]: FD 3 in non-blocking mode
2007.09.24 12:09:50 LOG7[26537:3086939840]: FD 4 in non-blocking mode
2007.09.24 12:09:50 LOG7[26537:3086939840]: FD 5 in non-blocking mode
2007.09.24 12:09:50 LOG7[26537:3086939840]: SO_REUSEADDR option set on accept socket
2007.09.24 12:09:50 LOG7[26537:3086939840]: hcsuno bound to 0.0.0.0:4090
2007.09.24 12:09:50 LOG7[26537:3086939840]: Created pid file /tmp/stunnel1.pid

uname -a
Linux testbed-client1 2.6.9-42.ELsmp #1 SMP Sat Aug 12 09:39:11 CDT 2006 i686 i686 i386 GNU/Linux
libc 2.3.4

stunnel -version
stunnel 4.20 on i686-pc-linux-gnu with OpenSSL 0.9.8d 28 Sep 2006
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4 Auth:LIBWRAP

Global options
debug = 5
pid = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options
cert = /usr/local/etc/stunnel/stunnel.pem
ciphers = ALL:!ADH:+RC4:@STRENGTH
key = /usr/local/etc/stunnel/stunnel.pem
session = 300 seconds
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none

gcc -v
Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.6/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux
Thread model: posix
gcc version 3.4.6 20060404 (Red Hat 3.4.6-3)

openssl version
OpenSSL 0.9.7a Feb 19 2003

In the config, I have:
client=yes
debug=debug
socket = l:TCP_NODELAY=1
pid = /tmp/stunnel1.pid
foreground=yes
[hcsuno]
accept=4090
connect = testbed-hcs1:4094
cert = hcs-key-and-cert-1024.pem
key = hcs-key-and-cert-1024.pem
********* ***** ** Gary Coulbourne
*************************.* Bear Activist
****** *********** ** *******o
******* ********* **** ****`- Systems Administrator
******* ********* ***** http://www.bears.org
****** ********** **** bear at bears.org
## ***** ***** ## **** KB3INA
### ***** ### **** Animal Conservation/Preservation
#,,, ***,,, ##,,, **,,,
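
Added example, not part of the original post and not stunnel's own code: a small Python parser for the startup log format shown in the message. It rejoins records that e-mail wrapping split across two lines, maps the LOGn number to its syslog severity name, and extracts the warning-level record and the two limits stunnel reports; the function names and the sample text are constructed here.

```python
import re

# Constructed sample: startup lines copied from the post, including the
# e-mail line wrapping that splits some records across two lines.
SAMPLE = """\
2007.09.24 12:09:50 LOG7[26537:3086939840]: PRNG seeded successfully
2007.09.24 12:09:50 LOG4[26537:3086939840]: Wrong permissions on
hcs-key-and-cert-1024.pem
2007.09.24 12:09:50 LOG6[26537:3086939840]: file ulimit = 80000 (can be
changed with 'ulimit -n')
2007.09.24 12:09:50 LOG5[26537:3086939840]: 39062 clients allowed
2007.09.24 12:09:50 LOG7[26537:3086939840]: hcsuno bound to 0.0.0.0:4090
"""

# LOGn carries the syslog severity number (0 = emerg ... 7 = debug).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
RECORD = re.compile(
    r"^(\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) LOG([0-7])\[(\d+):(\d+)\]: (.*)$")


def parse(text):
    """Return one dict per log record, rejoining wrapped continuation lines."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            ts, lvl, pid, tid, msg = m.groups()
            records.append({"time": ts, "level": LEVELS[int(lvl)],
                            "pid": int(pid), "thread": int(tid), "msg": msg})
        # A non-empty line without a timestamp continues the previous record.
        elif records and line.strip():
            records[-1]["msg"] += " " + line.strip()
    return records


def summarize(records):
    """Collect warning-or-worse messages and the limits stunnel reports."""
    out = {"problems": [], "file_ulimit": None, "clients_allowed": None}
    for r in records:
        if LEVELS.index(r["level"]) <= 4:
            out["problems"].append((r["level"], r["msg"]))
        if m := re.match(r"file ulimit = (\d+)", r["msg"]):
            out["file_ulimit"] = int(m.group(1))
        if m := re.match(r"(\d+) clients allowed", r["msg"]):
            out["clients_allowed"] = int(m.group(1))
    return out


if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

On the posted log this surfaces the key-file permissions warning that is easy to miss among the debug lines, and shows that the limit stunnel itself reports (39062 clients) is well above the 3500 connections at which the process is killed.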