Which is why my advice is “strange.”  We support so many Unix versions with 
thousands of users of various capabilities.  I don’t want to have to learn 
secret tricks – especially as they change with versions of the O/S.  So I use 
inetd – all the same on every O/S and it always works.  I see no reason not to 
do this unless you believe there is a performance issue with it, which is 
possible I suppose but I suspect completely unlikely on modern computers.  
Further, inetd is running anyway so the server part is hardly affected by 
stunnel, whereas if you use stunnel in server mode it has overhead … so a really 
picky person would do performance analysis, and it still may be more efficient 
to use inetd depending on server overhead.  Which is likely different by O/S and 
computer hardware and …

I worry about performance only when it actually matters.  I’d rather concern 
myself with reliability and less maintenance on my part.  My primary O/S is AIX, 
which is stone reliable and requires little fussing with – hence using AIX to 
do the server part (inetd) makes my life easier.

And probably 95% of the people here will disagree with me and that is fine, 
because there is no “right” answer, just choices.  I just think some people 
dismiss inetd out of hand because they were told a decade or two ago (I am old 
😊) that performance was an issue, and that remains the legend.  And I have 
helped several people overcome issues by changing to inetd, especially those 
with little experience in server management and/or O/S settings, like Danny did 
(good job!).

So please don’t flame me, people – this is just explaining why one might 
consider using inetd mode, not making a case to always use it.

E

VICS, LLC
Eric S Eberhard
2933 W Middle Verde Rd
Camp Verde, AZ  86322

928-567-3727 (land line)
928-301-7537 (cell phone)

http://www.vicsmba.com
https://www.facebook.com/groups/286143052248115

From: Danny Clowes <[email protected]> 
Sent: Friday, February 4, 2022 1:21 PM
To: Eric Eberhard <[email protected]>
Cc: Steve Clement <[email protected]>; [email protected]
Subject: Re: [stunnel-users] Re: stunnel 5-15 minute outages

Hi,

I’ve been using stunnel on a number of servers for a very long time.  Overall 
the experience has been very good; I’ve not had any issues or concerns with 
stunnel, it never crashes and is always online.  I’ve just tested stunnel on 
Debian 11 and it’s working brilliantly.  The Linux system does have limitations 
in place and the client will only allow so many connections before it will 
close down, saying it can’t take any more connections; however I edited the 
Linux server to remove the limitation in place.  These were teething issues 
when I started to use stunnel.  If anyone is interested I would provide hidden 
secrets on how to make stunnel work like a dream.

On Fri, 4 Feb 2022, 19:04 Eberhard, <[email protected]> wrote:

I will give you strange advice assuming you are on Unix of some flavor.  Use 
inetd.  It always works or the O/S does not work 😊  It then becomes the actual 
server and a new instance of stunnel is fired for every connection.  I use it 
because it is the most reliable way and takes no server software management.  
There is an old argument against this – it in theory has less performance 
when a connection is created.  I say theoretical as modern computers are so 
fast that creating a process millions of times does not stress a machine.  I 
run 100s of millions of connections daily on a single computer and have zero 
performance issues.  I also have zero issues like you described and I always 
had them before.  Even if you do have an issue it would only affect one 
connection, because each connection is unique.  From your description it is 
the server process having an issue or perhaps some of the children not getting 
“clean” as they keep them running in a loop.  With inetd it does its business 
and ends.  There are no cross-connection or server issues.

I give this advice several times a year and maybe ¼ take it and thank me.  The 
rest mock the idea citing the theoretical performance difference (without even 
trying it) and continue to struggle.  This is not just an issue with this 
version.  Many versions have had trouble with running in a loop like that – 
memory management, variables not cleared, etc.  And remember openssl is tied to 
this as well.

The other thing I would recommend (also weird) is using static links.  That way 
an install of, say, a new openssl (where your encryption issue appears to be now) 
won’t affect you.  There is no way anyone is testing the software with every 
version of every O/S with every version of openssl.  If you do a static link 
and have a working version, no need to change, until a new TLS comes out or 
something, but you can control that well when you have a static link.  And that, 
BTW, theoretically loads faster.  The program is much bigger but it need not 
load dynamic libraries from all over the place when it is fired up.

Let me know what you find out and do 😊


E

From: Steve Clement <[email protected]>
Sent: Friday, February 4, 2022 4:52 AM
To: [email protected]
Subject: [stunnel-users] stunnel 5-15 minute outages

Hello,

I have been working on an issue that seems a lot like this one:


https://www.stunnel.org/pipermail/stunnel-users/2011-January/002898.html

We are running stunnel 5.56 and it has been working with no issues until 
November.  Since November there have been 6 short 5-15 minute outages where we 
see network traffic between client and server in the packet captures, but 
stunnel logs stop during this period.  Everything recovers on its own after 
this brief outage.  I am looking for help in what to look for to explain this.

Feb  2 14:49:29 *host* stunnel: LOG5[22565874]: Connection closed: 83 byte(s) sent to TLS, 74 byte(s) sent to socket
Feb  2 15:00:36 *host* stunnel: LOG6[2705685]: Peer certificate not required

We usually see dozens of messages every second, so to have an 11 minute gap in 
the logs is unusual.

Any help would be appreciated, thank you.

-- 
Steve Clement
[email protected]
614-632-7380

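A defender's way to measure the silence Steve describes, added here as an example (not code from any poster or from stunnel itself): it parses the syslog-style stunnel lines quoted above, reports any gap longer than a threshold, and notes when the bracketed connection counter runs backwards across the gap. The host name and the year are assumptions, since the host was redacted and syslog timestamps carry no year.

```python
import re
from datetime import datetime, timedelta

# Syslog prefix as in the thread: "Feb  2 14:49:29 host stunnel: LOG5[22565874]: message"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) stunnel: LOG(?P<level>\d)\[(?P<conn>\d+)\]: (?P<msg>.*)$"
)

def parse_line(line, year=2022):
    """Return (timestamp, level, connection_id, message), or None for non-stunnel lines.
    Syslog timestamps carry no year, so the caller supplies one (2022 assumed here)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    stamp = f"{year} {m['mon']} {int(m['day']):02d} {m['time']}"
    ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
    return ts, int(m["level"]), int(m["conn"]), m["msg"]

def find_gaps(lines, threshold=timedelta(minutes=5), year=2022):
    """Return one dict per silence longer than threshold: start, end, duration,
    and whether the connection counter went backwards across it.  stunnel 5
    numbers connections sequentially within a process, so a counter that drops
    hints that the process was restarted rather than merely idle."""
    gaps, prev = [], None
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, _level, conn, _msg = parsed
        if prev is not None and ts - prev[0] > threshold:
            gaps.append({"start": prev[0], "end": ts, "duration": ts - prev[0],
                         "counter_reset": conn < prev[1]})
        prev = (ts, conn)
    return gaps

# Constructed sample: the two lines quoted in the thread (host name substituted),
# padded with ordinary chatter on either side of the 11-minute hole.
SAMPLE_LOG = """\
Feb  2 14:49:28 host stunnel: LOG6[22565873]: Peer certificate not required
Feb  2 14:49:29 host stunnel: LOG5[22565874]: Connection closed: 83 byte(s) sent to TLS, 74 byte(s) sent to socket
Feb  2 15:00:36 host stunnel: LOG6[2705685]: Peer certificate not required
Feb  2 15:00:37 host stunnel: LOG5[2705685]: Connection closed: 120 byte(s) sent to TLS, 90 byte(s) sent to socket
""".splitlines()

if __name__ == "__main__":
    for g in find_gaps(SAMPLE_LOG):
        print(f"{g['duration']} gap from {g['start']:%b %d %H:%M:%S} to "
              f"{g['end']:%H:%M:%S}, counter reset: {g['counter_reset']}")
```

Run it over `journalctl -u stunnel` or the syslog file the box actually writes to; the threshold should sit well above the normal inter-message spacing (dozens per second here), so a 5-minute default is conservative.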
_______________________________________________
stunnel-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
