Hi Eric and Danny,

This is very helpful. I will pass on your suggestions.

Thanks,

On Fri, Feb 4, 2022 at 5:08 PM Eberhard <fl...@vicsmba.com> wrote:

> Which is why my advice is “strange.” We support so many Unix versions
> with thousands of users of various capabilities. I don’t want to have to
> learn secret tricks – especially as they change with versions of the O/S.
> So I use inetd – all the same on every O/S and always works. I see no
> reason not to do this unless you have a belief that there is a performance
> issue with it, which is possible I suppose but I suspect completely
> unlikely in modern computers. Further, inetd is running anyway so the
> server part is hardly affected by stunnel whereas if you use stunnel in
> server mode it has overhead … so a real picky person would do performance
> analysis and it still may be more efficient to use inetd depending on
> server overhead. Which is likely different by O/S and computer hardware
> and …
>
> I worry about performance only when it actually matters. I’d rather
> concern myself with reliable with less maintenance on my part. My primary
> O/S is AIX which is stone reliable and requires little fussing with – hence
> using AIX to do the server part (inetd) makes my life easier.
>
> And probably 95% of the people here will disagree with me and that is fine
> because there is no “right” answer, just choices. I just think some people
> dismiss inetd out of hand because they were told a decade or two ago (I am
> old 😊) that performance was an issue and that remains the legend. And,
> I have helped several people overcome issues by changing to inetd,
> especially those with little experience in server management and/or O/S
> settings like Danny did (good job!).
>
> So please don’t flame me people – this is just explaining why one might
> consider using inetd mode, not making a case to always use it.
>
> E
>
> VICS, LLC
> Eric S Eberhard
> 2933 W Middle Verde Rd
> Camp Verde, AZ 86322
>
> 928-567-3727 (land line)
> 928-301-7537 (cell phone)
>
> http://www.vicsmba.com
> https://www.facebook.com/groups/286143052248115
>
> *From:* Danny Clowes <danny0809...@gmail.com>
> *Sent:* Friday, February 4, 2022 1:21 PM
> *To:* Eric Eberhard <fl...@vicsmba.com>
> *Cc:* Steve Clement <steve3...@gmail.com>; stunnel-users@stunnel.org
> *Subject:* Re: [stunnel-users] Re: stunnel 5-15 minute outages
>
> Hi,
>
> I've been using stunnel on a number of servers for a very long time.
> Overall, the experience has been very good; I have not had any issues or
> concerns with stunnel, they never crash and are always online. I've just
> tested stunnel on Debian 11; it's working brilliantly. The Linux system
> does have limitations in place, and the client will only allow so many
> connections before it will close down, saying it can't take any more
> connections; however, I edited the Linux server to remove the limitation
> in place. These were teething issues when I started to use stunnel. If
> anyone is interested, I would provide hidden secrets on how to make
> stunnel work like a dream.
>
> On Fri, 4 Feb 2022, 19:04 Eberhard, <fl...@vicsmba.com> wrote:
>
> I will give you strange advice assuming you are on Unix of some flavor.
> Use inetd. It always works or the O/S does not work 😊 It then becomes
> the actual server and a new instance of stunnel is fired for every
> connection. I use it because it is the most reliable way and takes no
> server software management. There is an old argument against this – it
> in theory has less performance when a connection is created. I say
> theoretical as modern computers are so fast that creating a process
> millions of times does not stress a machine. I run 100s of millions of
> connections daily on a single computer and have zero performance issues. I
> also have zero issues like you described and I always had them before.
> Even if you do have an issue it would only affect one connection. Because
> each connection is unique. From your description it is the server process
> having an issue or perhaps some of the children not getting “clean” as they
> keep them running in a loop. With inetd it does its business and ends.
> There are no cross-connection or server issues.
>
> I give this advice several times a year and maybe ¼ take it and thank me.
> The rest mock the idea citing the theoretical performance difference
> (without even trying it) and continue to struggle. This is not just an
> issue with this version. Many versions have had trouble with running in a
> loop like that – memory management, variables not cleared, etc. And
> remember openssl is tied to this as well.
>
> The other thing I would recommend (also weird) is using static links.
> That way an install of say a new openssl (where your encryption issue
> appears to be now) won’t affect you. There is no way anyone is testing the
> software with every version of every O/S with every version of openssl. If
> you do a static link and have a working version, no need to change. Until a
> new TLS comes out or something but you can control that well when you have
> a static link. And that, BTW, theoretically loads faster. The program is
> much bigger but it need not load dynamic libraries from all over the place
> when it is fired up.
>
> Let me know what you find out and do 😊
>
> E
>
> VICS, LLC
> Eric S Eberhard
> 2933 W Middle Verde Rd
> Camp Verde, AZ 86322
>
> 928-567-3727 (land line)
> 928-301-7537 (cell phone)
>
> http://www.vicsmba.com
> https://www.facebook.com/groups/286143052248115
>
> *From:* Steve Clement <steve3...@gmail.com>
> *Sent:* Friday, February 4, 2022 4:52 AM
> *To:* stunnel-users@stunnel.org
> *Subject:* [stunnel-users] stunnel 5-15 minute outages
>
> Hello,
>
> I have been working on an issue that seems a lot like this one:
>
> https://www.stunnel.org/pipermail/stunnel-users/2011-January/002898.html
>
> We are running stunnel 5.56 and it has been working with no issues until
> November. Since November there have been 6 short 5-15 minute outages
> where we see network traffic between client and server in the packet
> captures, but stunnel logs stop during this period. Everything recovers on
> its own after this brief outage. I am looking for help in what to look for
> to explain this.
>
> Feb 2 14:49:29 *host* stunnel: LOG5[22565874]: Connection closed: 83 byte(s) sent to TLS, 74 byte(s) sent to socket
> Feb 2 15:00:36 *host* stunnel: LOG6[2705685]: Peer certificate not required
>
> We usually see dozens of messages every second, so to have an 11 minute
> gap in the logs is unusual.
>
> Any help would be appreciated, thank you.
>
> --
>
> Steve Clement
> steve3...@gmail.com
> 614-632-7380
>
> _______________________________________________
> stunnel-users mailing list -- stunnel-users@stunnel.org
> To unsubscribe send an email to stunnel-users-le...@stunnel.org

--
Steve Clement
steve3...@gmail.com
614-632-7380
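
Added example, not part of the original thread and not code from the stunnel project: a Python check for the symptom described in the first message of the thread, a silent stretch in stunnel's syslog output while traffic is still flowing. The sample lines are constructed around the two entries quoted above; the 60-second threshold, the year argument and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Syslog prefix as in the quoted lines: "Feb 2 14:49:29 host stunnel: LOG5[id]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+stunnel: "
    r"LOG(?P<level>\d)\[(?P<tid>[^\]]+)\]: (?P<msg>.*)$"
)

# Constructed sample: the two entries quoted in the thread plus invented neighbours.
SAMPLE = """\
Feb 2 14:49:28 host stunnel: LOG5[22565873]: Service [example] accepted connection from 192.0.2.10:50000
Feb 2 14:49:29 host stunnel: LOG5[22565874]: Connection closed: 83 byte(s) sent to TLS, 74 byte(s) sent to socket
Feb 2 15:00:36 host stunnel: LOG6[2705685]: Peer certificate not required
Feb 2 15:00:36 host sshd[411]: unrelated daemon line, ignored
Feb 2 15:00:37 host stunnel: LOG5[2705685]: Connection closed: 90 byte(s) sent to TLS, 61 byte(s) sent to socket
"""

def parse_line(line, year):
    """Return (timestamp, level, thread_id, message), or None for non-stunnel lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Classic syslog timestamps carry no year, so the caller supplies it.
    stamp = " ".join(m.group("ts").split())
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, int(m.group("level")), m.group("tid"), m.group("msg")

def find_gaps(lines, year, threshold=timedelta(seconds=60)):
    """List silences longer than `threshold` between consecutive stunnel entries."""
    gaps, prev = [], None
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        ts, msg = rec[0], rec[3]
        if prev is not None and ts < prev[0] - timedelta(days=1):
            # Timestamp jumped far backwards: the log crossed New Year.
            year += 1
            ts = ts.replace(year=year)
        if prev is not None and ts - prev[0] > threshold:
            gaps.append({"start": prev[0], "end": ts,
                         "seconds": int((ts - prev[0]).total_seconds()),
                         "last_before": prev[1], "first_after": msg})
        prev = (ts, msg)
    return gaps

if __name__ == "__main__":
    for gap in find_gaps(SAMPLE.splitlines(), year=2022):
        print(f"{gap['seconds']}s of silence from {gap['start']} to {gap['end']}")
```

Running it over a full day's log and lining the reported windows up against the packet captures shows whether every outage matches a logging gap.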