<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">Hi,<br>
      <br>
      I have updated the manual
      (<a class="moz-txt-link-freetext" href="http://www.stunnel.org/static/stunnel.html">http://www.stunnel.org/static/stunnel.html</a>):<br>
      <br>
      <dl>
        <dt><strong><a name="delay_yes_no" class="item"><strong>delay</strong>
              = yes | no</a></strong></dt>
        <dd>
          <p>delay DNS lookup for <em>connect</em> option</p>
          <p>This option is useful for dynamic DNS, or when DNS is not
            available during
            <strong>stunnel</strong> startup (road warrior VPN, dial-up
            configurations).</p>
          <p>Delayed resolver mode is automatically engaged when stunnel
            fails to resolve on
            startup any of the <em>connect</em> targets for a service.</p>
          <p>Delayed resolver inflicts <em>failover = prio</em>.</p>
          <p>default: no</p>
        </dd>
      </dl>
      <br>
      Mike<br>
      <br>
      On 2013-03-06 00:08, Matt Wise wrote:<br>
    </div>
    <blockquote
      cite="mid:A7235423-5FFD-4F02-899D-BAF83BCA07C0@nextdoor.com"
      type="cite">
      This is odd, but we're seeing failures again with this config.
      We're seeing that with delay=yes, and 6 total connection targets
      (5 servers, 1 ELB), stunnel picks up the first connection (the
      ELB) and never uses any of the other targets. Ever. If we use
      tcpkill to block access to the ELB, we end up completely screwed.
      <div><br>
      </div>
      <div>Anyone else seeing this as a problem still?</div>
      <div><br>
        <div>
          <div>On Jan 7, 2013, at 12:39 PM, Matt Wise &lt;<a
              moz-do-not-send="true" href="mailto:matt@nextdoor.com">matt@nextdoor.com</a>&gt;
            wrote:</div>
          <br class="Apple-interchange-newline">
          <blockquote type="cite">
            <div style="word-wrap: break-word; -webkit-nbsp-mode: space;
              -webkit-line-break: after-white-space; ">
              <div>Ah. That's it! I also see a fix in 4.54, am I right?</div>
              <div>
                <blockquote type="cite">
                  <ul style="font-family: 'Arial CE', Arial, Helvetica,
                    sans-serif; font-size: small; background-color:
                    rgb(255, 255, 255); ">
                    <li>"delay = yes" fixed to work even if specified
                      *after* "connect" option.</li>
                    <li>Multiple "connect" targets fixed to also work
                      with delayed resolver.</li>
                  </ul>
                </blockquote>
                <div><font size="2" face="Arial CE, Arial, Helvetica,
                    sans-serif">--Matt</font></div>
                <div><font size="2" face="Arial CE, Arial, Helvetica,
                    sans-serif"><br>
                  </font></div>
                <div>
                  <div>On Jan 7, 2013, at 11:39 AM, Michal Trojnara &lt;<a
                      moz-do-not-send="true"
                      href="mailto:Michal.Trojnara@mirt.net">Michal.Trojnara@mirt.net</a>&gt;
                    wrote:</div>
                  <br class="Apple-interchange-newline">
                  <blockquote type="cite">Hi Matt,<br>
                    <br>
                    Load balancing is incompatible with delayed
                    resolver.  Remove "delay =<br>
                    yes" from your configuration file.<br>
                    <br>
                    Mike<br>
                    <br>
                    On 2013-01-07 18:38, Matt Wise wrote:<br>
                    <blockquote type="cite">I've got dozens of clients
                      connecting with Stunnel to a group of 5 servers.
                      Each system has a config that looks like this:<br>
                      <br>
                      <blockquote type="cite">cert =
                        /etc/stunnel/zookeeper.pem<br>
                        key = /etc/stunnel/zookeeper.key<br>
                        CAfile = /etc/stunnel/zookeeper_ca.pem<br>
                        verify = 2<br>
                        delay = yes<br>
                        sslVersion = TLSv1<br>
                        client = yes<br>
                        setuid = stunnel4<br>
                        setgid = stunnel4<br>
                        pid = /var/lib/stunnel4/zookeeper.stunnel4.pid<br>
                        socket = l:TCP_NODELAY=1<br>
                        socket = r:TCP_NODELAY=1<br>
                        TIMEOUTconnect = 2<br>
                        session = 86400<br>
                        debug = 5<br>
                        [zookeeper]<br>
                        accept  = 127.0.0.1:2182<br>
                        failover = rr<br>
                        connect = prod-zookeeper:2182<br>
                        connect = prod-zookeeper-1:2182<br>
                        connect = prod-zookeeper-2:2182<br>
                        connect = prod-zookeeper-3:2182<br>
                        connect = prod-zookeeper-4:2182<br>
                        connect = prod-zookeeper-5:2182<br>
                      </blockquote>
                      <br>
                      Essentially the first host is a load balancer, and
                      the next 5 are the actual zookeeper hosts so that
                      we can bypass the ELB if it's giving us fits. Now
                      what we're seeing is that almost every connection
                      ends up on prod-zookeeper-5. Over and over and
                      over again, our hosts pick the same system each
                      time. We're running Stunnel 4.52:<br>
                      <br>
                      <blockquote type="cite">Clients allowed=8000<br>
                        stunnel 4.52 on i486-pc-linux-gnu platform<br>
                        Compiled/running with OpenSSL 0.9.8k 25 Mar 2009<br>
                        Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP
                        Sockets:POLL,IPv6<br>
                      </blockquote>
                      <br>
                      Any ideas what might be wrong here? Obviously we
                      want the connections to be *roughly* random across
                      the list of hosts... and if one of the hosts goes
                      down, and the connection fails, we want the
                      stunnel service to try again, and randomly pick a
                      new host. It doesn't really seem to be doing that
                      though. <br>
                      <br>
                      --Matt<br>
                      <br>
                      _______________________________________________<br>
                      stunnel-users mailing list<br>
                      <a moz-do-not-send="true"
                        href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a><br>
                      <a moz-do-not-send="true"
                        href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a><br>
                    </blockquote>
                    <br>
                    <br>
                  </blockquote>
                </div>
                <br>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
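    <p>A configuration check for the conflict discussed in this thread, as an added example that is not part of the original messages or of stunnel itself: it parses a stunnel configuration, applies options given before the first service section as defaults, and reports services where <em>delay = yes</em> is combined with an explicit <em>failover = rr</em> and more than one <em>connect</em> target. The function names and the trimmed sample configuration are assumptions made for illustration.</p>

```python
# Added example (not stunnel code): lint for delay = yes with failover = rr.
SAMPLE_CONF = """\
; constructed sample, trimmed from the configuration quoted in the thread
client = yes
delay = yes
[zookeeper]
accept = 127.0.0.1:2182
failover = rr
connect = prod-zookeeper:2182
connect = prod-zookeeper-1:2182
connect = prod-zookeeper-2:2182
"""


def parse_stunnel_conf(text):
    """Return (defaults, services); options may repeat, so values are lists."""
    defaults, services = {}, {}
    current = defaults
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return defaults, services


def effective(defaults, service, key, fallback):
    """Last value wins; options before the first [section] act as defaults."""
    values = service.get(key) or defaults.get(key) or [fallback]
    return values[-1].lower()


def lint_delay_failover(text):
    """Flag services where delay = yes overrides a requested failover = rr."""
    defaults, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():
        targets = opts.get("connect", [])
        delayed = effective(defaults, opts, "delay", "no") == "yes"
        failover = effective(defaults, opts, "failover", "")
        if delayed and failover == "rr" and len(targets) > 1:
            findings.append(f"[{name}] delay = yes forces failover = prio; "
                            f"{len(targets)} connect targets are not rotated")
    return findings
```

    <p>A static check like this cannot see the automatic case the manual describes, where delayed resolver mode is engaged because a <em>connect</em> target fails to resolve at startup.</p>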
  </body>
</html>