[stunnel-users] Inconsistent performance across stunnel and/or OpenSSL versions

PPingPongBaker PPingPongBaker ppingpongbaker at gmail.com
Wed Apr 17 20:37:02 CEST 2013

Hi All,

I am experimenting with stunnel inside a VM on Xenserver 6.02. So this may
not be a "common" use case, nonetheless, I would like to point out the

It is a basic setup as follows with 3 VMs running "ab" for webclient,
stunnel+haproxy combo as the https/http bridge and nginx as the webserver.

client VM (ab) <-> stunnel + haproxy VM <-> webserver VM (nginx)

Specs on the stunnel VM are 2GB RAM, single-core dedicated 2.5 GHz Xeon
E5-2640 vCPU, running Debian Squeeze 2.6.32-5-amd64 (64 bit) kernel.

All things unchanged such as stunnel/haproxy/nginx config and taking care
of common gotchas such as file descriptor limit, TIMEOUTclose, disabling
libwrap, etc. stunnel is built with pthreads. Also stunnel is configured to
use a 2K RSA self-signed certificate, and the client is being forced to do
TLS1. "ab" is invoked with "-c 4" so as to peg the stunnel VM CPU (any
value beyond 4 doesn't seem to matter). nginx serves a tiny 32-byte static
HTML file.

With stunnel 4.29 and OpenSSL 0.9.8o, I get 300 requests per second as max

With stunnel 4.56 and OpenSSL 1.0.1e, I get only 40 requests per second as
max throughput.

tcpdump tells me that the Server Hello sent to the client takes a longer
time in the latter case. Tinkering with TCP_NODELAY doesn't change anything.

Anyone else seeing this maybe even on physical hardware?
Has anything changed in OpenSSL across those versions?

