[stunnel-users] Inconsistent performance across stunnel and/or OpenSSL versions

Janusz Dziemidowicz rraptorr at nails.eu.org
Wed Apr 17 21:23:37 CEST 2013

2013/4/17 PPingPongBaker PPingPongBaker <ppingpongbaker at gmail.com>:
> Hi All,
> I am experimenting with stunnel inside a VM on Xenserver 6.02. So this may
> not be a "common" use case, nonetheless, I would like to point out the
> issue.
> It is a basic setup as follows with 3 VMs running "ab" for webclient,
> stunnel+haproxy combo as the https/http bridge and nginx as the webserver.
> client VM (ab) <-> stunnel + haproxy VM <-> webserver VM (nginx)
> Specs on the stunnel VM are 2GB RAM, single-core dedicated 2.5 GHz Xeon
> E5-2640 vCPU, running Debian Squeeze 2.6.32-5-amd64 (64 bit) kernel.
> All things unchanged such as stunnel/haproxy/nginx config and taking care of
> common gotchas such as file descriptor limit, TIMEOUTclose, disabling
> libwrap, etc. stunnel is built with pthreads. Also stunnel is configured to
> use a 2K RSA self-signed certificate, and the client is being forced to do
> TLS1. "ab" is invoked with "-c 4" so as to peg the stunnel VM CPU (any value
> beyond 4 doesn't seem to matter). nginx serves a tiny 32 byte static html
> file.
> With stunnel 4.29 and OpenSSL 0.9.8o, I get 300 requests per second as max
> throughput.
> With stunnel 4.56 and OpenSSL 1.0.1e, I get only 40 requests per second as
> max throughput.
> tcpdump tells me that the Server Hello sent to the client takes a longer
> time in the latter case. Tinkering with TCP_NODELAY doesn't change anything.
> Anyone else seeing this maybe even on physical hardware?
> Has anything changed in OpenSSL across those versions?
> Suggestions?

That is a strange question;) A lot has changed between OpenSSL 0.9.8
and 1.0.1 and I mean really a _lot_. The single most important change
is support for TLS 1.1 and 1.2 with additional cipher modes. Not to
mention countless other changes (including performance improvements).
If you want to compare various stunnel versions, then use the same
OpenSSL version. If you want to compare OpenSSL... then use the same
stunnel version. The configuration you mentioned above doesn't make a
lot of sense as it makes it hard to tell where the performance drop
comes from. If you really must test such configuration, the best way
would be to ensure the same TLS version (1.0, not 1.1 or 1.2, OpenSSL
1.0.1 defaults to 1.2) and the same cipher.

Janusz Dziemidowicz

More information about the stunnel-users mailing list