[stunnel-users] stunnel 5.20 released

Michal Trojnara Michal.Trojnara at mirt.net
Wed Jul 15 16:47:10 CEST 2015


On 15.07.2015 16:35, Philippe Anctil wrote:
> Yes I compile with fork.
> 
> We have been using that for a very long time. In the 7-8 years
> range if not a few years more. In the past we decided to use fork
> to sidestep leaks. We process astronomical numbers of transactions
> each year on a 24/7 basis and never had any problems.
> 
> Can you expand a bit on why it is a bad idea?

A few reasons off the top of my head:

1. Posix/windows threads are required for session cache, which is a
major performance improvement.  With fork, stunnel needs to negotiate
a new TLS session on each TCP connection with the same peer.

2. Posix/windows threads are required for DH parameter regenerations.

3. Fork is not the default compilation option and it doesn't get nearly
as much testing as posix/windows threads.

Mike
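Point 1 above is easy to verify on a running stunnel instance: `openssl s_client -reconnect` performs one full handshake and then reconnects five times, attempting to resume the same session, and prints a `New, ...` or `Reused, ...` line for each connection. The script below is an added example (not part of the original message and not stunnel's own tooling): it classifies such a transcript and wraps the live check. The function names, the constructed sample transcripts and the assumption that `openssl(1)` is installed and `HOST:PORT` reaches a listening TLS service are mine, not the page's.

```shell
#!/bin/sh
# Added example: check whether a TLS endpoint (e.g. stunnel) resumes sessions.
# Assumes openssl(1) is installed for the live check; the parsing functions
# work offline on a captured transcript.

# Count lines starting with "<prefix>, " in a transcript ($1 prefix, $2 text).
# grep -c exits 1 when the count is 0, so the `|| true` keeps `set -e` happy.
count_lines_starting() {
    printf '%s\n' "$2" | grep -c "^$1, " || true
}

# Classify an s_client -reconnect transcript:
#   resumed      one full handshake, every reconnect resumed
#   not-resumed  no reconnect was resumed (each one a fresh handshake)
#   partial      anything in between
resumption_verdict() {
    text="$1"
    new=$(count_lines_starting New "$text")
    reused=$(count_lines_starting Reused "$text")
    if [ "$reused" -gt 0 ] && [ "$new" -eq 1 ]; then
        echo resumed
    elif [ "$reused" -eq 0 ]; then
        echo not-resumed
    else
        echo partial
    fi
}

# Live check against HOST:PORT ($1 host, $2 port); prints the verdict.
check_resumption() {
    out=$(openssl s_client -connect "$1:$2" -reconnect </dev/null 2>/dev/null)
    resumption_verdict "$out"
}

# Constructed sample in the shape s_client -reconnect prints against a
# server with a working session cache: one New, five Reused.
SAMPLE_RESUMING='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

# Constructed sample for a server that never resumes, which is what the
# fork model described above produces: every connection is a full handshake.
SAMPLE_NOT_RESUMING='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

# Usage against a real service (commented out so the file runs offline):
# check_resumption stunnel.example.internal 443
```

Run `check_resumption HOST PORT` against an stunnel built with threads and the expected verdict is `resumed`; against a fork build every reconnect comes back `New`, which is the per-connection full handshake cost Mike describes. The exact cipher and protocol text in the sample lines will differ from real output, and with TLS 1.3 resumption depends on session tickets rather than the server-side cache alone, so read a `not-resumed` verdict as a prompt to check the build and cache settings rather than as proof on its own.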