[stunnel-users] Effect of SIGHUP on connections

Michal Trojnara Michal.Trojnara at stunnel.org
Fri Feb 12 17:52:35 CET 2016


On 11.02.2016 21:10, Philippe Anctil wrote:
> My test is simple. I try to establish 10 connections at 1-second
> intervals. At the same time, I generate a lot of SIGHUP signals.

I presume you were only sending the signals to the main process.  Right?

> At least one connection fails every time.
>
> 30 2016-02-10 12:07:14.305001 0.000014 142.168.66.111 142.168.148.114 TCP 66 4443→56572 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=128
> 31 2016-02-10 12:07:14.312908 0.007907 142.168.148.114 142.168.66.111 TCP 60 56572→4443 [ACK] Seq=1 Ack=1 Win=66560 Len=0
> 32 2016-02-10 12:07:14.312918 0.000010 142.168.66.111 142.168.148.114 TCP 54 4443→56572 [RST] Seq=1 Win=0 Len=0

So it sends RST 0.01ms after it received the final ACK of the TCP
handshake.  My theory is that it is caused by the listening socket
being momentarily closed in the middle of the TCP handshake, i.e.,
before the kernel informs the userspace (stunnel in this case) about
the newly established TCP connection.

The solution would require identifying the listening sockets defined
both in the old and the new configuration file (i.e. before and after
the reload), and caching the file descriptors instead of reopening
them.  This would introduce a relatively complex (and thus
error-prone) piece of code just to enable accepting new connections
during the configuration file reload.

I might only consider implementing this for a paying customer.

> How could a TCP connection be established and yet find no
> indication of that in stunnel.log?

According to my theory this is because the userspace never gets
notified about this half-established connection.

Best regards,
	Mike
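
Added example, not part of the original message and not stunnel code: a Python illustration of the approach described above, where listening sockets that appear in both the old and the new configuration are kept open across a reload, so a connection already sitting in the kernel accept queue is still delivered to userspace. The function names, the dict-of-sockets layout and the loopback scenario are assumptions made for the illustration.

```python
import socket

def open_listener(addr):
    """Create a listening TCP socket bound to (host, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(addr)
    s.listen(16)
    s.settimeout(2)
    return s

def reload_listeners(current, wanted):
    """Reconcile listeners with a new configuration (hypothetical helper).

    current: dict (host, port) -> listening socket from the old config
    wanted:  iterable of (host, port) from the new config
    Listeners present in both keep their descriptor, so the accept queue
    is never torn down; only listeners dropped from the config are closed.
    """
    wanted = set(wanted)
    result = {}
    for addr in wanted:
        # Reuse the cached descriptor when the service survives the reload.
        result[addr] = current[addr] if addr in current else open_listener(addr)
    for addr, sock in current.items():
        if addr not in wanted:
            sock.close()
    return result

def demo():
    # Constructed scenario: a client finishes the TCP handshake with
    # service A, but the server has not called accept() before the reload.
    a = open_listener(("127.0.0.1", 0))
    b = open_listener(("127.0.0.1", 0))
    addr_a, addr_b = a.getsockname(), b.getsockname()
    listeners = {addr_a: a, addr_b: b}
    fd_before = a.fileno()
    client = socket.create_connection(addr_a, timeout=2)
    client.sendall(b"hello")
    listeners = reload_listeners(listeners, [addr_a])  # keep A, drop B
    conn, _ = listeners[addr_a].accept()               # queued connection survives
    conn.settimeout(2)
    data = conn.recv(5)
    same_fd = listeners[addr_a].fileno() == fd_before
    b_closed = b.fileno() == -1
    for s in (client, conn, listeners[addr_a]):
        s.close()
    return data, same_fd, b_closed

if __name__ == "__main__":
    print(demo())
```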

