GNUTLS sucks // using lsof

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

I had to set up 5 e-commerce websites on one of my servers, all of them with SSL (which is luckily no problem anymore nowadays by using SNI, so no need for one IP per certificate anymore), and I thought it might be a nice idea to switch from mod_ssl to GNUTLS because the config is (slightly) more lightweight.

But: bad idea.
When loading a site after a while I noticed it was damn slow, so I logged in to the server and: load of 77.0... 8O
The reason was half a dozen www-data processes causing permanent CPU loads of up to 300%.... When I killed them they spawned again within a couple of minutes. How did I find out it was GNUTLS? By using the extremely useful lsof tool; you can easily analyze processes with it. Simply pick a PID on your system and do:

Code:

    lsof -p <PID>

and it'll display a nice list of all modules, files, etc. involved in the process; additionally it displays the "reason" of the process.... In my case it was always legit website requests BUT by using HTTPS.

So after some googling I found other people with the same issue, switched back to mod_ssl, and all is fine again.... \:D/
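A scripted version of the lsof triage described in the post above, added here as an example and not taken from bad_brain's post or from any project: it parses `lsof -p <PID>` output, reports which TLS stack the process has mapped (judged from the shared objects in the "mem" rows) and counts its established HTTPS connections, then wraps that around `ps` to check every process above a CPU threshold. The lsof output below is constructed for the example (the PID, paths and addresses are assumptions), and the column layout is lsof's default COMMAND/PID/USER/FD/TYPE/DEVICE/SIZE-OFF/NODE/NAME.

```shell
#!/bin/sh
# Added example (not from the original post): triage a hot www-data process with
# lsof, scripted.  Only POSIX sh + awk are needed for the parsing functions, so they
# run offline on the constructed sample; the live helper at the bottom needs ps/lsof
# and enough privilege to read the target's /proc entry (root, or the same user).

# Constructed sample of `lsof -p 4123` output (assumed PID/paths/addresses, not
# captured from a real host).
SAMPLE_LSOF='COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
apache2  4123 www-data  cwd    DIR  254,1     4096      2 /
apache2  4123 www-data  txt    REG  254,1   584392  40111 /usr/sbin/apache2
apache2  4123 www-data  mem    REG  254,1   651344  12345 /usr/lib/x86_64-linux-gnu/libgnutls.so.26.22.4
apache2  4123 www-data  mem    REG  254,1   123456  12346 /usr/lib/apache2/modules/mod_gnutls.so
apache2  4123 www-data    3u  IPv4  98765      0t0    TCP *:https (LISTEN)
apache2  4123 www-data   12u  IPv4  99001      0t0    TCP 203.0.113.10:https->198.51.100.7:51234 (ESTABLISHED)
apache2  4123 www-data   13u  IPv4  99002      0t0    TCP 203.0.113.10:https->198.51.100.9:40210 (ESTABLISHED)
apache2  4123 www-data   14u  IPv4  99003      0t0    TCP 203.0.113.10:http->198.51.100.9:40211 (ESTABLISHED)'

# Read lsof output on stdin and print which TLS stack the process has mapped:
# "gnutls", "openssl", "both" or "none".  Only "mem" rows (mapped shared objects)
# are considered, so a plain read of a file named libssl.so would not count.
tls_stack_from_lsof() {
    awk '
        $4 == "mem" && $NF ~ /(libgnutls|mod_gnutls)/ { g = 1 }
        $4 == "mem" && $NF ~ /(libssl|mod_ssl)/       { o = 1 }
        END {
            if (g && o)  print "both"
            else if (g)  print "gnutls"
            else if (o)  print "openssl"
            else         print "none"
        }'
}

# Read lsof output on stdin and count ESTABLISHED TCP connections on the https port.
# lsof prints the service name ("https") by default and the number ("443") with -P,
# so both spellings are accepted; the LISTEN socket has no "->" and is skipped.
https_conns_from_lsof() {
    awk '$5 ~ /^IPv[46]$/ && $(NF-1) ~ /:(https|443)->/ && $NF == "(ESTABLISHED)" { n++ }
         END { print n + 0 }'
}

# Live triage: for every process at or above the given %CPU (default 100, an assumed
# threshold), print "PID TLS-stack https-connections".  ps -eo with "=" headers
# suppresses the header line; lsof -p selects by PID.
hot_tls_processes() {
    threshold="${1:-100}"
    ps -eo pid=,pcpu=,user=,comm= | awk -v t="$threshold" '$2 + 0 >= t { print $1 }' |
    while read -r pid; do
        out=$(lsof -p "$pid" 2>/dev/null) || continue
        printf '%s %s %s\n' "$pid" \
            "$(printf '%s\n' "$out" | tls_stack_from_lsof)" \
            "$(printf '%s\n' "$out" | https_conns_from_lsof)"
    done
}

# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_LSOF" | tls_stack_from_lsof      # prints: gnutls
printf '%s\n' "$SAMPLE_LSOF" | https_conns_from_lsof    # prints: 2
```

Run `hot_tls_processes 200` as root on the affected box to get one line per process burning more than two cores, with the TLS library it actually has mapped and how many HTTPS clients it is serving; a process that shows libgnutls plus a pile of ESTABLISHED https connections is exactly the pattern the post describes. Note that `-p` is lsof's documented option for selecting a process by PID, and that lsof reads /proc, so an unprivileged user will only see their own processes.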

lilrofl
Siliconoclast
Posts: 1363
Joined: 28 Jan 2009, 17:00
Location: California, USA

Post by lilrofl »

Funny, I had this same problem last week while setting up an IRC server with GNUTLS instead of SSL. I was back using SSL in minutes :D

Post by bad_brain »

Oh? Also those strange process hangs with high CPU loads?

The most annoying part for me was that it worked quite well at the start... but after 1-2 days (OF COURSE when I was sleeping) it sucked up so much CPU that the server had the performance of a P2 on 56k.... :lol:

Post by lilrofl »

Upon further examination, it was not the same. I implemented GNUTLS with unrealircd; when I connected to the SSL port, however, the cert took almost a minute to verify, and messaging became slow if more than 50 or so people were logged in.

I tried this afternoon to recreate it and see if extra processes were spawning, but it seems that GNUTLS just doesn't play well with multiple virtual machines over a single connection: it starts getting handshake failed errors, then the client retries. The errors don't print, so it just seems like it's taking forever when it was just a couple of dozen failures.

SSL works fine, though, under the same circumstances, so I still figure it's probably GNUTLS.


Post by bad_brain »

Hm, could still be the same issue. I haven't examined what exactly is going on in those hanging processes (I just know they hung because of GNUTLS), but them being in a wait/retry phase forever because of failed handshakes, like in your case, would be an explanation... :-k