RE: [Pound Mailing List] SSL performance
Peter Wake <Peter.Wake(at)teamseer.com>
2012-06-26 10:13:16
Hi Martin

You might want to check out this thread:

http://www.apsis.ch/pound/pound_list/archive/2012/2012-05/1337789033000#1337789033000

The key line in this is:

# Increase the threads to 4096 - we tried 16000 but it didn't like it
Threads         4096

I think it's due to pound's revised threading model, which started in version
2.5.

Regards,
Peter
[...]

Re: [Pound Mailing List] SSL performance
"Patrizio Tassone - Stardata s.r.l." <p.tassone(at)stardata.it>
2012-06-26 10:25:58
Sent from my BlackBerry® wireless device


Re: [Pound Mailing List] SSL performance
martin(at)grachtwal.nu
2012-06-26 10:56:15
Thanks for the thread suggestion which I will definitely try, but we
already found out the problem; our office internet connection started to
choke.

So we have to try something else for the test but so far it looks promising.
Cheers,
Martin


RE: [Pound Mailing List] Pound patch
Joe Gooch <mrwizard(at)k12system.com>
2012-06-26 15:23:50
If you’re applying against Pound 2.6 final, use the patch here:
https://github.com/goochjj/pound/commit/2f69c71b0314538f2a6218f624bdd2b954e5dbc8.patch

That should fix you right up.
Joe


From: Ricardo Santos [mailto:ricamz(at)gmail.com]
Sent: Saturday, June 23, 2012 3:42 AM
To: pound
Subject: [Pound Mailing List] Pound patch

Hi there.

I have used the pound patch

http://goochfriend.org/pound_2.6f_ssl_renegotiation_and_ciphers_v2.patch


on the last stable version of Pound, but when I applied the patch it gave me a
rejection file (config.c.rej) with:

(at)(at) -1022,6 +1033,23 (at)(at)
             lin[matches[1].rm_eo] = '\0';
             if((res->add_head = strdup(lin + matches[1].rm_so)) == NULL)
                 conf_err("AddHeader config: out of memory - aborted");
+        } else if(!regexec(&SSLAllowClientRenegotiation, lin, 4, matches,
0)) {
+            res->allow_client_reneg = atoi(lin + matches[1].rm_so);
+            if (res->allow_client_reneg == 2) {
+                ssl_op_enable |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+                ssl_op_disable &=
~SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+            } else {
+                ssl_op_disable |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+                ssl_op_enable &=
~SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+            }
+        } else if(!regexec(&SSLHonorCipherOrder, lin, 4, matches, 0)) {
+            if (atoi(lin + matches[1].rm_so)) {
+                ssl_op_enable |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+                ssl_op_disable &= ~SSL_OP_CIPHER_SERVER_PREFERENCE;
+            } else {
+                ssl_op_disable |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+                ssl_op_enable &= ~SSL_OP_CIPHER_SERVER_PREFERENCE;
+            }
         } else if(!regexec(&Ciphers, lin, 4, matches, 0)) {
             has_other = 1;
             if(res->ctx == NULL)
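
Review bot: In the SSLAllowClientRenegotiation branch the literal 2 is the only value that turns on SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, and nothing in the hunk says what the other values mean. That flag permits renegotiation with peers that lack secure renegotiation support, so the levels deserve named constants or at least a comment beside `if (res->allow_client_reneg == 2)`. Both new branches also pass the matched text straight to atoi(), which returns 0 for non-numeric input, so validation rests entirely on the SSLAllowClientRenegotiation and SSLHonorCipherOrder patterns, which are not visible here; worth confirming they admit only the intended digits. Finally, res->allow_client_reneg is stored per listener while ssl_op_enable and ssl_op_disable are not fields of res, so please check that the masks are reset for each listener and do not carry over from one to the next.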

What I have done to solve it and include those options in the pound.cfg, was to
remove these lines from config.c:

            } else {
                if((res->add_head = realloc(res->add_head, strlen(res->add_head)
                        + strlen(lin + matches[1].rm_so) + 3)) == NULL)
                    conf_err("AddHeader config: out of memory - aborted");
                strcat(res->add_head, "\r\n");
                strcat(res->add_head, lin + matches[1].rm_so);
            }

But I don't know what the implications of that are. Is there any problem with
removing these lines?

Thanks.
--
Ricardo Santos