Monthly Archives: March 2015

Pen 0.27.3 released

Available here:

http://siag.nu/pen/

And also here:

https://sourceforge.net/projects/penloadbalancer/files/Source/

Several new configuration options dealing with securing SSL.

ssl_option no_sslv2 turns off SSL2. This has been the default for ages. Nobody should use SSL2 anymore.

ssl_option no_sslv3 turns off SSL3, sacrificing compatibility with Windows XP but also “sacrificing” the associated vulnerabilities.

ssl_option no_tlsv1 turns off TLS1, again sacrificing a bit of compatibility for a bit of security.

ssl_option cipher_server_preference makes the server's order win during negotiation: the ciphers listed first in the cipher list (see next item) are preferred over whatever order the client proposes.

ssl_ciphers CIPHERS specifies the list of ciphers to support, in OpenSSL's cipher-string syntax. By default, Pen will use whatever OpenSSL thinks the default should be, and that list will be different depending on the version of OpenSSL and the options used when compiling OpenSSL.

See here for a suggested configuration with intermediate compatibility but still good security:

Perfect Forward Secrecy

The default maximum number of connections has been 256 since Pen’s inception in 2000. Today that is ridiculously conservative since Pen will gladly handle tens of thousands of connections on a Raspberry Pi:

The Great Load Balancer Shootout…
Let’s double that one more time

The default is now bumped to 500; still very conservative.

Full list of changes since 0.27.2:

150330 Added autoconf check that the ECDHE is available and not disabled.
Bumped default max connections and listen queue to 500.

150326 Support for ECDHE cipher suites.

150325 New commands ssl_option and ssl_ciphers to individually disable
insecure protocols and ciphers.

150324 Updated penctl.1 with the new command.

150322 New knob to tweak max number of pending nonblocking connection
attempts: pending_max N (default 100).


Perfect Forward Secrecy

One of the new features in 0.27.3 will be perfect forward secrecy for SSL.

http://www.computerworld.com/article/2473792/encryption/perfect-forward-secrecy-can-block-the-nsa-from-secure-web-pages--but-no-one-uses-it.html
http://en.wikipedia.org/wiki/Forward_secrecy
http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html

Enabling perfect forward secrecy involves picking an up to date version of OpenSSL compiled with the right options and using the appropriate ciphersuite. Do note that older clients (Windows XP) are at odds with secure SSL configuration – there’s no way to get both right at the same time. This suggested configuration is a compromise:

ssl_option no_sslv2
ssl_option no_sslv3
#ssl_option no_tlsv1
ssl_option cipher_server_preference
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

This configuration won’t work with IE6 on XP; hopefully nobody uses that anymore. The extremely long string at the end is the ciphersuite suggested by Mozilla for intermediate compatibility at the time of writing. For the full story, see here:

https://wiki.mozilla.org/Security/Server_Side_TLS
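Because the ssl_ciphers list is handed to OpenSSL, what it actually enables depends on the OpenSSL build, as the release notes above point out. The following is an added Python example, not Pen's own code (Pen is written in C and reads these knobs from its configuration file). It uses only the standard-library ssl module, expresses the same settings as the configuration above (SSLv2 and SSLv3 off, TLS1 optionally off, server cipher preference, the Mozilla intermediate string) in a server context, and reports which suites the local OpenSSL resolved from the string, whether any suite the string is meant to exclude slipped through, and how many of the enabled suites are forward-secret. The function names and the weak-suite markers are my own assumptions for the check.

```python
import ssl

# Cipher string quoted in the post (Mozilla's "intermediate" list at the time of writing).
PEN_INTERMEDIATE_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Name fragments of suites the string is meant to rule out (my assumption of what
# counts as "weak" here): RC4, MD5, NULL encryption/auth, export grades, anonymous DH/ECDH.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "ADH", "AECDH")


def is_weak(name):
    """True for a suite the post's cipher string is supposed to exclude."""
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return True
    # Single DES is out (!DES); triple DES (DES-CBC3-SHA) is deliberately kept for old
    # clients, so names carrying the CBC3 / 3DES marker are not flagged.
    return "DES" in upper and "CBC3" not in upper and "3DES" not in upper


def hardened_context(ciphers=PEN_INTERMEDIATE_CIPHERS, disable_tlsv1=False):
    """Server-side SSLContext mirroring the post's Pen knobs (my mapping, not Pen's code):
    no_sslv2 + no_sslv3 (and optionally no_tlsv1) -> minimum_version,
    cipher_server_preference -> OP_CIPHER_SERVER_PREFERENCE,
    ssl_ciphers CIPHERS -> set_ciphers(CIPHERS)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_1 if disable_tlsv1 else ssl.TLSVersion.TLSv1
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(ciphers)  # raises ssl.SSLError if nothing in the string is usable
    return ctx


def enabled_cipher_names(ctx):
    """Suite names OpenSSL actually resolved for this context. TLS 1.3 suites, where the
    build has them, are listed too: they are configured separately and not governed by the string."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit(ciphers=PEN_INTERMEDIATE_CIPHERS, disable_tlsv1=False):
    """Resolve the string on the local OpenSSL and report what it enabled."""
    ctx = hardened_context(ciphers, disable_tlsv1)
    names = enabled_cipher_names(ctx)
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "enabled": names,
        "weak": [n for n in names if is_weak(n)],
        # ECDHE-/DHE- suites and every TLS 1.3 suite use ephemeral keys, i.e. forward secrecy.
        "forward_secret": [n for n in names if n.startswith(("ECDHE-", "DHE-", "TLS_"))],
        "sslv3_allowed": ctx.minimum_version <= ssl.TLSVersion.SSLv3,
        "tlsv1_allowed": ctx.minimum_version <= ssl.TLSVersion.TLSv1,
    }


def default_cipher_names():
    """Suites enabled when no string is set at all: what "whatever OpenSSL thinks the
    default should be" means on this build, as seen through Python's ssl module."""
    return enabled_cipher_names(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))


if __name__ == "__main__":
    report = audit()
    print(report["openssl"])
    print("enabled:", len(report["enabled"]), "forward-secret:", len(report["forward_secret"]))
    print("weak suites still enabled:", report["weak"] or "none")
    print("default list on this build:", len(default_cipher_names()), "suites")
```

Run it on the machine that will host Pen: the "enabled" list is what that OpenSSL makes of the string, and comparing it with the output of default_cipher_names() shows how much the unset default differs from the hardened list on that particular build.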


The Great Load Balancer Shootout…

… is not what this is about. I was however curious how Pen performs compared to other open source load balancers. All load balancers I could think of in Raspbian were installed on the trusty RPi2 and configured to withstand the same torrent of traffic I use to test Pen.

The result can be seen below. In the interest of keeping crazies out, the “other” load balancers have been anonymized. This is a very simple synthetic test and the results may vary a lot depending on the test conditions. It is however nice to see that:

– Pen had the highest maximum throughput, measured in requests per second
– Pen supported the highest concurrency of all tested load balancers

In the chart below, X is the number of concurrent requests and Y is the number of requests per second. More is better. No line means that the load balancer failed.

[Chart: requests per second (Y) against concurrent requests (X) for each load balancer tested]


Pen 0.27.2 released

Available here:

http://siag.nu/pen/

And also here:

https://sourceforge.net/projects/penloadbalancer/files/Source/

A couple of new features mainly meant for testing:

– Reliable idlers: Pen creates and maintains a number of idle connections
to the backend servers. If a connection is closed by the server, it is
reestablished.

– Dummy server: Instead of proxying requests to a real server, Pen acts
as a web server by replying with an HTTP response to anything the
client says.

And a new bunch of features that allow better control over what Pen
does and how. See below and also the penctl manpage. As usual, everything
that can be done through penctl can also be done through the configuration
file or the command line.

Full list of changes since 0.27.1:

150228 Moved dlist prototypes to dlist.h.

150227 Added check to close idle connections after a period of inactivity.
Penctl: idle_timeout N (default 0 = never close idle connections).

150225 Moved git repository to GitHub.

150225 New feature: dummy server. Rather than acting as a proxy,
Pen will pretend to be a web server with just barely enough
functionality to work as a test target.
Penctl: dummy|no dummy.

150224 Yet Another command: abort_on_error|no abort_on_error makes
Pen call abort() (or not) when encountering a fatal error.

150224 New feature: “reliable idling”. Pen will make and maintain a
number of idle connections to the backend servers. When a connection
closes, a new one is made (hence “reliable”). Penctl: idlers [N].

150223 In do_cmd: return diagnostics to penctl so the user can see them,
instead of uselessly sending them to syslog.

150223 New penctl commands:
socket N (print which connection the socket belongs to)
connection N (print info on the specified connection)
close N (forcibly close connection N)
