Skip to content

TLS Encryption Optimization #68521

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dwoz wants to merge 6 commits into
base: master
Choose a base branch
from
Open

TLS Encryption Optimization #68521

dwoz wants to merge 6 commits into from
+3,840 −38

Conversation

@dwoz
Copy link
Contributor

@dwoz dwoz commented Dec 9, 2025
edited
Loading

Adds disable_aes_with_tls config option that eliminates redundant AES encryption when TLS with mutual authentication is active, providing performance improvement with 6 security checks including certificate identity verification.

Fixes: #68536
@dwoz dwoz requested a review from a team as a code owner December 9, 2025 07:23
@dwoz dwoz added the test:full Run the full test suite label Dec 9, 2025
@dwoz dwoz force-pushed the ssl_transport_tests branch from 52dae2a to 38bb7f5 Compare December 9, 2025 21:24
dwoz added 6 commits December 31, 2025 16:07
@dwoz
TLS Encryption Optimization
ada7373 
Adds disable_aes_with_tls config option that eliminates redundant AES
encryption when TLS with mutual authentication is active, providing
10-50% performance improvement with 6 security checks including
certificate identity verification.
@dwoz
Fix tests by making ssl context
7fa340e
@dwoz
More test fixes
a0293ec 
Main Issue: Tests were checking for SSL handshake failures too early. With Tornado's lazy SSL handshaking, TCP connections succeed immediately, but SSL validation happens asynchronously.

test_tcp_ssl.py (20 lines changed):
- Timing fix: Added await asyncio.sleep(1) after connect() to allow SSL handshake to fail
- Stream check: Verify connection closed by checking pub_client._stream.closed()
- Exception handling: Added ssl.SSLError to expected exceptions
- Test isolation: Added minion_opts.pop("ssl", None) to prevent state contamination
- Cleanup: Added process_manager.terminate() for proper process cleanup
- Imports: Added import ssl and import salt.utils.process

test_ws_ssl.py (3 lines changed):
- Test isolation: Added minion_opts.pop("ssl", None)
- Cleanup: Added process_manager.terminate()

These minimal changes fix the test expectations to match the actual async SSL behavior while ensuring proper isolation and cleanup between tests.
@dwoz
Add changelog
708a90c
@dwoz
Fix RST section header formatting
0be288e 
Address PR review feedback from twangboy:
- TLS Encryption Optimization header: Remove extra = character
- Certificate Identity Requirement header: Remove extra - character

RST section headers require exact character count matching the title length.
@dwoz
Update changelog entry for TLS encryption optimization
6961226 
Improve changelog description and fix typo (alid -> valid).
Provide more comprehensive description of the feature.
@dwoz dwoz force-pushed the ssl_transport_tests branch from 1486cf9 to 6961226 Compare December 31, 2025 23:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

test:full Run the full test suite

2 participants

@dwoz @twangboy