@dwoz dwoz commented Dec 9, 2025

Adds disable_aes_with_tls config option that eliminates redundant AES encryption when TLS with mutual authentication is active, providing performance improvement with 6 security checks including certificate identity verification.

What does this PR do?

What issues does this PR fix or reference?

Fixes

Previous Behavior

Remove this section if not relevant

New Behavior

Remove this section if not relevant

Merge requirements satisfied?

[NOTICE] Bug fixes or features added to Salt require tests.

Commits signed with GPG?

Yes/No

Adds disable_aes_with_tls config option that eliminates redundant AES
encryption when TLS with mutual authentication is active, providing
10-50% performance improvement with 6 security checks including
certificate identity verification.
Main Issue: Tests were checking for SSL handshake failures too early. With Tornado's lazy SSL handshaking, TCP connections succeed immediately, but SSL validation happens asynchronously.

test_tcp_ssl.py (20 lines changed):
- Timing fix: Added await asyncio.sleep(1) after connect() to allow SSL handshake to fail
- Stream check: Verify connection closed by checking pub_client._stream.closed()
- Exception handling: Added ssl.SSLError to expected exceptions
- Test isolation: Added minion_opts.pop("ssl", None) to prevent state contamination
- Cleanup: Added process_manager.terminate() for proper process cleanup
- Imports: Added import ssl and import salt.utils.process

test_ws_ssl.py (3 lines changed):
- Test isolation: Added minion_opts.pop("ssl", None)
- Cleanup: Added process_manager.terminate()

These minimal changes fix the test expectations to match the actual async SSL behavior while ensuring proper isolation and cleanup between tests.
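The two-phase behaviour described in the commit message above, as an added example that is not code from this PR, Salt or Tornado: it uses standard-library sockets in place of Tornado's stream, and the loopback server, its non-TLS reply and the function names are constructed for illustration. The TCP connect succeeds first; `ssl.SSLError` surfaces only when the deferred handshake runs.

```python
import socket
import ssl
import threading


def start_plaintext_server():
    """Listen on loopback and answer any client with bytes that are not TLS."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # constructed endpoint, ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        with conn:
            conn.settimeout(5)
            try:
                conn.recv(4096)                        # the client's ClientHello
                conn.sendall(b"NOT A TLS RECORD\r\n")  # constructed bad reply
                while conn.recv(4096):                 # drain until client closes
                    pass
            except OSError:
                pass
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe(port):
    """Return (tcp_connected, handshake_error) for a deferred TLS handshake."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection(("127.0.0.1", port), timeout=5)
    # Like a lazy handshake: wrapping the socket does not validate anything yet.
    tls = ctx.wrap_socket(raw, server_hostname="localhost",
                          do_handshake_on_connect=False)
    tcp_connected = tls.getpeername()[1] == port  # phase 1 already succeeded
    handshake_error = None
    try:
        tls.do_handshake()                        # phase 2: failure appears here
    except ssl.SSLError as exc:
        handshake_error = exc
    finally:
        tls.close()
    return tcp_connected, handshake_error


if __name__ == "__main__":
    print(probe(start_plaintext_server()))
```

A test that asserts on failure immediately after the connect step sees only phase 1, which is why the handshake has to be given time to run before the check.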

Labels

test:full Run the full test suite