Skip to content

mTLS client prototype#4031

Draft
End-rey wants to merge 3 commits into
mtlsfrom
mtls-client-node
Draft

mTLS client prototype#4031
End-rey wants to merge 3 commits into
mtlsfrom
mtls-client-node

Conversation

@End-rey

@End-rey End-rey commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Continue #4003.

End-rey added 3 commits June 3, 2026 23:20
@End-rey
node: inter-node mTLS
a8b3b0b 
Storage nodes authenticate to each other with mutual TLS over their existing
public gRPC port. A node dials with a sentinel SNI and is served the identity
certificate, verified against the network map; clients keep getting the plain
or server-TLS endpoint unchanged. Peers are pinned by their network-map key.

Signed-off-by: Andrey Butusov <andrey@nspcc.io>
@End-rey
object: skip request/response signing on authenticated 1:1 node hops
2562a45 
On the inter-node mTLS listener the peer is an authenticated network-map node,
so verifying the per-request signature and signing the response are redundant
for 1:1 (TTL<=1) hops and are skipped. Requests arriving on the plain public
listener carry no TLS peer certificate and are always verified and signed, so
clients remain unaffected.

Signed-off-by: Andrey Butusov <andrey@nspcc.io>
@End-rey
node: client node mtls
37c5e80 
Signed-off-by: Andrey Butusov <andrey@nspcc.io>
@End-rey End-rey self-assigned this Jun 19, 2026
@End-rey

End-rey commented Jun 19, 2026

Copy link
Copy Markdown
Contributor Author

Benchmark tests were run for the client mTLS variant against the inter-node mTLS. Throughput in ops/s. Small-object GET still benefits in some cases, but overall client-side mTLS looks neutral-to-slightly-negative, while large-object GET generally a bit slower.

REP3

Test Size, KB Threads mTLS mTLS client Δ
PUT 4 1 241 243 +1%
PUT 4 4 751 738 −2%
PUT 4 16 1186 1162 −2%
PUT 4096 1 88 88 0%
PUT 4096 4 170 161 −5%
PUT 4096 16 202 187 −7%
GET 4 1 2217 2726 +23%
GET 4 4 4373 4983 +14%
GET 4 16 6142 7027 +14%
GET 4096 1 345 322 −7%
GET 4096 4 575 476 −17%
GET 4096 16 669 528 −21%

EC6+2

Test Size, KB Threads mTLS mTLS client Δ
PUT 4 1 167 156 −7%
PUT 4 4 369 322 −13%
PUT 4 16 316 252 −20%
PUT 4096 1 92 92 0%
PUT 4096 4 160 155 −3%
PUT 4096 16 166 163 −2%
GET 4 1 1655 1890 +14%
GET 4 4 3246 3474 +7%
GET 4 16 2301 (8646 err) 1721 (8935 err) −25%
GET 4096 1 353 326 −8%
GET 4096 4 492 429 −13%
GET 4096 16 547 (509 err) 467 (344 err) −15%

The main gain vs base still comes from the inter-node changes; adding client-side mTLS does not show a general throughput improvement. The only clear positive signal here is small-object GET at low-to-medium concurrency, while large-object GET is somewhat worse

@End-rey End-rey force-pushed the mtls branch 2 times, most recently from 055eceb to 810ccfe Compare June 24, 2026 20:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@roman-khimov roman-khimov Awaiting requested review from roman-khimov roman-khimov will be requested when the pull request is marked ready for review roman-khimov is a code owner
@carpawell carpawell Awaiting requested review from carpawell carpawell will be requested when the pull request is marked ready for review carpawell is a code owner
@cthulhu-rider cthulhu-rider Awaiting requested review from cthulhu-rider cthulhu-rider will be requested when the pull request is marked ready for review cthulhu-rider is a code owner

Assignees

@End-rey End-rey

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@End-rey