API to directly open TLS connections, instead of upgrading an existing socket #3138
Labels
Comments
There is a significant caveat to this: s2n-tls does not (and cannot without redesign) use io_uring for dispatching the reads/writes. So it might not have higher performance compared to our io_uring-powered sockets. There's still a chance for kTLS to be compatible with io_uring, depending on the implementation strategy taken. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Background: currently to get a
TLSSocket, you first create a non-encryptedSocket, then upgrade it viaTLSContextto get aTLSSocket. This proposal is for newTLSContextAPIs to directly create client/serverTLSSockets.Motivation:
On Native, s2n-tls is capable of interfacing directly with the underlying socket's file descriptor. This should have higher performance and is probably easier to implement than redirecting it through an FS2
Socket.Even more compelling, s2n-tls also supports using Kernel TLS, where all the encryption/decryption happens in kernel-space. This minimizes data copies.
On JS, the upgrade is implemented by a costly Node.js Socket <-> FS2 Socket <-> Node.js Socket <-> Node.js TLS Socket <-> FS2 TLS Socket conversion. In Node.js it is possible to directly open TLS connections/servers directly, and thus skip a few layers of conversion.
I'm not aware of any motivation to do this on the JVM, at least with the JDK. Probably a hypothetical Netty-based
TLSContextcould take advantage of this.Questions:
Socketeven after upgrading it. If we assume that won't happen, then maybe it can work.The text was updated successfully, but these errors were encountered: