How can I send an unencrypted payload through an encrypted TLS stream with Rustls?

Hi all,

I'm working on a specific use case where I need to send an encrypted header (for an HTTPS request) and unencrypted payload through the same socket. The purpose of this is for an upload speed test, where the server (of which I do not control) only cares about the http header being secure and not the payload. The payload consists of a large number of zeros, so sending them unencrypted is not a security concern in this case.

I could just send the payload encrypted, but in my opinion, that is wasted CPU time encrypting bytes

Is what i'm asking for even possible?

In theory TLS supports renegotiation and a null cipher that doesn't encrypt, so you could destroy security of an already-established connection. In practice I would not expect anybody to allow the null cipher, because it's basically a security vulnerability.

So no. You'd need to make a separate HTTP request or a direct TCP connection, but a TLS connection is designed to be secure from start to end.

1 Like

It's also worth remembering that the main overhead of TLS comes from negotiating which cipher to use during the handshake, not from encrypting the main payload. Therefore, this sounds like a case of over-optimization to me.

For example, this blog post from 2010(!) says:

On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.

1 Like

And remember in this context that most modern CPUs (AMD, Apple, Intel, Qualcomm, Mediatek, Samsung etc) have hardware acceleration for AES, since it's such a commonly used symmetric cipher. As a result, if you're using AES, you're unlikely to be slowed down by encryption overhead.

1 Like

I'm targeting a very old single-core 32-bit 400MHz ARM9 CPU actually which is why I'm trying to do everything without TLS in the first place. I have eyeballed the CPU usage on top during these upload tests with TLS and it makes out at 100% (as observed by top), so this makes me think I definitely am bottlenecking on TLS

1 Like

Which cipher are you using? Chacha20-Poly1305 should be faster than AES-128-GCM when there is no hardware acceleration for AES.


What speed test servers are you using? I seem to remember HTTP fallback was available on servers a few years ago. I'm not sure if this feature is still around.

This crate might also be useful.

I just checked and it appears rustls is negotiating AES_256_GCM_SHA384 by default !

I'll try to coerce rustls into using Chacha20

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.