Question: Is there any official way to enable server-side client verification without requiring client-side server verification (asymmetric mTLS)?

Hello Everyone, I’m implementing PKI/mTLS authentication in Aerospike and want to confirm whether Aerospike officially supports a configuration where the server verifies the client certificate, but the client does NOT need to verify the server certificate.

My goal is:

  • Aerospike server validates the client’s certificate (extract CN → map to user → enforce ACL)
  • But client-side server verification is optional/disabled
  • Still maintain minimal handshake overhead

Right now, with password-based authentication I see ~1–2 ms latency, but with mTLS (even using ECDSA certificates and connection reuse) I consistently see ~5–6 ms per operation. Before assuming this is unavoidable TLS overhead, I want to check if Aerospike has any official configuration, feature, or supported mode that allows asymmetric TLS verification (server verifies client, client does not verify server), or any recommended approach to minimize mTLS handshake cost.

Is such a setup supported or documented? Or is strict mutual verification the only supported mode when tls-authenticate-client is enabled?

Thanks in advance.