So MLE means reports from clients to relays are encrypted. Are there communications from clients to relays that are never encrypted regardless of configuration? What are they?
Are you saying that 9+ clients will always attempt an SSL connection to their relays, or only if they are authenticating relays?
What traffic from relays to clients is never encrypted?
Signing alone prevents tampering, but it means that the traffic is in the clear and can be sniffed between relay and client, which is not ideal and we might prefer to configure it so this is not the case.
In our organization our relays are all server class hardware that is either completely dedicated to being a relay, or used for 2 or 3 tasks with low performance needs. I believe most have 10gig connections as well. CPU overhead of SSL is not an issue.
I think it would be a huge advantage if all traffic could be encrypted with the absolute minimum of configuration and limitations over the default, without the restriction of authenticating relays preventing new clients from connecting… either through a manual password that is embedded in the client installer, or by preferring encryption or authentication.