Skip to content

feat: add TLS session caching support#657

Open
dkropachev wants to merge 13 commits intomasterfrom
dk/support-tls-tickets-fixes
Open

feat: add TLS session caching support#657
dkropachev wants to merge 13 commits intomasterfrom
dk/support-tls-tickets-fixes

Conversation

@dkropachev
Copy link
Collaborator

@dkropachev dkropachev commented Jan 29, 2026
edited
Loading

Summary

This PR adds TLS session caching support to the Python driver, enabling faster reconnections by reusing negotiated TLS sessions. This reduces handshake latency for both TLS 1.2 (session IDs/tickets) and TLS 1.3 (session tickets).

Fixes: #426

Changes

Core Implementation:

  • Add cassandra.tls module with TLSSessionCache abstract base class and DefaultTLSSessionCache implementation featuring LRU eviction, TTL expiration, and periodic cleanup
  • Add tls_session_cache_key property to endpoint classes (EndPoint, SniEndPoint, UnixSocketEndPoint) for proper cache key generation
  • Integrate TLS session caching in Connection class - apply cached sessions during wrap_socket() and store sessions after successful connections

Cluster Configuration:

  • tls_session_cache_enabled: toggle caching on/off (default: True)
  • tls_session_cache_size: max cached sessions (default: 100)
  • tls_session_cache_ttl: session TTL in seconds (default: 3600)
  • tls_session_cache_options: advanced config via TLSSessionCacheOptions or custom TLSSessionCache implementation

Reactor Support:

  • EventletConnection: TLS session caching via PyOpenSSL's session API
  • TwistedConnection: TLS session caching via _SSLCreator class

Testing

  • Unit tests for DefaultTLSSessionCache (TTL, LRU eviction, thread safety, cleanup)
  • Unit tests for endpoint tls_session_cache_key properties
  • Unit tests for EventletConnection and TwistedConnection TLS session handling
  • Integration tests for end-to-end session caching with real clusters

Documentation

  • Added TLS session caching section to security guide with configuration examples

Pre-review checklist

  • I have split my patch into logically separate commits.
  • All commit messages clearly explain what they change and why.
  • I added relevant tests for new features and bug fixes.
  • All commits compile, pass static checks and pass test.
  • PR description sums up the changes and reasons why they should be introduced.
  • I have provided docstrings for the public items that I want to introduce.
  • I have adjusted the documentation in ./docs/source/.
  • I added appropriate Fixes: annotations to PR description.

github-code-quality[bot]
github-code-quality bot found potential problems Jan 29, 2026
View reviewed changes
@dkropachev dkropachev force-pushed the dk/support-tls-tickets-fixes branch 2 times, most recently from cbbde06 to 5430bb7 Compare January 29, 2026 16:11
@dkropachev dkropachev changed the title Dk/support tls tickets fixes feat: add TLS session caching support Jan 29, 2026
@dkropachev dkropachev marked this pull request as ready for review January 29, 2026 17:16
@dkropachev dkropachev requested a review from Lorak-mmk January 29, 2026 17:16
@dkropachev dkropachev self-assigned this Jan 29, 2026
@dkropachev dkropachev mentioned this pull request Jan 29, 2026
Closed
7 tasks
@dkropachev dkropachev force-pushed the dk/support-tls-tickets-fixes branch from 5430bb7 to 6a84e73 Compare January 29, 2026 17:23
@dkropachev
feat: add TLS session cache implementation
cb07ab0 
Adds cassandra.tls module with:
- TLSSessionCache abstract base class defining the caching interface
- DefaultTLSSessionCache with LRU eviction, TTL expiration, and
  periodic cleanup
- TLSSessionCacheOptions for configuring cache parameters

TLS session caching enables faster reconnections by reusing
negotiated TLS sessions, reducing handshake latency for both
TLS 1.2 (session IDs/tickets) and TLS 1.3 (session tickets).
@dkropachev
feat: add tls_session_cache_key property to endpoint classes
109efde 
Add tls_session_cache_key property to EndPoint, SniEndPoint, and
UnixSocketEndPoint classes to provide appropriate cache keys for
TLS session caching:
- EndPoint: (address, port)
- SniEndPoint: (address, port, server_name) to prevent cache
  collisions when multiple SNI endpoints use the same proxy
- UnixSocketEndPoint: (path,) since Unix sockets have no port
@dkropachev
feat: integrate TLS session caching in Connection class
9225efd 
Add TLS session caching support to the Connection class:
- Add tls_session_cache parameter to Connection.__init__
- Apply cached sessions during wrap_socket() for session resumption
- Store sessions after successful connection in _connect_socket()
- Support both TLS 1.2 and TLS 1.3 session resumption

Sessions are only cached after successful connections to avoid
caching sessions from failed connection attempts.
@dkropachev
feat: add TLS session cache configuration to Cluster
4ff7bbf 
Add TLS session caching configuration options to the Cluster class:
- tls_session_cache_enabled: toggle caching on/off (default: True)
- tls_session_cache_size: max cached sessions (default: 100)
- tls_session_cache_ttl: session TTL in seconds (default: 3600)
- tls_session_cache_options: advanced config via TLSSessionCacheOptions
  or custom TLSSessionCache implementation

The cache is automatically created when SSL is enabled and passed
to connections via the connection factory.
@dkropachev
feat: add TLS session caching to EventletConnection
e6b8ce1 
Implement TLS session caching for the eventlet reactor using
PyOpenSSL's session API:
- Apply cached session via set_session() before handshake
- Store session via get_session() after successful handshake
- Log session reuse for debugging
@dkropachev
feat: add TLS session caching to TwistedConnection
3bb08ba 
Implement TLS session caching for the Twisted reactor using
PyOpenSSL's session API via the _SSLCreator class:
- Pass tls_session_cache to _SSLCreator
- Apply cached session in clientConnectionForTLS()
- Store session in info_callback() after successful handshake
- Log session reuse for debugging
@dkropachev
test: add unit tests for TLS session cache
7ce958d 
Add comprehensive unit tests for DefaultTLSSessionCache:
- Basic get/set operations
- Multiple endpoints with separate cache entries
- TTL expiration
- LRU eviction when cache is full
- cache_by_host_only mode
- Thread safety under concurrent access
- Periodic cleanup of expired sessions
- Clear operations
@dkropachev
test: add unit tests for endpoint tls_session_cache_key
796b891 
Add tests verifying the tls_session_cache_key property for each
endpoint type:
- DefaultEndPoint returns (address, port)
- SniEndPoint includes server_name to prevent cache collisions
- UnixSocketEndPoint returns just the path
@dkropachev
test: add unit tests for EventletConnection TLS session caching
1b817ae 
Add tests for TLS session caching in the eventlet reactor:
- Cached session is applied via set_session()
- Session is stored after successful handshake
- Session reuse is detected and logged
- Behavior without cache configured
@dkropachev
test: add unit tests for TwistedConnection TLS session caching
303a856 
Add tests for TLS session caching in the Twisted reactor:
- Cached session is applied in clientConnectionForTLS()
- Session is stored in info_callback() after handshake
- Session reuse is detected and logged
- _SSLCreator properly receives and uses tls_session_cache
@dkropachev
test: add integration tests for TLS session caching
6c16993 
Add integration tests that verify TLS session caching works
end-to-end with a real Scylla/Cassandra cluster:
- Session caching enabled by default with SSL
- Session reuse on reconnection
- Cache disabled when tls_session_cache_enabled=False
- Custom cache options via TLSSessionCacheOptions
@dkropachev
docs: add TLS session caching documentation
b6ba877 
Document the TLS session caching feature in the security guide:
- Overview of session resumption benefits
- Configuration options (enabled, size, ttl, options)
- Advanced configuration with TLSSessionCacheOptions
- Custom cache implementation example
- Notes on TLS 1.2 vs TLS 1.3 behavior
@dkropachev dkropachev force-pushed the dk/support-tls-tickets-fixes branch from 6a84e73 to b6ba877 Compare February 3, 2026 23:14
Lorak-mmk
Lorak-mmk requested changes Feb 16, 2026
View reviewed changes
Copy link

@Lorak-mmk Lorak-mmk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One additional question: Why did you have to integrate it specifically with eventlet and twisted, while there is already integration in Connection class? And why other reactors don't need that?

cassandra/tls.py Outdated
Comment on lines 37 to 48
@abstractmethod
def get_session(self, endpoint):
"""
Get a cached TLS session for the given endpoint.

Args:
endpoint: The EndPoint object representing the connection target

Returns:
ssl.SSLSession object if a valid cached session exists, None otherwise
"""
pass
Copy link

@Lorak-mmk Lorak-mmk Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you use type hints instead of comments describing the return type?

Copy link

@Lorak-mmk Lorak-mmk Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This applices to all methods, both to args and return types.

Copy link
Collaborator Author

@dkropachev dkropachev Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added type hints to all methods in TLSSessionCache and DefaultTLSSessionCache (args and return types). Removed docstring-based type descriptions.

@dkropachev
Copy link
Collaborator Author

dkropachev commented Feb 16, 2026

Addressing review feedback:

Copyright header (cassandra/tls.py): Fixed. Changed to ScyllaDB copyright since this is new code, not backported from upstream.

Type hints: Fixed. Added type hints to all methods in TLSSessionCache and DefaultTLSSessionCache (args and return types). Removed docstring-based type descriptions.

ABC / @abstractmethod: Removed. You're right, it's not used elsewhere in the driver. Switched to a regular base class with raise NotImplementedError — consistent with the existing codebase patterns.

Consolidate Cluster parameters: Done. Replaced the 4 parameters (tls_session_cache_enabled, tls_session_cache_size, tls_session_cache_ttl, tls_session_cache_options) with a single tls_session_cache parameter. Set to None to disable, pass TLSSessionCacheOptions(...) for custom config, or pass a TLSSessionCache subclass instance for full control. Default behavior (auto-create cache when SSL is enabled) is preserved.

Why eventlet/twisted need separate integration: The base Connection class uses Python's built-in ssl module (ssl.SSLContext.wrap_socket()) which returns an ssl.SSLSocket with a .session property for session resumption. EventletConnection and TwistedConnection use PyOpenSSL instead (SSL.Connection), which has a completely different API for session management (get_session()/set_session() methods instead of the .session property). The other reactors (asyncore, libev, asyncio, gevent) all inherit from the base Connection class and use Python's built-in ssl module, so they get the integration for free.

@dkropachev
Address review feedback: consolidate TLS cache API, add type hints
6ac34bc 
- Fix copyright header: use ScyllaDB instead of DataStax for new files
- Remove ABC/abstractmethod from TLSSessionCache, use NotImplementedError
- Add type hints to all methods in TLSSessionCache and DefaultTLSSessionCache
- Consolidate 4 Cluster parameters into single tls_session_cache parameter
  (None to disable, TLSSessionCacheOptions for config, TLSSessionCache for custom)
- Update docs and tests for new API
@Lorak-mmk
Copy link

Lorak-mmk commented Feb 16, 2026

ABC / @AbstractMethod: Removed. You're right, it's not used elsewhere in the driver. Switched to a regular base class with raise NotImplementedError — consistent with the existing codebase patterns.

In my comment I did not ask for the change. I asked for explanation. I don't know the differences between the two approaches, and wanted to understand them. This would allow us to choose better approach, but now I still don't know how they are different.

@Lorak-mmk
Copy link

Lorak-mmk commented Feb 16, 2026

Btw, why are you responding here, instead of responding to the comments as usual? It will be much harder to keep track of dicsussions.

@dkropachev
Copy link
Collaborator Author

dkropachev commented Feb 16, 2026

ABC / @AbstractMethod: Removed. You're right, it's not used elsewhere in the driver. Switched to a regular base class with raise NotImplementedError — consistent with the existing codebase patterns.

In my comment I did not ask for the change. I asked for explanation. I don't know the differences between the two approaches, and wanted to understand them. This would allow us to choose better approach, but now I still don't know how they are different.

I think it would be better to stick to whatever is done here, it is going to be confusing if same problem solved in different ways.

@dkropachev
Copy link
Collaborator Author

dkropachev commented Feb 16, 2026

Btw, why are you responding here, instead of responding to the comments as usual? It will be much harder to keep track of dicsussions.

Pardon, replied there, my bad.

@dkropachev dkropachev requested a review from Lorak-mmk February 16, 2026 14:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sylwiaszunejko sylwiaszunejko sylwiaszunejko approved these changes

@Lorak-mmk Lorak-mmk Awaiting requested review from Lorak-mmk

+1 more reviewer

@github-code-quality github-code-quality[bot] github-code-quality[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

@dkropachev dkropachev

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support TLS tickets for quick TLS renegotiation

3 participants

@dkropachev @Lorak-mmk @sylwiaszunejko