
@dkropachev
Collaborator

@dkropachev dkropachev commented Jan 29, 2026

Summary

This PR adds TLS session caching support to the Python driver, enabling faster reconnections by reusing negotiated TLS sessions. This reduces handshake latency for both TLS 1.2 (session IDs/tickets) and TLS 1.3 (session tickets).

Fixes: #426

Changes

Core Implementation:

  • Add cassandra.tls module with TLSSessionCache abstract base class and DefaultTLSSessionCache implementation featuring LRU eviction, TTL expiration, and periodic cleanup
  • Add tls_session_cache_key property to endpoint classes (EndPoint, SniEndPoint, UnixSocketEndPoint) for proper cache key generation
  • Integrate TLS session caching in Connection class - apply cached sessions during wrap_socket() and store sessions after successful connections

Cluster Configuration:

  • tls_session_cache_enabled: toggle caching on/off (default: True)
  • tls_session_cache_size: max cached sessions (default: 100)
  • tls_session_cache_ttl: session TTL in seconds (default: 3600)
  • tls_session_cache_options: advanced config via TLSSessionCacheOptions or custom TLSSessionCache implementation

Reactor Support:

  • EventletConnection: TLS session caching via PyOpenSSL's session API
  • TwistedConnection: TLS session caching via _SSLCreator class

Testing

  • Unit tests for DefaultTLSSessionCache (TTL, LRU eviction, thread safety, cleanup)
  • Unit tests for endpoint tls_session_cache_key properties
  • Unit tests for EventletConnection and TwistedConnection TLS session handling
  • Integration tests for end-to-end session caching with real clusters

Documentation

  • Added TLS session caching section to security guide with configuration examples

Pre-review checklist

  • I have split my patch into logically separate commits.
  • All commit messages clearly explain what they change and why.
  • I added relevant tests for new features and bug fixes.
  • All commits compile, pass static checks and pass tests.
  • PR description sums up the changes and reasons why they should be introduced.
  • I have provided docstrings for the public items that I want to introduce.
  • I have adjusted the documentation in ./docs/source/.
  • I added appropriate Fixes: annotations to PR description.
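
The description above outlines the cache design (LRU eviction, TTL expiration, periodic cleanup), the per-endpoint cache key scheme, and the rule that sessions are stored only after a successful handshake. The following is an added illustration written for this page, not the driver's own `cassandra.tls` module: the class and function names (`LruTtlSessionCache`, `endpoint_cache_key`, `connect_with_resumption`) are invented, the key scheme mirrors the one listed in the PR description, and the wrap/resume step uses only the standard-library `ssl` API (the `session` argument of `SSLContext.wrap_socket` and the `SSLSocket.session` / `session_reused` attributes). The clock is injectable so that expiry can be exercised without sleeping.

```python
import ssl
import socket
import threading
import time
from collections import OrderedDict
from typing import Any, Hashable, Optional, Tuple


class LruTtlSessionCache:
    """Bounded LRU cache of ssl.SSLSession objects with a per-entry TTL.

    Constructed example; not the driver's DefaultTLSSessionCache. The clock
    is injectable so tests can drive expiry without sleeping.
    """

    def __init__(self, max_size: int = 100, ttl: float = 3600.0,
                 clock=time.monotonic) -> None:
        self._max_size = max_size
        self._ttl = ttl
        self._clock = clock
        self._lock = threading.Lock()  # connections may be opened from many threads
        self._entries: "OrderedDict[Hashable, Tuple[Any, float]]" = OrderedDict()

    def get(self, key: Hashable) -> Optional[Any]:
        """Return a live session for key, or None; expired entries are dropped."""
        with self._lock:
            item = self._entries.get(key)
            if item is None:
                return None
            session, stored_at = item
            if self._clock() - stored_at > self._ttl:
                del self._entries[key]
                return None
            self._entries.move_to_end(key)  # mark as most recently used
            return session

    def put(self, key: Hashable, session: Any) -> None:
        """Store a session; evict least recently used entries beyond max_size."""
        with self._lock:
            self._entries[key] = (session, self._clock())
            self._entries.move_to_end(key)
            while len(self._entries) > self._max_size:
                self._entries.popitem(last=False)

    def evict_expired(self) -> int:
        """Periodic cleanup hook; returns the number of entries removed."""
        now = self._clock()
        with self._lock:
            expired = [k for k, (_, t) in self._entries.items() if now - t > self._ttl]
            for k in expired:
                del self._entries[k]
        return len(expired)

    def __len__(self) -> int:
        with self._lock:
            return len(self._entries)


def endpoint_cache_key(address=None, port=None, server_name=None, unix_path=None):
    """Cache key per endpoint kind, following the scheme in the PR description.

    server_name is part of the key for SNI endpoints so that a session negotiated
    for one backend behind a shared proxy is never offered to another backend.
    """
    if unix_path is not None:
        return (unix_path,)            # Unix sockets have no port
    if server_name is not None:
        return (address, port, server_name)
    return (address, port)


def connect_with_resumption(ctx: ssl.SSLContext, address: str, port: int,
                            cache: LruTtlSessionCache,
                            server_name: Optional[str] = None) -> ssl.SSLSocket:
    """Open a TLS connection, offering a cached session and storing the new one.

    A session can only be resumed with the same SSLContext that created it, so
    the cache must be scoped to one context (or cleared when the context changes).
    """
    key = endpoint_cache_key(address, port, server_name=server_name)
    sock = socket.create_connection((address, port))
    tls = ctx.wrap_socket(sock, server_hostname=server_name or address,
                          session=cache.get(key))  # offer the cached session, if any
    # tls.session_reused tells you whether the server actually resumed it.
    # Store only after a successful handshake so failed attempts never seed the cache.
    # With TLS 1.3 the ticket arrives after the handshake, so the session captured
    # here may only become resumable once some application data has been read.
    if tls.session is not None:
        cache.put(key, tls.session)
    return tls
```

`connect_with_resumption` needs a live server and is shown for the integration point only; the cache and key logic run stand-alone and are what a unit test should pin down (LRU order after a hit, TTL expiry on read, cleanup count, and distinct keys for SNI endpoints sharing a proxy address).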

Adds cassandra.tls module with:
- TLSSessionCache abstract base class defining the caching interface
- DefaultTLSSessionCache with LRU eviction, TTL expiration, and
  periodic cleanup
- TLSSessionCacheOptions for configuring cache parameters

TLS session caching enables faster reconnections by reusing
negotiated TLS sessions, reducing handshake latency for both
TLS 1.2 (session IDs/tickets) and TLS 1.3 (session tickets).

Add tls_session_cache_key property to EndPoint, SniEndPoint, and
UnixSocketEndPoint classes to provide appropriate cache keys for
TLS session caching:
- EndPoint: (address, port)
- SniEndPoint: (address, port, server_name) to prevent cache
  collisions when multiple SNI endpoints use the same proxy
- UnixSocketEndPoint: (path,) since Unix sockets have no port

Add TLS session caching support to the Connection class:
- Add tls_session_cache parameter to Connection.__init__
- Apply cached sessions during wrap_socket() for session resumption
- Store sessions after successful connection in _connect_socket()
- Support both TLS 1.2 and TLS 1.3 session resumption

Sessions are only cached after successful connections to avoid
caching sessions from failed connection attempts.

Add TLS session caching configuration options to the Cluster class:
- tls_session_cache_enabled: toggle caching on/off (default: True)
- tls_session_cache_size: max cached sessions (default: 100)
- tls_session_cache_ttl: session TTL in seconds (default: 3600)
- tls_session_cache_options: advanced config via TLSSessionCacheOptions
  or custom TLSSessionCache implementation

The cache is automatically created when SSL is enabled and passed
to connections via the connection factory.

Implement TLS session caching for the eventlet reactor using
PyOpenSSL's session API:
- Apply cached session via set_session() before handshake
- Store session via get_session() after successful handshake
- Log session reuse for debugging

Implement TLS session caching for the Twisted reactor using
PyOpenSSL's session API via the _SSLCreator class:
- Pass tls_session_cache to _SSLCreator
- Apply cached session in clientConnectionForTLS()
- Store session in info_callback() after successful handshake
- Log session reuse for debugging

@dkropachev dkropachev force-pushed the dk/support-tls-tickets-fixes branch 2 times, most recently from cbbde06 to 5430bb7 on January 29, 2026 16:11
@dkropachev dkropachev changed the title "Dk/support tls tickets fixes" to "feat: add TLS session caching support" Jan 29, 2026
@dkropachev dkropachev marked this pull request as ready for review January 29, 2026 17:16
@dkropachev dkropachev requested a review from Lorak-mmk January 29, 2026 17:16
@dkropachev dkropachev self-assigned this Jan 29, 2026

Add comprehensive unit tests for DefaultTLSSessionCache:
- Basic get/set operations
- Multiple endpoints with separate cache entries
- TTL expiration
- LRU eviction when cache is full
- cache_by_host_only mode
- Thread safety under concurrent access
- Periodic cleanup of expired sessions
- Clear operations

Add tests verifying the tls_session_cache_key property for each
endpoint type:
- DefaultEndPoint returns (address, port)
- SniEndPoint includes server_name to prevent cache collisions
- UnixSocketEndPoint returns just the path

Add tests for TLS session caching in the eventlet reactor:
- Cached session is applied via set_session()
- Session is stored after successful handshake
- Session reuse is detected and logged
- Behavior without cache configured

Add tests for TLS session caching in the Twisted reactor:
- Cached session is applied in clientConnectionForTLS()
- Session is stored in info_callback() after handshake
- Session reuse is detected and logged
- _SSLCreator properly receives and uses tls_session_cache

Add integration tests that verify TLS session caching works
end-to-end with a real Scylla/Cassandra cluster:
- Session caching enabled by default with SSL
- Session reuse on reconnection
- Cache disabled when tls_session_cache_enabled=False
- Custom cache options via TLSSessionCacheOptions

Document the TLS session caching feature in the security guide:
- Overview of session resumption benefits
- Configuration options (enabled, size, ttl, options)
- Advanced configuration with TLSSessionCacheOptions
- Custom cache implementation example
- Notes on TLS 1.2 vs TLS 1.3 behavior

@dkropachev dkropachev force-pushed the dk/support-tls-tickets-fixes branch from 5430bb7 to 6a84e73 on January 29, 2026 17:23


Successfully merging this pull request may close these issues.

Support TLS tickets for quick TLS renegotiation

2 participants