3.x: Add test for TLSv1.3 session tickets #652
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Bouncheck
force-pushed
the
scylla-3.x-ssl-tests-session-tickets
branch
from
b603ade to
da2829a
Compare
Adds new parameter allowing to specify protocol for SSLContext when using `getSSLOptions`.
Adds new test class that verifies the behavior of session tickets. Relevant only for Scylla clusters and TLSv1.3. There are two ssl implementations being tested: JDK and Netty. JDK implementation is tested by tracking `javax.net.ssl` logs. The specifics of TLS handshakes are read from them and custom metrics are collected. It is expected that the client will receive session tickets and use them when possible. With JDK implementation driver is not expected to be able to reconnect using solely session resumptions after node restart. The cache used in Java internal classes (before JDK 24) can hold only 1 ticket for this purpose. This ticket cannot be reused for simultaneous reconnection to multiple shards. Netty implementation is tested by extending `RemoteEndpointAwareNettySSLOptions`. The extension called `TestableNettySSLOptions` should behave nearly identically. The difference comes from additional listeners and handlers that are used for collecting statistics about completed handshakes and ClientHellos sent. In this implementation the cache stores enough sessions for reconnections, so the test method for this implementation expects all reconnections to use the session resumption. The driver also does not attempt to send ClientHello's into the void before the node gets back up, which would waste the session information from received tickets.
Bouncheck
force-pushed
the
scylla-3.x-ssl-tests-session-tickets
branch
from
da2829a to
191d29a
Compare
dkropachev
approved these changes
Sep 25, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds new test class that verifies the behavior of session tickets.
Relevant only for Scylla clusters and TLSv1.3.
There are two ssl implementations being tested: JDK and Netty.
JDK implementation is tested by tracking
javax.net.ssllogs.The specifics of TLS handshakes are read from them and custom metrics are
collected. It is expected that the client will receive session tickets and
use them when possible. With JDK implementation driver is not expected to be
able to reconnect using solely session resumptions after node restart.
The cache used in Java internal classes (before JDK 24) can hold only 1 ticket
for this purpose. This ticket cannot be reused for simultaneous reconnection to
multiple shards.
Netty implementation is tested by extending
RemoteEndpointAwareNettySSLOptions.The extension called
TestableNettySSLOptionsshould behave nearly identically.The difference comes from additional listeners and handlers that
are used for collecting statistics about completed handshakes and ClientHellos
sent.
In this implementation the cache stores enough sessions for reconnections, so
the test method for this implementation expects all reconnections to use the
session resumption. The driver also does not attempt to send ClientHello's into
the void before the node gets back up, which would waste the session
information from received tickets.