Skip to content

[improve][client] Add TLSv1.3 support #529

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ciuncan wants to merge 3 commits into
base: main
Choose a base branch
from
Open

[improve][client] Add TLSv1.3 support #529

ciuncan wants to merge 3 commits into from
+183 −1

Conversation

@ciuncan
Copy link

@ciuncan ciuncan commented Dec 10, 2025
edited
Loading

Fixes #172

Motivation

We've met this issue with a customer, whose network does deep packet inspection and somehow prevents TLSv1.2 connections to successfully do handshake. Other clients such as Java/Rust works just fine as they are able to connect with TLSv1.3. Since TLSv1.2 usage is hardcoded in CPP client (and by extension Python client), pulsar connection was no longer possible from there. I've opened a PR and would be happy to get it evaluated to be incorporated in pulsar-client (we use python package).

Modifications

The asio SSL context is now constructed with ASIO::ssl::context::sslv23_client instead of ASIO::ssl::context::tlsv12_client, and with default_workarounds | no_sslv2 | no_sslv3 |no_tlsv1 | no_tlsv1_1 options, which excludes unsafe versions and leaves only TLSv1.2 and TLSv1.3. I've tested this connection on the network and it worked fine.

Verifying this change

  • Make sure that the change passes the CI checks.

This change added tests and can be verified as follows:

  • Added TLS handshake tests (TlsNegotiationTest.cc) that will build a mock server that will either accept only TLSv1.2 and TLSv1.3
  • The updated client TLS connection code is tested against both protocol versions

Documentation

  • doc-required
    (Your PR needs to update docs and you will update later)

  • doc-not-needed
    The change is transparent to user. It will enable the clients to be able to use TLSv1.3 automatically.

  • doc
    (Your PR contains doc changes)

  • doc-complete
    (Docs have been already added)

@ciuncan ciuncan mentioned this pull request Dec 10, 2025
Open
@BewareMyPower BewareMyPower added this to the 4.0.0 milestone Dec 11, 2025
@BewareMyPower
Copy link
Contributor

BewareMyPower commented Dec 11, 2025

Thanks for your contribution, could you fix the format error?

@ciuncan
Copy link
Author

ciuncan commented Dec 11, 2025

Thanks for your contribution, could you fix the format error?

Reformatted. 👌

@BewareMyPower BewareMyPower modified the milestones: 4.0.0, 4.1.0 Dec 11, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@ciuncan ciuncan

Labels

None yet

Projects

None yet

Milestone

4.1.0

Development

Successfully merging this pull request may close these issues.

Support for TLS 1.3 in Pulsar CPP Client

2 participants

@ciuncan @BewareMyPower