Add TLS session resumption support on .NET 8.0+#214

Draft
sylwiaszunejko wants to merge 7 commits into scylladb:master from sylwiaszunejko:add-tls-resumtion

@sylwiaszunejko

Summary

This PR adds TLS session resumption (session ticket reuse) for connections to Scylla/Cassandra nodes when running on .NET 8.0 or later. Subsequent TLS connections to the same host reuse previously negotiated session parameters.

On older runtimes (netstandard2.0), behavior is unchanged.

Motivation

Each new TLS connection currently performs a full handshake. For clusters with many nodes or frequent connection churn, this adds latency. .NET 8.0 introduced SslClientAuthenticationOptions.AllowTlsResume, which enables the runtime to cache and reuse TLS session tickets — but only when the same SslClientAuthenticationOptions instance is reused across connections to the same host.

Changes

Project configuration

  • Add net8.0 as a target framework alongside netstandard2.0 (multi-targeting)
  • Update LangVersion to latest for modern C# features
  • Suppress SYSLIB0051, SYSLIB0012, SYSLIB0039, CA1416 warnings for net8.0 builds
  • Conditionally reference the Cassandra project with the correct target framework in tests

PlatformHelper

  • Report .NET 8.0+ in GetTargetFramework() when built with NET8_0_OR_GREATER

SSLOptions

  • Add EnableSessionResumption property (defaults to true)
  • Add SetEnableSessionResumption(bool) fluent setter
  • Add unit tests for the new property

TlsSessionTicketCache (new class)

  • Per-cluster cache of SslClientAuthenticationOptions keyed by server name
  • Returns the same instance for repeated connections to the same host, which is required by .NET for session ticket reuse
  • Sets AllowTlsResume based on SSLOptions.EnableSessionResumption
  • No-op on netstandard2.0
  • Add unit tests covering caching behavior, AllowTlsResume, revocation mode, and callback propagation

Configuration

  • Add TlsSessionTicketCache property, initialized when SSL is configured

TcpSocket / Connection

  • Pass TlsSessionTicketCache from Configuration through Connection to TcpSocket
  • On NET8_0_OR_GREATER, use AuthenticateAsClientAsync(SslClientAuthenticationOptions) with cached options
  • Keep existing AuthenticateAsClientAsync(string, ...) path for netstandard2.0

Usage

TLS session resumption is enabled by default when using .NET 8.0+. No configuration changes are needed.

To disable it:

var sslOptions = new SSLOptions().SetEnableSessionResumption(false);
var cluster = Cluster.Builder()
    .AddContactPoint("node1.example.com")
    .WithSSL(sslOptions)
    .Build();

Fixes: https://scylladb.atlassian.net/browse/DRIVER-171
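
The per-host caching described under "TlsSessionTicketCache" above, as an added sketch that is not the PR's code: one `SslClientAuthenticationOptions` instance is created per server name and handed back on every later connection to that name. The class name `PerHostTlsOptionsCache`, its constructor parameters, and the case-insensitive key comparison are assumptions made for illustration.

```csharp
#if NET8_0_OR_GREATER
using System;
using System.Collections.Concurrent;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical sketch: names here are assumptions, not the driver's API.
public sealed class PerHostTlsOptionsCache
{
    // Keyed by server name so each host gets its own options instance.
    // Assumption: names are compared case-insensitively, as DNS names are.
    private readonly ConcurrentDictionary<string, SslClientAuthenticationOptions> _byHost =
        new(StringComparer.OrdinalIgnoreCase);

    private readonly bool _allowResume;
    private readonly X509RevocationMode _revocationMode;
    private readonly RemoteCertificateValidationCallback _validate;

    // validate may be null, which keeps the runtime's default certificate validation.
    public PerHostTlsOptionsCache(bool allowResume,
                                  X509RevocationMode revocationMode,
                                  RemoteCertificateValidationCallback validate)
    {
        _allowResume = allowResume;
        _revocationMode = revocationMode;
        _validate = validate;
    }

    // Returns the same instance for every call with the same server name.
    // GetOrAdd may invoke the factory more than once under a race, but only
    // one instance is stored and returned to all callers.
    public SslClientAuthenticationOptions GetOptions(string serverName)
    {
        if (string.IsNullOrEmpty(serverName))
            throw new ArgumentException("Server name is required.", nameof(serverName));

        return _byHost.GetOrAdd(serverName, name => new SslClientAuthenticationOptions
        {
            TargetHost = name,
            AllowTlsResume = _allowResume,                 // .NET 8.0+ property
            CertificateRevocationCheckMode = _revocationMode,
            RemoteCertificateValidationCallback = _validate
        });
    }
}
// Usage on an existing SslStream:
//   await sslStream.AuthenticateAsClientAsync(cache.GetOptions(host), cancellationToken);
#endif
```

Because the options object is built once per host, the revocation mode and validation callback in effect for a host are the ones captured at its first connection; a unit test can confirm the instance identity with `ReferenceEquals` on two `GetOptions` calls for the same name.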

@sylwiaszunejko sylwiaszunejko force-pushed the add-tls-resumtion branch 5 times, most recently from 2b19a6a to 96b210c Compare April 9, 2026 13:55
- Add net8.0 to Cassandra.csproj TargetFrameworks alongside netstandard2.0
- Update LangVersion to 'latest' in both Cassandra and test projects
- Fix NETCOREAPP regex to match multi-digit .NET versions (net8, net9, net10+)
- Suppress SYSLIB0051, SYSLIB0012, SYSLIB0039, CA1416 warnings for net8.0+
- Reference Cassandra net8.0 TFM for net8/net9+ test builds, netstandard2.0 otherwise
- Return '.NET 8.0+' string when built with NET8_0_OR_GREATER define
- Add EnableSessionResumption bool property (defaults to true)
- Add SetEnableSessionResumption fluent setter method
- Add unit tests for default value, setter, and fluent return
- Cache SslClientAuthenticationOptions per server name (NET8_0_OR_GREATER)
- Reuse same instance per host to enable .NET TLS session ticket resumption
- Set AllowTlsResume from SSLOptions.EnableSessionResumption
- No-op placeholder on netstandard2.0
- Add unit tests for caching, AllowTlsResume, revocation mode, and callbacks
- Add TlsSessionTicketCache property to Configuration
- Create cache instance only when SslOptions is configured
…T 8.0+

- Pass TlsSessionTicketCache from Configuration to TcpSocket via Connection
- On NET8_0_OR_GREATER use AuthenticateAsClientAsync(SslClientAuthenticationOptions)
- Retrieve cached options from TlsSessionTicketCache for session ticket reuse
- Keep existing SslStream.AuthenticateAsClientAsync path for netstandard2.0
- Join split else/if into single else-if to satisfy dotnet format rules