Add clarification that TLS session caching works with TLS 1.2 and 1.3

Copilot · mykaul · Copilot · commit 57a58953f99f · 2025-12-30T08:59:16.000Z
TLS session resumption is not limited to TLS 1.3. It works with both:
- TLS 1.2: Session IDs (RFC 5246) and Session Tickets (RFC 5077)
- TLS 1.3: Session Tickets (RFC 8446)

Python's ssl.SSLSession API handles both transparently, so no version
checks are needed. Added documentation and code comments to clarify this.

Co-authored-by: mykaul &lt;4655593+mykaul@users.noreply.github.com&gt;
diff --git a/TLS_TICKETS_DESIGN.md b/TLS_TICKETS_DESIGN.md
@@ -8,12 +8,17 @@ This document describes the design and implementation of TLS session ticket supp
 
 ### What are TLS Session Tickets?
 
-TLS session tickets (RFC 5077 and RFC 8446 for TLS 1.3) allow clients to cache session state and reuse it for subsequent connections. This provides:
+TLS session tickets (RFC 5077 for TLS 1.2 and RFC 8446 for TLS 1.3) allow clients to cache session state and reuse it for subsequent connections. This provides:
 
 - **Faster reconnections**: Reduced handshake latency by resuming previous sessions
 - **Less CPU usage**: Fewer cryptographic operations during reconnection
 - **Better performance**: Especially important for connection pools that frequently reconnect
 
+**Note**: TLS session resumption works with both TLS 1.2 and TLS 1.3:
+- TLS 1.2 uses Session IDs (RFC 5246) and optionally Session Tickets (RFC 5077)
+- TLS 1.3 uses Session Tickets (RFC 8446) as the primary mechanism
+- Python's `ssl.SSLSession` API works transparently with both versions
+
 ### Python SSL Support
 
 Python's `ssl` module provides built-in support for TLS session resumption:
diff --git a/cassandra/connection.py b/cassandra/connection.py
@@ -140,6 +140,13 @@ class TLSSessionCache:
     quick TLS renegotiation when reconnecting to the same server.
     Sessions are automatically expired after a TTL and the cache has
     a maximum size with LRU eviction using OrderedDict.
+    
+    TLS session resumption works with both TLS 1.2 and TLS 1.3:
+    - TLS 1.2: Session IDs (RFC 5246) and optionally Session Tickets (RFC 5077)
+    - TLS 1.3: Session Tickets (RFC 8446)
+    
+    Python's ssl.SSLSession API handles both versions transparently, so no
+    version-specific checks are needed.
     """
     
     def __init__(self, max_size=100, ttl=3600):
@@ -1027,6 +1034,8 @@ def _wrap_socket_from_context(self):
             opts['server_hostname'] = server_hostname
 
         # Try to get a cached TLS session for resumption
+        # Note: Session resumption works with both TLS 1.2 and TLS 1.3
+        # Python's ssl module handles both transparently via SSLSession objects
         if self.tls_session_cache:
             cached_session = self.tls_session_cache.get_session(
                 self.endpoint.address, self.endpoint.port)
diff --git a/docs/security.rst b/docs/security.rst
@@ -412,6 +412,10 @@ The driver automatically caches TLS sessions to enable session resumption for fa
 When a TLS connection is established, the session is cached and can be reused for subsequent
 connections to the same endpoint, reducing handshake latency and CPU usage.
 
+**TLS Version Support**: Session resumption works with both TLS 1.2 and TLS 1.3. TLS 1.2 uses
+Session IDs and optionally Session Tickets (RFC 5077), while TLS 1.3 uses Session Tickets (RFC 8446)
+as the primary mechanism. Python's ``ssl.SSLSession`` API handles both versions transparently.
+
 Session caching is **enabled by default** when SSL/TLS is configured and applies to the following
 connection classes:
 
