test_ssl: fix indentation

generic_server: improve logging broken TLS connection
Preiously we were logging a broken TLS connection and then this has been logged later again, so now instead of logging we're constructing an exception with a message extened with TLS info, which later will be catched with its full message still logged.
2026-01-09 10:27:17 +01:00 · 2026-01-09 10:24:55 +01:00 · 2026-01-09 10:22:19 +01:00 · 2025-12-29 09:34:08 +01:00
4 changed files with 15 additions and 16 deletions
--- a/alternator/server.cc
+++ b/alternator/server.cc
@@ -979,9 +979,8 @@ client_data server::ongoing_request::make_client_data() const {
    // and keep "driver_version" unset.
    cd.driver_name = _user_agent;
    // Leave "protocol_version" unset, it has no meaning in Alternator.
-    // Leave "hostname", "ssl_protocol" and "ssl_cipher_suite" unset.
-    // As reported in issue #9216, we never set these fields in CQL
-    // either (see cql_server::connection::make_client_data()).
+    // Leave "hostname", "ssl_protocol" and "ssl_cipher_suite" unset for Alternator.
+    // Note: CQL sets ssl_protocol and ssl_cipher_suite via generic_server::connection base class.
    return cd;
 }

--- a/test/cqlpy/test_ssl.py
+++ b/test/cqlpy/test_ssl.py
@@ -14,6 +14,7 @@ import cassandra.cluster
 from contextlib import contextmanager
 import re
 import ssl
+import time


 # This function normalizes the SSL cipher suite name (a string),
@@ -66,13 +67,12 @@ def test_tls_versions(cql):
 # a regression test for #9216
 def test_system_clients_stores_tls_info(cql):
    if not cql.cluster.ssl_context:
-            table_result = cql.execute(f"SELECT * FROM system.clients")
-            for row in table_result:
-                assert not row.ssl_enabled
-                assert row.ssl_protocol is None
-                assert row.ssl_cipher_suite is None
-
-    if cql.cluster.ssl_context:
+        table_result = cql.execute(f"SELECT * FROM system.clients")
+        for row in table_result:
+            assert not row.ssl_enabled
+            assert row.ssl_protocol is None
+            assert row.ssl_cipher_suite is None
+    else:
        # TLS v1.2 must be supported, because this is the default version that
        # "cqlsh --ssl" uses. If this fact changes in the future, we may need
        # to reconsider this test.
@@ -82,7 +82,8 @@ def test_system_clients_stores_tls_info(cql):
            # so we need to retry until all connections are initialized and have their TLS info recorded in system.clients,
            # otherwise we'd end up with some connections e.g. having their ssl_enabled=True but other fields still None.
            expected_ciphers = [normalize_cipher(cipher['name']) for cipher in ssl.create_default_context().get_ciphers()]
-            for _ in range(1000):  # try for up to 1000 * 0.01s = 10s seconds
+            deadline = time.time() + 10  # 10 seconds timeout
+            while time.time() < deadline:
                rows = session.execute(f"SELECT * FROM system.clients")
                if rows and all(
                    row.ssl_enabled
@@ -92,7 +93,7 @@ def test_system_clients_stores_tls_info(cql):
                ):
                    return
                time.sleep(0.01)
-            pytest.fail(f"Not all connections have TLS data set correctly in system.clients after 10s seconds")
+            pytest.fail(f"Not all connections have TLS data set correctly in system.clients after 10 seconds")


@contextmanager
--- a/transport/generic_server.cc
+++ b/transport/generic_server.cc
@@ -414,9 +414,8 @@ future<> server::do_accepts(int which, bool keepalive, socket_address server_add
                                    conn->_ssl_cipher_suite = cipher_suite;
                                    return make_ready_future<bool>(true);
                                });
-                        }).handle_exception([this, conn](std::exception_ptr ep) {
-                            _logger.warn("Inspecting TLS connection failed: {}", ep);
-                            return make_ready_future<bool>(false);
+                        }).handle_exception([conn](std::exception_ptr ep) {
+                            return seastar::make_exception_future<bool>(std::runtime_error(fmt::format("Inspecting TLS connection failed: {}", ep)));
                        })
                    : make_ready_future<bool>(true)
                ).then([conn] (bool ok){
--- a/transport/generic_server.hh
+++ b/transport/generic_server.hh
@@ -63,7 +63,7 @@ protected:

    bool _ssl_enabled = false;
    std::optional<sstring> _ssl_cipher_suite = std::nullopt;
-    std::optional<sstring> _ssl_protocol = std::nullopt;;
+    std::optional<sstring> _ssl_protocol = std::nullopt;

 private:
    future<> process_until_tenant_switch();
Author	SHA1	Message	Date
copilot-swe-agent[bot]	8c48b82b84	test_ssl: fix indentation	2026-01-09 10:27:17 +01:00
Piotr Smaron	2bcbebe92d	generic_server: improve logging broken TLS connection Preiously we were logging a broken TLS connection and then this has been logged later again, so now instead of logging we're constructing an exception with a message extened with TLS info, which later will be catched with its full message still logged.	2026-01-09 10:24:55 +01:00
Piotr Smaron	7016fc4835	test_ssl: improve timeout and readability 1. With this change the test really waits 10s, previously (in case something went wrong), the timeout could take way more than that. 2. Added `else` to above `if` to increase clarity of execution flow - it doesn't change logic, but makes it more clear.	2026-01-09 10:22:19 +01:00
copilot-swe-agent[bot]	d25d295e84	alternator/server: update SSL comment	2025-12-29 09:34:08 +01:00