diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 81b19bd166..4abc6ef496 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -41,12 +41,19 @@ jobs:
       run: cargo clippy --verbose --all-targets --all-features
     - name: Cargo check with cpp_rust_unstable cfg
       run: RUSTFLAGS="--cfg cpp_rust_unstable" cargo clippy --verbose --all-targets --all-features
+
+# Features checks.
+    # No features.
     - name: Cargo check without features
       run: cargo check --all-targets --manifest-path "scylla/Cargo.toml" --features ""
-    - name: Cargo check with all serialization features
-      run: cargo check --all-targets --manifest-path "scylla/Cargo.toml" --features "full-serialization"
+
+    # All features.
     - name: Cargo check with all features
       run: cargo check --all-targets --manifest-path "scylla/Cargo.toml" --all-features
+
+    # Various (de)serialization features.
+    - name: Cargo check with all serialization features
+      run: cargo check --all-targets --manifest-path "scylla/Cargo.toml" --features "full-serialization"
     - name: Cargo check with secrecy-08 feature
       run: cargo check --all-targets --manifest-path "scylla/Cargo.toml" --features "secrecy-08"
     - name: Cargo check with chrono-04 feature
@@ -59,6 +66,14 @@ jobs:
       run: cargo check --all-targets --manifest-path "scylla/Cargo.toml" --features "num-bigint-04"
     - name: Cargo check with bigdecimal-04 feature
       run: cargo check --all-targets --manifest-path "scylla/Cargo.toml" --features "bigdecimal-04"
+
+    # TLS-related feature sets.
+    - name: Cargo check with openssl-x feature
+      run: cargo check --all-targets --manifest-path "scylla/Cargo.toml" --features "openssl-010"
+    - name: Cargo check with rustls-x feature
+      run: cargo check --all-targets --manifest-path "scylla/Cargo.toml" --features "rustls-023"
+    # (openssl-x, rustls-x) is checked in tls.yml.
+
     - name: Build scylla-cql
       run: cargo build --verbose --all-targets --manifest-path "scylla-cql/Cargo.toml" --features "full-serialization"
     - name: Build
diff --git a/.github/workflows/serverless.yaml b/.github/workflows/serverless.yaml
index 9da2f05f6c..83e42f44a7 100644
--- a/.github/workflows/serverless.yaml
+++ b/.github/workflows/serverless.yaml
@@ -11,6 +11,7 @@ on:
 env:
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: full
+  RUSTFLAGS: -Dwarnings
 
 jobs:
   build:
@@ -31,8 +32,18 @@ jobs:
         run: rustup update
       - name: Check
         run: cargo check --verbose
-      - name: Run cloud example
-        run: cargo run --example cloud -- $HOME/.ccm/serverless/config_data.yaml
+      # Cloud-related feature sets.   
+      - name: Cargo check with unstable-cloud and openssl-x features
+        run: cargo check --all-targets --manifest-path "scylla/Cargo.toml" --features "unstable-cloud" --features "openssl-010"
+      - name: Cargo check with unstable-cloud and rustls-x features
+        run: cargo check --all-targets --manifest-path "scylla/Cargo.toml" --features "unstable-cloud" --features "rustls-023"
+      - name: Cargo check with unstable-cloud, openssl-x and rustls-x features
+        run: cargo check --all-targets --manifest-path "scylla/Cargo.toml" --features "unstable-cloud" --features "openssl-010" --features "rustls-023"
+
+      - name: Run cloud-openssl example
+        run: cargo run --example cloud-openssl -- $HOME/.ccm/serverless/config_data.yaml
+      - name: Run cloud-rustls example
+        run: cargo run --example cloud-rustls -- $HOME/.ccm/serverless/config_data.yaml
       - name: Run cloud tests
         run: CLOUD_CONFIG_PATH=$HOME/.ccm/serverless/config_data.yaml RUSTFLAGS="--cfg scylla_cloud_tests" RUST_LOG=trace cargo test --verbose
 
diff --git a/.github/workflows/tls.yml b/.github/workflows/tls.yml
index e588a1ed2d..4d124ae821 100644
--- a/.github/workflows/tls.yml
+++ b/.github/workflows/tls.yml
@@ -26,14 +26,16 @@ jobs:
       run: rustup update
 
     - name: Check
-      run: cargo check --verbose --features "ssl"
+      run: cargo check --verbose --features "openssl-010" --features "rustls-023"
       working-directory: ${{env.working-directory}}
 
     - name: Start the cluster
       run: docker compose -f test/tls/docker-compose-tls.yml up -d
 
-    - name: Run tests
-      run: SCYLLA_URI=172.44.0.2 RUST_LOG=trace cargo run --example tls
+    - name: Run openssl example
+      run: SCYLLA_URI=172.44.0.2 RUST_LOG=trace cargo run --example tls-openssl
+    - name: Run rustls example
+      run: SCYLLA_URI=172.44.0.2 RUST_LOG=trace cargo run --example tls-rustls
 
     - name: Stop the cluster
       if: ${{ always() }}
diff --git a/Cargo.lock.msrv b/Cargo.lock.msrv
index a6ded1aec3..e22cc2f1a1 100644
--- a/Cargo.lock.msrv
+++ b/Cargo.lock.msrv
@@ -117,6 +117,31 @@ version = "1.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0"
 
+[[package]]
+name = "aws-lc-rs"
+version = "1.12.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4cd755adf9707cf671e31d944a189be3deaaeee11c8bc1d669bb8022ac90fbd0"
+dependencies = [
+ "aws-lc-sys",
+ "paste",
+ "zeroize",
+]
+
+[[package]]
+name = "aws-lc-sys"
+version = "0.26.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0f9dd2e03ee80ca2822dd6ea431163d2ef259f2066a4d6ccaca6d9dcb386aa43"
+dependencies = [
+ "bindgen",
+ "cc",
+ "cmake",
+ "dunce",
+ "fs_extra",
+ "paste",
+]
+
 [[package]]
 name = "backtrace"
 version = "0.3.71"
@@ -151,6 +176,29 @@ dependencies = [
  "num-traits",
 ]
 
+[[package]]
+name = "bindgen"
+version = "0.69.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "271383c67ccabffb7381723dea0672a673f292304fcb45c01cc648c7a8d58088"
+dependencies = [
+ "bitflags 2.5.0",
+ "cexpr",
+ "clang-sys",
+ "itertools 0.10.5",
+ "lazy_static",
+ "lazycell",
+ "log",
+ "prettyplease",
+ "proc-macro2",
+ "quote",
+ "regex",
+ "rustc-hash",
+ "shlex",
+ "syn 2.0.90",
+ "which",
+]
+
 [[package]]
 name = "bitflags"
 version = "1.3.2"
@@ -189,9 +237,23 @@ checksum = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5"
 
 [[package]]
 name = "cc"
-version = "1.0.97"
+version = "1.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c736e259eea577f443d5c86c304f9f4ae0295c43f3ba05c21f1d66b5f06001af"
+dependencies = [
+ "jobserver",
+ "libc",
+ "shlex",
+]
+
+[[package]]
+name = "cexpr"
+version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "099a5357d84c4c61eb35fc8eafa9a79a902c2f76911e5747ced4e032edd8d9b4"
+checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766"
+dependencies = [
+ "nom",
+]
 
 [[package]]
 name = "cfg-if"
@@ -238,6 +300,17 @@ dependencies = [
  "half",
 ]
 
+[[package]]
+name = "clang-sys"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4"
+dependencies = [
+ "glob",
+ "libc",
+ "libloading",
+]
+
 [[package]]
 name = "clap"
 version = "3.2.25"
@@ -288,6 +361,15 @@ dependencies = [
  "winapi",
 ]
 
+[[package]]
+name = "cmake"
+version = "0.1.54"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e7caa3f9de89ddbe2c607f4101924c5abec803763ae9534e4f4d7d8f84aa81f0"
+dependencies = [
+ "cc",
+]
+
 [[package]]
 name = "core-foundation-sys"
 version = "0.8.6"
@@ -439,6 +521,12 @@ dependencies = [
  "winapi",
 ]
 
+[[package]]
+name = "dunce"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
+
 [[package]]
 name = "either"
 version = "1.11.0"
@@ -501,6 +589,7 @@ dependencies = [
  "futures",
  "openssl",
  "rand",
+ "rustls",
  "rustyline",
  "rustyline-derive",
  "scylla",
@@ -554,6 +643,12 @@ dependencies = [
  "percent-encoding",
 ]
 
+[[package]]
+name = "fs_extra"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c"
+
 [[package]]
 name = "futures"
 version = "0.3.30"
@@ -672,6 +767,12 @@ version = "0.28.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4271d37baee1b8c7e4b708028c57d816cf9d2434acb33a549475f78c181f6253"
 
+[[package]]
+name = "glob"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8d1add55171497b4705a648c6b583acafb01d58050a51727785f0b2c8e0a2b2"
+
 [[package]]
 name = "half"
 version = "2.4.1"
@@ -725,6 +826,15 @@ version = "0.6.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "12cb882ccb290b8646e554b157ab0b71e64e8d5bef775cd66b6531e52d302669"
 
+[[package]]
+name = "home"
+version = "0.5.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3d1354bf6b7235cb4a0576c2619fd4ed18183f689b12b006a0ee7329eeff9a5"
+dependencies = [
+ "windows-sys 0.52.0",
+]
+
 [[package]]
 name = "humantime"
 version = "2.1.0"
@@ -825,6 +935,15 @@ version = "1.0.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b"
 
+[[package]]
+name = "jobserver"
+version = "0.1.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "48d1dbcbbeb6a7fec7e059840aa538bd62aaccf972c7346c4d9d2059312853d0"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "js-sys"
 version = "0.3.69"
@@ -840,11 +959,27 @@ version = "1.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
 
+[[package]]
+name = "lazycell"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
+
 [[package]]
 name = "libc"
-version = "0.2.154"
+version = "0.2.170"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ae743338b92ff9146ce83992f766a31066a91a8c84a45e0e9f21e7cf6de6d346"
+checksum = "875b3680cb2f8f71bdcf9a30f38d48282f5d3c95cbf9b3fa57269bb5d5c06828"
+
+[[package]]
+name = "libloading"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34"
+dependencies = [
+ "cfg-if",
+ "windows-targets 0.48.5",
+]
 
 [[package]]
 name = "libm"
@@ -917,6 +1052,12 @@ dependencies = [
  "autocfg",
 ]
 
+[[package]]
+name = "minimal-lexical"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+
 [[package]]
 name = "miniz_oxide"
 version = "0.7.2"
@@ -959,6 +1100,16 @@ dependencies = [
  "memoffset",
 ]
 
+[[package]]
+name = "nom"
+version = "7.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
+dependencies = [
+ "memchr",
+ "minimal-lexical",
+]
+
 [[package]]
 name = "ntest"
 version = "0.9.3"
@@ -1080,9 +1231,9 @@ checksum = "0ab1bc2a289d34bd04a330323ac98a1b4bc82c9d9fcb1e66b63caa84da26b575"
 
 [[package]]
 name = "openssl"
-version = "0.10.64"
+version = "0.10.71"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f"
+checksum = "5e14130c6a98cd258fdcb0fb6d744152343ff729cbfcb28c656a9d12b999fbcd"
 dependencies = [
  "bitflags 2.5.0",
  "cfg-if",
@@ -1106,9 +1257,9 @@ dependencies = [
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.102"
+version = "0.9.106"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c597637d56fbc83893a35eb0dd04b2b8e7a50c91e64e9493e398b5df4fb45fa2"
+checksum = "8bb61ea9811cc39e3c2069f40b8b8e2e70d8569b361f879786cc7ed48b777cdd"
 dependencies = [
  "cc",
  "libc",
@@ -1151,6 +1302,12 @@ dependencies = [
  "windows-targets 0.52.5",
 ]
 
+[[package]]
+name = "paste"
+version = "1.0.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
+
 [[package]]
 name = "percent-encoding"
 version = "2.3.1"
@@ -1215,6 +1372,16 @@ version = "0.2.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de"
 
+[[package]]
+name = "prettyplease"
+version = "0.2.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "64d1ec885c64d0457d564db4ec299b2dae3f9c02808b8ad9c3a089c591b18033"
+dependencies = [
+ "proc-macro2",
+ "syn 2.0.90",
+]
+
 [[package]]
 name = "proc-macro-crate"
 version = "3.1.0"
@@ -1400,12 +1567,32 @@ version = "0.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "adad44e29e4c806119491a7f06f03de4d1af22c3a680dd47f1e6e179439d1f56"
 
+[[package]]
+name = "ring"
+version = "0.17.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "da5349ae27d3887ca812fb375b45a4fbb36d8d12d2df394968cd86e35683fe73"
+dependencies = [
+ "cc",
+ "cfg-if",
+ "getrandom 0.2.15",
+ "libc",
+ "untrusted",
+ "windows-sys 0.52.0",
+]
+
 [[package]]
 name = "rustc-demangle"
 version = "0.1.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f"
 
+[[package]]
+name = "rustc-hash"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2"
+
 [[package]]
 name = "rustix"
 version = "0.38.34"
@@ -1419,6 +1606,39 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
+[[package]]
+name = "rustls"
+version = "0.23.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "934b404430bb06b3fae2cba809eb45a1ab1aecd64491213d7c3301b88393f8d1"
+dependencies = [
+ "aws-lc-rs",
+ "log",
+ "once_cell",
+ "rustls-pki-types",
+ "rustls-webpki",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "rustls-pki-types"
+version = "1.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "917ce264624a4b4db1c364dcc35bfca9ded014d0a958cd47ad3e960e988ea51c"
+
+[[package]]
+name = "rustls-webpki"
+version = "0.102.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9"
+dependencies = [
+ "aws-lc-rs",
+ "ring",
+ "rustls-pki-types",
+ "untrusted",
+]
+
 [[package]]
 name = "rustyline"
 version = "9.1.2"
@@ -1501,6 +1721,7 @@ dependencies = [
  "rand",
  "rand_chacha",
  "rand_pcg",
+ "rustls",
  "scylla-cql",
  "scylla-macros",
  "scylla-proxy",
@@ -1513,6 +1734,7 @@ dependencies = [
  "time",
  "tokio",
  "tokio-openssl",
+ "tokio-rustls",
  "tracing",
  "tracing-subscriber",
  "url",
@@ -1640,6 +1862,12 @@ dependencies = [
  "lazy_static",
 ]
 
+[[package]]
+name = "shlex"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
 [[package]]
 name = "signal-hook-registry"
 version = "1.4.2"
@@ -1716,6 +1944,12 @@ version = "0.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
 
+[[package]]
+name = "subtle"
+version = "2.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
+
 [[package]]
 name = "syn"
 version = "1.0.109"
@@ -1911,6 +2145,16 @@ dependencies = [
  "tokio",
 ]
 
+[[package]]
+name = "tokio-rustls"
+version = "0.26.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f6d0975eaace0cf0fcadee4e4aaa5da15b5c079146f2cffb67c113be122bf37"
+dependencies = [
+ "rustls",
+ "tokio",
+]
+
 [[package]]
 name = "toml_datetime"
 version = "0.6.5"
@@ -2062,6 +2306,12 @@ version = "0.2.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
 
+[[package]]
+name = "untrusted"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
+
 [[package]]
 name = "url"
 version = "2.5.0"
@@ -2196,6 +2446,18 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "which"
+version = "4.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "87ba24419a2078cd2b0f2ede2691b6c66d8e47836da3b6db8265ebad47afbfc7"
+dependencies = [
+ "either",
+ "home",
+ "once_cell",
+ "rustix",
+]
+
 [[package]]
 name = "winapi"
 version = "0.3.9"
diff --git a/README.md b/README.md
index e9f701fa66..9589e6cbe1 100644
--- a/README.md
+++ b/README.md
@@ -51,7 +51,7 @@ The driver supports the following:
 * Batch statements
 * Configurable load balancing policies
 * Driver-side metrics
-* TLS support - install openssl if you want to use it https://docs.rs/openssl/0.10.32/openssl/#automatic
+* TLS support. Supports either [OpenSSL](https://docs.rs/openssl/0.10.70/openssl/#automatic) or [rustls](https://docs.rs/rustls/latest/rustls/)
 * Configurable retry policies
 * Authentication support
 * CQL tracing
diff --git a/docs/source/connecting/connecting.md b/docs/source/connecting/connecting.md
index 5e27198657..3aca5a5aa5 100644
--- a/docs/source/connecting/connecting.md
+++ b/docs/source/connecting/connecting.md
@@ -68,20 +68,27 @@ specify the secure connection bundle as follows:
 use std::path::Path;
 use std::error::Error;
 use scylla::client::session_builder::CloudSessionBuilder;
+use scylla::cloud::CloudTlsProvider;
 
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn Error>> {
-    let session = CloudSessionBuilder::new(Path::new("config_data.yaml"))
-        .unwrap()
-        .build()
-        .await
-        .unwrap();
+    let session =
+        CloudSessionBuilder::new(Path::new("config_data.yaml"), CloudTlsProvider::OpenSsl010)
+            .unwrap()
+            .build()
+            .await
+            .unwrap();
 
     Ok(())
 }
 # }
 ```
 
+> ***Note***\
+> `CloudSessionBuilder::new()` accepts two parameters. The first is a path to the configuration file.
+> The second parameter is responsible for choosing the underlying TLS provider library.
+> For more information about providers supported currently by the driver, see [TLS](tls.md).
+
 Note that the bundle file will be provided after the serverless cluster is created. Here is an example of a
 configuration file for a serverless cluster:
 
diff --git a/docs/source/connecting/tls.md b/docs/source/connecting/tls.md
index 88e472315b..e6df0a0d46 100644
--- a/docs/source/connecting/tls.md
+++ b/docs/source/connecting/tls.md
@@ -1,21 +1,25 @@
 # TLS
 
-Driver uses the [`openssl`](https://github.com/sfackler/rust-openssl) crate for TLS functionality.\
-It was chosen because [`rustls`](https://github.com/ctz/rustls) doesn't support certificates for ip addresses
-(see [issue](https://github.com/briansmith/webpki/issues/54)), which is a common use case for Scylla.
+Driver uses either the
+[`openssl`](https://github.com/sfackler/rust-openssl) crate or the
+[`rustls`](https://github.com/rustls/rustls) crate for TLS functionality.
+
+Both of this features are behind their respective feature flag.
 
 
 ### Enabling feature
-`openssl` is not a pure Rust library so you need enable a feature and install the proper package.
 
-To enable the `tls` feature add in `Cargo.toml`:
+**_NOTE:_** `openssl` is not a pure Rust library, so you need to **both** enable a feature **and** install the proper package.
+
+To enable use of TLS using `openssl`, add in `Cargo.toml`:
+
 ```toml
-scylla = { version = "0.4", features = ["ssl"] }
-openssl = "0.10.32"
+scylla = { version = "0.4", features = ["openssl-010"] }
+openssl = "0.10.70"
 ```
 
 Then install the package with `openssl`:
-* Debian/Ubuntu: 
+* Debian/Ubuntu:
     ```bash
     apt install libssl-dev pkg-config
     ```
@@ -23,7 +27,7 @@ Then install the package with `openssl`:
     ```bash
     dnf install openssl-devel
     ```
-<!-- 
+<!--
  scylla-rust-driver doesn't build on Alpine, some strange cc linker errors in proc-macro-hack 0_o
  TODO: try building and add the section
 
@@ -38,9 +42,13 @@ Then install the package with `openssl`:
     ```
 
 ### Using TLS
-To use tls you will have to create an openssl 
+To use TLS you will have to a `TlsContext`. For convenience, both an
+openssl
 [`SslContext`](https://docs.rs/openssl/0.10.33/openssl/ssl/struct.SslContext.html)
-and pass it to `SessionBuilder`
+and a rustls
+[`ClientConfig`](https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html)
+can be automatically converted to a `TlsContext` when passing to
+`SessionBuilder`.
 
 For example, if database certificate is in the file `ca.crt`:
 ```rust
@@ -59,7 +67,7 @@ context_builder.set_verify(SslVerifyMode::PEER);
 
 let session: Session = SessionBuilder::new()
     .known_node("127.0.0.1:9142") // The the port is now 9142
-    .ssl_context(Some(context_builder.build()))
+    .tls_context(Some(context_builder.build()))
     .build()
     .await?;
 
@@ -67,4 +75,4 @@ let session: Session = SessionBuilder::new()
 # }
 ```
 
-See the full [example](https://github.com/scylladb/scylla-rust-driver/blob/main/examples/tls.rs) for more details
+See the full [openssl example](https://github.com/scylladb/scylla-rust-driver/blob/main/examples/tls-openssl.rs) and [rustls example](https://github.com/scylladb/scylla-rust-driver/blob/main/examples/tls-rustls.rs) for more details.
diff --git a/examples/Cargo.toml b/examples/Cargo.toml
index e0477c3abb..4905a8ca24 100644
--- a/examples/Cargo.toml
+++ b/examples/Cargo.toml
@@ -7,12 +7,13 @@ version = "0.0.0"
 [dev-dependencies]
 anyhow = "1.0.33"
 futures = "0.3.6"
-openssl = "0.10.32"
+openssl = "0.10.70"
 rustyline = "9"
 rustyline-derive = "0.6"
 scylla = { path = "../scylla", features = [
-    "ssl",
-    "cloud",
+    "openssl-010",
+    "rustls-023",
+    "unstable-cloud",
     "chrono-04",
     "time-03",
     "num-bigint-03",
@@ -30,6 +31,7 @@ stats_alloc = "0.1"
 clap = { version = "3.2.4", features = ["derive"] }
 rand = "0.9.0"
 env_logger = "0.10"
+rustls = "0.23"
 
 [[example]]
 name = "auth"
@@ -47,10 +49,6 @@ path = "logging.rs"
 name = "logging_log"
 path = "logging_log.rs"
 
-[[example]]
-name = "tls"
-path = "tls.rs"
-
 [[example]]
 name = "cqlsh-rs"
 path = "cqlsh-rs.rs"
@@ -120,9 +118,20 @@ name = "query_history"
 path = "query_history.rs"
 
 [[example]]
-name = "cloud"
-path = "cloud.rs"
+name = "cloud-openssl"
+path = "cloud-openssl.rs"
+
+[[example]]
+name = "cloud-rustls"
+path = "cloud-rustls.rs"
 
+[[example]]
+name = "tls-openssl"
+path = "tls-openssl.rs"
+
+[[example]]
+name = "tls-rustls"
+path = "tls-rustls.rs"
 
 [[example]]
 name = "execution_profile"
diff --git a/examples/cloud-openssl.rs b/examples/cloud-openssl.rs
new file mode 100644
index 0000000000..2a83570d36
--- /dev/null
+++ b/examples/cloud-openssl.rs
@@ -0,0 +1,30 @@
+use std::env;
+use std::path::Path;
+
+use anyhow::Result;
+use scylla::client::session_builder::CloudSessionBuilder;
+use scylla::cloud::CloudTlsProvider;
+
+#[tokio::main]
+async fn main() -> Result<()> {
+    println!("Connecting to SNI proxy as described in cloud config yaml ...");
+    let config_path = env::args()
+        .nth(1)
+        .unwrap_or("examples/config_data.yaml".to_owned());
+    let session = CloudSessionBuilder::new(Path::new(&config_path), CloudTlsProvider::OpenSsl010)
+        .unwrap()
+        .build()
+        .await
+        .unwrap();
+
+    session.query_unpaged("CREATE KEYSPACE IF NOT EXISTS examples_ks WITH REPLICATION = {'class' : 'NetworkTopologyStrategy', 'replication_factor' : 1}",
+                    &[]).await.unwrap();
+    session
+        .query_unpaged("DROP TABLE IF EXISTS examples_ks.cloud;", &[])
+        .await
+        .unwrap();
+
+    println!("Ok.");
+
+    Ok(())
+}
diff --git a/examples/cloud.rs b/examples/cloud-rustls.rs
similarity index 92%
rename from examples/cloud.rs
rename to examples/cloud-rustls.rs
index 2a62067c1d..a531bea250 100644
--- a/examples/cloud.rs
+++ b/examples/cloud-rustls.rs
@@ -3,6 +3,7 @@ use std::path::Path;
 
 use anyhow::Result;
 use scylla::client::session_builder::CloudSessionBuilder;
+use scylla::cloud::CloudTlsProvider;
 
 #[tokio::main]
 async fn main() -> Result<()> {
@@ -10,7 +11,7 @@ async fn main() -> Result<()> {
     let config_path = env::args()
         .nth(1)
         .unwrap_or("examples/config_data.yaml".to_owned());
-    let session = CloudSessionBuilder::new(Path::new(&config_path))
+    let session = CloudSessionBuilder::new(Path::new(&config_path), CloudTlsProvider::Rustls023)
         .unwrap()
         .build()
         .await
diff --git a/examples/tls.rs b/examples/tls-openssl.rs
similarity index 97%
rename from examples/tls.rs
rename to examples/tls-openssl.rs
index 87334a2a9c..4f4de37892 100644
--- a/examples/tls.rs
+++ b/examples/tls-openssl.rs
@@ -9,6 +9,7 @@ use std::path::PathBuf;
 use openssl::ssl::{SslContextBuilder, SslMethod, SslVerifyMode};
 
 // How to run scylla instance with TLS:
+// FIXME(wprzytula): Adjust to rustls.
 //
 // Edit your scylla.yaml file and add paths to certificates
 // ex:
@@ -46,7 +47,7 @@ async fn main() -> Result<()> {
 
     let session: Session = SessionBuilder::new()
         .known_node(uri)
-        .ssl_context(Some(context_builder.build()))
+        .tls_context(Some(context_builder.build()))
         .build()
         .await?;
 
diff --git a/examples/tls-rustls.rs b/examples/tls-rustls.rs
new file mode 100644
index 0000000000..18e6270f29
--- /dev/null
+++ b/examples/tls-rustls.rs
@@ -0,0 +1,98 @@
+use std::{env, sync::Arc};
+
+use anyhow::Result;
+use futures::TryStreamExt as _;
+
+use rustls::pki_types::{pem::PemObject, CertificateDer};
+use scylla::client::{session::Session, session_builder::SessionBuilder};
+
+// How to run scylla instance with TLS:
+//
+// Edit your scylla.yaml file and add paths to certificates
+// ex:
+// client_encryption_options:
+//     enabled: true
+//     certificate: /etc/scylla/db.crt
+//     keyfile: /etc/scylla/db.key
+//
+// If using docker mount your scylla.yaml file and your cert files with option
+// --volume $(pwd)/tls.yaml:/etc/scylla/scylla.yaml
+//
+// If python returns permission error 13 use "Z" flag
+// --volume $(pwd)/tls.yaml:/etc/scylla/scylla.yaml:Z
+//
+// In your Rust program connect to port 9142 if it wasn't changed.
+// Create new rustls ConfigBuilder.
+// Optionally, configure RootCertStore with your ca.crt.
+// Build it and add to scylla-rust-driver's SessionBuilder.
+
+#[tokio::main]
+async fn main() -> Result<()> {
+    // Create connection
+    let uri = env::var("SCYLLA_URI").unwrap_or_else(|_| "127.0.0.1:9142".to_string());
+
+    println!("Connecting to {} ...", uri);
+
+    let rustls_ca = CertificateDer::from_pem_file("./test/tls/ca.crt")?;
+    let mut root_store = rustls::RootCertStore::empty();
+    root_store.add(rustls_ca)?;
+
+    let session: Session = SessionBuilder::new()
+        .known_node(uri)
+        .tls_context(Some(Arc::new(
+            rustls::ClientConfig::builder()
+                .with_root_certificates(root_store)
+                .with_no_client_auth(),
+        )))
+        .build()
+        .await?;
+
+    session.query_unpaged("CREATE KEYSPACE IF NOT EXISTS examples_ks WITH REPLICATION = {'class' : 'NetworkTopologyStrategy', 'replication_factor' : 1}", &[]).await?;
+
+    session
+        .query_unpaged(
+            "CREATE TABLE IF NOT EXISTS examples_ks.tls (a int, b int, c text, primary key (a, b))",
+            &[],
+        )
+        .await?;
+
+    session
+        .query_unpaged(
+            "INSERT INTO examples_ks.tls (a, b, c) VALUES (?, ?, ?)",
+            (3, 4, "def"),
+        )
+        .await?;
+
+    session
+        .query_unpaged(
+            "INSERT INTO examples_ks.tls (a, b, c) VALUES (1, 2, 'abc')",
+            &[],
+        )
+        .await?;
+
+    let prepared = session
+        .prepare("INSERT INTO examples_ks.tls (a, b, c) VALUES (?, 7, ?)")
+        .await?;
+    session
+        .execute_unpaged(&prepared, (42_i32, "I'm prepared!"))
+        .await?;
+    session
+        .execute_unpaged(&prepared, (43_i32, "I'm prepared 2!"))
+        .await?;
+    session
+        .execute_unpaged(&prepared, (44_i32, "I'm prepared 3!"))
+        .await?;
+
+    // Rows can be parsed as tuples
+    let mut iter = session
+        .query_iter("SELECT a, b, c FROM examples_ks.tls", &[])
+        .await?
+        .rows_stream::<(i32, i32, String)>()?;
+    while let Some((a, b, c)) = iter.try_next().await? {
+        println!("a, b, c: {}, {}, {}", a, b, c);
+    }
+
+    println!("Ok.");
+
+    Ok(())
+}
diff --git a/scylla/Cargo.toml b/scylla/Cargo.toml
index be67b481c8..18a35efec0 100644
--- a/scylla/Cargo.toml
+++ b/scylla/Cargo.toml
@@ -16,9 +16,9 @@ rustdoc-args = ["--cfg", "docsrs"]
 
 [features]
 default = []
-ssl = ["dep:tokio-openssl", "dep:openssl"]
-cloud = [
-    "ssl",
+openssl-010 = ["dep:tokio-openssl", "dep:openssl"]
+rustls-023 = ["dep:tokio-rustls", "dep:rustls"]
+unstable-cloud = [
     "scylla-cql/serde",
     "dep:serde_yaml",
     "dep:serde",
@@ -63,8 +63,10 @@ thiserror = "2.0.6"
 itertools = "0.14.0"
 tracing = "0.1.36"
 chrono = { version = "0.4.32", default-features = false, features = ["clock"] }
-openssl = { version = "0.10.32", optional = true }
+openssl = { version = "0.10.70", optional = true }
 tokio-openssl = { version = "0.6.1", optional = true }
+tokio-rustls = { version = "0.26", optional = true }
+rustls = { version = "0.23", optional = true }
 arc-swap = "1.3.0"
 dashmap = "5.2"
 lz4_flex = { version = "0.11.1" }
diff --git a/scylla/src/client/session.rs b/scylla/src/client/session.rs
index 0861e799b9..3f8f98dd00 100644
--- a/scylla/src/client/session.rs
+++ b/scylla/src/client/session.rs
@@ -7,9 +7,9 @@ use super::{Compression, PoolSize, SelfIdentity};
 use crate::authentication::AuthenticatorProvider;
 use crate::batch::batch_values;
 use crate::batch::{Batch, BatchStatement};
-#[cfg(feature = "cloud")]
+#[cfg(feature = "unstable-cloud")]
 use crate::cloud::CloudConfig;
-#[cfg(feature = "cloud")]
+#[cfg(feature = "unstable-cloud")]
 use crate::cluster::node::CloudEndpoint;
 use crate::cluster::node::{InternalKnownNode, KnownNode, NodeRef};
 use crate::cluster::{Cluster, ClusterNeatDebug, ClusterState};
@@ -18,8 +18,7 @@ use crate::errors::{
     RequestAttemptError, RequestError, SchemaAgreementError, TracingError, UseKeyspaceError,
 };
 use crate::frame::response::result;
-#[cfg(feature = "ssl")]
-use crate::network::SslConfig;
+use crate::network::tls::TlsProvider;
 use crate::network::{Connection, ConnectionConfig, PoolConfig, VerifiedKeyspaceName};
 use crate::observability::driver_tracing::RequestSpan;
 use crate::observability::history::{self, HistoryListener};
@@ -42,8 +41,6 @@ use arc_swap::ArcSwapOption;
 use futures::future::join_all;
 use futures::future::try_join_all;
 use itertools::Itertools;
-#[cfg(feature = "ssl")]
-use openssl::ssl::SslContext;
 use scylla_cql::frame::response::NonErrorResponse;
 use scylla_cql::serialize::batch::BatchValues;
 use scylla_cql::serialize::row::{SerializeRow, SerializedValues};
@@ -54,6 +51,8 @@ use std::num::NonZeroU32;
 use std::sync::Arc;
 use std::time::Duration;
 use tokio::time::timeout;
+#[cfg(feature = "unstable-cloud")]
+use tracing::warn;
 use tracing::{debug, error, trace, trace_span, Instrument};
 use uuid::Uuid;
 
@@ -96,6 +95,29 @@ impl std::fmt::Debug for Session {
     }
 }
 
+#[derive(Clone)] // Cheaply clonable - reference counted.
+#[non_exhaustive]
+pub enum TlsContext {
+    #[cfg(feature = "openssl-010")]
+    OpenSsl010(openssl::ssl::SslContext),
+    #[cfg(feature = "rustls-023")]
+    Rustls023(Arc<rustls::ClientConfig>),
+}
+
+#[cfg(feature = "openssl-010")]
+impl From<openssl::ssl::SslContext> for TlsContext {
+    fn from(value: openssl::ssl::SslContext) -> Self {
+        TlsContext::OpenSsl010(value)
+    }
+}
+
+#[cfg(feature = "rustls-023")]
+impl From<Arc<rustls::ClientConfig>> for TlsContext {
+    fn from(value: Arc<rustls::ClientConfig>) -> Self {
+        TlsContext::Rustls023(value)
+    }
+}
+
 /// Configuration options for [`Session`].
 /// Can be created manually, but usually it's easier to use
 /// [SessionBuilder](super::session_builder::SessionBuilder)
@@ -119,8 +141,7 @@ pub struct SessionConfig {
     pub keyspace_case_sensitive: bool,
 
     /// Provide our Session with TLS
-    #[cfg(feature = "ssl")]
-    pub ssl_context: Option<SslContext>,
+    pub tls_context: Option<TlsContext>,
 
     pub authenticator: Option<Arc<dyn AuthenticatorProvider>>,
 
@@ -180,7 +201,7 @@ pub struct SessionConfig {
     pub host_filter: Option<Arc<dyn HostFilter>>,
 
     /// If the driver is to connect to ScyllaCloud, there is a config for it.
-    #[cfg(feature = "cloud")]
+    #[cfg(feature = "unstable-cloud")]
     pub cloud_config: Option<Arc<CloudConfig>>,
 
     /// If true, the driver will inject a small delay before flushing data
@@ -244,8 +265,7 @@ impl SessionConfig {
                 .into_handle(),
             used_keyspace: None,
             keyspace_case_sensitive: false,
-            #[cfg(feature = "ssl")]
-            ssl_context: None,
+            tls_context: None,
             authenticator: None,
             connect_timeout: Duration::from_secs(5),
             connection_pool_size: Default::default(),
@@ -260,7 +280,7 @@ impl SessionConfig {
             address_translator: None,
             host_filter: None,
             refresh_metadata_on_auto_schema_agreement: true,
-            #[cfg(feature = "cloud")]
+            #[cfg(feature = "unstable-cloud")]
             cloud_config: None,
             enable_write_coalescing: true,
             tracing_info_fetch_attempts: NonZeroU32::new(10).unwrap(),
@@ -761,7 +781,7 @@ impl Session {
     pub async fn connect(config: SessionConfig) -> Result<Self, NewSessionError> {
         let known_nodes = config.known_nodes;
 
-        #[cfg(feature = "cloud")]
+        #[cfg(feature = "unstable-cloud")]
         let cloud_known_nodes: Option<Vec<InternalKnownNode>> =
             if let Some(ref cloud_config) = config.cloud_config {
                 let cloud_servers = cloud_config
@@ -779,7 +799,7 @@ impl Session {
                 None
             };
 
-        #[cfg(not(feature = "cloud"))]
+        #[cfg(not(feature = "unstable-cloud"))]
         let cloud_known_nodes: Option<Vec<InternalKnownNode>> = None;
 
         let known_nodes = cloud_known_nodes
@@ -792,20 +812,62 @@ impl Session {
 
         let (tablet_sender, tablet_receiver) = tokio::sync::mpsc::channel(TABLET_CHANNEL_SIZE);
 
+        #[allow(unused_labels)] // Triggers when `cloud` feature is disabled.
+        let address_translator = 'translator: {
+            #[cfg(feature = "unstable-cloud")]
+            if let Some(translator) = config.cloud_config.clone() {
+                if config.address_translator.is_some() {
+                    // This can only happen if the user builds SessionConfig by hand, as SessionBuilder in cloud mode prevents setting custom AddressTranslator.
+                    warn!(
+                        "Overriding user-provided AddressTranslator with Scylla Cloud AddressTranslator due \
+                            to CloudConfig being provided. This is certainly an API misuse - Cloud \
+                            may not be combined with user's own AddressTranslator."
+                    )
+                }
+
+                break 'translator Some(translator as Arc<dyn AddressTranslator>);
+            }
+
+            config.address_translator
+        };
+
+        let tls_provider = 'provider: {
+            #[cfg(feature = "unstable-cloud")]
+            if let Some(cloud_config) = config.cloud_config {
+                if config.tls_context.is_some() {
+                    // This can only happen if the user builds SessionConfig by hand, as SessionBuilder in cloud mode prevents setting custom TlsContext.
+                    warn!(
+                        "Overriding user-provided TlsContext with Scylla Cloud TlsContext due \
+                            to CloudConfig being provided. This is certainly an API misuse - Cloud \
+                            may not be combined with user's own TLS config."
+                    )
+                }
+
+                let provider = TlsProvider::new_cloud(cloud_config);
+                break 'provider Some(provider);
+            }
+            if let Some(tls_context) = config.tls_context {
+                // To silence warnings when TlsContext is an empty enum (tls features are disabled).
+                // In such case, TlsProvider is uninhabited.
+                #[allow(unused_variables)]
+                let provider = TlsProvider::new_with_global_context(tls_context);
+                #[allow(unreachable_code)]
+                break 'provider Some(provider);
+            }
+            None
+        };
+
         let connection_config = ConnectionConfig {
             compression: config.compression,
             tcp_nodelay: config.tcp_nodelay,
             tcp_keepalive_interval: config.tcp_keepalive_interval,
             timestamp_generator: config.timestamp_generator,
-            #[cfg(feature = "ssl")]
-            ssl_config: config.ssl_context.map(SslConfig::new_with_global_context),
+            tls_provider,
             authenticator: config.authenticator.clone(),
             connect_timeout: config.connect_timeout,
             event_sender: None,
             default_consistency: Default::default(),
-            address_translator: config.address_translator,
-            #[cfg(feature = "cloud")]
-            cloud_config: config.cloud_config,
+            address_translator,
             enable_write_coalescing: config.enable_write_coalescing,
             keepalive_interval: config.keepalive_interval,
             keepalive_timeout: config.keepalive_timeout,
@@ -817,7 +879,6 @@ impl Session {
             connection_config,
             pool_size: config.connection_pool_size,
             can_use_shard_aware_port: !config.disallow_shard_aware_port,
-            keepalive_interval: config.keepalive_interval,
         };
 
         let cluster = Cluster::new(
diff --git a/scylla/src/client/session_builder.rs b/scylla/src/client/session_builder.rs
index 7d65b2d959..bbf90e0dfa 100644
--- a/scylla/src/client/session_builder.rs
+++ b/scylla/src/client/session_builder.rs
@@ -1,25 +1,24 @@
 //! SessionBuilder provides an easy way to create new Sessions
 
-#[cfg(feature = "cloud")]
+#[cfg(feature = "unstable-cloud")]
 use super::execution_profile::ExecutionProfile;
 use super::execution_profile::ExecutionProfileHandle;
 use super::session::{Session, SessionConfig};
 use super::{Compression, PoolSize, SelfIdentity};
 use crate::authentication::{AuthenticatorProvider, PlainTextAuthenticator};
-#[cfg(feature = "cloud")]
-use crate::cloud::{CloudConfig, CloudConfigError};
+use crate::client::session::TlsContext;
+#[cfg(feature = "unstable-cloud")]
+use crate::cloud::{CloudConfig, CloudConfigError, CloudTlsProvider};
 use crate::errors::NewSessionError;
 use crate::policies::address_translator::AddressTranslator;
 use crate::policies::host_filter::HostFilter;
 use crate::policies::timestamp_generator::TimestampGenerator;
 use crate::statement::Consistency;
-#[cfg(feature = "ssl")]
-use openssl::ssl::SslContext;
 use std::borrow::Borrow;
 use std::marker::PhantomData;
 use std::net::SocketAddr;
 use std::num::NonZeroU32;
-#[cfg(feature = "cloud")]
+#[cfg(feature = "unstable-cloud")]
 use std::path::Path;
 use std::sync::Arc;
 use std::time::Duration;
@@ -41,15 +40,15 @@ impl SessionBuilderKind for DefaultMode {}
 
 pub type SessionBuilder = GenericSessionBuilder<DefaultMode>;
 
-#[cfg(feature = "cloud")]
+#[cfg(feature = "unstable-cloud")]
 #[derive(Clone)]
 pub enum CloudMode {}
-#[cfg(feature = "cloud")]
+#[cfg(feature = "unstable-cloud")]
 impl sealed::Sealed for CloudMode {}
-#[cfg(feature = "cloud")]
+#[cfg(feature = "unstable-cloud")]
 impl SessionBuilderKind for CloudMode {}
 
-#[cfg(feature = "cloud")]
+#[cfg(feature = "unstable-cloud")]
 pub type CloudSessionBuilder = GenericSessionBuilder<CloudMode>;
 
 /// SessionBuilder is used to create new Session instances
@@ -270,18 +269,17 @@ impl GenericSessionBuilder<DefaultMode> {
     /// # use std::sync::Arc;
     /// # use scylla::client::session::Session;
     /// # use scylla::client::session_builder::SessionBuilder;
-    /// # use scylla::cluster::metadata::UntranslatedPeer;
     /// # use scylla::errors::TranslationError;
-    /// # use scylla::policies::address_translator::AddressTranslator;
+    /// # use scylla::policies::address_translator::{AddressTranslator, UntranslatedPeer};
     /// struct IdentityTranslator;
     ///
     /// #[async_trait]
     /// impl AddressTranslator for IdentityTranslator {
     ///     async fn translate_address(
     ///         &self,
-    ///         untranslated_peer: &UntranslatedPeer
+    ///         untranslated_peer: &UntranslatedPeer,
     ///     ) -> Result<SocketAddr, TranslationError> {
-    ///         Ok(untranslated_peer.untranslated_address)
+    ///         Ok(untranslated_peer.untranslated_address())
     ///     }
     /// }
     ///
@@ -323,10 +321,12 @@ impl GenericSessionBuilder<DefaultMode> {
         self
     }
 
-    /// ssl feature
-    /// Provide SessionBuilder with SslContext from openssl crate that will be
-    /// used to create an ssl connection to the database.
-    /// If set to None SSL connection won't be used.
+    /// TLS feature
+    ///
+    /// Provide SessionBuilder with TlsContext that will be
+    /// used to create a TLS connection to the database.
+    /// If set to None TLS connection won't be used.
+    ///
     /// Default is None.
     ///
     /// # Example
@@ -344,15 +344,14 @@ impl GenericSessionBuilder<DefaultMode> {
     ///
     /// let session: Session = SessionBuilder::new()
     ///     .known_node("127.0.0.1:9042")
-    ///     .ssl_context(Some(context_builder.build()))
+    ///     .tls_context(Some(context_builder.build()))
     ///     .build()
     ///     .await?;
     /// # Ok(())
     /// # }
     /// ```
-    #[cfg(feature = "ssl")]
-    pub fn ssl_context(mut self, ssl_context: Option<SslContext>) -> Self {
-        self.config.ssl_context = ssl_context;
+    pub fn tls_context(mut self, tls_context: Option<impl Into<TlsContext>>) -> Self {
+        self.config.tls_context = tls_context.map(|t| t.into());
         self
     }
 }
@@ -360,13 +359,16 @@ impl GenericSessionBuilder<DefaultMode> {
 // NOTE: this `impl` block contains configuration options specific for **Cloud** [`Session`].
 // This means that if an option fits both non-Cloud and Cloud `Session`s, it should NOT be put
 // here, but rather in `impl<K> GenericSessionBuilder<K>` block.
-#[cfg(feature = "cloud")]
+#[cfg(feature = "unstable-cloud")]
 impl CloudSessionBuilder {
     /// Creates a new SessionBuilder with default configuration,
     /// based on provided path to Scylla Cloud Config yaml.
-    pub fn new(cloud_config: impl AsRef<Path>) -> Result<Self, CloudConfigError> {
+    pub fn new(
+        cloud_config: impl AsRef<Path>,
+        tls_provider: CloudTlsProvider,
+    ) -> Result<Self, CloudConfigError> {
         let mut config = SessionConfig::new();
-        let cloud_config = CloudConfig::read_from_yaml(cloud_config)?;
+        let cloud_config = CloudConfig::read_from_yaml(cloud_config, tls_provider)?;
         let mut exec_profile_builder = ExecutionProfile::builder();
         if let Some(default_consistency) = cloud_config.get_default_consistency() {
             exec_profile_builder = exec_profile_builder.consistency(default_consistency);
diff --git a/scylla/src/cloud/config.rs b/scylla/src/cloud/config.rs
index e90b76fdbc..fc509e6ba4 100644
--- a/scylla/src/cloud/config.rs
+++ b/scylla/src/cloud/config.rs
@@ -1,11 +1,18 @@
+use std::net::SocketAddr;
+use std::sync::Arc;
 use std::{collections::HashMap, io};
 
-use openssl::{
-    pkey::{PKey, Private},
-    x509::X509,
-};
+use async_trait::async_trait;
 use scylla_cql::{frame::types::SerialConsistency, Consistency};
 use thiserror::Error;
+use tracing::warn;
+use uuid::Uuid;
+
+use crate::client::session::TlsContext;
+use crate::cluster::node::resolve_hostname;
+use crate::errors::TranslationError;
+use crate::network::tls::{TlsConfig, TlsError};
+use crate::policies::address_translator::{AddressTranslator, UntranslatedPeer};
 
 #[non_exhaustive]
 #[derive(Debug, Error)]
@@ -23,7 +30,7 @@ pub enum CloudConfigError {
     Validation(String),
 
     #[error("Error during key/cert parsing: {0}")]
-    Ssl(#[from] openssl::error::ErrorStack),
+    Tls(#[from] TlsError),
 }
 
 /// Configuration for creating a session to a serverless cluster.
@@ -68,27 +75,198 @@ impl CloudConfig {
             "BUG: Validation should have prevented current context's auth info pointing to unknown auth_info",
         )
     }
+
+    pub(crate) fn make_tls_config_for_scylla_cloud_host(
+        &self,
+        host_id: Option<Uuid>,
+        dc: Option<&str>,
+        proxy_address: SocketAddr,
+    ) -> Result<Option<TlsConfig>, TlsError> {
+        let Some(datacenter) = dc.and_then(|dc| self.get_datacenters().get(dc)) else {
+            warn!("Datacenter {:?} of node {:?} with addr {} not described in cloud config. Proceeding without setting SNI for the node, which will most probably result in nonworking connections,.",
+                   dc, host_id, proxy_address);
+            // FIXME: Consider returning error here.
+            return Ok(None);
+        };
+
+        let domain_name = datacenter.get_node_domain();
+        let auth_info = self.get_current_auth_info();
+
+        let tls_context = auth_info.get_tls().get_dc_tls_context(datacenter)?;
+
+        Ok(Some(TlsConfig::new_for_sni(
+            tls_context,
+            domain_name,
+            host_id,
+        )))
+    }
+}
+
+#[async_trait]
+impl AddressTranslator for CloudConfig {
+    async fn translate_address(
+        &self,
+        untranslated_peer: &UntranslatedPeer,
+    ) -> Result<SocketAddr, TranslationError> {
+        // If we operate in the serverless Cloud, then we substitute every node's address
+        // with the address of the proxy in the datacenter that the node resides in.
+        let UntranslatedPeer {
+            host_id,
+            untranslated_address,
+            ref datacenter,
+            ..
+        } = *untranslated_peer;
+
+        let Some(dc) = datacenter.as_deref() else {
+            warn!( // FIXME: perhaps error! would fit here better?
+                "Datacenter for node {} is empty in the Metadata fetched from the Cloud cluster; ; therefore address \
+                    broadcast by the node was left as address to open connection to.",
+                host_id
+            );
+            // FIXME: Is this acceptable to do such fallback?
+            return Ok(untranslated_address);
+        };
+
+        let Some(dc_config) = self.get_datacenters().get(dc) else {
+            warn!( // FIXME: perhaps error! would fit here better?
+                "Datacenter {} that node {} resides in not found in the Cloud config; ; therefore address \
+                    broadcast by the node was left as address to open connection to.",
+                dc, host_id
+            );
+            // FIXME: Is this acceptable to do such fallback?
+            return Ok(untranslated_address);
+        };
+
+        let hostname = dc_config.get_server();
+        let resolved = resolve_hostname(hostname).await
+            // inspect_err() is stable since 1.76.
+            // TODO: use inspect_err once we bump MSRV to at least 1.76.
+            .map_err(|err| {
+                warn!(
+                    "Couldn't resolve address: {} of datacenter {} that node {} resides in; therefore address \
+                        broadcast by the node was left as address to open connection to.",
+                    hostname, dc, host_id
+                );
+                err
+            })
+            .map_err(Arc::new)
+            .map_err(TranslationError::IoError)?;
+
+        Ok(resolved)
+    }
+}
+
+/// Choice of the TLS provider for the cloud connection.
+#[derive(Debug, Clone, Copy)]
+#[non_exhaustive]
+pub enum CloudTlsProvider {
+    #[cfg(feature = "openssl-010")]
+    OpenSsl010,
+    #[cfg(feature = "rustls-023")]
+    Rustls023,
 }
 
 /// Contains all authentication info for creating TLS connections using SNI proxy
 /// to connect to cloud nodes.
 #[derive(Debug)]
 pub(crate) struct AuthInfo {
-    key: PKey<Private>,
-    cert: X509,
+    tls: TlsInfo,
     #[allow(unused)]
     username: Option<String>,
     #[allow(unused)]
     password: Option<String>,
 }
 
-impl AuthInfo {
-    pub(crate) fn get_key(&self) -> &PKey<Private> {
-        &self.key
+#[derive(Debug)]
+pub(crate) enum TlsInfo {
+    #[cfg(feature = "openssl-010")]
+    OpenSsl010 {
+        key: openssl::pkey::PKey<openssl::pkey::Private>,
+        cert: openssl::x509::X509,
+    },
+    #[cfg(feature = "rustls-023")]
+    Rustls023 {
+        cert_chain: Vec<rustls::pki_types::CertificateDer<'static>>,
+        key: rustls::pki_types::PrivateKeyDer<'static>,
+    },
+}
+
+impl TlsInfo {
+    fn from_pem(cert: &[u8], key: &[u8], tls_provider: CloudTlsProvider) -> Result<Self, TlsError> {
+        match tls_provider {
+            #[cfg(feature = "openssl-010")]
+            CloudTlsProvider::OpenSsl010 => {
+                let cert = openssl::x509::X509::from_pem(cert)?;
+                let key = openssl::pkey::PKey::private_key_from_pem(key)?;
+                Ok(TlsInfo::OpenSsl010 { key, cert })
+            }
+            #[cfg(feature = "rustls-023")]
+            CloudTlsProvider::Rustls023 => {
+                use rustls::pki_types::pem::PemObject;
+                let key = rustls::pki_types::PrivateKeyDer::from_pem_slice(key)?;
+                let cert_chain: Vec<_> = rustls::pki_types::CertificateDer::pem_slice_iter(cert)
+                    .collect::<Result<_, _>>()?;
+                Ok(TlsInfo::Rustls023 { cert_chain, key })
+            }
+        }
     }
 
-    pub(crate) fn get_cert(&self) -> &X509 {
-        &self.cert
+    fn get_dc_tls_context(&self, datacenter: &Datacenter) -> Result<TlsContext, TlsError> {
+        match *self {
+            #[cfg(feature = "openssl-010")]
+            TlsInfo::OpenSsl010 { ref key, ref cert } => {
+                use openssl::ssl::{SslContext, SslMethod, SslVerifyMode};
+                let mut builder = SslContext::builder(SslMethod::tls())?;
+                builder.set_verify(if datacenter.get_insecure_skip_tls_verify() {
+                    SslVerifyMode::NONE
+                } else {
+                    SslVerifyMode::PEER
+                });
+                let ca = datacenter.ca_cert.openssl_ca().expect(
+                    "Driver bug! User chose OpenSSL
+                    provider, but datacenter CA cert is not OpenSSL",
+                );
+                builder.cert_store_mut().add_cert(ca.clone())?;
+                builder.set_certificate(cert)?;
+                builder.set_private_key(key)?;
+                let context = builder.build();
+                Ok(TlsContext::OpenSsl010(context))
+            }
+            #[cfg(feature = "rustls-023")]
+            TlsInfo::Rustls023 {
+                ref cert_chain,
+                ref key,
+            } => {
+                use rustls::ClientConfig;
+
+                let mut root_store = rustls::RootCertStore::empty();
+                let ca = datacenter.ca_cert.rustls_ca().expect(
+                    "Driver bug! User chose Rustls
+                    provider, but datacenter CA cert is not Rustls",
+                );
+                root_store.add(ca.clone())?;
+                let builder = ClientConfig::builder();
+                let builder = if datacenter.get_insecure_skip_tls_verify() {
+                    let supported = builder.crypto_provider().signature_verification_algorithms;
+                    builder
+                        .dangerous()
+                        .with_custom_certificate_verifier(Arc::new(NoCertificateVerification {
+                            supported,
+                        }))
+                } else {
+                    builder.with_root_certificates(root_store)
+                };
+
+                let config = builder.with_client_auth_cert(cert_chain.clone(), key.clone_key())?;
+                Ok(TlsContext::Rustls023(Arc::new(config)))
+            }
+        }
+    }
+}
+
+impl AuthInfo {
+    pub(crate) fn get_tls(&self) -> &TlsInfo {
+        &self.tls
     }
 
     #[allow(unused)]
@@ -102,10 +280,10 @@ impl AuthInfo {
     }
 }
 
-/// Contains cloud datacenter configuration for creating TLS connections to its nodes.  
+/// Contains cloud datacenter configuration for creating TLS connections to its nodes.
 #[derive(Debug)]
 pub(crate) struct Datacenter {
-    certificate_authority: X509,
+    ca_cert: TlsCert,
     server: String,
     #[allow(unused)]
     tls_server_name: Option<String>,
@@ -116,10 +294,6 @@ pub(crate) struct Datacenter {
 }
 
 impl Datacenter {
-    pub(crate) fn get_certificate_authority(&self) -> &X509 {
-        &self.certificate_authority
-    }
-
     pub(crate) fn get_server(&self) -> &str {
         &self.server
     }
@@ -143,6 +317,38 @@ impl Datacenter {
     }
 }
 
+#[derive(Debug)]
+pub(crate) enum TlsCert {
+    #[cfg(feature = "openssl-010")]
+    OpenSsl010(openssl::x509::X509),
+    #[cfg(feature = "rustls-023")]
+    Rustls023(rustls::pki_types::CertificateDer<'static>),
+}
+
+impl TlsCert {
+    #[cfg(feature = "openssl-010")]
+    fn openssl_ca(&self) -> Option<&openssl::x509::X509> {
+        // To silence the compiler warnings when enum consists of only one variant.
+        #[allow(irrefutable_let_patterns)]
+        if let TlsCert::OpenSsl010(ca) = self {
+            Some(ca)
+        } else {
+            None
+        }
+    }
+
+    #[cfg(feature = "rustls-023")]
+    fn rustls_ca(&self) -> Option<&rustls::pki_types::CertificateDer<'static>> {
+        // To silence the compiler warnings when enum consists of only one variant.
+        #[allow(irrefutable_let_patterns)]
+        if let TlsCert::Rustls023(ca) = self {
+            Some(ca)
+        } else {
+            None
+        }
+    }
+}
+
 /// Contains the names of the primary datacenter and authentication info.
 #[derive(Debug)]
 pub(crate) struct Context {
@@ -151,13 +357,11 @@ pub(crate) struct Context {
 }
 
 mod deserialize {
-    use super::CloudConfigError;
+    use super::{CloudConfigError, CloudTlsProvider, TlsCert, TlsError, TlsInfo};
     use base64::{engine::general_purpose, Engine as _};
     use scylla_cql::{frame::types::SerialConsistency, Consistency};
     use std::{collections::HashMap, fs::File, io::Read, path::Path};
 
-    use openssl::{pkey::PKey, x509::X509};
-
     use serde::Deserialize;
     use tracing::warn;
     use url::Url;
@@ -321,10 +525,11 @@ mod deserialize {
         Ok(pem.into_boxed_slice())
     }
 
-    impl TryFrom<RawCloudConfig> for super::CloudConfig {
+    impl TryFrom<(RawCloudConfig, CloudTlsProvider)> for super::CloudConfig {
         type Error = CloudConfigError;
 
-        fn try_from(config: RawCloudConfig) -> Result<Self, Self::Error> {
+        fn try_from(v: (RawCloudConfig, CloudTlsProvider)) -> Result<Self, Self::Error> {
+            let (config, tls_provider) = v;
             if let Some(ref api_version) = config.apiVersion {
                 if !SUPPORTED_API_VERSIONS
                     .iter()
@@ -346,7 +551,8 @@ mod deserialize {
                 .datacenters
                 .into_iter()
                 .map(|(dc_name, dc_data)| {
-                    super::Datacenter::try_from(dc_data).map(|dc_data| (dc_name, dc_data))
+                    super::Datacenter::try_from((dc_data, tls_provider))
+                        .map(|dc_data| (dc_name, dc_data))
                 })
                 .collect::<Result<HashMap<String, super::Datacenter>, CloudConfigError>>()?;
 
@@ -354,7 +560,7 @@ mod deserialize {
                 .authInfos
                 .into_iter()
                 .map(|(auth_info_name, auth_info_data)| {
-                    match super::AuthInfo::try_from(auth_info_data) {
+                    match super::AuthInfo::try_from((auth_info_data, tls_provider)) {
                         Ok(auth_info_data) => Ok((auth_info_name, auth_info_data)),
                         Err(err) => Err(err),
                     }
@@ -400,10 +606,11 @@ mod deserialize {
         }
     }
 
-    impl TryFrom<AuthInfo> for super::AuthInfo {
+    impl TryFrom<(AuthInfo, CloudTlsProvider)> for super::AuthInfo {
         type Error = CloudConfigError;
 
-        fn try_from(auth_info: AuthInfo) -> Result<Self, Self::Error> {
+        fn try_from(v: (AuthInfo, CloudTlsProvider)) -> Result<Self, Self::Error> {
+            let (auth_info, tls_provider) = v;
             let cert_pem = get_pem_data_from_string_or_load_from_file(
                 "clientCertificateData",
                 "clientCertificatePath",
@@ -417,23 +624,21 @@ mod deserialize {
                 auth_info.clientKeyPath.as_deref(),
             )?;
 
-            let cert = X509::from_pem(&cert_pem[..]).map_err(CloudConfigError::Ssl)?;
-
-            let key = PKey::private_key_from_pem(&key_pem[..]).map_err(CloudConfigError::Ssl)?;
+            let tls = TlsInfo::from_pem(cert_pem.as_ref(), key_pem.as_ref(), tls_provider)?;
 
             Ok(super::AuthInfo {
-                key,
-                cert,
+                tls,
                 username: auth_info.username,
                 password: auth_info.password,
             })
         }
     }
 
-    impl TryFrom<Datacenter> for super::Datacenter {
+    impl TryFrom<(Datacenter, CloudTlsProvider)> for super::Datacenter {
         type Error = CloudConfigError;
 
-        fn try_from(datacenter: Datacenter) -> Result<Self, Self::Error> {
+        fn try_from(v: (Datacenter, CloudTlsProvider)) -> Result<Self, Self::Error> {
+            let (datacenter, tls_provider) = v;
             // Validate node domain
             // Using parts relevant to hostnames as we're dealing with a part of hostname
             // RFC-1123 Section 2.1 and RFC-952 1.
@@ -517,11 +722,25 @@ mod deserialize {
                 datacenter.certificateAuthorityPath.as_deref(),
             )?;
 
-            let certificate_authority =
-                X509::from_pem(&cert_pem[..]).map_err(CloudConfigError::Ssl)?;
+            let ca_cert = match tls_provider {
+                #[cfg(feature = "openssl-010")]
+                CloudTlsProvider::OpenSsl010 => {
+                    let openssl_ca_cert =
+                        openssl::x509::X509::from_pem(&cert_pem[..]).map_err(TlsError::from)?;
+                    TlsCert::OpenSsl010(openssl_ca_cert)
+                }
+                #[cfg(feature = "rustls-023")]
+                CloudTlsProvider::Rustls023 => {
+                    use rustls::pki_types::pem::PemObject as _;
+                    let rustls_ca_cert =
+                        rustls::pki_types::CertificateDer::from_pem_slice(cert_pem.as_ref())
+                            .map_err(TlsError::from)?;
+                    TlsCert::Rustls023(rustls_ca_cert)
+                }
+            };
 
             Ok(super::Datacenter {
-                certificate_authority,
+                ca_cert,
                 server: datacenter.server,
                 node_domain,
                 insecure_skip_tls_verify: datacenter.insecureSkipTlsVerify.unwrap_or(false),
@@ -541,23 +760,27 @@ mod deserialize {
     }
 
     impl super::CloudConfig {
-        pub fn read_from_yaml(config_path: impl AsRef<Path>) -> Result<Self, CloudConfigError> {
+        pub fn read_from_yaml(
+            config_path: impl AsRef<Path>,
+            tls_provider: CloudTlsProvider,
+        ) -> Result<Self, CloudConfigError> {
             let mut yaml = File::open(config_path)?;
             let config = RawCloudConfig::try_from_reader(&mut yaml)?;
-            Self::try_from(config)
+            Self::try_from((config, tls_provider))
         }
     }
 
     #[cfg(test)]
     mod tests {
         use crate::cloud::config::deserialize::Parameters;
+        use crate::cloud::config::TlsInfo;
+        use crate::cloud::CloudTlsProvider;
         use crate::test_utils::setup_tracing;
 
         use super::super::CloudConfig;
         use super::RawCloudConfig;
         use assert_matches::assert_matches;
         use base64::{engine::general_purpose, Engine as _};
-        use openssl::x509::X509;
         use scylla_cql::frame::types::SerialConsistency;
         use scylla_cql::Consistency;
 
@@ -598,108 +821,231 @@ mod deserialize {
             }
         }
 
-        #[test]
-        fn test_cloud_config_dc_validation_no_cert_provided() {
-            setup_tracing();
+        fn test_cloud_config_dc_validation_no_cert_provided(tls_provider: CloudTlsProvider) {
             let dc_no_cert = super::Datacenter {
                 certificateAuthorityPath: None,
                 certificateAuthorityData: None,
                 ..dc_valid()
             };
-            super::super::Datacenter::try_from(dc_no_cert).unwrap_err();
+            super::super::Datacenter::try_from((dc_no_cert, tls_provider)).unwrap_err();
         }
 
+        #[cfg(feature = "openssl-010")]
         #[test]
-        fn test_cloud_config_dc_validation_cert_not_found() {
+        fn test_cloud_config_dc_validation_no_cert_provided_openssl_010() {
             setup_tracing();
+            test_cloud_config_dc_validation_no_cert_provided(CloudTlsProvider::OpenSsl010);
+        }
+
+        #[cfg(feature = "rustls-023")]
+        #[test]
+        fn test_cloud_config_dc_validation_no_cert_provided_rustls_023() {
+            setup_tracing();
+            test_cloud_config_dc_validation_no_cert_provided(CloudTlsProvider::Rustls023);
+        }
+
+        fn test_cloud_config_dc_validation_cert_not_found(tls_provider: CloudTlsProvider) {
             let dc_cert_nonfound = super::Datacenter {
                 certificateAuthorityPath: Some(NO_PEM_PATH.into()),
                 certificateAuthorityData: None,
                 ..dc_valid()
             };
-            super::super::Datacenter::try_from(dc_cert_nonfound).unwrap_err();
+            super::super::Datacenter::try_from((dc_cert_nonfound, tls_provider)).unwrap_err();
         }
 
+        #[cfg(feature = "openssl-010")]
         #[test]
-        fn test_cloud_config_dc_validation_invalid_cert() {
+        fn test_cloud_config_dc_validation_cert_not_found_openssl_010() {
             setup_tracing();
+            test_cloud_config_dc_validation_cert_not_found(CloudTlsProvider::OpenSsl010);
+        }
+
+        #[cfg(feature = "rustls-023")]
+        #[test]
+        fn test_cloud_config_dc_validation_cert_not_found_rustls_023() {
+            setup_tracing();
+            test_cloud_config_dc_validation_cert_not_found(CloudTlsProvider::Rustls023);
+        }
+
+        fn test_cloud_config_dc_validation_invalid_cert(tls_provider: CloudTlsProvider) {
             let dc_invalid_cert = super::Datacenter {
                 certificateAuthorityData: Some("INVALID CERFITICATE".into()),
                 ..dc_valid()
             };
-            super::super::Datacenter::try_from(dc_invalid_cert).unwrap_err();
+            super::super::Datacenter::try_from((dc_invalid_cert, tls_provider)).unwrap_err();
         }
 
+        #[cfg(feature = "openssl-010")]
         #[test]
-        fn test_cloud_config_dc_validation_cert_found_bad() {
+        fn test_cloud_config_dc_validation_invalid_cert_openssl_010() {
             setup_tracing();
+            test_cloud_config_dc_validation_invalid_cert(CloudTlsProvider::OpenSsl010);
+        }
+
+        #[cfg(feature = "rustls-023")]
+        #[test]
+        fn test_cloud_config_dc_validation_invalid_cert_rustls_023() {
+            setup_tracing();
+            test_cloud_config_dc_validation_invalid_cert(CloudTlsProvider::Rustls023);
+        }
+
+        fn test_cloud_config_dc_validation_cert_found_bad(tls_provider: CloudTlsProvider) {
             let dc_cert_found_bad = super::Datacenter {
                 certificateAuthorityPath: Some(BAD_PEM_PATH.into()),
                 certificateAuthorityData: None,
                 ..dc_valid()
             };
-            super::super::Datacenter::try_from(dc_cert_found_bad).unwrap_err();
+            super::super::Datacenter::try_from((dc_cert_found_bad, tls_provider)).unwrap_err();
         }
 
+        #[cfg(feature = "openssl-010")]
         #[test]
-        fn test_cloud_config_dc_validation_cert_found_good() {
+        fn test_cloud_config_dc_validation_cert_found_bad_openssl_010() {
             setup_tracing();
+            test_cloud_config_dc_validation_cert_found_bad(CloudTlsProvider::OpenSsl010);
+        }
+
+        #[cfg(feature = "rustls-023")]
+        #[test]
+        fn test_cloud_config_dc_validation_cert_found_bad_rustls_023() {
+            setup_tracing();
+            test_cloud_config_dc_validation_cert_found_bad(CloudTlsProvider::Rustls023);
+        }
+
+        fn test_cloud_config_dc_validation_cert_found_good(tls_provider: CloudTlsProvider) {
             let dc_cert_found_good = super::Datacenter {
                 certificateAuthorityPath: Some(GOOD_PEM_PATH.into()),
                 certificateAuthorityData: None,
                 ..dc_valid()
             };
-            super::super::Datacenter::try_from(dc_cert_found_good).unwrap();
+            super::super::Datacenter::try_from((dc_cert_found_good, tls_provider)).unwrap();
         }
 
+        #[cfg(feature = "openssl-010")]
         #[test]
-        fn test_cloud_config_dc_validation_domain_empty() {
+        fn test_cloud_config_dc_validation_cert_found_good_openssl_010() {
             setup_tracing();
+            test_cloud_config_dc_validation_cert_found_good(CloudTlsProvider::OpenSsl010);
+        }
+
+        #[cfg(feature = "rustls-023")]
+        #[test]
+        fn test_cloud_config_dc_validation_cert_found_good_rustls_023() {
+            setup_tracing();
+            test_cloud_config_dc_validation_cert_found_good(CloudTlsProvider::Rustls023);
+        }
+
+        fn test_cloud_config_dc_validation_domain_empty(tls_provider: CloudTlsProvider) {
             let dc_bad_domain_empty = super::Datacenter {
                 nodeDomain: "".into(),
                 ..dc_valid()
             };
-            super::super::Datacenter::try_from(dc_bad_domain_empty).unwrap_err();
+            super::super::Datacenter::try_from((dc_bad_domain_empty, tls_provider)).unwrap_err();
+        }
+
+        #[cfg(feature = "openssl-010")]
+        #[test]
+        fn test_cloud_config_dc_validation_domain_empty_openssl_010() {
+            setup_tracing();
+            test_cloud_config_dc_validation_domain_empty(CloudTlsProvider::OpenSsl010);
         }
 
+        #[cfg(feature = "rustls-023")]
         #[test]
-        fn test_cloud_config_dc_validation_domain_trailing_minus() {
+        fn test_cloud_config_dc_validation_domain_empty_rustls_023() {
             setup_tracing();
+            test_cloud_config_dc_validation_domain_empty(CloudTlsProvider::Rustls023);
+        }
+
+        fn test_cloud_config_dc_validation_domain_trailing_minus(tls_provider: CloudTlsProvider) {
             let dc_bad_domain_trailing_minus = super::Datacenter {
                 nodeDomain: "cql.scylla-.com".into(),
                 ..dc_valid()
             };
-            super::super::Datacenter::try_from(dc_bad_domain_trailing_minus).unwrap_err();
+            super::super::Datacenter::try_from((dc_bad_domain_trailing_minus, tls_provider))
+                .unwrap_err();
+        }
+
+        #[cfg(feature = "openssl-010")]
+        #[test]
+        fn test_cloud_config_dc_validation_domain_trailing_minus_openssl_010() {
+            setup_tracing();
+            test_cloud_config_dc_validation_domain_trailing_minus(CloudTlsProvider::OpenSsl010);
         }
 
+        #[cfg(feature = "rustls-023")]
         #[test]
-        fn test_cloud_config_dc_validation_domain_interior_minus() {
+        fn test_cloud_config_dc_validation_domain_trailing_minus_rustls_023() {
             setup_tracing();
+            test_cloud_config_dc_validation_domain_trailing_minus(CloudTlsProvider::Rustls023);
+        }
+
+        fn test_cloud_config_dc_validation_domain_interior_minus(tls_provider: CloudTlsProvider) {
             let dc_good_domain_interior_minus = super::Datacenter {
                 nodeDomain: "cql.scylla-cloud.com".into(),
                 ..dc_valid()
             };
-            super::super::Datacenter::try_from(dc_good_domain_interior_minus).unwrap();
+            super::super::Datacenter::try_from((dc_good_domain_interior_minus, tls_provider))
+                .unwrap();
+        }
+
+        #[cfg(feature = "openssl-010")]
+        #[test]
+        fn test_cloud_config_dc_validation_domain_interior_minus_openssl_010() {
+            setup_tracing();
+            test_cloud_config_dc_validation_domain_interior_minus(CloudTlsProvider::OpenSsl010);
         }
 
+        #[cfg(feature = "rustls-023")]
         #[test]
-        fn test_cloud_config_dc_validation_domain_special_sign() {
+        fn test_cloud_config_dc_validation_domain_interior_minus_rustls_023() {
             setup_tracing();
+            test_cloud_config_dc_validation_domain_interior_minus(CloudTlsProvider::Rustls023);
+        }
+
+        fn test_cloud_config_dc_validation_domain_special_sign(tls_provider: CloudTlsProvider) {
             let dc_bad_domain_special_sign = super::Datacenter {
                 nodeDomain: "cql.$cylla-cloud.com".into(),
                 ..dc_valid()
             };
-            super::super::Datacenter::try_from(dc_bad_domain_special_sign).unwrap_err();
+            super::super::Datacenter::try_from((dc_bad_domain_special_sign, tls_provider))
+                .unwrap_err();
         }
 
+        #[cfg(feature = "openssl-010")]
         #[test]
-        fn test_cloud_config_dc_validation_bad_server_url() {
+        fn test_cloud_config_dc_validation_domain_special_sign_openssl_010() {
             setup_tracing();
+            test_cloud_config_dc_validation_domain_special_sign(CloudTlsProvider::OpenSsl010);
+        }
+
+        #[cfg(feature = "rustls-023")]
+        #[test]
+        fn test_cloud_config_dc_validation_domain_special_sign_rustls_023() {
+            setup_tracing();
+            test_cloud_config_dc_validation_domain_special_sign(CloudTlsProvider::Rustls023);
+        }
+
+        fn test_cloud_config_dc_validation_bad_server_url(tls_provider: CloudTlsProvider) {
             let dc_bad_server_not_url = super::Datacenter {
                 server: "NotAUrl".into(),
                 ..dc_valid()
             };
-            super::super::Datacenter::try_from(dc_bad_server_not_url).unwrap_err();
+            super::super::Datacenter::try_from((dc_bad_server_not_url, tls_provider)).unwrap_err();
+        }
+
+        #[cfg(feature = "openssl-010")]
+        #[test]
+        fn test_cloud_config_dc_validation_bad_server_url_openssl_010() {
+            setup_tracing();
+            test_cloud_config_dc_validation_bad_server_url(CloudTlsProvider::OpenSsl010);
+        }
+
+        #[cfg(feature = "rustls-023")]
+        #[test]
+        fn test_cloud_config_dc_validation_bad_server_url_rustls_023() {
+            setup_tracing();
+            test_cloud_config_dc_validation_bad_server_url(CloudTlsProvider::Rustls023);
         }
 
         static CCM_CONFIG: &str = include_str!("ccm_config.yaml");
@@ -708,13 +1054,25 @@ mod deserialize {
         static TEST_CA: &str = include_str!("test_ca");
         static TEST_KEY: &str = include_str!("test_key");
 
-        #[test]
-        fn test_cloud_config_unsupported_api_version() {
-            setup_tracing();
+        fn test_cloud_config_unsupported_api_version(tls_provider: CloudTlsProvider) {
             let mut config = RawCloudConfig::try_from(CCM_CONFIG).unwrap();
             config.apiVersion = Some("1.0".into());
             // The mere unknown api version should not be considered an erroneous input, but a warning will be logged.
-            super::super::CloudConfig::try_from(config).unwrap();
+            super::super::CloudConfig::try_from((config, tls_provider)).unwrap();
+        }
+
+        #[cfg(feature = "openssl-010")]
+        #[test]
+        fn test_cloud_config_unsupported_api_version_openssl_010() {
+            setup_tracing();
+            test_cloud_config_unsupported_api_version(CloudTlsProvider::OpenSsl010);
+        }
+
+        #[cfg(feature = "rustls-023")]
+        #[test]
+        fn test_cloud_config_unsupported_api_version_rustls_023() {
+            setup_tracing();
+            test_cloud_config_unsupported_api_version(CloudTlsProvider::Rustls023);
         }
 
         #[test]
@@ -797,13 +1155,12 @@ mod deserialize {
             }
         }
 
-        #[test]
-        fn test_cloud_config_validation() {
-            setup_tracing();
+        fn test_cloud_config_validation(tls_provider: CloudTlsProvider) {
             {
                 // CCM standard config
                 let config = RawCloudConfig::try_from(CCM_CONFIG).unwrap();
-                let validated_config: CloudConfig = config.try_into().unwrap();
+                let validated_config: CloudConfig =
+                    CloudConfig::try_from((config, tls_provider)).unwrap();
                 assert_matches!(validated_config.default_consistency, None);
                 assert_matches!(validated_config.default_serial_consistency, None);
                 assert_eq!(validated_config.current_context, "default");
@@ -819,7 +1176,8 @@ mod deserialize {
             {
                 // crafted fully-fledged config
                 let config = RawCloudConfig::try_from(FULL_CONFIG).unwrap();
-                let validated_config: CloudConfig = config.try_into().unwrap();
+                let validated_config: CloudConfig =
+                    CloudConfig::try_from((config, tls_provider)).unwrap();
                 assert_eq!(
                     validated_config.default_consistency,
                     Some(Consistency::LocalQuorum)
@@ -833,38 +1191,104 @@ mod deserialize {
                 assert_eq!(validated_config.datacenters.len(), 2);
                 assert_eq!(validated_config.auth_infos.len(), 2);
 
-                let auth_info = validated_config.auth_infos.get("one").unwrap();
-
-                assert_eq!(
-                    auth_info.cert,
-                    X509::from_pem(
-                        &general_purpose::STANDARD
-                            .decode(TEST_CA.as_bytes())
-                            .unwrap()
-                    )
-                    .unwrap()
-                );
-                // comparison of PKey<Private> is not possible, so auth_info.key won't be tested here.
-
-                assert_eq!(auth_info.username, Some(String::from("cassandra1")));
-                assert_eq!(auth_info.password, Some(String::from("scylla1")));
-
                 let datacenter = validated_config.datacenters.get("eu-west-1").unwrap();
-                assert_eq!(
-                    datacenter.certificate_authority,
-                    X509::from_pem(
-                        &general_purpose::STANDARD
-                            .decode(TEST_CA.as_bytes())
-                            .unwrap()
-                    )
-                    .unwrap()
-                );
                 assert_eq!(datacenter.server.as_str(), "127.0.1.12:9142");
                 assert_eq!(datacenter.node_domain, "cql.my-cluster-id.scylla.com");
                 assert!(datacenter.insecure_skip_tls_verify);
                 assert_eq!(datacenter.proxy_url, Some("proxy.example.com".into()));
                 assert_eq!(datacenter.tls_server_name, Some("tls_server".into()));
+
+                let auth_info = validated_config.auth_infos.get("one").unwrap();
+                assert_eq!(auth_info.username, Some(String::from("cassandra1")));
+                assert_eq!(auth_info.password, Some(String::from("scylla1")));
+
+                let decoded_raw_ca = general_purpose::STANDARD
+                    .decode(TEST_CA.as_bytes())
+                    .unwrap();
+
+                match auth_info.tls {
+                    #[cfg(feature = "openssl-010")]
+                    TlsInfo::OpenSsl010 { ref cert, .. } => {
+                        let decoded_openssl_ca =
+                            openssl::x509::X509::from_pem(&decoded_raw_ca).unwrap();
+
+                        assert_eq!(*cert, decoded_openssl_ca);
+                        // comparison of PKey<Private> is not possible, so auth_info.key won't be tested here.
+
+                        assert_eq!(
+                            *datacenter.ca_cert.openssl_ca().unwrap(),
+                            decoded_openssl_ca
+                        );
+                    }
+                    #[cfg(feature = "rustls-023")]
+                    TlsInfo::Rustls023 { ref cert_chain, .. } => {
+                        let cert = cert_chain.first().unwrap();
+                        let decoded_rustls_ca = {
+                            use rustls::pki_types::pem::PemObject as _;
+                            rustls::pki_types::CertificateDer::from_pem_slice(&decoded_raw_ca)
+                                .unwrap()
+                        };
+                        assert_eq!(*cert, decoded_rustls_ca);
+                        assert_eq!(*datacenter.ca_cert.rustls_ca().unwrap(), decoded_rustls_ca);
+                    }
+                }
             }
         }
+
+        #[cfg(feature = "openssl-010")]
+        #[test]
+        fn test_cloud_config_validation_openssl_010() {
+            setup_tracing();
+            test_cloud_config_validation(CloudTlsProvider::OpenSsl010);
+        }
+
+        #[cfg(feature = "rustls-023")]
+        #[test]
+        fn test_cloud_config_validation_rustls_023() {
+            setup_tracing();
+            test_cloud_config_validation(CloudTlsProvider::Rustls023);
+        }
+    }
+}
+
+#[cfg(feature = "rustls-023")]
+#[derive(Debug)]
+struct NoCertificateVerification {
+    supported: rustls::crypto::WebPkiSupportedAlgorithms,
+}
+
+#[cfg(feature = "rustls-023")]
+impl rustls::client::danger::ServerCertVerifier for NoCertificateVerification {
+    fn verify_server_cert(
+        &self,
+        _end_entity: &rustls::pki_types::CertificateDer<'_>,
+        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
+        _server_name: &rustls::pki_types::ServerName<'_>,
+        _ocsp_response: &[u8],
+        _now: rustls::pki_types::UnixTime,
+    ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
+        Ok(rustls::client::danger::ServerCertVerified::assertion())
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _cert: &rustls::pki_types::CertificateDer<'_>,
+        _dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _cert: &rustls::pki_types::CertificateDer<'_>,
+        _dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
+        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
+        self.supported.supported_schemes()
     }
 }
diff --git a/scylla/src/cloud/mod.rs b/scylla/src/cloud/mod.rs
index 8e773890d8..94e77cebf5 100644
--- a/scylla/src/cloud/mod.rs
+++ b/scylla/src/cloud/mod.rs
@@ -1,62 +1,13 @@
 mod config;
 
-use std::net::SocketAddr;
-
 pub use config::CloudConfig;
 pub use config::CloudConfigError;
-use openssl::{
-    error::ErrorStack,
-    ssl::{SslContext, SslMethod, SslVerifyMode},
-};
-use tracing::warn;
-use uuid::Uuid;
-
-use crate::network::{ConnectionConfig, SslConfig};
-
-pub(crate) fn set_ssl_config_for_scylla_cloud_host(
-    host_id: Option<Uuid>,
-    dc: Option<&str>,
-    proxy_address: SocketAddr,
-    connection_config: &mut ConnectionConfig,
-) -> Result<(), ErrorStack> {
-    if connection_config.ssl_config.is_some() {
-        // This can only happen if the user builds SessionConfig by hand, as SessionBuilder in cloud mode prevents setting custom SslContext.
-        warn!(
-            "Overriding user-provided SslContext with Scylla Cloud SslContext due \
-                to CloudConfig being provided. This is certainly an API misuse - Cloud \
-                may not be combined with user's own SSL config."
-        )
-    }
-
-    let cloud_config = connection_config
-        .cloud_config
-        .as_deref()
-        .expect("BUG: CloudConfig presence in ConnectionConfig should have been checked before calling this function");
-    let datacenter = dc.and_then(|dc| cloud_config.get_datacenters().get(dc));
-    if let Some(datacenter) = datacenter {
-        let domain_name = datacenter.get_node_domain();
-        let ca = datacenter.get_certificate_authority();
-        let auth_info = cloud_config.get_current_auth_info();
-        let key = auth_info.get_key();
-        let cert = auth_info.get_cert();
-
-        let ssl_context = {
-            let mut builder = SslContext::builder(SslMethod::tls())?;
-            builder.set_verify(if datacenter.get_insecure_skip_tls_verify() {
-                SslVerifyMode::NONE
-            } else {
-                SslVerifyMode::PEER
-            });
-            builder.cert_store_mut().add_cert(ca.clone())?;
-            builder.set_certificate(cert)?;
-            builder.set_private_key(key)?;
-            builder.build()
-        };
-        let ssl_config = SslConfig::new_for_sni(ssl_context, domain_name, host_id);
-        connection_config.ssl_config = Some(ssl_config);
-    } else {
-        warn!("Datacenter {:?} of node {:?} with addr {} not described in cloud config. Proceeding without setting SNI for the node, which will most probably result in nonworking connections,.",
-               dc, host_id, proxy_address);
-    }
-    Ok(())
-}
+pub use config::CloudTlsProvider;
+
+#[cfg(all(
+    feature = "unstable-cloud",
+    not(any(feature = "rustls-023", feature = "openssl-010"))
+))]
+compile_error!(
+    r#""unstable-cloud" feature requires a TLS backend: at least one of ["rustls-023", "openssl-010"] is needed"#
+);
diff --git a/scylla/src/cluster/metadata.rs b/scylla/src/cluster/metadata.rs
index 6161b46693..bcf9f69e59 100644
--- a/scylla/src/cluster/metadata.rs
+++ b/scylla/src/cluster/metadata.rs
@@ -44,7 +44,7 @@ use std::net::{IpAddr, SocketAddr};
 use std::num::NonZeroUsize;
 use std::str::FromStr;
 use std::sync::Arc;
-use std::time::{Duration, Instant};
+use std::time::Instant;
 use thiserror::Error;
 use tokio::sync::{broadcast, mpsc};
 use tracing::{debug, error, trace, warn};
@@ -69,8 +69,7 @@ type PerKsTableResult<T, E> = PerKsTable<Result<T, E>>;
 
 /// Allows to read current metadata from the cluster
 pub(crate) struct MetadataReader {
-    connection_config: ConnectionConfig,
-    keepalive_interval: Option<Duration>,
+    control_connection_pool_config: PoolConfig,
 
     control_connection_endpoint: UntranslatedEndpoint,
     control_connection: NodeConnectionPool,
@@ -168,17 +167,6 @@ impl Peer {
     }
 }
 
-/// Data used to issue connections to a node that is possibly subject to address translation.
-///
-/// Built from `PeerEndpoint` if its `NodeAddr` variant implies address translation possibility.
-#[non_exhaustive] // <- so that we can add more fields in a backwards-compatible way
-pub struct UntranslatedPeer {
-    pub host_id: Uuid,
-    pub untranslated_address: SocketAddr,
-    pub datacenter: Option<String>,
-    pub rack: Option<String>,
-}
-
 #[derive(Clone, Debug, PartialEq, Eq)]
 pub struct Keyspace {
     pub strategy: Strategy,
@@ -399,7 +387,6 @@ impl MetadataReader {
         initial_known_nodes: Vec<InternalKnownNode>,
         control_connection_repair_requester: broadcast::Sender<()>,
         mut connection_config: ConnectionConfig,
-        keepalive_interval: Option<Duration>,
         server_event_sender: mpsc::Sender<Event>,
         keyspaces_to_fetch: Vec<String>,
         fetch_schema: bool,
@@ -426,18 +413,27 @@ impl MetadataReader {
         // - send received events via server_event_sender
         connection_config.event_sender = Some(server_event_sender);
 
+        let control_connection_pool_config = PoolConfig {
+            connection_config,
+
+            // We want to have only one connection to receive events from
+            pool_size: PoolSize::PerHost(NonZeroUsize::new(1).unwrap()),
+
+            // The shard-aware port won't be used with PerHost pool size anyway,
+            // so explicitly disable it here
+            can_use_shard_aware_port: false,
+        };
+
         let control_connection = Self::make_control_connection_pool(
             control_connection_endpoint.clone(),
-            connection_config.clone(),
-            keepalive_interval,
+            &control_connection_pool_config,
             control_connection_repair_requester.clone(),
         );
 
         Ok(MetadataReader {
+            control_connection_pool_config,
             control_connection_endpoint,
             control_connection,
-            keepalive_interval,
-            connection_config,
             known_peers: initial_peers
                 .into_iter()
                 .map(UntranslatedEndpoint::ContactPoint)
@@ -546,8 +542,7 @@ impl MetadataReader {
             self.control_connection_endpoint = peer.clone();
             self.control_connection = Self::make_control_connection_pool(
                 self.control_connection_endpoint.clone(),
-                self.connection_config.clone(),
-                self.keepalive_interval,
+                &self.control_connection_pool_config,
                 self.control_connection_repair_requester.clone(),
             );
 
@@ -645,8 +640,7 @@ impl MetadataReader {
 
                     self.control_connection = Self::make_control_connection_pool(
                         self.control_connection_endpoint.clone(),
-                        self.connection_config.clone(),
-                        self.keepalive_interval,
+                        &self.control_connection_pool_config,
                         self.control_connection_repair_requester.clone(),
                     );
                 }
@@ -656,22 +650,9 @@ impl MetadataReader {
 
     fn make_control_connection_pool(
         endpoint: UntranslatedEndpoint,
-        connection_config: ConnectionConfig,
-        keepalive_interval: Option<Duration>,
+        pool_config: &PoolConfig,
         refresh_requester: broadcast::Sender<()>,
     ) -> NodeConnectionPool {
-        let pool_config = PoolConfig {
-            connection_config,
-            keepalive_interval,
-
-            // We want to have only one connection to receive events from
-            pool_size: PoolSize::PerHost(NonZeroUsize::new(1).unwrap()),
-
-            // The shard-aware port won't be used with PerHost pool size anyway,
-            // so explicitly disable it here
-            can_use_shard_aware_port: false,
-        };
-
         NodeConnectionPool::new(endpoint, pool_config, None, refresh_requester)
     }
 }
diff --git a/scylla/src/cluster/node.rs b/scylla/src/cluster/node.rs
index 73c927a019..c03b9bb097 100644
--- a/scylla/src/cluster/node.rs
+++ b/scylla/src/cluster/node.rs
@@ -96,7 +96,7 @@ impl Node {
     /// `rack` - optional rack name
     pub(crate) fn new(
         peer: PeerEndpoint,
-        pool_config: PoolConfig,
+        pool_config: &PoolConfig,
         keyspace_name: Option<VerifiedKeyspaceName>,
         enabled: bool,
     ) -> Self {
@@ -132,8 +132,8 @@ impl Node {
     /// The underlying pool is preserved and notified about the IP change.
     /// # Arguments
     ///
-    /// `node` - previous definition of that node
-    /// `address` - new address to connect to
+    /// - `node` - previous definition of that node
+    /// - `address` - new address to connect to
     pub(crate) fn inherit_with_ip_changed(node: &Node, endpoint: PeerEndpoint) -> Self {
         let address = endpoint.address;
         if let Some(ref pool) = node.pool {
@@ -253,7 +253,7 @@ pub enum KnownNode {
 pub(crate) enum InternalKnownNode {
     Hostname(String),
     Address(SocketAddr),
-    #[cfg(feature = "cloud")]
+    #[cfg(feature = "unstable-cloud")]
     CloudEndpoint(CloudEndpoint),
 }
 
@@ -267,7 +267,7 @@ impl From<KnownNode> for InternalKnownNode {
 }
 
 /// Describes a database server in the serverless Scylla Cloud.
-#[cfg(feature = "cloud")]
+#[cfg(feature = "unstable-cloud")]
 #[derive(Clone, PartialEq, Eq, PartialOrd, Ord, Debug)]
 pub(crate) struct CloudEndpoint {
     pub(crate) hostname: String,
@@ -278,7 +278,7 @@ pub(crate) struct CloudEndpoint {
 #[derive(Debug, Clone)]
 pub(crate) struct ResolvedContactPoint {
     pub(crate) address: SocketAddr,
-    #[cfg_attr(not(feature = "cloud"), allow(unused))]
+    #[cfg_attr(not(feature = "unstable-cloud"), allow(unused))]
     pub(crate) datacenter: Option<String>,
 }
 
@@ -328,7 +328,7 @@ pub(crate) async fn resolve_contact_points(
                 address: *address,
                 datacenter: None,
             }),
-            #[cfg(feature = "cloud")]
+            #[cfg(feature = "unstable-cloud")]
             InternalKnownNode::CloudEndpoint(CloudEndpoint {
                 hostname,
                 datacenter,
diff --git a/scylla/src/cluster/state.rs b/scylla/src/cluster/state.rs
index 2e72f78638..46acde993a 100644
--- a/scylla/src/cluster/state.rs
+++ b/scylla/src/cluster/state.rs
@@ -96,7 +96,7 @@ impl ClusterState {
                     peer_tokens = tokens;
                     Arc::new(Node::new(
                         peer_endpoint,
-                        pool_config.clone(),
+                        pool_config,
                         used_keyspace.clone(),
                         is_enabled,
                     ))
diff --git a/scylla/src/cluster/worker.rs b/scylla/src/cluster/worker.rs
index 145fea5ff2..0659b7d655 100644
--- a/scylla/src/cluster/worker.rs
+++ b/scylla/src/cluster/worker.rs
@@ -112,7 +112,6 @@ impl Cluster {
             known_nodes,
             control_connection_repair_sender,
             pool_config.connection_config.clone(),
-            pool_config.keepalive_interval,
             server_events_sender,
             keyspaces_to_fetch,
             fetch_schema_metadata,
diff --git a/scylla/src/errors.rs b/scylla/src/errors.rs
index 2830537398..366016480d 100644
--- a/scylla/src/errors.rs
+++ b/scylla/src/errors.rs
@@ -5,7 +5,6 @@ use std::io::ErrorKind;
 use std::net::{AddrParseError, IpAddr, SocketAddr};
 use std::num::ParseIntError;
 use std::sync::Arc;
-
 use thiserror::Error;
 
 use crate::frame::response;
@@ -22,6 +21,9 @@ pub use crate::response::query_result::{
 // Re-export error type from authentication module.
 pub use crate::authentication::AuthError;
 
+// Re-export error type from network module.
+pub use crate::network::tls::TlsError;
+
 // Re-export error types from scylla-cql.
 pub use scylla_cql::deserialize::{DeserializationError, TypeCheckError};
 pub use scylla_cql::frame::frame_errors::{
@@ -540,6 +542,10 @@ pub enum TranslationError {
         translated_addr_str: &'static str,
         reason: AddrParseError,
     },
+
+    /// An I/O error occurred during address translation.
+    #[error("An I/O error occurred during address translation: {0}")]
+    IoError(Arc<std::io::Error>),
 }
 
 /// An error that occurred during connection setup request execution.
diff --git a/scylla/src/lib.rs b/scylla/src/lib.rs
index bbaf09e66d..dfc9767004 100644
--- a/scylla/src/lib.rs
+++ b/scylla/src/lib.rs
@@ -82,7 +82,7 @@
 //!     .query_unpaged("SELECT a, b FROM ks.tab", &[])
 //!     .await?
 //!     .into_rows_result()?;
-//!     
+//!
 //! for row in query_rows.rows()? {
 //!     // Parse row as int and text \
 //!     let (int_val, text_val): (i32, &str) = row?;
@@ -241,7 +241,7 @@ pub mod deserialize {
 
 pub mod authentication;
 pub mod client;
-#[cfg(feature = "cloud")]
+#[cfg(feature = "unstable-cloud")]
 pub mod cloud;
 
 pub mod cluster;
diff --git a/scylla/src/network/connection.rs b/scylla/src/network/connection.rs
index 4fc59db158..33cdc67e0a 100644
--- a/scylla/src/network/connection.rs
+++ b/scylla/src/network/connection.rs
@@ -1,11 +1,10 @@
+use super::tls::{TlsConfig, TlsProvider};
 use crate::authentication::AuthenticatorProvider;
 use crate::batch::{Batch, BatchStatement};
 use crate::client::pager::{NextRowError, QueryPager};
 use crate::client::Compression;
 use crate::client::SelfIdentity;
-#[cfg(feature = "cloud")]
-use crate::cloud::CloudConfig;
-use crate::cluster::metadata::{PeerEndpoint, UntranslatedEndpoint, UntranslatedPeer};
+use crate::cluster::metadata::{PeerEndpoint, UntranslatedEndpoint};
 use crate::cluster::NodeAddr;
 use crate::errors::{
     BadKeyspaceName, BrokenConnectionError, BrokenConnectionErrorKind, ConnectionError,
@@ -21,7 +20,7 @@ use crate::frame::{
     server_event_type::EventType,
     FrameParams, SerializedRequest,
 };
-use crate::policies::address_translator::AddressTranslator;
+use crate::policies::address_translator::{AddressTranslator, UntranslatedPeer};
 use crate::policies::timestamp_generator::TimestampGenerator;
 use crate::query::Query;
 use crate::response::query_result::QueryResult;
@@ -46,14 +45,10 @@ use scylla_cql::serialize::batch::{BatchValues, BatchValuesIterator};
 use scylla_cql::serialize::raw_batch::RawBatchValuesAdapter;
 use scylla_cql::serialize::row::{RowSerializationContext, SerializedValues};
 use socket2::{SockRef, TcpKeepalive};
-#[cfg(feature = "ssl")]
-pub(crate) use ssl_config::SslConfig;
 use std::borrow::Cow;
 use std::collections::{BTreeSet, HashMap, HashSet};
 use std::convert::TryFrom;
 use std::net::{IpAddr, SocketAddr};
-#[cfg(feature = "ssl")]
-use std::pin::Pin;
 use std::sync::atomic::AtomicU64;
 use std::sync::Arc;
 use std::sync::Mutex as StdMutex;
@@ -66,8 +61,6 @@ use tokio::io::{split, AsyncRead, AsyncWrite, AsyncWriteExt, BufReader, BufWrite
 use tokio::net::{TcpSocket, TcpStream};
 use tokio::sync::{mpsc, oneshot};
 use tokio::time::Instant;
-#[cfg(feature = "ssl")]
-use tokio_openssl::SslStream;
 use tracing::{debug, error, trace, warn};
 use uuid::Uuid;
 
@@ -87,7 +80,7 @@ pub(crate) struct Connection {
     _worker_handle: RemoteHandle<()>,
 
     connect_address: SocketAddr,
-    config: ConnectionConfig,
+    config: HostConnectionConfig,
     features: ConnectionFeatures,
     router_handle: Arc<RouterHandle>,
 }
@@ -212,73 +205,6 @@ struct TaskResponse {
     body: Bytes,
 }
 
-#[cfg(feature = "ssl")]
-mod ssl_config {
-    use openssl::{
-        error::ErrorStack,
-        ssl::{Ssl, SslContext},
-    };
-    #[cfg(feature = "cloud")]
-    use uuid::Uuid;
-
-    /// This struct encapsulates all Ssl-regarding configuration and helps pass it tidily through the code.
-    //
-    // There are 3 possible options for SslConfig, whose behaviour is somewhat subtle.
-    // Option 1: No ssl configuration. Then it is None every time.
-    // Option 2: User-provided global SslContext. Then, a SslConfig is created upon Session creation
-    // and henceforth stored in the ConnectionConfig.
-    // Option 3: Serverless Cloud. The Option<SslConfig> remains None in ConnectionConfig until it reaches
-    // NodeConnectionPool::new(). Inside that function, the field is mutated to contain SslConfig specific
-    // for the particular node. (The SslConfig must be different, because SNIs differ for different nodes.)
-    // Thenceforth, all connections to that node share the same SslConfig.
-    #[derive(Clone)]
-    pub(crate) struct SslConfig {
-        context: SslContext,
-        #[cfg(feature = "cloud")]
-        sni: Option<String>,
-    }
-
-    impl SslConfig {
-        // Used in case when the user provided their own SslContext to be used in all connections.
-        pub(crate) fn new_with_global_context(context: SslContext) -> Self {
-            Self {
-                context,
-                #[cfg(feature = "cloud")]
-                sni: None,
-            }
-        }
-
-        // Used in case of Serverless Cloud connections.
-        #[cfg(feature = "cloud")]
-        pub(crate) fn new_for_sni(
-            context: SslContext,
-            domain_name: &str,
-            host_id: Option<Uuid>,
-        ) -> Self {
-            Self {
-                context,
-                #[cfg(feature = "cloud")]
-                sni: Some(if let Some(host_id) = host_id {
-                    format!("{}.{}", host_id, domain_name)
-                } else {
-                    domain_name.into()
-                }),
-            }
-        }
-
-        // Produces a new Ssl object that is able to wrap a TCP stream.
-        pub(crate) fn new_ssl(&self) -> Result<Ssl, ErrorStack> {
-            #[allow(unused_mut)]
-            let mut ssl = Ssl::new(&self.context)?;
-            #[cfg(feature = "cloud")]
-            if let Some(sni) = self.sni.as_ref() {
-                ssl.set_hostname(sni)?;
-            }
-            Ok(ssl)
-        }
-    }
-}
-
 impl<'id: 'map, 'map> SelfIdentity<'id> {
     fn add_startup_options(&'id self, options: &'map mut HashMap<Cow<'id, str>, Cow<'id, str>>) {
         /* Driver identity. */
@@ -320,20 +246,22 @@ impl<'id: 'map, 'map> SelfIdentity<'id> {
     }
 }
 
+/// Configuration used for new connections.
+///
+/// Before being used for a particular connection, should be customized
+/// for a specific endpoint by converting to [HostConnectionConfig]
+/// using [ConnectionConfig::to_host_connection_config].
 #[derive(Clone)]
 pub(crate) struct ConnectionConfig {
     pub(crate) compression: Option<Compression>,
     pub(crate) tcp_nodelay: bool,
     pub(crate) tcp_keepalive_interval: Option<Duration>,
     pub(crate) timestamp_generator: Option<Arc<dyn TimestampGenerator>>,
-    #[cfg(feature = "ssl")]
-    pub(crate) ssl_config: Option<SslConfig>,
+    pub(crate) tls_provider: Option<TlsProvider>,
     pub(crate) connect_timeout: std::time::Duration,
     // should be Some only in control connections,
     pub(crate) event_sender: Option<mpsc::Sender<Event>>,
     pub(crate) default_consistency: Consistency,
-    #[cfg(feature = "cloud")]
-    pub(crate) cloud_config: Option<Arc<CloudConfig>>,
     pub(crate) authenticator: Option<Arc<dyn AuthenticatorProvider>>,
     pub(crate) address_translator: Option<Arc<dyn AddressTranslator>>,
     pub(crate) enable_write_coalescing: bool,
@@ -345,7 +273,66 @@ pub(crate) struct ConnectionConfig {
     pub(crate) identity: SelfIdentity<'static>,
 }
 
-impl Default for ConnectionConfig {
+impl ConnectionConfig {
+    /// Customizes the config for a specific endpoint.
+    pub(crate) fn to_host_connection_config(
+        &self,
+        // Currently, this is only used for cloud; but it makes abstract sense to pass endpoint here
+        // also for non-cloud cases, so let's just allow(unused).
+        #[allow(unused)] endpoint: &UntranslatedEndpoint,
+    ) -> HostConnectionConfig {
+        let tls_config = self
+            .tls_provider
+            .as_ref()
+            .and_then(|provider| provider.make_tls_config(endpoint));
+
+        HostConnectionConfig {
+            compression: self.compression,
+            tcp_nodelay: self.tcp_nodelay,
+            tcp_keepalive_interval: self.tcp_keepalive_interval,
+            timestamp_generator: self.timestamp_generator.clone(),
+            tls_config,
+            connect_timeout: self.connect_timeout,
+            event_sender: self.event_sender.clone(),
+            default_consistency: self.default_consistency,
+            authenticator: self.authenticator.clone(),
+            address_translator: self.address_translator.clone(),
+            enable_write_coalescing: self.enable_write_coalescing,
+            keepalive_interval: self.keepalive_interval,
+            keepalive_timeout: self.keepalive_timeout,
+            tablet_sender: self.tablet_sender.clone(),
+            identity: self.identity.clone(),
+        }
+    }
+}
+
+/// Configuration used for new connections, customized for a specific endpoint.
+///
+/// Created from [ConnectionConfig] using [ConnectionConfig::to_host_connection_config].
+#[derive(Clone)]
+pub(crate) struct HostConnectionConfig {
+    pub(crate) compression: Option<Compression>,
+    pub(crate) tcp_nodelay: bool,
+    pub(crate) tcp_keepalive_interval: Option<Duration>,
+    pub(crate) timestamp_generator: Option<Arc<dyn TimestampGenerator>>,
+    pub(crate) tls_config: Option<TlsConfig>,
+    pub(crate) connect_timeout: std::time::Duration,
+    // should be Some only in control connections,
+    pub(crate) event_sender: Option<mpsc::Sender<Event>>,
+    pub(crate) default_consistency: Consistency,
+    pub(crate) authenticator: Option<Arc<dyn AuthenticatorProvider>>,
+    pub(crate) address_translator: Option<Arc<dyn AddressTranslator>>,
+    pub(crate) enable_write_coalescing: bool,
+
+    pub(crate) keepalive_interval: Option<Duration>,
+    pub(crate) keepalive_timeout: Option<Duration>,
+    pub(crate) tablet_sender: Option<mpsc::Sender<(TableSpec<'static>, RawTablet)>>,
+
+    pub(crate) identity: SelfIdentity<'static>,
+}
+
+#[cfg(test)]
+impl Default for HostConnectionConfig {
     fn default() -> Self {
         Self {
             compression: None,
@@ -353,14 +340,11 @@ impl Default for ConnectionConfig {
             tcp_keepalive_interval: None,
             timestamp_generator: None,
             event_sender: None,
-            #[cfg(feature = "ssl")]
-            ssl_config: None,
+            tls_config: None,
             connect_timeout: std::time::Duration::from_secs(5),
             default_consistency: Default::default(),
             authenticator: None,
             address_translator: None,
-            #[cfg(feature = "cloud")]
-            cloud_config: None,
             enable_write_coalescing: true,
 
             // Note: this is different than SessionConfig default values.
@@ -374,19 +358,36 @@ impl Default for ConnectionConfig {
     }
 }
 
-impl ConnectionConfig {
-    #[cfg(feature = "ssl")]
-    fn is_ssl(&self) -> bool {
-        #[cfg(feature = "cloud")]
-        if self.cloud_config.is_some() {
-            return true;
+#[cfg(test)]
+impl Default for ConnectionConfig {
+    fn default() -> Self {
+        Self {
+            compression: None,
+            tcp_nodelay: true,
+            tcp_keepalive_interval: None,
+            timestamp_generator: None,
+            event_sender: None,
+            tls_provider: None,
+            connect_timeout: std::time::Duration::from_secs(5),
+            default_consistency: Default::default(),
+            authenticator: None,
+            address_translator: None,
+            enable_write_coalescing: true,
+
+            // Note: this is different than SessionConfig default values.
+            keepalive_interval: None,
+            keepalive_timeout: None,
+
+            tablet_sender: None,
+
+            identity: SelfIdentity::default(),
         }
-        self.ssl_config.is_some()
     }
+}
 
-    #[cfg(not(feature = "ssl"))]
-    fn is_ssl(&self) -> bool {
-        false
+impl HostConnectionConfig {
+    fn is_tls(&self) -> bool {
+        self.tls_config.is_some()
     }
 }
 
@@ -400,7 +401,7 @@ impl Connection {
     async fn new(
         addr: SocketAddr,
         source_port: Option<u16>,
-        config: ConnectionConfig,
+        config: HostConnectionConfig,
     ) -> Result<(Self, ErrorReceiver), ConnectionError> {
         let stream_connector = match source_port {
             Some(p) => {
@@ -1336,7 +1337,7 @@ impl Connection {
     }
 
     async fn run_router(
-        config: ConnectionConfig,
+        config: HostConnectionConfig,
         stream: TcpStream,
         receiver: mpsc::Receiver<Task>,
         error_sender: tokio::sync::oneshot::Sender<ConnectionError>,
@@ -1344,13 +1345,16 @@ impl Connection {
         router_handle: Arc<RouterHandle>,
         node_address: IpAddr,
     ) -> Result<RemoteHandle<()>, std::io::Error> {
-        #[cfg(feature = "ssl")]
-        if let Some(ssl_config) = &config.ssl_config {
-            let ssl = ssl_config.new_ssl()?;
-            let mut stream = SslStream::new(ssl, stream)?;
-            let _pin = Pin::new(&mut stream).connect().await;
-
-            let (task, handle) = Self::router(
+        async fn spawn_router_and_get_handle(
+            config: HostConnectionConfig,
+            stream: (impl AsyncRead + AsyncWrite + Send + 'static),
+            receiver: mpsc::Receiver<Task>,
+            error_sender: tokio::sync::oneshot::Sender<ConnectionError>,
+            orphan_notification_receiver: mpsc::UnboundedReceiver<RequestId>,
+            router_handle: Arc<RouterHandle>,
+            node_address: IpAddr,
+        ) -> RemoteHandle<()> {
+            let (task, handle) = Connection::router(
                 config,
                 stream,
                 receiver,
@@ -1361,10 +1365,60 @@ impl Connection {
             )
             .remote_handle();
             tokio::task::spawn(task);
-            return Ok(handle);
+            handle
         }
 
-        let (task, handle) = Self::router(
+        if let Some(tls_config) = &config.tls_config {
+            // To silence warnings when TlsContext is an empty enum (tls features are disabled).
+            #[allow(unreachable_code)]
+            match tls_config.new_tls()? {
+                #[cfg(feature = "openssl-010")]
+                crate::network::tls::Tls::OpenSsl010(ssl) => {
+                    let mut stream = tokio_openssl::SslStream::new(ssl, stream)
+                        .map_err(crate::network::tls::TlsError::OpenSsl010)?;
+                    std::pin::Pin::new(&mut stream)
+                        .connect()
+                        .await
+                        .map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, e))?;
+                    return Ok(spawn_router_and_get_handle(
+                        config,
+                        stream,
+                        receiver,
+                        error_sender,
+                        orphan_notification_receiver,
+                        router_handle,
+                        node_address,
+                    )
+                    .await);
+                }
+                #[cfg(feature = "rustls-023")]
+                crate::network::tls::Tls::Rustls023 {
+                    connector,
+                    #[cfg(feature = "unstable-cloud")]
+                    sni,
+                } => {
+                    use rustls::pki_types::ServerName;
+                    #[cfg(feature = "unstable-cloud")]
+                    let server_name =
+                        sni.unwrap_or_else(|| ServerName::IpAddress(node_address.into()));
+                    #[cfg(not(feature = "unstable-cloud"))]
+                    let server_name = ServerName::IpAddress(node_address.into());
+                    let stream = connector.connect(server_name, stream).await?;
+                    return Ok(spawn_router_and_get_handle(
+                        config,
+                        stream,
+                        receiver,
+                        error_sender,
+                        orphan_notification_receiver,
+                        router_handle,
+                        node_address,
+                    )
+                    .await);
+                }
+            }
+        }
+
+        Ok(spawn_router_and_get_handle(
             config,
             stream,
             receiver,
@@ -1373,13 +1427,11 @@ impl Connection {
             router_handle,
             node_address,
         )
-        .remote_handle();
-        tokio::task::spawn(task);
-        Ok(handle)
+        .await)
     }
 
     async fn router(
-        config: ConnectionConfig,
+        config: HostConnectionConfig,
         stream: (impl AsyncRead + AsyncWrite),
         receiver: mpsc::Receiver<Task>,
         error_sender: tokio::sync::oneshot::Sender<ConnectionError>,
@@ -1447,7 +1499,7 @@ impl Connection {
     async fn reader(
         mut read_half: (impl AsyncRead + Unpin),
         handler_map: &StdMutex<ResponseHandlerMap>,
-        config: ConnectionConfig,
+        config: HostConnectionConfig,
     ) -> Result<(), BrokenConnectionError> {
         loop {
             let (params, opcode, body) = frame::read_response_frame(&mut read_half)
@@ -1768,16 +1820,16 @@ impl Connection {
 }
 
 async fn maybe_translated_addr(
-    endpoint: UntranslatedEndpoint,
+    endpoint: &UntranslatedEndpoint,
     address_translator: Option<&dyn AddressTranslator>,
 ) -> Result<SocketAddr, TranslationError> {
-    match endpoint {
-        UntranslatedEndpoint::ContactPoint(addr) => Ok(addr.address),
+    match *endpoint {
+        UntranslatedEndpoint::ContactPoint(ref addr) => Ok(addr.address),
         UntranslatedEndpoint::Peer(PeerEndpoint {
             host_id,
             address,
-            datacenter,
-            rack,
+            ref datacenter,
+            ref rack,
         }) => match address {
             NodeAddr::Translatable(addr) => {
                 // In this case, addr is subject to AddressTranslator.
@@ -1786,8 +1838,8 @@ async fn maybe_translated_addr(
                         .translate_address(&UntranslatedPeer {
                             host_id,
                             untranslated_address: addr,
-                            datacenter,
-                            rack,
+                            datacenter: datacenter.as_deref(),
+                            rack: rack.as_deref(),
                         })
                         .await;
                     if let Err(ref err) = res {
@@ -1812,9 +1864,9 @@ async fn maybe_translated_addr(
 ///
 /// At the beginning, translates node's address, if it is subject to address translation.
 pub(super) async fn open_connection(
-    endpoint: UntranslatedEndpoint,
+    endpoint: &UntranslatedEndpoint,
     source_port: Option<u16>,
-    config: &ConnectionConfig,
+    config: &HostConnectionConfig,
 ) -> Result<(Connection, ErrorReceiver), ConnectionError> {
     /* Translate the address, if applicable. */
     let addr = maybe_translated_addr(endpoint, config.address_translator.as_deref()).await?;
@@ -1828,7 +1880,7 @@ pub(super) async fn open_connection(
     // Get OPTIONS SUPPORTED by the cluster.
     let mut supported = connection.get_options().await?;
 
-    let shard_aware_port_key = match config.is_ssl() {
+    let shard_aware_port_key = match config.is_tls() {
         true => options::SCYLLA_SHARD_AWARE_PORT_SSL,
         false => options::SCYLLA_SHARD_AWARE_PORT,
     };
@@ -1930,16 +1982,16 @@ pub(super) async fn open_connection(
 }
 
 pub(super) async fn open_connection_to_shard_aware_port(
-    endpoint: UntranslatedEndpoint,
+    endpoint: &UntranslatedEndpoint,
     shard: Shard,
     sharder: Sharder,
-    connection_config: &ConnectionConfig,
+    config: &HostConnectionConfig,
 ) -> Result<(Connection, ErrorReceiver), ConnectionError> {
     // Create iterator over all possible source ports for this shard
     let source_port_iter = sharder.iter_source_ports_for_shard(shard);
 
     for port in source_port_iter {
-        let connect_result = open_connection(endpoint.clone(), Some(port), connection_config).await;
+        let connect_result = open_connection(endpoint, Some(port), config).await;
 
         match connect_result {
             Err(err) if err.is_address_unavailable_for_use() => continue, // If we can't use this port, try the next one
@@ -2207,7 +2259,7 @@ mod tests {
     use tokio::select;
     use tokio::sync::mpsc;
 
-    use super::{open_connection, ConnectionConfig};
+    use super::{open_connection, HostConnectionConfig};
     use crate::cluster::metadata::UntranslatedEndpoint;
     use crate::cluster::node::ResolvedContactPoint;
     use crate::query::Query;
@@ -2248,12 +2300,12 @@ mod tests {
         let addr: SocketAddr = resolve_hostname(&uri).await;
 
         let (connection, _) = super::open_connection(
-            UntranslatedEndpoint::ContactPoint(ResolvedContactPoint {
+            &UntranslatedEndpoint::ContactPoint(ResolvedContactPoint {
                 address: addr,
                 datacenter: None,
             }),
             None,
-            &ConnectionConfig::default(),
+            &HostConnectionConfig::default(),
         )
         .await
         .unwrap();
@@ -2373,14 +2425,14 @@ mod tests {
 
         let subtest = |enable_coalescing: bool, ks: String| async move {
             let (connection, _) = super::open_connection(
-                UntranslatedEndpoint::ContactPoint(ResolvedContactPoint {
+                &UntranslatedEndpoint::ContactPoint(ResolvedContactPoint {
                     address: addr,
                     datacenter: None,
                 }),
                 None,
-                &ConnectionConfig {
+                &HostConnectionConfig {
                     enable_write_coalescing: enable_coalescing,
-                    ..ConnectionConfig::default()
+                    ..HostConnectionConfig::default()
                 },
             )
             .await
@@ -2465,7 +2517,7 @@ mod tests {
 
         let proxy_addr = SocketAddr::new(scylla_proxy::get_exclusive_local_address(), 9042);
 
-        let config = ConnectionConfig::default();
+        let config = HostConnectionConfig::default();
 
         let (startup_tx, mut startup_rx) = mpsc::unbounded_channel();
 
@@ -2505,8 +2557,12 @@ mod tests {
             .unwrap();
 
         // We must interrupt the driver's full connection opening, because our proxy does not interact further after Startup.
+        let endpoint = UntranslatedEndpoint::ContactPoint(ResolvedContactPoint {
+            address: proxy_addr,
+            datacenter: None,
+        });
         let (startup_without_lwt_optimisation, _shard) = select! {
-            _ = open_connection(UntranslatedEndpoint::ContactPoint(ResolvedContactPoint{address: proxy_addr, datacenter: None}), None, &config) => unreachable!(),
+            _ = open_connection(&endpoint, None, &config) => unreachable!(),
             startup = startup_rx.recv() => startup.unwrap(),
         };
 
@@ -2514,7 +2570,7 @@ mod tests {
             .change_request_rules(Some(make_rules(options_with_lwt_optimisation_support)));
 
         let (startup_with_lwt_optimisation, _shard) = select! {
-            _ = open_connection(UntranslatedEndpoint::ContactPoint(ResolvedContactPoint{address: proxy_addr, datacenter: None}), None, &config) => unreachable!(),
+            _ = open_connection(&endpoint, None, &config) => unreachable!(),
             startup = startup_rx.recv() => startup.unwrap(),
         };
 
@@ -2552,7 +2608,7 @@ mod tests {
             RequestReaction::drop_frame(),
         );
 
-        let config = ConnectionConfig {
+        let config = HostConnectionConfig {
             keepalive_interval: Some(Duration::from_millis(500)),
             keepalive_timeout: Some(Duration::from_secs(1)),
             ..Default::default()
@@ -2573,7 +2629,7 @@ mod tests {
 
         // Setup connection normally, without obstruction
         let (conn, mut error_receiver) = open_connection(
-            UntranslatedEndpoint::ContactPoint(ResolvedContactPoint {
+            &UntranslatedEndpoint::ContactPoint(ResolvedContactPoint {
                 address: proxy_addr,
                 datacenter: None,
             }),
diff --git a/scylla/src/network/connection_pool.rs b/scylla/src/network/connection_pool.rs
index 322b63107f..93667eebfd 100644
--- a/scylla/src/network/connection_pool.rs
+++ b/scylla/src/network/connection_pool.rs
@@ -1,9 +1,6 @@
-#[cfg(feature = "cloud")]
-use crate::cloud::set_ssl_config_for_scylla_cloud_host;
-
 use super::connection::{
     open_connection, open_connection_to_shard_aware_port, Connection, ConnectionConfig,
-    ErrorReceiver, VerifiedKeyspaceName,
+    ErrorReceiver, HostConnectionConfig, VerifiedKeyspaceName,
 };
 
 use crate::errors::{
@@ -13,11 +10,6 @@ use crate::routing::{Shard, ShardCount, Sharder};
 
 use crate::cluster::metadata::{PeerEndpoint, UntranslatedEndpoint};
 
-#[cfg(feature = "cloud")]
-use crate::cluster::node::resolve_hostname;
-
-#[cfg(feature = "cloud")]
-use crate::cluster::node::ResolvedContactPoint;
 use crate::cluster::NodeAddr;
 
 use arc_swap::ArcSwap;
@@ -62,16 +54,43 @@ pub(crate) struct PoolConfig {
     pub(crate) connection_config: ConnectionConfig,
     pub(crate) pool_size: PoolSize,
     pub(crate) can_use_shard_aware_port: bool,
-    pub(crate) keepalive_interval: Option<Duration>,
 }
 
+#[cfg(test)]
 impl Default for PoolConfig {
     fn default() -> Self {
         Self {
             connection_config: Default::default(),
             pool_size: Default::default(),
             can_use_shard_aware_port: true,
-            keepalive_interval: None,
+        }
+    }
+}
+
+impl PoolConfig {
+    fn to_host_pool_config(&self, endpoint: &UntranslatedEndpoint) -> HostPoolConfig {
+        HostPoolConfig {
+            connection_config: self.connection_config.to_host_connection_config(endpoint),
+            pool_size: self.pool_size,
+            can_use_shard_aware_port: self.can_use_shard_aware_port,
+        }
+    }
+}
+
+#[derive(Clone)]
+struct HostPoolConfig {
+    pub(crate) connection_config: HostConnectionConfig,
+    pub(crate) pool_size: PoolSize,
+    pub(crate) can_use_shard_aware_port: bool,
+}
+
+#[cfg(test)]
+impl Default for HostPoolConfig {
+    fn default() -> Self {
+        Self {
+            connection_config: Default::default(),
+            pool_size: Default::default(),
+            can_use_shard_aware_port: true,
         }
     }
 }
@@ -171,43 +190,20 @@ impl std::fmt::Debug for NodeConnectionPool {
 impl NodeConnectionPool {
     pub(crate) fn new(
         endpoint: UntranslatedEndpoint,
-        #[allow(unused_mut)] mut pool_config: PoolConfig, // `mut` needed only with "cloud" feature
+        pool_config: &PoolConfig,
         current_keyspace: Option<VerifiedKeyspaceName>,
         pool_empty_notifier: broadcast::Sender<()>,
     ) -> Self {
         let (use_keyspace_request_sender, use_keyspace_request_receiver) = mpsc::channel(1);
         let pool_updated_notify = Arc::new(Notify::new());
 
-        #[cfg(feature = "cloud")]
-        if pool_config.connection_config.cloud_config.is_some() {
-            let (host_id, address, dc) = match endpoint {
-                UntranslatedEndpoint::ContactPoint(ResolvedContactPoint {
-                    address,
-                    ref datacenter,
-                }) => (None, address, datacenter.as_deref()), // FIXME: Pass DC in ContactPoint
-                UntranslatedEndpoint::Peer(PeerEndpoint {
-                    host_id,
-                    address,
-                    ref datacenter,
-                    ..
-                }) => (Some(host_id), address.into_inner(), datacenter.as_deref()),
-            };
-            set_ssl_config_for_scylla_cloud_host(host_id, dc, address, &mut pool_config.connection_config)
-                .unwrap_or_else(|err| warn!(
-                    "SslContext for SNI connection to Scylla Cloud node {{ host_id={:?}, dc={:?} at {} }} could not be set up: {}\n Proceeding with attempting probably nonworking connection",
-                    host_id,
-                    dc,
-                    address,
-                    err
-                )
-            );
-        }
+        let host_pool_config = pool_config.to_host_pool_config(&endpoint);
 
         let arced_endpoint = Arc::new(RwLock::new(endpoint));
 
         let refiller = PoolRefiller::new(
             arced_endpoint.clone(),
-            pool_config,
+            host_pool_config,
             current_keyspace,
             pool_updated_notify.clone(),
             pool_empty_notifier,
@@ -338,10 +334,10 @@ impl NodeConnectionPool {
                 response_sender,
             })
             .await
-            .expect("Bug in ConnectionKeeper::use_keyspace sending");
-        // Other end of this channel is in the Refiller, can't be dropped while we have &self to _refiller_handle
+            .expect("Bug in NodeConnectionPool::use_keyspace sending");
+        // Other end of this channel is in the PoolRefiller, can't be dropped while we have &self to _refiller_handle
 
-        response_receiver.await.unwrap() // NodePoolRefiller always responds
+        response_receiver.await.unwrap() // PoolRefiller always responds
     }
 
     // Waits until the pool becomes initialized.
@@ -438,7 +434,7 @@ impl RefillDelayStrategy {
 
 struct PoolRefiller {
     // Following information identify the pool and do not change
-    pool_config: PoolConfig,
+    pool_config: HostPoolConfig,
 
     // Following information is subject to updates on topology refresh
     endpoint: Arc<RwLock<UntranslatedEndpoint>>,
@@ -499,7 +495,7 @@ struct UseKeyspaceRequest {
 impl PoolRefiller {
     pub(crate) fn new(
         endpoint: Arc<RwLock<UntranslatedEndpoint>>,
-        pool_config: PoolConfig,
+        pool_config: HostPoolConfig,
         current_keyspace: Option<VerifiedKeyspaceName>,
         pool_updated_notify: Arc<Notify>,
         pool_empty_notifier: broadcast::Sender<()>,
@@ -860,89 +856,22 @@ impl PoolRefiller {
         }
     }
 
-    #[cfg(not(feature = "cloud"))]
-    fn maybe_translate_for_serverless(
-        &self,
-        endpoint: UntranslatedEndpoint,
-    ) -> impl Future<Output = UntranslatedEndpoint> {
-        // We are not in serverless Cloud, so no modifications are necessary here.
-        async move { endpoint }
-    }
-
-    #[cfg(feature = "cloud")]
-    fn maybe_translate_for_serverless(
-        &self,
-        mut endpoint: UntranslatedEndpoint,
-    ) -> impl Future<Output = UntranslatedEndpoint> {
-        let cloud_config = self.pool_config.connection_config.cloud_config.clone();
-        async move {
-            if let Some(cloud_config) = cloud_config {
-                // If we operate in the serverless Cloud, then we substitute every node's address
-                // with the address of the proxy in the datacenter that the node resides in.
-                if let UntranslatedEndpoint::Peer(PeerEndpoint {
-                    host_id,
-                    ref mut address,
-                    ref datacenter,
-                    ..
-                }) = endpoint
-                {
-                    if let Some(dc) = datacenter.as_deref() {
-                        if let Some(dc_config) = cloud_config.get_datacenters().get(dc) {
-                            let hostname = dc_config.get_server();
-                            if let Ok(resolved) = resolve_hostname(hostname).await {
-                                *address = NodeAddr::Untranslatable(resolved)
-                            } else {
-                                warn!(
-                                        "Couldn't resolve address: {} of datacenter {} that node {} resides in; therefore address \
-                                         broadcast by the node was left as address to open connection to.",
-                                        hostname, dc, host_id
-                                    );
-                            }
-                        } else {
-                            warn!( // FIXME: perhaps error! would fit here better?
-                                    "Datacenter {} that node {} resides in not found in the Cloud config; ; therefore address \
-                                     broadcast by the node was left as address to open connection to.",
-                                    dc, host_id
-                                );
-                        }
-                    } else {
-                        warn!( // FIXME: perhaps error! would fit here better?
-                                "Datacenter for node {} is empty in the Metadata fetched from the Cloud cluster; ; therefore address \
-                                 broadcast by the node was left as address to open connection to.",
-                                host_id
-                            );
-                    }
-                }
-                endpoint
-            } else {
-                // We are not in serverless Cloud, so no modifications are necessary here.
-                endpoint
-            }
-        }
-    }
-
     // Starts opening a new connection in the background. The result of connecting
     // will be available on `ready_connections`. If the shard is specified and
     // the shard aware port is available, it will attempt to connect directly
     // to the shard using the port.
     fn start_opening_connection(&self, shard: Option<Shard>) {
         let cfg = self.pool_config.connection_config.clone();
-        let endpoint = self.endpoint.read().unwrap().clone();
-
-        // If we operate in the serverless Cloud, then we substitute every node's address
-        // with the address of the proxy in the datacenter that the node resides in.
-        // As this may may involve resolving a hostname, the whole operation is async.
-        let endpoint_fut = self.maybe_translate_for_serverless(endpoint);
+        let mut endpoint = self.endpoint.read().unwrap().clone();
 
         let fut = match (self.sharder.clone(), self.shard_aware_port, shard) {
             (Some(sharder), Some(port), Some(shard)) => async move {
                 let shard_aware_endpoint = {
-                    let mut endpoint = endpoint_fut.await;
                     endpoint.set_port(port);
                     endpoint
                 };
                 let result = open_connection_to_shard_aware_port(
-                    shard_aware_endpoint,
+                    &shard_aware_endpoint,
                     shard,
                     sharder.clone(),
                     &cfg,
@@ -956,8 +885,8 @@ impl PoolRefiller {
             }
             .boxed(),
             _ => async move {
-                let non_shard_aware_endpoint = endpoint_fut.await;
-                let result = open_connection(non_shard_aware_endpoint, None, &cfg).await;
+                let non_shard_aware_endpoint = endpoint;
+                let result = open_connection(&non_shard_aware_endpoint, None, &cfg).await;
                 OpenedConnectionEvent {
                     result,
                     requested_shard: None,
@@ -1206,8 +1135,7 @@ struct OpenedConnectionEvent {
 
 #[cfg(test)]
 mod tests {
-    use super::super::connection::open_connection_to_shard_aware_port;
-    use super::ConnectionConfig;
+    use super::super::connection::{open_connection_to_shard_aware_port, HostConnectionConfig};
     use crate::cluster::metadata::UntranslatedEndpoint;
     use crate::cluster::node::ResolvedContactPoint;
     use crate::routing::{ShardCount, Sharder};
@@ -1230,11 +1158,10 @@ mod tests {
             .next()
             .unwrap();
 
-        let connection_config = ConnectionConfig {
+        let connection_config = HostConnectionConfig {
             compression: None,
             tcp_nodelay: true,
-            #[cfg(feature = "ssl")]
-            ssl_config: None,
+            tls_config: None,
             ..Default::default()
         };
 
@@ -1243,20 +1170,15 @@ mod tests {
         // to the right shard
         let sharder = Sharder::new(ShardCount::new(3).unwrap(), 12);
 
+        let endpoint = UntranslatedEndpoint::ContactPoint(ResolvedContactPoint {
+            address: connect_address,
+            datacenter: None,
+        });
+
         // Open the connections
-        let mut conns = Vec::new();
-
-        for _ in 0..connections_number {
-            conns.push(open_connection_to_shard_aware_port(
-                UntranslatedEndpoint::ContactPoint(ResolvedContactPoint {
-                    address: connect_address,
-                    datacenter: None,
-                }),
-                0,
-                sharder.clone(),
-                &connection_config,
-            ));
-        }
+        let conns = (0..connections_number).map(|_| {
+            open_connection_to_shard_aware_port(&endpoint, 0, sharder.clone(), &connection_config)
+        });
 
         let joined = futures::future::join_all(conns).await;
 
diff --git a/scylla/src/network/mod.rs b/scylla/src/network/mod.rs
index 308e65a7ab..5cd0e2fc7e 100644
--- a/scylla/src/network/mod.rs
+++ b/scylla/src/network/mod.rs
@@ -5,11 +5,11 @@
 //! - NodeConnectionPool - a manager that keeps a desired number of connections opened to each shard.
 
 mod connection;
-#[cfg(feature = "ssl")]
-pub(crate) use connection::SslConfig;
 pub(crate) use connection::{Connection, ConnectionConfig, VerifiedKeyspaceName};
 
 mod connection_pool;
 
 pub use connection_pool::PoolSize;
 pub(crate) use connection_pool::{NodeConnectionPool, PoolConfig};
+
+pub(crate) mod tls;
diff --git a/scylla/src/network/tls.rs b/scylla/src/network/tls.rs
new file mode 100644
index 0000000000..0d84a302eb
--- /dev/null
+++ b/scylla/src/network/tls.rs
@@ -0,0 +1,221 @@
+//! This module contains abstractions related to the TLS layer of driver connections.
+//!
+//! The full picture looks like this:
+//!
+//! ┌─←─ TlsContext (openssl::SslContext / rustls::ClientConfig)
+//! │
+//! ├─←─ CloudConfig (powered by either TLS backend)
+//! │
+//! │ gets wrapped in
+//! │
+//! ↳TlsProvider (same for all connections)
+//!   │
+//!   │ produces
+//!   │
+//!   ↳TlsConfig (specific for the particular connection)
+//!     │
+//!     │ produces
+//!     │
+//!     ↳Tls (wrapper over TCP stream which adds encryption)
+
+use std::io;
+#[cfg(feature = "unstable-cloud")]
+use std::sync::Arc;
+
+#[cfg(feature = "unstable-cloud")]
+use tracing::warn;
+#[cfg(feature = "unstable-cloud")]
+use uuid::Uuid;
+
+use crate::client::session::TlsContext;
+#[cfg(feature = "unstable-cloud")]
+use crate::cloud::CloudConfig;
+#[cfg(feature = "unstable-cloud")]
+use crate::cluster::metadata::PeerEndpoint;
+use crate::cluster::metadata::UntranslatedEndpoint;
+#[cfg(feature = "unstable-cloud")]
+use crate::cluster::node::ResolvedContactPoint;
+
+/// Abstraction capable of producing [TlsConfig] for connections on-demand.
+#[derive(Clone)] // Cheaply clonable (reference-counted)
+pub(crate) enum TlsProvider {
+    GlobalContext(TlsContext),
+    #[cfg(feature = "unstable-cloud")]
+    ScyllaCloud(Arc<CloudConfig>),
+}
+
+impl TlsProvider {
+    /// Used in case when the user provided their own [TlsContext] to be used in all connections.
+    pub(crate) fn new_with_global_context(context: TlsContext) -> Self {
+        Self::GlobalContext(context)
+    }
+
+    /// Used in the cloud case.
+    #[cfg(feature = "unstable-cloud")]
+    pub(crate) fn new_cloud(cloud_config: Arc<CloudConfig>) -> Self {
+        Self::ScyllaCloud(cloud_config)
+    }
+
+    /// Produces a [TlsConfig] that is specific for the given endpoint.
+    pub(crate) fn make_tls_config(
+        &self,
+        // Currently, this is only used for cloud; but it makes abstract sense to pass endpoint here
+        // also for non-cloud cases, so let's just allow(unused).
+        #[allow(unused)] endpoint: &UntranslatedEndpoint,
+    ) -> Option<TlsConfig> {
+        match self {
+            TlsProvider::GlobalContext(context) => {
+                Some(TlsConfig::new_with_global_context(context.clone()))
+            }
+            #[cfg(feature = "unstable-cloud")]
+            TlsProvider::ScyllaCloud(cloud_config) => {
+                let (host_id, address, dc) = match *endpoint {
+                    UntranslatedEndpoint::ContactPoint(ResolvedContactPoint {
+                        address,
+                        ref datacenter,
+                    }) => (None, address, datacenter.as_deref()), // FIXME: Pass DC in ContactPoint
+                    UntranslatedEndpoint::Peer(PeerEndpoint {
+                        host_id,
+                        address,
+                        ref datacenter,
+                        ..
+                    }) => (Some(host_id), address.into_inner(), datacenter.as_deref()),
+                };
+
+                cloud_config.make_tls_config_for_scylla_cloud_host(host_id, dc, address)
+                    // inspect_err() is stable since 1.76.
+                    // TODO: use inspect_err once we bump MSRV to at least 1.76.
+                    .map_err(|err| {
+                        warn!(
+                            "TlsProvider for SNI connection to Scylla Cloud node {{ host_id={:?}, dc={:?} at {} }} could not be set up: {}\n Proceeding with attempting probably nonworking connection",
+                            host_id,
+                            dc,
+                            address,
+                            err
+                        );
+                    }).ok().flatten()
+            }
+        }
+    }
+}
+
+/// Encapsulates TLS-regarding configuration that is specific for a particular endpoint.
+///
+/// Both use cases are supported:
+/// 1. User-provided global TlsContext. Then, the global TlsContext is simply cloned here.
+/// 2. Serverless Cloud. Then the TlsContext is customized for the given endpoint,
+///    and its SNI information is stored alongside.
+#[derive(Clone)]
+pub(crate) struct TlsConfig {
+    context: TlsContext,
+    #[cfg(feature = "unstable-cloud")]
+    sni: Option<String>,
+}
+
+/// An abstraction over connection's TLS layer which holds its state and configuration.
+pub(crate) enum Tls {
+    #[cfg(feature = "openssl-010")]
+    OpenSsl010(openssl::ssl::Ssl),
+    #[cfg(feature = "rustls-023")]
+    Rustls023 {
+        connector: tokio_rustls::TlsConnector,
+        #[cfg(feature = "unstable-cloud")]
+        sni: Option<rustls::pki_types::ServerName<'static>>,
+    },
+}
+
+/// A wrapper around a TLS error.
+///
+/// The original error came from one of the supported TLS backends.
+#[derive(Debug, thiserror::Error)]
+#[error(transparent)]
+#[non_exhaustive]
+pub enum TlsError {
+    #[cfg(feature = "openssl-010")]
+    OpenSsl010(#[from] openssl::error::ErrorStack),
+    #[cfg(feature = "rustls-023")]
+    InvalidName(#[from] rustls::pki_types::InvalidDnsNameError),
+    #[cfg(feature = "rustls-023")]
+    PemParse(#[from] rustls::pki_types::pem::Error),
+    #[cfg(feature = "rustls-023")]
+    Rustls023(#[from] rustls::Error),
+}
+
+impl From<TlsError> for io::Error {
+    fn from(value: TlsError) -> Self {
+        match value {
+            #[cfg(feature = "openssl-010")]
+            TlsError::OpenSsl010(e) => e.into(),
+            #[cfg(feature = "rustls-023")]
+            TlsError::InvalidName(e) => io::Error::new(io::ErrorKind::Other, e),
+            #[cfg(feature = "rustls-023")]
+            TlsError::PemParse(e) => io::Error::new(io::ErrorKind::Other, e),
+            #[cfg(feature = "rustls-023")]
+            TlsError::Rustls023(e) => io::Error::new(io::ErrorKind::Other, e),
+        }
+    }
+}
+
+impl TlsConfig {
+    /// Used in case when the user provided their own TlsContext to be used in all connections.
+    pub(crate) fn new_with_global_context(context: TlsContext) -> Self {
+        Self {
+            context,
+            #[cfg(feature = "unstable-cloud")]
+            sni: None,
+        }
+    }
+
+    /// Used in case of Serverless Cloud connections.
+    #[cfg(feature = "unstable-cloud")]
+    pub(crate) fn new_for_sni(
+        context: TlsContext,
+        domain_name: &str,
+        host_id: Option<Uuid>,
+    ) -> Self {
+        Self {
+            context,
+            #[cfg(feature = "unstable-cloud")]
+            sni: Some(if let Some(host_id) = host_id {
+                format!("{}.{}", host_id, domain_name)
+            } else {
+                domain_name.into()
+            }),
+        }
+    }
+
+    /// Produces a new Tls object that is able to wrap a TCP stream.
+    pub(crate) fn new_tls(&self) -> Result<Tls, TlsError> {
+        // To silence warnings when TlsContext is an empty enum (tls features are disabled).
+        #[allow(unreachable_code)]
+        match self.context {
+            #[cfg(feature = "openssl-010")]
+            TlsContext::OpenSsl010(ref context) => {
+                #[allow(unused_mut)]
+                let mut ssl = openssl::ssl::Ssl::new(context)?;
+                #[cfg(feature = "unstable-cloud")]
+                if let Some(sni) = self.sni.as_ref() {
+                    ssl.set_hostname(sni)?;
+                }
+                Ok(Tls::OpenSsl010(ssl))
+            }
+            #[cfg(feature = "rustls-023")]
+            TlsContext::Rustls023(ref config) => {
+                let connector = tokio_rustls::TlsConnector::from(config.clone());
+                #[cfg(feature = "unstable-cloud")]
+                let sni = self
+                    .sni
+                    .as_deref()
+                    .map(rustls::pki_types::ServerName::try_from)
+                    .transpose()?
+                    .map(|s| s.to_owned());
+
+                Ok(Tls::Rustls023 {
+                    connector,
+                    #[cfg(feature = "unstable-cloud")]
+                    sni,
+                })
+            }
+        }
+    }
+}
diff --git a/scylla/src/policies/address_translator.rs b/scylla/src/policies/address_translator.rs
index db88068092..59b7885126 100644
--- a/scylla/src/policies/address_translator.rs
+++ b/scylla/src/policies/address_translator.rs
@@ -3,10 +3,48 @@ use std::net::SocketAddr;
 use std::str::FromStr as _;
 
 use async_trait::async_trait;
+use uuid::Uuid;
 
-use crate::cluster::metadata::UntranslatedPeer;
 use crate::errors::TranslationError;
 
+/// Data used to issue connections to a node that is possibly subject to address translation.
+///
+/// Built from `PeerEndpoint` if its `NodeAddr` variant implies address translation possibility.
+#[derive(Debug)]
+pub struct UntranslatedPeer<'a> {
+    pub(crate) host_id: Uuid,
+    pub(crate) untranslated_address: SocketAddr,
+    pub(crate) datacenter: Option<&'a str>,
+    pub(crate) rack: Option<&'a str>,
+}
+
+impl UntranslatedPeer<'_> {
+    /// The unique identifier of the node in the cluster.
+    #[inline]
+    pub fn host_id(&self) -> Uuid {
+        self.host_id
+    }
+
+    /// The address of the node in the cluster as broadcast by the node itself.
+    /// It may be subject to address translation.
+    #[inline]
+    pub fn untranslated_address(&self) -> SocketAddr {
+        self.untranslated_address
+    }
+
+    /// The datacenter the node resides in.
+    #[inline]
+    pub fn datacenter(&self) -> Option<&str> {
+        self.datacenter
+    }
+
+    /// The rack the node resides in.
+    #[inline]
+    pub fn rack(&self) -> Option<&str> {
+        self.rack
+    }
+}
+
 /// Translates IP addresses received from ScyllaDB nodes into locally reachable addresses.
 ///
 /// The driver auto-detects new ScyllaDB nodes added to the cluster through server side pushed
@@ -37,10 +75,10 @@ impl AddressTranslator for HashMap<SocketAddr, SocketAddr> {
         &self,
         untranslated_peer: &UntranslatedPeer,
     ) -> Result<SocketAddr, TranslationError> {
-        match self.get(&untranslated_peer.untranslated_address) {
+        match self.get(&untranslated_peer.untranslated_address()) {
             Some(&translated_addr) => Ok(translated_addr),
             None => Err(TranslationError::NoRuleForAddress(
-                untranslated_peer.untranslated_address,
+                untranslated_peer.untranslated_address(),
             )),
         }
     }
@@ -56,7 +94,7 @@ impl AddressTranslator for HashMap<&'static str, &'static str> {
     ) -> Result<SocketAddr, TranslationError> {
         for (&rule_addr_str, &translated_addr_str) in self.iter() {
             if let Ok(rule_addr) = SocketAddr::from_str(rule_addr_str) {
-                if rule_addr == untranslated_peer.untranslated_address {
+                if rule_addr == untranslated_peer.untranslated_address() {
                     return SocketAddr::from_str(translated_addr_str).map_err(|reason| {
                         TranslationError::InvalidAddressInRule {
                             translated_addr_str,
@@ -67,7 +105,7 @@ impl AddressTranslator for HashMap<&'static str, &'static str> {
             }
         }
         Err(TranslationError::NoRuleForAddress(
-            untranslated_peer.untranslated_address,
+            untranslated_peer.untranslated_address(),
         ))
     }
 }
diff --git a/scylla/src/routing/locator/test.rs b/scylla/src/routing/locator/test.rs
index e0205c101e..a14d9f3632 100644
--- a/scylla/src/routing/locator/test.rs
+++ b/scylla/src/routing/locator/test.rs
@@ -182,12 +182,7 @@ pub(crate) fn create_ring(metadata: &Metadata) -> impl Iterator<Item = (Token, A
     let mut ring: Vec<(Token, Arc<Node>)> = Vec::new();
 
     for peer in &metadata.peers {
-        let node = Arc::new(Node::new(
-            peer.to_peer_endpoint(),
-            pool_config.clone(),
-            None,
-            true,
-        ));
+        let node = Arc::new(Node::new(peer.to_peer_endpoint(), &pool_config, None, true));
 
         for token in &peer.tokens {
             ring.push((*token, node.clone()));
diff --git a/scylla/src/utils/test_utils.rs b/scylla/src/utils/test_utils.rs
index 45f3486988..c99a21d1da 100644
--- a/scylla/src/utils/test_utils.rs
+++ b/scylla/src/utils/test_utils.rs
@@ -91,7 +91,12 @@ pub(crate) fn create_new_session_builder() -> GenericSessionBuilder<impl Session
             use std::path::Path;
 
             std::env::var("CLOUD_CONFIG_PATH")
-                .map(|config_path| CloudSessionBuilder::new(Path::new(&config_path)))
+                .map(|config_path| {
+                    CloudSessionBuilder::new(
+                        Path::new(&config_path),
+                        crate::cloud::CloudTlsProvider::OpenSsl010,
+                    )
+                })
                 .expect("Failed to initialize CloudSessionBuilder")
                 .expect("CLOUD_CONFIG_PATH environment variable is missing")
         }
diff --git a/scylla/tests/integration/utils.rs b/scylla/tests/integration/utils.rs
index 3d18f509cb..137440ebf6 100644
--- a/scylla/tests/integration/utils.rs
+++ b/scylla/tests/integration/utils.rs
@@ -154,7 +154,12 @@ pub(crate) fn create_new_session_builder() -> GenericSessionBuilder<impl Session
             use std::path::Path;
 
             std::env::var("CLOUD_CONFIG_PATH")
-                .map(|config_path| CloudSessionBuilder::new(Path::new(&config_path)))
+                .map(|config_path| {
+                    CloudSessionBuilder::new(
+                        Path::new(&config_path),
+                        scylla::cloud::CloudTlsProvider::OpenSsl010,
+                    )
+                })
                 .expect("Failed to initialize CloudSessionBuilder")
                 .expect("CLOUD_CONFIG_PATH environment variable is missing")
         }
diff --git a/test/tls/ca.crt b/test/tls/ca.crt
index 83304e18b9..0a53b8eccb 100644
--- a/test/tls/ca.crt
+++ b/test/tls/ca.crt
@@ -1,23 +1,38 @@
 -----BEGIN CERTIFICATE-----
-MIID5TCCAs2gAwIBAgIUIz5sdjquoebzlA6s3gQNRsYV5jUwDQYJKoZIhvcNAQEL
-BQAwgYExCzAJBgNVBAYTAlBMMQowCAYDVQQIDAFNMQ8wDQYDVQQHDAZXYXJzYXcx
-DzANBgNVBAoMBlNjeWxsYTEVMBMGA1UECwwMdGVzdGluZ19yb290MRUwEwYDVQQD
-DAx0ZXN0aW5nX3Jvb3QxFjAUBgkqhkiG9w0BCQEWB2Zvb0BiYXIwHhcNMjEwMzMw
-MTI1ODUwWhcNNDEwMzI1MTI1ODUwWjCBgTELMAkGA1UEBhMCUEwxCjAIBgNVBAgM
-AU0xDzANBgNVBAcMBldhcnNhdzEPMA0GA1UECgwGU2N5bGxhMRUwEwYDVQQLDAx0
-ZXN0aW5nX3Jvb3QxFTATBgNVBAMMDHRlc3Rpbmdfcm9vdDEWMBQGCSqGSIb3DQEJ
-ARYHZm9vQGJhcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANlzsXih
-nryaSUSf/sXD6oDeU2m0/Fn/HvKL97BwdDKBz3kbs7fyztDCJyvRa24f679cQ1Av
-5RqmemTU7m0KaTmJy9cXewjD7P1gDF8K4GumiekBgIsPNyBwVk5TQJBkvPPwjreP
-JSj2wlXA7FXc9uUuNVx1ku6ElpK0pWt18uU8+nVRAeZTVZ7ppgmh/aRmMOFNPs6z
-Lb9liNJAKPCR7iIALLnpiQOXHMnj+6+o8wMOMD4ehFY8XHYd0TYj5w+OD4tNOjfb
-6m21gBaqoMjVVvBq+pmuHDT+oiLyBXpIQ9LNFBXnd/LyqTFiFjoT4yEPgWtpgScQ
-CVqi+EJBryRXmUMCAwEAAaNTMFEwHQYDVR0OBBYEFL5PBn2IWZvz5Ce259Z7vym1
-tNKDMB8GA1UdIwQYMBaAFL5PBn2IWZvz5Ce259Z7vym1tNKDMA8GA1UdEwEB/wQF
-MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAAojwm/3pqAYSBKdq2dqRYvMrVF2a1yE
-d5R8AnR/r0vfJEvw9pa+Y8kC/XRezODSiA2HSTTRDI3HxEyixMwLewyS+VcDHYvp
-pLZQuCD5zzuq6hWj22o0XklX441TZbkfimzAVhCxlSoufj0l9AG8Ae/xHrOy/Dcd
-uzPmnrw9XDb9PkoJHjji3Apb2HjSjO3b17+Pb9TA1YZNiil+jOjwJ8L5UdLw/dYQ
-gu5MSxQOerq3wMTY8CUIDMrJMdKenQSGoCEcgLpF27utuUbZGJhFnRe9j1H4der1
-RSFMXoVZLI/69iQHmNC3+3keHK1W+CgMliWQ5cF2cly2otAxATriOxM=
+MIIGrzCCBJegAwIBAgIUXuD+AmFl/IIcbc1gL9MrYgCJaRcwDQYJKoZIhvcNAQEL
+BQAwgY4xCzAJBgNVBAYTAlBMMQwwCgYDVQQIDANNYXoxDzANBgNVBAcMBldhcnNh
+dzEWMBQGA1UECgwNc2N5bGxhX3NlcnZlcjEVMBMGA1UECwwMdGVzdGluZ19tYWlu
+MRUwEwYDVQQDDAx0ZXN0aW5nX21haW4xGjAYBgkqhkiG9w0BCQEWC2JhckBiYXIu
+Y29tMB4XDTI1MDIxMzEzMzk1NVoXDTM1MDIxMTEzMzk1NVowgY4xCzAJBgNVBAYT
+AlBMMQwwCgYDVQQIDANNYXoxDzANBgNVBAcMBldhcnNhdzEWMBQGA1UECgwNc2N5
+bGxhX3NlcnZlcjEVMBMGA1UECwwMdGVzdGluZ19tYWluMRUwEwYDVQQDDAx0ZXN0
+aW5nX21haW4xGjAYBgkqhkiG9w0BCQEWC2JhckBiYXIuY29tMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAtxSyRPCXzfK0oj6JNAMBgN64fVuU+VuDD/2+
+xi7HCiCyw4ynXFSUQpfyU6oyhSTCoc1fQKOIdKk2/9U7WaLOvaBXcp/rEfnts6j9
+e3vaq1rOBLs0ezAPYpBNqGXRjhNeJaF0FbYz1Uewn2ObKbvxJslbTEYIh8yI9N45
+zKaPHB9oFmY/KONKX7NFfKcb/qnpRc+zamKBjkcTFJo7AXHNmEj0H4prgQWKCoz0
+X8TJo3xWvS6/AP9g5M+kTXTDZ2mroJ5BTvXekYBkGuhUz6/t6rET7judgwHKQcHs
+lTSyqo6MqS07bHIaCr2f5mcafT1BWnq8Aya2tiGbbG8tRQF2gKeBQ982TMSiSspo
+z6fXF3ZSdkXNIoflaEQ9xA2X1QYcEnn+OgI3HWC3R5tjMFGjMjsJa4zhVHCuChqV
+a8zHolgcuGUdBn0/cRCu+rJe0/OYflH4cSnXfP8z6JuDBMRzAc3RLCqJapcs7Wd3
+Bl0MC6oKCJ4i5urEto2yhyLnV0zr5fs2S8+StCZuT5aw7bdyP5q1ZTyllRHw7gjW
+jhNOjLNOpIvckcwyRHgyQRfJz68Hr403yFlnLbczULhFldovIAjQuIExu/Z78G1a
+n6ldwqGIoCGz+yM5KI6yymBJu6jQ6DZnhu4UcaECJbr+CQdeYPTqSZHG/zLCM6Ra
+XVs7wvUCAwEAAaOCAQEwgf4wHQYDVR0OBBYEFE/iqxGdcPWUyAwe+xJUmt/21f7U
+MIHOBgNVHSMEgcYwgcOAFE/iqxGdcPWUyAwe+xJUmt/21f7UoYGUpIGRMIGOMQsw
+CQYDVQQGEwJQTDEMMAoGA1UECAwDTWF6MQ8wDQYDVQQHDAZXYXJzYXcxFjAUBgNV
+BAoMDXNjeWxsYV9zZXJ2ZXIxFTATBgNVBAsMDHRlc3RpbmdfbWFpbjEVMBMGA1UE
+AwwMdGVzdGluZ19tYWluMRowGAYJKoZIhvcNAQkBFgtiYXJAYmFyLmNvbYIUXuD+
+AmFl/IIcbc1gL9MrYgCJaRcwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEAqhCo5YTQ/tw8/c261jE43BUuv6q1cSBzOQedasTWuwGiz1GWWMY8x06rWisn
+YSc1KJF8zzHYFzDFTPGksIFrKpX2p/pPW2xPJWzD0rs96sx+un9vo6CSXNmWYZty
+LSulDjeWYYimLZgtvkASnzhoXeeyr2/0dNxuKa9cJSDmH7pe+aAoDPEO5dGEBArb
+D2zQnwyZb0Ycgt51jHjH+0N6sApWWp69oe8GevNlsjsMcenUVUiKujBBu7bEhMHW
+7P6tteaJ9zCwhRnapKyQdZ1v44viF3UNi2xGqeML0t6QEn5/2ODWZkd0VnGM2AsU
+25+uEWscBAKpGPLCzbUkkcwfxzbRN82jvvhGCrucdbB3XTbRXshC1Z5RYcUQz48Z
++kD+B9SZvP8Pj7s6u/6ILegw5MknBMBcaHwd6HNwJQ2Ud1439XSjV6c+JTHgHYbs
+JxjpWddXreqsO4oTE+3QY5seZlcSRxZvN5zadfCJZV4g8bc7QMwZVmNKC8un1iqN
+6LxnbTx0zwlo+Ha7wVW3toxBb92UZdEmSklOSRftfawD1Dw/21e3/xy4wp0tfZBE
+rre6ZaOQIENV3RqJ3QNJdiK55PQjC6n2aoLv57pHPHJtdbwkhl0tLYPcpKMDFRTB
+g+DxOE3K6/vGN7F2qC/kxzVM79BbxP1mIBxSdQoNW2QLZXM=
 -----END CERTIFICATE-----
diff --git a/test/tls/ca.key b/test/tls/ca.key
index 33c77f3d04..5135745408 100644
--- a/test/tls/ca.key
+++ b/test/tls/ca.key
@@ -1,30 +1,52 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,12F7BC95B6632DA5D2ABBA7EA0D79175
-
-6OPwx09lrxuK6XnSB4tVGcpwZy9aV+yDME7F8NgEyNPYc9M/Pggbl4uBUBBFmRng
-/VqcXlNxTqRy60b4iONdTbWC1QcRM7Ef9S5JfC6Vwf37mu5BKl11fdd0R+HmRzLT
-HL7GxbkxpOmMmj6zKRCFX4h4v8BN2QHzuYqLn7tD90CFNuVdBud5YYO0KUCV9t8h
-FOV1aPzHLTrzzIZ3IqsY5aza573v/YExbmmkrBNaTB5Oebq7vBlblRp+3BZvuxGr
-MhgsMSjL5+BdpYrYhQga3IcDqJMFEOMxy+qNbDxhkPVPWq4ko0IRpr8ko+SvxVvJ
-Vt6VqK0A3daVdaqMPQqLFAFxf5poixATEQDIb2nWOGPQ7qqfZrBdnKFFwc/DYq5S
-flUpLg/WA1YDt7tpx/j+pQrz1ER6vuHDxQa4MKzXSpDvk2vEuhQVibvAT9AEowIZ
-0Q6TLaidyft5EOA0C4zGygiI4A5rW4gTx70M/iuHBfb81t6/6LfMmHJDcOm7z6l5
-nB4akd2gG1rkOLWNP9vMdyx7NbitRgCl7ukENpjdoGry1B3Ty5QSz4W7HoeifWNM
-t9JoM5OaLWiooMjUKlwhLjmiTBOXkTJcfaDzH+W5tYwWHSSM8xWGGrlqP7srdt7z
-PZxquIlDSM3RNLHIOV0wPOLhk22AMGqt9ey6sN5W4lmHUUwjRjgb/pA4cZMqNNXe
-9GobVCaWdHqbU9HYvyk6cdLoCdq+D1oRWoVVooTZhFT6PJKHR4KUgniIZTnJDnDZ
-fCyxMqBsRWJAmw4b6jzEza0XPx/RQCoOWI1Y3CECawE//WYht2BExvJmBzHokLeT
-JpMETxSzTA2ZCUwH++kaloBwpvnvu8mhhLVhAAIaoEy05Ay5peEINU8bFxy2XpS4
-69w2oUIa4FSxAo7l5rVISYfArVYU8b7PmYgKxAAUzZRH26ubkiQmssUJpO7pe0sK
-rpWBS5yXicPHqNAk98PG300JqQAoPWW1isPWkz21+xUC3SeqfAUChwSD5fN4rLhd
-pVJB5trCEQ9OC+CjeVvEMrm9M9CP1Im4tANwivlAgpuAEXNxSk87ZLSMvC567LjQ
-efdLMpZcvuLlR/gGul3CO3QaqlYJDys23T7V/WVuMyIqpohEtYf0u8nRB79H9HUT
-sc2eQHktHfw8SqRSUxRpW7gLLZDpedbLL0XJBFqz2VaJMWwPplAWBOdn89izjziV
-YGR+A0pSPbKkVp99DQ68cn4sZGb/4MXwTtcLk719WV4MGG+2/0V6z+R9GbKxMCMd
-+HR7gGB5zzQDeNydSS17fqe04a1HcatbWhoDusktbPIlcL0PHHa6qDj5HmwuCRdW
-lEoMumMfTdXB309liM6QQaR/4wSxJPdVkcpyEsD4+37u+Cts2tN1XS5aRm5xnt7V
-ENlundCisQNEtS04XjMoyTVYLc/YEBfLGmix9/JlFYzDeQQymCE39MZWd46y64x+
-3ERB8KXjifp5HmVj1D0WtYR3z5KyIEMR25NR6qor8OYkceJz+3N3pYP+sl18DH3s
-5PmgWcGS34iNMU0E9XK/P1Ydvyp5U93zDi/eoxMG1WT778Rx5uBiA69EXN2yCJZ1
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC3FLJE8JfN8rSi
+Pok0AwGA3rh9W5T5W4MP/b7GLscKILLDjKdcVJRCl/JTqjKFJMKhzV9Ao4h0qTb/
+1TtZos69oFdyn+sR+e2zqP17e9qrWs4EuzR7MA9ikE2oZdGOE14loXQVtjPVR7Cf
+Y5spu/EmyVtMRgiHzIj03jnMpo8cH2gWZj8o40pfs0V8pxv+qelFz7NqYoGORxMU
+mjsBcc2YSPQfimuBBYoKjPRfxMmjfFa9Lr8A/2Dkz6RNdMNnaaugnkFO9d6RgGQa
+6FTPr+3qsRPuO52DAcpBweyVNLKqjoypLTtschoKvZ/mZxp9PUFaerwDJra2IZts
+by1FAXaAp4FD3zZMxKJKymjPp9cXdlJ2Rc0ih+VoRD3EDZfVBhwSef46AjcdYLdH
+m2MwUaMyOwlrjOFUcK4KGpVrzMeiWBy4ZR0GfT9xEK76sl7T85h+UfhxKdd8/zPo
+m4MExHMBzdEsKolqlyztZ3cGXQwLqgoIniLm6sS2jbKHIudXTOvl+zZLz5K0Jm5P
+lrDtt3I/mrVlPKWVEfDuCNaOE06Ms06ki9yRzDJEeDJBF8nPrwevjTfIWWcttzNQ
+uEWV2i8gCNC4gTG79nvwbVqfqV3CoYigIbP7IzkojrLKYEm7qNDoNmeG7hRxoQIl
+uv4JB15g9OpJkcb/MsIzpFpdWzvC9QIDAQABAoICAASW/T0jNvsPyZ2Dqdbm+GOt
+sbxazmpN9AQznVPEmnLTjQe///YdnLXqr0WPr8KMwGBkEK5DK0mZcGqLgvhlT3+L
+hIW4IqGJvX7SjsBIw5umJCIUO2WXN9uFuJyvKMjCDYst+AYPUk9Xg8MLMTmjn5EU
+XTiVTONyqkBRTeumhVH0K5zcJVs2D4hEq0pLujTxN4rrgRj6rTrO51iN4UrQ+pGF
+yrD7vGQ4qlRHYl0ARvnVRStq/5jbzicOWZUjhz6RdJ8LOKHtIg5NxLSz/GRUicdn
+dxNy5SkCo3pwjSjUcGI8PqSDIMlANwzr4hVZol1fasME7q+5ib0ZLJdUVjMzrS/T
+ofjNkTMNiRIjuLCvI1av2x+F5epqRASzmfQ4Ky+IDYjxJLgfOTZe5K8mqAV8bpY8
+xiUAS/7qYIMrOr86GKD3UUu0D6CO00bbj+lmkmHQy3NEdZ4uztc0NaAyqKfPtH3N
+q4WpkXwdkRK3tijxO0wYZk080l2Sth2wys9WlUnP+K4fKp7yrVLpxaKvj0GIcVkA
+dK4iC9amnhJeeGQpgAd6d5wl74CzxOeWk1nZdJL2DsWXAg+A4sVfjL7RyEq/aFWa
+P2Tp8JLe1hjtohQzUIQYvZBO/yLrOFlBhf7s1yi5rOfBTaacLxef+klFulTuJWKq
+UEYGlpu6vgqL0ylB8c+lAoIBAQDnpvz0G/lR86QrqlebmwxeIU0JkEHfWNiZiEtf
+pq0wdUcNGkFVc5TdulhFaU+GlK3IZI/VkMUjcbSSLaXFORahyQEq83P10F5yljGn
+A3w0mq3CUGAVwMCDTimp25/hjiwM2ixeXlcu64AT5meuPHdSETCHZor9InDINf4u
+lGaO2ffLLqCQclydlS9fTQAs9dbsfqGzvtcDtngKIaqkasNX3hmpIl9lJ4P+oS1F
+5Q7qlxo7fMl3tH5sirOe/CHmLscVrKmYxlt4Pdl25nFfktxWsMqPw7YnqaI5gx67
+B+la+mskL8IksdBDR54wrl4M0iKPfbJe3kM4V9z3UDwE83aLAoIBAQDKUs7b1TRT
+qABmhbCiby1Xywt4x9BFEriMiO/bYEvyJ6cD7PeX1TQLeKSmCW/qDVKIFitEezgk
++Ciy9I6Vrip+WXo/uFslJFUE0C628LTk9+JWfb3O54XxGFJMXBA5UpqFFQTs3a+t
+39gXcLtyeV07tUcp9mpoJqaLmh55ImvLPMOsuFevRN2smXul3tl88um5U39U3Uj4
+JW2nBYAyj37NK0QPz8FlY6pGUFlXq6kkJnivHdtdXtE1cxzIZyFrV0oOkHqFttHc
+W7sTRy1KxYmzInX4PPFBepJZqmGBGHFqGPQUVgKDoKxq/I4VC8lxihd9bcjEzoId
++fPpYnaMzlx/AoIBACQikUzG3FJjThWdocLdIcXBLhIy1YOwiUER2KgYCOYJNUce
+9FgPCoa33bMeJVCZ+q3KugEXbxkDUKaIxlYIfLZJ84uupEUQ9tqrAR3LVmGiSz6H
+aSWbhqw00hzz7HGzyr1KfydNUg44oCb6huvP9NDxa3+DiGTKLYudmIPNlF3uNFAW
+eudtX3MZZWVZTpC03IzRiAnQ2Bt1KC50Z/jzynr3Y0tV2EmgK1/Z5oUDoRsI7Qeg
+hJDOr/XggPpo3CTa4SVJZL83GeecxkJc2gyNjR9cvoxEfDKdrHeKM437QvR1Iado
+Z8Fvl0wXbN6tJHCditSVR/CyfQvZ8NcHRgWDsNcCggEBAK9ZC1ztL/ec8BPqpAZz
+conXOO8JxdBHhFiQSckIcWnCwfYeBwu5ROz4N0KLhUoFF9VH2WH1pNgtlyBZ4cWJ
+99wfclsNTTkofuK4BvSYMz8KM0igm8NZVvV4DcOOOqVjmPXkHKupChwYl3DhTCPP
+WWVpG+8bWGdBsC/nd6emlGPFGxVzgtMtTS3Mq6Q7OqUW5kevPPjw+8/MqHcLxmqL
+gOsSJ1/IwCU+NpHQC053QRVKnmeu6bLHfWvkgzqQXx9nvJBY2UdQBhwECGOR2Ygn
+Ict1/2YQc0s7juFVUEIRTCIW1FtXm8A2nZfvoLhOydy0QN19K3aeP5j5S1Km+nXY
+V8MCggEAURBlSjkcZXwouXOkL6XbMEviPcIX2ZCCUliI7f1ee9IOXe5LSBIJKc/E
+u8MJ0eBpVXFtYiobu9NCwlz05d/RTw7oF3KsIvLf3NIdbIbIgcWnipVB9ojb1BOY
+AO9aZI+Ge5I7/zfWBjrQDyPrHnp/KZuWJtMMsYkkoE5B/GATmC/xq0dVdEmOPevO
+8L08GkvFDpNWjezExlBUP/HFUnSgopTQbMlrWq1ooikF9enI522pNgrxYVY7I2a8
+77Po8MwAvTKZ6I2FAntvabLI8NwArpKRnEeb/8/fMQ7iVnO6M+qU2ep+f8VGbds2
+PVgAaaQxmCHOofBjUurLR0Qlr0qSVw==
+-----END PRIVATE KEY-----
diff --git a/test/tls/ca.srl b/test/tls/ca.srl
index 65ec40292b..37b5727530 100644
--- a/test/tls/ca.srl
+++ b/test/tls/ca.srl
@@ -1 +1 @@
-1BF81D82E90AEC955A16129E68BF85258F237480
+5B5AD1217E2F86A765ECB6D780FA8120BE9BE703
diff --git a/test/tls/db.crt b/test/tls/db.crt
index 54693705fc..3102fad11b 100644
--- a/test/tls/db.crt
+++ b/test/tls/db.crt
@@ -1,22 +1,35 @@
 -----BEGIN CERTIFICATE-----
-MIIDmDCCAoACFBv4HYLpCuyVWhYSnmi/hSWPI3SAMA0GCSqGSIb3DQEBCwUAMIGB
-MQswCQYDVQQGEwJQTDEKMAgGA1UECAwBTTEPMA0GA1UEBwwGV2Fyc2F3MQ8wDQYD
-VQQKDAZTY3lsbGExFTATBgNVBAsMDHRlc3Rpbmdfcm9vdDEVMBMGA1UEAwwMdGVz
-dGluZ19yb290MRYwFAYJKoZIhvcNAQkBFgdmb29AYmFyMB4XDTIxMDMzMDEzMDA0
-MVoXDTQxMDMyNTEzMDA0MVowgY4xCzAJBgNVBAYTAlBMMQwwCgYDVQQIDANNYXox
-DzANBgNVBAcMBldBUlNBVzEWMBQGA1UECgwNc2N5bGxhX3NlcnZlcjEVMBMGA1UE
-CwwMdGVzdGluZ19tYWluMRUwEwYDVQQDDAx0ZXN0aW5nX21haW4xGjAYBgkqhkiG
-9w0BCQEWC2JhckBmb28uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAxeutm4HYEhX2tGJEynZI31ql9iG5SzKGt44dnyrRaR1Owc3epz72e4Tjvtvg
-N81QkQr8BzE9q8Uhrh10DL0ggi9URDXTj5j28ozUoArvi8igF2c7jiuTBKpPDZJY
-/D4+g/JzoHbVvjXdshduCYHi/M5aDqd2pINBxzVeJv9nysrXxWLW3UHDFNvxtmyr
-WKhsFD7R01gfO5MD7h8t7FBRZOxPEqMfy6yZT4i49Le3KyKvxQn0AxofVrUNabVb
-b6NPN1okWT3A97LFF+VCA04KPknS4PdQjq8pV7y7govlISKHpXJD3ov+1uAX1TON
-vk8QoByDj60mCH54j/z0Z+c4HwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAepiL2
-7tkyhjbZfbEELycfMDDs1jHE1klgwksW0gtYm/D180lxGmae7qWRuGQo0Oj6lMth
-cUtnmHo2aosyvx15ch5DMh0WPsN3LHn2JRLz0Kg0nOZBc8njkKelzIY4VJAUwape
-x1UfUyE5ae6Ra0/Rdiz76qJjeTKu3CrWj2umD9GQXfvB7OIXjo2c/UpmVnqzuhoV
-/xMMoCCvfmySPoUEcozyxYTjNtAaDyrTxCMriUOCmRRihGc8SpL4kvtxQEEn0C4/
-CZ0JdLe6XGtcAGY0Aj0cquiX8PSmWw0Lzj5mictMn3LjsVcvVITM+LTQ0+jAiI3T
-fGLUhPS/TsExg8I4
+MIIGFzCCA/+gAwIBAgIUW1rRIX4vhqdl7LbXgPqBIL6b5wMwDQYJKoZIhvcNAQEL
+BQAwgY4xCzAJBgNVBAYTAlBMMQwwCgYDVQQIDANNYXoxDzANBgNVBAcMBldhcnNh
+dzEWMBQGA1UECgwNc2N5bGxhX3NlcnZlcjEVMBMGA1UECwwMdGVzdGluZ19tYWlu
+MRUwEwYDVQQDDAx0ZXN0aW5nX21haW4xGjAYBgkqhkiG9w0BCQEWC2JhckBiYXIu
+Y29tMB4XDTI1MDIxMzE1NDc0N1oXDTM1MDIxMTE1NDc0N1owgY4xCzAJBgNVBAYT
+AlBMMQwwCgYDVQQIDANNYXoxDzANBgNVBAcMBldhcnNhdzEWMBQGA1UECgwNc2N5
+bGxhX3NlcnZlcjEVMBMGA1UECwwMdGVzdGluZ19tYWluMRUwEwYDVQQDDAx0ZXN0
+aW5nX21haW4xGjAYBgkqhkiG9w0BCQEWC2JhckBiYXIuY29tMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAwAIpNp4RtlohTtbQe8y1oX1+5DsvmkmsCEi1
+5PDE6v9lW9lKWL4z6Rhqyp3WuddWO7zPHWDjDA8e1MNmQs53D8NWYi3fEzFbbqfa
+EAAOrL3syBCNkWuRSIolTJvbNtX19q2WHvzWAnsVpgZTUE1gFPQBbwR//4KVOwF3
+HkiBtowq24egkr1cozxL08XZz7+WVcpJ2PH6emOhhqBWj6VXLqFqr4AkC3CGSv2m
+MxpiXbqkTzmaV6nI1LdXZ3d4INhrQEiVSMNgxFv91lqyYCuugBz+MSDb5p7LkYE9
+tA9giXPHQvzCQNFzEZZrwmporSuMInJbuNiDAlmwrC75+SY1Bjb11qrDg7MZ6AIS
+sW8IGa2EiRXHVSC5j7xA2ZpK/adsoBHiu1juIwZO7bxNLaVww7Y1PwyNBYWfygKF
+Gma991OGmRI1oB91c5hKIymwLERbb6YVrCMcTMEVY9t+lCrTl7FiTbprzA2D1ryY
+AQWn4nbBexa4oWFRO00xcVvvoz4oy4XM3AgCNcZtaRtPTTWI10vlycquLOJt1TG/
+4bu6V7gU5c0Yu0zoc/HDcJELdS8KsYmL33+c/hK1NAtdvsn7Lqd0sVLybzbHOPQ1
+eJi+v0ZVSKJltCEPTNoKpRrpYscrHUG5/iCjtzH01BZdsnRuJP9JlVPnfxIb5xgh
+WL5LFwUCAwEAAaNrMGkwCQYDVR0TBAIwADAPBgNVHREECDAGhwSsLAACMAsGA1Ud
+DwQEAwIF4DAdBgNVHQ4EFgQUmsNJoeaIs9mje89l/36FX0WJOwIwHwYDVR0jBBgw
+FoAUT+KrEZ1w9ZTIDB77ElSa3/bV/tQwDQYJKoZIhvcNAQELBQADggIBACbN35Ea
+GqIpDfxp2bCSyu03R7JYPqdu/SenEmOYQeubBjnuOR+ZFnLLeDIqWJMbYqQw2dc+
+eo/uohRL3pa2hV/KrC7+vGQ/Mt9WZUMvG6PQ+SSSsKOHAxhGARN+KfvA3mGbNuY7
+sQ4iLg3UlP2+Q1hvSb9Yo28M6+kByIWqw7Tk4Gmb3zDTSNib46hzcxAccfSF4Y8i
+0L4iPhbrpYMa+CmJqKvTMrb8sBid0+v9qsQ8MMJwFON66oIDWk7odqdbpkXK2CtB
+w26RDy4v8QsInmeXz+snuZUwqkmLc6LYcoT8uRQTGL451Gyod4MDrbhNjWpOpGFE
+8dQramKlClDwhIUuzhWMRFvqQfoL9CE7hlCpzR6OQQFoyEMnQpTPa/GMJFSxg/xg
+H3xgr449EyqNqcQK0Lc+3Q+whtQpsxny7TyyEjXC7yuUJGZ6mWSV+tJDj1zwEz9D
+LOK31dUtOp5p+eTXkabuS4uqKAVD/RTmE4/YZPg3SdHQAoJ+56BNtICRJO5VEuiq
+rRtlK5K0HRtjQvt/FpGvkUkp5aPmtxDN44iF4IVl5AfYxZAuQpfz4wLkNfS9hHVT
+fe+ESWbF0wg8P8tT7Gw6GAkLtiAxpp2ndFozoDKatwIyuB6Wzy3Q0ZKiyJI+wslZ
+WqRmMNt7wb1Kgj2sd3UtwrUrxvW9J8pKckMv
 -----END CERTIFICATE-----
diff --git a/test/tls/db.key b/test/tls/db.key
index de3fa78b50..a128cc12d2 100644
--- a/test/tls/db.key
+++ b/test/tls/db.key
@@ -1,27 +1,52 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAxeutm4HYEhX2tGJEynZI31ql9iG5SzKGt44dnyrRaR1Owc3e
-pz72e4TjvtvgN81QkQr8BzE9q8Uhrh10DL0ggi9URDXTj5j28ozUoArvi8igF2c7
-jiuTBKpPDZJY/D4+g/JzoHbVvjXdshduCYHi/M5aDqd2pINBxzVeJv9nysrXxWLW
-3UHDFNvxtmyrWKhsFD7R01gfO5MD7h8t7FBRZOxPEqMfy6yZT4i49Le3KyKvxQn0
-AxofVrUNabVbb6NPN1okWT3A97LFF+VCA04KPknS4PdQjq8pV7y7govlISKHpXJD
-3ov+1uAX1TONvk8QoByDj60mCH54j/z0Z+c4HwIDAQABAoIBAG+LzGSAYY6P4mL3
-n12cHKYFKNP3Xb8L0vFQn1E9iJh9dA22QW5xBenHk7PVqCDLDkUws6o6Dk/o4nqH
-Dwi+7rtwgUWQMJQV2dgJlyw7/ZYClHecLuyJkmpmsfcsLAq96e3jj1c4om55XWEp
-41Joac2hXxAzQaKmd0QWx+GiwJSBkCtAQQgG6NNO8qNMOu89Fv81L0tfvDs/v0nE
-n0GDCsj+Cc95OEoqN+qSyb2nL8p8D7ICEJKR0alolb20BqznwocYHfHOdWfKpvn/
-MI/qXEwjOsz9CuexWsMHfn3QhXzw4gPar4UB+G9k22bvnTRkh70urRMrNWtarXLW
-7bykMcECgYEA4+YNpaa6CmItNd9IOhOdz26P0KMRQBFwnzsWLYeM7o0Ab0UGYBj0
-nK0lpnDlyEPGkQe/pQS/G9T1WGx3DIoLpEoxzyuRS71Gz6T+iAUg2KqVJtbn/0tR
-Aw7f2oYIZYO7V6aFf+wWV42kx6xvW/+2WQC3lmimYHau//sH7bwjUW0CgYEA3lNT
-VTJC2Z5Hj4XA7Uf64IpRsoFKwXrIVFT4MaTJ9F1SYHVDiSuFWV1H7cAVtR26Fovu
-FPav7fiOh/pZDxISbo1hvb0V0CyBCYtBXXUlZt9InNhhUx2UI174eyX+vCAagttL
-jo2zmxQFZiVAltpAsZ9Zi0Z2jKKcO3DUpA+cxDsCgYAZM2RI8BHcehTDw0gKXAb0
-XCZ9DLsomYUZpoACUt3rtx3YMArPb5MFDESAjjVqmswHV5MCnW7AliD3QS887Lry
-1N2DKi8r7+c3qOgYhHCoZNyPae5Hlb2EmA167Z1aFGIQBDL4/VNPJTOWfOPniXRR
-jTm/4RycyCL73Xd3+3jwVQKBgDw8HyvJ/kqvk3vTJT4kblg/oXrXhMV+2p/elY/9
-sam/Tv5LRwz2+Z4Io+BKVpdHgo9xQgP0Ah5bZWJ59X8bylqhe4XIoQxRwnQvgnor
-rwJ8JFQ6W8QFE4mxxWi4FpgpqoUhnQr2YV72wa+3EBTO9RAquDv/z0azF9kS7Mm2
-YSbZAoGAFw1q20/rmlpELoOjjvRh+TGJzOiwRiiSiGFBPdG8xuusC454pFFJLzmm
-ADLyOZ7e6qazCySIEbLMGAfdeVByGTE0wh2U6Mm6nUakZoRw5vVwOF2qy5zhobPZ
-begkR70f1TwtZrY0ltfWx/mgzXYIjWMylDBdEmj/18Ht/tcsUtA=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDAAik2nhG2WiFO
+1tB7zLWhfX7kOy+aSawISLXk8MTq/2Vb2UpYvjPpGGrKnda511Y7vM8dYOMMDx7U
+w2ZCzncPw1ZiLd8TMVtup9oQAA6svezIEI2Ra5FIiiVMm9s21fX2rZYe/NYCexWm
+BlNQTWAU9AFvBH//gpU7AXceSIG2jCrbh6CSvVyjPEvTxdnPv5ZVyknY8fp6Y6GG
+oFaPpVcuoWqvgCQLcIZK/aYzGmJduqRPOZpXqcjUt1dnd3gg2GtASJVIw2DEW/3W
+WrJgK66AHP4xINvmnsuRgT20D2CJc8dC/MJA0XMRlmvCamitK4wiclu42IMCWbCs
+Lvn5JjUGNvXWqsODsxnoAhKxbwgZrYSJFcdVILmPvEDZmkr9p2ygEeK7WO4jBk7t
+vE0tpXDDtjU/DI0FhZ/KAoUaZr33U4aZEjWgH3VzmEojKbAsRFtvphWsIxxMwRVj
+236UKtOXsWJNumvMDYPWvJgBBafidsF7FrihYVE7TTFxW++jPijLhczcCAI1xm1p
+G09NNYjXS+XJyq4s4m3VMb/hu7pXuBTlzRi7TOhz8cNwkQt1LwqxiYvff5z+ErU0
+C12+yfsup3SxUvJvNsc49DV4mL6/RlVIomW0IQ9M2gqlGulixysdQbn+IKO3MfTU
+Fl2ydG4k/0mVU+d/EhvnGCFYvksXBQIDAQABAoICABS45vvHCYBVr9yTYILL8BpS
+sfwtyxBqvQ9T0ZW4ynfWQnksNVLojC+u+++MI12BOQRPd0bjav2lMB2kTQgOwljI
+Ky2DZ9zpacXChc1OREcuZDyfVLgKFO7wQeBHvdvoMZiC2X3UqcAwyoBVlG5JO4Jn
+ZzQ1Fx9bV4G7wcBZ8O3jqMhylcjgePwBCOn9I2nBcpclstygGPlWgVtHOLBeFs+o
+ihwQx1MYvNWhFGvVgCI/f3YxcE/fuhYDB4LaKPPah5CzhLEKrQnkJ7wXo8KvVDDt
+cB2bP0BfiPbWLPOe6TtMbIf1QX2/XRzb0Bt2Yn+2AHTDRNTpQRJi3adnloDmN7iY
+7v7A3w7D08WbwAhZYtZzZ0CWL2quTsx0fzNdXzfyDtHb6WW6F570CnTTKjMfGPyU
+eA2J7Y8b+90rnWHuptWZbE+np5W9HZ1/G0+hHAKz4xdNtBMlDMVjNb9Cjd0ykavx
+0DFXTE5a2Y+f0QFhLKmeWS1wAX2DdboHEXXVnkcd0NgAuOifPMCiCsnKdsf9/8tn
+5N4kVG7sD1SUIao+l2Lz6TsbJnKI/zJDfjsaxOUnUj75NQlHA1KNhvb0lJp/DQz+
+ge+A96InfrT/FPwhttPby0UkonsnewAB4ftkLV0KXKtX+qD0/4i7t7QsMwRA+qKI
+z7OIKB2dw75hoQcLc5SBAoIBAQDyoJSoRaMmM0T+TjfC5+hZHmsPFjh51TQsB8Xk
+y1EreQ0J4IB1anhE6RNRFlW4Gasu2P9HzBzK309NhcsY8sm0Vgb/GV4eHNwer1Za
+1C0OBO4ICiKmiXe5Q27Aj/eXHdEKqZL81LThWL5lWHvYpHf8UsC9qEIolZ5Z/nZi
+lkQPdpoXWLvdGurURRc0HDitwrLOYE5Gw7Z5WLkvNZN1PA5HKjz/Fe+kb4TdKSCe
+TyV7/Ne6mU/3TkAXNXspjUgsIhbNXqM0yO0Bk7vQPqOH9OvDAz6aJqyGRUAKeAfW
+JqOvui3yCXM539L8UsI/nCuGroFS6CmCZkziq8edWmPTTTRlAoIBAQDKl1wAeMAy
+eAxkhufeLN3SStPQCe/RS0QGzpAoyqf8ctXa5tgiQxhmNd1mghST1B8ZfRzqGil/
+P/wxFiDdoxDyZyX26BaMEJRomblIxhH25bgPf964CxbCbnF08Sd5Sw67a2ndj+/J
+sAS1w5W/BLCxtUcZgouPoDuYerhpE2sffvw0sPSMbsWBlDhgksv4KfywLt52ZQrc
+PhgVkcjIXuMS4McfGgHcT9glDZrMHdtdOUXeAPwKS22QmXBLHlmZ/d1XnAI2qRaG
+rcU/HD/GvKrFshBn4mF5xlcxlh1/gy6UNljwI3X1Z+6pE3gpq2VpyhSw5XHCY2qm
++UG0ovScbZ4hAoIBAD3NtdBfXL3AVZTJ695UIJWC8BZ5vI0cSBvnJvuu5tBCF5Yq
+f85o/pXfITKIk/E/aKGYWP66+aKb26GNsTx7q/Gp8EJO/fCBvXh7hW3BmnB1xQR7
+QHRXlA23JaEbiyANUlB6/Zw1upWke2tpbLK0wnOdyMcG80NPSXT3IsTeLhwaRAoq
+akBaOPM1XkHB5pYsgEudsJLKC9NBTHrAFP3J/IEYO01nExI57ghAD7UDyDKbJ4C6
+yOngHudKkkL1YCsNy+0obD5n6Cd8sFzNd+6L7vpP+0RdEZlqTnPcO3LLiOqcbFO5
+IIbfgukPU7fMWjIGhZ7O0LQMxwz+YOyuN7t9cRkCggEBAJQ8FdxefjsvbdnsgCIn
+8BLcH4nci3Y3vUnBwOeoCSyFlgb62/CN6X94MEy+J3JXRn4u9oYwqGZsmgoMp/Wk
+SFUltjiobz8DLqQuvs0J6MEgKwJkTMGbk4amqyum/HwauGfYW3j7xbdsrLWWq64+
+L0+IVcLLq3RnCNQ0D1ULGVnNX5rqU7Who7CBlJLNNqOZjUQYtzwoCL9IS/UUW7aI
+/1ujzu7p56ydW4kZIEf0HLtkmcOsMr8Rm9SvAORmC6fKgjeFdnUqWconwejAscWn
+7MiE1s48bZhd0RT+Qw03HlDiR0dGmxv6dT2Pel/7AlRawbMB37AdcD9GqJYUmikP
+aCECggEBAMvWnqfqgJzTIpQYmxh9mJxUh0QsjvMV1qYTyh5JBlpxeqvEwGdH9DCi
+Hl9AgN/bruuQfZEtP9KA5oriC/C74EcWan8AbAWnKnClMwbndqh+cTj129hyaA3M
+KZT79oqPc61BonOmnFrrmkZQKVcB0hnm8NIOt7hVvNNX2tM7Qr+VXZpSwhQkT5C7
+48iLF2fYX7j/2B3C7We6GOb42SM42dbK9ABINBSy1GHHRGSOEXwaohP/noL4Q9VU
+js0jnWGBsMIJFzNzKcwJxfGaau4yaIDEbVgCbfHLfoCUJy35mlNTkJt6Z+5s174I
+Mop5XAehuUgY3q/nMbLuIngTjPRQxbQ=
+-----END PRIVATE KEY-----