Hi Nikolay,

1) You can update KIP-553 to disable old protocols. This would mean:
1a) SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS would be just TLSv1.2
1b) SslConfigs.DEFAULT_SSL_PROTOCOL would become TLSv1.2
2) When the testing for TLSv1.3 has been done, open a new KIP to enable TLSv1.3 by default. This would mean adding TLSv1.3 to SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS.

On Fri, Jan 17, 2020 at 11:40 AM Николай Ижиков <nizhi...@apache.org> wrote:

> Hello, Rajini.
>
> Yes, we can!
>
> I have to write another KIP whose goal will be to keep only TLSv1.2 and
> TLSv1.3 in SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS
> Is it correct?
>
> > On Jan 17, 2020, at 14:13, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >
> > Hi Nikolay,
> >
> > Can we split this KIP into two:
> > 1) Remove insecure TLS protocols from the default values
> > 2) Enable TLSv1.3
> >
> > Since we are coming up to KIP freeze for 2.5.0 release, it will be good if
> > we can get at least the first one into 2.5.0. It would be a much smaller
> > change and won't get blocked behind TLSv1.3 testing.
> >
> > Thank you,
> >
> > Rajini
> >
> > On Tue, Jan 7, 2020 at 11:49 AM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >
> >> Hi Nikolay,
> >>
> >> There are a couple of things you could do:
> >>
> >> 1) Run all system tests that use SSL with TLSv1.3. I had run a subset, but
> >> it will be good to run all of them. You can do this locally using docker
> >> with JDK 11 by updating the files in tests/docker. You will need to update
> >> tests/kafkatest/services/security/security_config.py to enable only
> >> TLSv1.3. Instructions for running system tests using docker are in
> >> https://github.com/apache/kafka/blob/trunk/tests/README.md.
> >> 2) For integration tests, we run a small number of tests using TLSv1.3 if
> >> the tests are run using JDK 11 and above. We need to do this for system
> >> tests as well. There is an open JIRA:
> >> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to assign
> >> this to yourself if you have time to do this.
> >>
> >> Regards,
> >>
> >> Rajini
> >>
> >> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <nizhi...@apache.org> wrote:
> >>
> >>> Hello, Rajini.
> >>>
> >>> Can you, please, clarify, what should be done?
> >>> I can try to do tests by myself.
> >>>
> >>>> On Jan 6, 2020, at 21:29, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>>>
> >>>> Hi Brajesh.
> >>>>
> >>>> No one is working on this yet, but will follow up with the Confluent tools
> >>>> team to see when this can be done.
> >>>>
> >>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <kbrajesh...@gmail.com> wrote:
> >>>>
> >>>>> Hello Rajini,
> >>>>>
> >>>>> What is the plan to run system tests using JDK 11? Is someone working on
> >>>>> this?
> >>>>>
> >>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <rajinisiva...@gmail.com>
> >>>>> wrote:
> >>>>>
> >>>>>> Hi Nikolay,
> >>>>>>
> >>>>>> We can leave the KIP open and restart the discussion once system tests are
> >>>>>> running.
> >>>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> Rajini
> >>>>>>
> >>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <nizhi...@apache.org> wrote:
> >>>>>>
> >>>>>>> Hello, Rajini.
> >>>>>>>
> >>>>>>> Thanks, for the feedback.
> >>>>>>>
> >>>>>>> Should I mark this KIP as declined?
> >>>>>>> Or just wait for the system tests results?
> >>>>>>>
> >>>>>>>> On Jan 6, 2020, at 17:26, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>>>>>>>
> >>>>>>>> Hi Nikolay,
> >>>>>>>>
> >>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8 and hence we
> >>>>>>>> don't yet have full system test results with TLS 1.3 which requires JDK 11.
> >>>>>>>> We should wait until that is done before enabling TLS1.3 by default.
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>>
> >>>>>>>> Rajini
> >>>>>>>>
> >>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <nizhi...@apache.org> wrote:
> >>>>>>>>
> >>>>>>>>> Hello, Team.
> >>>>>>>>>
> >>>>>>>>> Any feedback on this KIP?
> >>>>>>>>> Do we need this in Kafka?
> >>>>>>>>>
> >>>>>>>>>> On Dec 24, 2019, at 18:28, Nikolay Izhikov <nizhi...@apache.org> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Hello,
> >>>>>>>>>>
> >>>>>>>>>> I'd like to start a discussion of KIP.
> >>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions by default.
> >>>>>>>>>>
> >>>>>>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
> >>>>>>>>>>
> >>>>>>>>>> Your comments and suggestions are welcome.
> >>>>>
> >>>>> --
> >>>>> Regards,
> >>>>> Brajesh Kumar
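
Added example, not part of the thread and not Kafka's own code: a small Python audit that resolves `ssl.enabled.protocols` and `ssl.protocol` for a properties file, once under the defaults in place before the change and once under the defaults proposed in 1a/1b of the top message. The old default values, the `LEGACY` set, the function names and both sample files are assumptions constructed for illustration.

```python
# Added example (not from the thread): resolve which TLS versions a Kafka
# properties file ends up with when a key is left to the built-in default.
LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Assumption: defaults shipped before the change discussed in the thread.
OLD_DEFAULTS = {"ssl.enabled.protocols": "TLSv1.2,TLSv1.1,TLSv1",
                "ssl.protocol": "TLS"}
# Defaults proposed in points 1a and 1b of the top message.
NEW_DEFAULTS = {"ssl.enabled.protocols": "TLSv1.2",
                "ssl.protocol": "TLSv1.2"}

# Constructed sample inputs.
IMPLICIT = """\
listeners=SSL://:9093
# no TLS version keys: the build's defaults apply
ssl.keystore.location=/path/to/keystore.jks
"""
PINNED = """\
listeners=SSL://:9093
ssl.enabled.protocols = TLSv1.2, TLSv1
ssl.protocol=TLSv1.2
"""

def parse_properties(text):
    """Minimal key=value parser; skips blanks and #/! comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text, defaults):
    """Return the effective TLS settings and any legacy versions left on."""
    props = parse_properties(text)
    raw = props.get("ssl.enabled.protocols", defaults["ssl.enabled.protocols"])
    enabled = [p.strip() for p in raw.split(",") if p.strip()]
    return {
        "enabled": enabled,
        "pinned": "ssl.enabled.protocols" in props,
        "legacy": [p for p in enabled if p in LEGACY],
        "ssl.protocol": props.get("ssl.protocol", defaults["ssl.protocol"]),
    }

if __name__ == "__main__":
    for name, text in (("implicit", IMPLICIT), ("pinned", PINNED)):
        for label, d in (("old", OLD_DEFAULTS), ("new", NEW_DEFAULTS)):
            print(name, label, audit(text, d))
```

The `PINNED` sample reports TLSv1 under both sets of defaults: a file that sets the key explicitly is unaffected by a default change and has to be edited separately.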