Thanks, Rajini. Will do it, shortly.
> 17 янв. 2020 г., в 14:50, Rajini Sivaram <rajinisiva...@gmail.com> написал(а): > > Hi Nikolay, > > 1) You can update KIP-553 to disable old protocols. This would mean: > 1a) SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS would be just TLSv1.2 > 1b) SslConfigs.DEFAULT_SSL_PROTOCOL would become TLSv1.2 > > 2) When the testing for TLSv1.3 has been done, open a new KIP to enable > TLSv1.3 by default. This would mean adding TLSv1.3 to > SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS. > > > On Fri, Jan 17, 2020 at 11:40 AM Николай Ижиков <nizhi...@apache.org> wrote: > >> Hello, Rajini. >> >> Yes, we can! >> >> I have to write another KIP that goal will be keep only TLSv1.2 and >> TLSv1.3 in SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS >> Is it correct? >> >> >>> 17 янв. 2020 г., в 14:13, Rajini Sivaram <rajinisiva...@gmail.com> >> написал(а): >>> >>> Hi Nikolay, >>> >>> Can we split this KIP into two: >>> 1) Remove insecure TLS protocols from the default values >>> 2) Enable TLSv1.3 >>> >>> Since we are coming up to KIP freeze for 2.5.0 release, it will be good >> if >>> we can get at least the first one into 2.5.0. It would be a much smaller >>> change and won't get blocked behind TLSv1.3 testing. >>> >>> Thank you, >>> >>> Rajini >>> >>> On Tue, Jan 7, 2020 at 11:49 AM Rajini Sivaram <rajinisiva...@gmail.com> >>> wrote: >>> >>>> Hi Nikolay, >>>> >>>> There a couple of things you could do: >>>> >>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a subset, >> but >>>> it will be good to run all of them. You can do this locally using docker >>>> with JDK 11 by updating the files in tests/docker. You will need to >> update >>>> tests/kafkatest/services/security/security_config.py to enable only >>>> TLSv1.3. Instructions for running system tests using docker are in >>>> https://github.com/apache/kafka/blob/trunk/tests/README.md. >>>> 2) For integration tests, we run a small number of tests using TLSv1.3 >> if >>>> the tests are run using JDK 11 and above. We need to do this for system >>>> tests as well. There is an open JIRA: >>>> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to assign >>>> this to yourself if you have time to do this. >>>> >>>> Regards, >>>> >>>> Rajini >>>> >>>> >>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <nizhi...@apache.org> >> wrote: >>>> >>>>> Hello, Rajini. >>>>> >>>>> Can you, please, clarify, what should be done? >>>>> I can try to do tests by myself. >>>>> >>>>>> 6 янв. 2020 г., в 21:29, Rajini Sivaram <rajinisiva...@gmail.com> >>>>> написал(а): >>>>>> >>>>>> Hi Brajesh. >>>>>> >>>>>> No one is working on this yet, but will follow up with the Confluent >>>>> tools >>>>>> team to see when this can be done. >>>>>> >>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <kbrajesh...@gmail.com> >>>>> wrote: >>>>>> >>>>>>> Hello Rajini, >>>>>>> >>>>>>> What is the plan to run system tests using JDK 11? Is someone working >>>>> on >>>>>>> this? >>>>>>> >>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram < >> rajinisiva...@gmail.com >>>>>> >>>>>>> wrote: >>>>>>> >>>>>>>> Hi Nikolay, >>>>>>>> >>>>>>>> We can leave the KIP open and restart the discussion once system >> tests >>>>>>> are >>>>>>>> running. >>>>>>>> >>>>>>>> Thanks, >>>>>>>> >>>>>>>> Rajini >>>>>>>> >>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <nizhi...@apache.org> >>>>>>> wrote: >>>>>>>> >>>>>>>>> Hello, Rajini. >>>>>>>>> >>>>>>>>> Thanks, for the feedback. >>>>>>>>> >>>>>>>>> Should I mark this KIP as declined? >>>>>>>>> Or just wait for the system tests results? >>>>>>>>> >>>>>>>>>> 6 янв. 2020 г., в 17:26, Rajini Sivaram <rajinisiva...@gmail.com> >>>>>>>>> написал(а): >>>>>>>>>> >>>>>>>>>> Hi Nikolay, >>>>>>>>>> >>>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8 and >>>>>>> hence >>>>>>>>> we >>>>>>>>>> don't yet have full system test results with TLS 1.3 which >> requires >>>>>>> JDK >>>>>>>>> 11. >>>>>>>>>> We should wait until that is done before enabling TLS1.3 by >> default. >>>>>>>>>> >>>>>>>>>> Regards, >>>>>>>>>> >>>>>>>>>> Rajini >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков < >> nizhi...@apache.org >>>>>> >>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>>> Hello, Team. >>>>>>>>>>> >>>>>>>>>>> Any feedback on this KIP? >>>>>>>>>>> Do we need this in Kafka? >>>>>>>>>>> >>>>>>>>>>>> 24 дек. 2019 г., в 18:28, Nikolay Izhikov <nizhi...@apache.org> >>>>>>>>>>> написал(а): >>>>>>>>>>>> >>>>>>>>>>>> Hello, >>>>>>>>>>>> >>>>>>>>>>>> I'd like to start a discussion of KIP. >>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions by >>>>>>>> default. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>> >> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956 >>>>>>>>>>>> >>>>>>>>>>>> Your comments and suggestions are welcome. >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Regards, >>>>>>> Brajesh Kumar >>>>>>> >>>>> >>>>> >> >>
