Hello.

KIP [1] updated.
Only TLSv1.2 will be enabled by default, as Rajini suggested.

Any objections to it?

[1] https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956


> On 17 Jan 2020, at 14:56, Николай Ижиков <nizhikov....@gmail.com> wrote:
> 
> Thanks, Rajini.
> 
> Will do it, shortly.
> 
>> On 17 Jan 2020, at 14:50, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>> 
>> Hi Nikolay,
>> 
>> 1) You can update KIP-553 to disable old protocols. This would mean:
>>  1a) SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS would be just TLSv1.2
>>  1b) SslConfigs.DEFAULT_SSL_PROTOCOL would become TLSv1.2
>> 
>> 2) When the testing for TLSv1.3 has been done, open a new KIP to enable
>> TLSv1.3 by default. This would mean adding TLSv1.3 to
>> SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS.
>> 
>> 
>> On Fri, Jan 17, 2020 at 11:40 AM Николай Ижиков <nizhi...@apache.org> wrote:
>> 
>>> Hello, Rajini.
>>> 
>>> Yes, we can!
>>> 
>>> I have to write another KIP whose goal will be to keep only TLSv1.2 and
>>> TLSv1.3 in SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS.
>>> Is it correct?
>>> 
>>> 
>>>> On 17 Jan 2020, at 14:13, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>> 
>>>> Hi Nikolay,
>>>> 
>>>> Can we split this KIP into two:
>>>> 1) Remove insecure TLS protocols from the default values
>>>> 2) Enable TLSv1.3
>>>> 
>>>> Since we are coming up to KIP freeze for 2.5.0 release, it will be good if
>>>> we can get at least the first one into 2.5.0. It would be a much smaller
>>>> change and won't get blocked behind TLSv1.3 testing.
>>>> 
>>>> Thank you,
>>>> 
>>>> Rajini
>>>> 
>>>> On Tue, Jan 7, 2020 at 11:49 AM Rajini Sivaram <rajinisiva...@gmail.com>
>>>> wrote:
>>>> 
>>>>> Hi Nikolay,
>>>>> 
>>>>> There are a couple of things you could do:
>>>>> 
>>>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a subset, but
>>>>> it will be good to run all of them. You can do this locally using docker
>>>>> with JDK 11 by updating the files in tests/docker. You will need to update
>>>>> tests/kafkatest/services/security/security_config.py to enable only
>>>>> TLSv1.3. Instructions for running system tests using docker are in
>>>>> https://github.com/apache/kafka/blob/trunk/tests/README.md.
>>>>> 2) For integration tests, we run a small number of tests using TLSv1.3 if
>>>>> the tests are run using JDK 11 and above. We need to do this for system
>>>>> tests as well. There is an open JIRA:
>>>>> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to assign
>>>>> this to yourself if you have time to do this.
>>>>> 
>>>>> Regards,
>>>>> 
>>>>> Rajini
>>>>> 
>>>>> 
>>>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>> 
>>>>>> Hello, Rajini.
>>>>>> 
>>>>>> Can you, please, clarify, what should be done?
>>>>>> I can try to do tests by myself.
>>>>>> 
>>>>>>> On 6 Jan 2020, at 21:29, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>> 
>>>>>>> Hi Brajesh.
>>>>>>> 
>>>>>>> No one is working on this yet, but will follow up with the Confluent tools
>>>>>>> team to see when this can be done.
>>>>>>> 
>>>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <kbrajesh...@gmail.com> wrote:
>>>>>>> 
>>>>>>>> Hello Rajini,
>>>>>>>> 
>>>>>>>> What is the plan to run system tests using JDK 11? Is someone working on
>>>>>>>> this?
>>>>>>>> 
>>>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>> 
>>>>>>>>> Hi Nikolay,
>>>>>>>>> 
>>>>>>>>> We can leave the KIP open and restart the discussion once system tests are
>>>>>>>>> running.
>>>>>>>>> 
>>>>>>>>> Thanks,
>>>>>>>>> 
>>>>>>>>> Rajini
>>>>>>>>> 
>>>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>> 
>>>>>>>>>> Hello, Rajini.
>>>>>>>>>> 
>>>>>>>>>> Thanks, for the feedback.
>>>>>>>>>> 
>>>>>>>>>> Should I mark this KIP as declined?
>>>>>>>>>> Or just wait for the system tests results?
>>>>>>>>>> 
>>>>>>>>>>> On 6 Jan 2020, at 17:26, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>> 
>>>>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8 and hence we
>>>>>>>>>>> don't yet have full system test results with TLS 1.3 which requires JDK 11.
>>>>>>>>>>> We should wait until that is done before enabling TLS1.3 by default.
>>>>>>>>>>> 
>>>>>>>>>>> Regards,
>>>>>>>>>>> 
>>>>>>>>>>> Rajini
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> Hello, Team.
>>>>>>>>>>>> 
>>>>>>>>>>>> Any feedback on this KIP?
>>>>>>>>>>>> Do we need this in Kafka?
>>>>>>>>>>>> 
>>>>>>>>>>>>> On 24 Dec 2019, at 18:28, Nikolay Izhikov <nizhi...@apache.org> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> I'd like to start a discussion of KIP.
>>>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions by default.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Your comments and suggestions are welcome.
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> --
>>>>>>>> Regards,
>>>>>>>> Brajesh Kumar
>>>>>>>> 
>>>>>> 
>>>>>> 
>>> 
>>> 
> 
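
Added example, not part of the thread and not Kafka project code: changing SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS and SslConfigs.DEFAULT_SSL_PROTOCOL only affects configs that leave ssl.enabled.protocols and ssl.protocol unset, so an explicit value (including a listener.name.<listener>. override) still wins. The sketch below audits a properties file for legacy protocols under either set of defaults. The function names and the sample config are constructed, and the pre-change defaults are taken from the Kafka documentation rather than from this thread.

```python
LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
# Defaults agreed in the thread (KIP-553): only TLSv1.2.
KIP553_DEFAULTS = {"ssl.enabled.protocols": "TLSv1.2", "ssl.protocol": "TLSv1.2"}
# Defaults before that change (from the Kafka docs, not from this thread).
OLD_DEFAULTS = {"ssl.enabled.protocols": "TLSv1.2,TLSv1.1,TLSv1", "ssl.protocol": "TLS"}

SAMPLE = """\
# constructed broker config, for illustration only
listeners=INTERNAL://:9093,EXTERNAL://:9094
ssl.keystore.location=/etc/kafka/broker.jks
listener.name.external.ssl.enabled.protocols=TLSv1.2,TLSv1.1
"""

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(text, defaults):
    """Return {scope: sorted legacy protocols in effect} for the global
    scope and for every listener.name.<listener>. SSL override."""
    props = parse_properties(text)
    scopes = {""}
    for key in props:
        if key.startswith("listener.name.") and ".ssl." in key:
            scopes.add(key[: key.index(".ssl.") + 1])
    findings = {}
    for scope in sorted(scopes):
        def effective(name):
            # listener override -> global setting -> compiled-in default
            return props.get(scope + name, props.get(name, defaults[name]))
        enabled = {p.strip() for p in effective("ssl.enabled.protocols").split(",") if p.strip()}
        bad = (enabled | {effective("ssl.protocol")}) & LEGACY
        if bad:
            findings[scope or "<global>"] = sorted(bad)
    return findings

if __name__ == "__main__":
    print("with KIP-553 defaults:", audit(SAMPLE, KIP553_DEFAULTS))
    print("with older defaults:  ", audit(SAMPLE, OLD_DEFAULTS))
```

With the new defaults the global scope is clean, but the explicit listener override still enables TLSv1.1 and has to be fixed in the file itself.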
