Hi Nikolay,

Do you have time to submit a PR for this before 2.5.0 feature freeze on Jan 29th?
On Tue, Jan 21, 2020 at 1:09 PM Ron Dagostino <rndg...@gmail.com> wrote:
> Sure, go for it.
>
> > On Jan 21, 2020, at 8:05 AM, Николай Ижиков <nizhi...@apache.org> wrote:
> >
> > Hello, Ron.
> >
> > Let’s start vote right now.
> > What do you think?
> >
> >> On 21 Jan 2020, at 15:48, Ron Dagostino <rndg...@gmail.com> wrote:
> >>
> >> LGTM. The KIP freeze for 2.5 is officially upon us tomorrow, but hopefully this is such a simple and straightforward change with obvious security benefits that it can be added anyway. I would put it up for a vote very quickly — tomorrow at the latest.
> >>
> >> Ron
> >>
> >>> On Jan 21, 2020, at 7:38 AM, Николай Ижиков <nizhi...@apache.org> wrote:
> >>>
> >>> Hello.
> >>>
> >>> KIP [1] updated.
> >>> Only TLSv1.2 will be enabled by default, as Rajini suggested.
> >>>
> >>> Any objections to it?
> >>>
> >>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
> >>>
> >>>
> >>>> On 17 Jan 2020, at 14:56, Николай Ижиков <nizhikov....@gmail.com> wrote:
> >>>>
> >>>> Thanks, Rajini.
> >>>>
> >>>> Will do it, shortly.
> >>>>
> >>>>> On 17 Jan 2020, at 14:50, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>>>>
> >>>>> Hi Nikolay,
> >>>>>
> >>>>> 1) You can update KIP-553 to disable old protocols. This would mean:
> >>>>> 1a) SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS would be just TLSv1.2
> >>>>> 1b) SslConfigs.DEFAULT_SSL_PROTOCOL would become TLSv1.2
> >>>>>
> >>>>> 2) When the testing for TLSv1.3 has been done, open a new KIP to enable TLSv1.3 by default. This would mean adding TLSv1.3 to SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS.
> >>>>>
> >>>>>
> >>>>>> On Fri, Jan 17, 2020 at 11:40 AM Николай Ижиков <nizhi...@apache.org> wrote:
> >>>>>>
> >>>>>> Hello, Rajini.
> >>>>>>
> >>>>>> Yes, we can!
> >>>>>>
> >>>>>> I have to write another KIP that goal will be keep only TLSv1.2 and TLSv1.3 in SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS
> >>>>>> Is it correct?
> >>>>>>
> >>>>>>
> >>>>>>> On 17 Jan 2020, at 14:13, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>>>>>>
> >>>>>>> Hi Nikolay,
> >>>>>>>
> >>>>>>> Can we split this KIP into two:
> >>>>>>> 1) Remove insecure TLS protocols from the default values
> >>>>>>> 2) Enable TLSv1.3
> >>>>>>>
> >>>>>>> Since we are coming up to KIP freeze for 2.5.0 release, it will be good if we can get at least the first one into 2.5.0. It would be a much smaller change and won't get blocked behind TLSv1.3 testing.
> >>>>>>>
> >>>>>>> Thank you,
> >>>>>>>
> >>>>>>> Rajini
> >>>>>>>
> >>>>>>> On Tue, Jan 7, 2020 at 11:49 AM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>>>>>>
> >>>>>>>> Hi Nikolay,
> >>>>>>>>
> >>>>>>>> There are a couple of things you could do:
> >>>>>>>>
> >>>>>>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a subset, but it will be good to run all of them. You can do this locally using docker with JDK 11 by updating the files in tests/docker. You will need to update tests/kafkatest/services/security/security_config.py to enable only TLSv1.3. Instructions for running system tests using docker are in https://github.com/apache/kafka/blob/trunk/tests/README.md.
> >>>>>>>> 2) For integration tests, we run a small number of tests using TLSv1.3 if the tests are run using JDK 11 and above. We need to do this for system tests as well. There is an open JIRA: https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to assign this to yourself if you have time to do this.
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>>
> >>>>>>>> Rajini
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <nizhi...@apache.org> wrote:
> >>>>>>>>
> >>>>>>>>> Hello, Rajini.
> >>>>>>>>>
> >>>>>>>>> Can you, please, clarify, what should be done?
> >>>>>>>>> I can try to do tests by myself.
> >>>>>>>>>
> >>>>>>>>>> On 6 Jan 2020, at 21:29, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Hi Brajesh.
> >>>>>>>>>>
> >>>>>>>>>> No one is working on this yet, but will follow up with the Confluent tools team to see when this can be done.
> >>>>>>>>>>
> >>>>>>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <kbrajesh...@gmail.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> Hello Rajini,
> >>>>>>>>>>>
> >>>>>>>>>>> What is the plan to run system tests using JDK 11? Is someone working on this?
> >>>>>>>>>>>
> >>>>>>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> Hi Nikolay,
> >>>>>>>>>>>>
> >>>>>>>>>>>> We can leave the KIP open and restart the discussion once system tests are running.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Thanks,
> >>>>>>>>>>>>
> >>>>>>>>>>>> Rajini
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <nizhi...@apache.org> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Hello, Rajini.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Thanks, for the feedback.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Should I mark this KIP as declined?
> >>>>>>>>>>>>> Or just wait for the system tests results?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> On 6 Jan 2020, at 17:26, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Hi Nikolay,
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8 and hence we don't yet have full system test results with TLS 1.3 which requires JDK 11. We should wait until that is done before enabling TLS1.3 by default.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Regards,
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Rajini
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <nizhi...@apache.org> wrote:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Hello, Team.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Any feedback on this KIP?
> >>>>>>>>>>>>>>> Do we need this in Kafka?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> On 24 Dec 2019, at 18:28, Nikolay Izhikov <nizhi...@apache.org> wrote:
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Hello,
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> I'd like to start a discussion of KIP.
> >>>>>>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions by default.
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Your comments and suggestions are welcome.
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> --
> >>>>>>>>>>> Regards,
> >>>>>>>>>>> Brajesh Kumar
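
Added example (not part of the thread and not Kafka project code): a small audit of broker properties for the default change Rajini describes in 1a), showing that explicit per-listener overrides keep old protocols enabled even after the default becomes TLSv1.2 only. It assumes the default for `ssl.enabled.protocols` before the change was `TLSv1.2,TLSv1.1,TLSv1`, which the thread does not state; the sample config and the function names are constructed for illustration.

```python
# Added example: audit Kafka properties text for weak TLS protocol settings.
WEAK = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
LEGACY_DEFAULT = "TLSv1.2,TLSv1.1,TLSv1"  # assumption: default before the change
NEW_DEFAULT = "TLSv1.2"                   # default proposed in the thread
KEY = "ssl.enabled.protocols"
PREFIX = "listener.name."                 # per-listener override prefix


def parse_properties(text):
    """Parse simple key=value lines; skips blank lines and #/! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(text, new_defaults=True):
    """Return (scope, weak_protocols) for each scope that enables a weak protocol."""
    props = parse_properties(text)
    default = NEW_DEFAULT if new_defaults else LEGACY_DEFAULT
    # Broker-wide value falls back to the default when the key is not set.
    scopes = {"broker": props.get(KEY, default)}
    for key, value in props.items():
        # listener.name.<listener>.ssl.enabled.protocols overrides one listener.
        if key.startswith(PREFIX) and key.endswith("." + KEY):
            scopes[key[len(PREFIX):-len("." + KEY)]] = value
    findings = []
    for scope, value in sorted(scopes.items()):
        enabled = [p.strip() for p in value.split(",") if p.strip()]
        weak = [p for p in enabled if p in WEAK]
        if weak:
            findings.append((scope, weak))
    return findings


# Constructed sample: no broker-wide setting, one explicit listener override.
SAMPLE = """\
listeners=INTERNAL://:9093,EXTERNAL://:9094
listener.name.external.ssl.enabled.protocols=TLSv1.2,TLSv1.1
ssl.protocol=TLSv1.2
"""

if __name__ == "__main__":
    print("old defaults:", audit(SAMPLE, new_defaults=False))
    print("new defaults:", audit(SAMPLE, new_defaults=True))
```
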