Sounds good, that's the one I meant to use. :)

Ismael

On Mon, May 18, 2020, 6:34 AM Nikolay Izhikov <nizhi...@apache.org> wrote:

> Hello, Ismael.
>
> I think we should move ongoing discussion into KIP-573 discussion [1]
>
> I will respond here and in KIP-573 discussion thread, because this KIP is already adopted by [2]
>
> [1] https://cwiki.apache.org/confluence/display/KAFKA/KIP-573%3A+Enable+TLSv1.3+by+default
> [2] https://github.com/apache/kafka/commit/172409c44b8551e2315bd93044a8a95ccda4699f
>
> > On May 18, 2020, at 01:34, Ismael Juma <ism...@juma.me.uk> wrote:
> >
> > Hi Nikolay,
> >
> > Quick question, the following is meant to include TLSv1.3 as well, right?
> >
> >> Change the value of the SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS to "TLSv1.2"
> >
> > In addition, two more questions:
> >
> > 1. `ssl.protocol` would remain TLSv1.2 with this change. It would be good to explain why that's OK.
> > 2. What is the behavior for people who have configured `ssl.cipher.suites`? The cipher suite names are different in TLS 1.3. What would be the behavior if the client requests TLS 1.3, but the server only has cipher suites for TLS 1.2? It would be good to explain the expected behavior and add tests to verify it.
> >
> > Ismael
> >
> > On Thu, Apr 30, 2020 at 9:47 AM Nikolay Izhikov <nizhi...@apache.org> wrote:
> >
> >> Ticket created:
> >>
> >> https://issues.apache.org/jira/browse/KAFKA-9943
> >>
> >> I will prepare the PR shortly.
> >>
> >>> On Apr 27, 2020, at 17:55, Ismael Juma <ism...@juma.me.uk> wrote:
> >>>
> >>> Yes, a PR would be great.
> >>>
> >>> Ismael
> >>>
> >>> On Mon, Apr 27, 2020, 2:10 AM Nikolay Izhikov <nizhi...@apache.org> wrote:
> >>>
> >>>> Hello, Ismael.
> >>>>
> >>>> AFAIK we don’t run tests with TLSv1.3 by default.
> >>>> Are you suggesting to do it?
> >>>> I can create a PR for it.
> >>>>
> >>>>> On Apr 24, 2020, at 17:34, Ismael Juma <ism...@juma.me.uk> wrote:
> >>>>>
> >>>>> Right, some companies run them nightly.
> >>>>> What I meant to ask is if we changed the configuration so that TLS 1.3 is exercised in the system tests by default.
> >>>>>
> >>>>> Ismael
> >>>>>
> >>>>> On Fri, Apr 24, 2020 at 7:32 AM Nikolay Izhikov <nizhi...@apache.org> wrote:
> >>>>>
> >>>>>> Hello, Ismael.
> >>>>>>
> >>>>>> AFAIK we don’t run system tests nightly.
> >>>>>> Do we have resources to run system tests periodically?
> >>>>>>
> >>>>>> When I did the testing I used servers my employer gave me.
> >>>>>>
> >>>>>>> On Apr 24, 2020, at 08:05, Ismael Juma <ism...@juma.me.uk> wrote:
> >>>>>>>
> >>>>>>> Hi Nikolay,
> >>>>>>>
> >>>>>>> Seems like we have been able to run the system tests with TLS 1.3. Do we run them nightly?
> >>>>>>>
> >>>>>>> Ismael
> >>>>>>>
> >>>>>>> On Fri, Feb 14, 2020 at 4:17 AM Nikolay Izhikov <nizhi...@apache.org> wrote:
> >>>>>>>
> >>>>>>>> Hello, Kafka team.
> >>>>>>>>
> >>>>>>>> I ran system tests that use SSL for TLSv1.3.
> >>>>>>>> You can find the results of the tests in the Jira ticket [1], [2], [3], [4].
> >>>>>>>>
> >>>>>>>> I also need changes [5] in `security_config.py` to execute system tests with TLSv1.3 (more info in PR description).
> >>>>>>>> Please take a look.
> >>>>>>>>
> >>>>>>>> Test environment:
> >>>>>>>> • openjdk11
> >>>>>>>> • trunk + changes from my PR [5].
> >>>>>>>>
> >>>>>>>> Full system test results have a volume of 15 GB.
> >>>>>>>> Should I share full logs with you?
> >>>>>>>>
> >>>>>>>> What else should be done before we can enable TLSv1.3 by default?
> >>>>>>>>
> >>>>>>>> [1] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036927&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036927
> >>>>>>>> [2] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036928&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036928
> >>>>>>>> [3] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036929&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036929
> >>>>>>>> [4] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036930&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036930
> >>>>>>>> [5] https://github.com/apache/kafka/pull/8106/files#diff-6dd015b94706f6920d9de524c355ddd8R51
> >>>>>>>>
> >>>>>>>>> On Jan 29, 2020, at 15:27, Nikolay Izhikov <nizhikov....@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>> Hello, Rajini.
> >>>>>>>>>
> >>>>>>>>> Thanks for the feedback.
> >>>>>>>>>
> >>>>>>>>> I’ve searched tests by the «ssl» keyword and found the following tests:
> >>>>>>>>>
> >>>>>>>>> ./test/kafkatest/services/kafka_log4j_appender.py
> >>>>>>>>> ./test/kafkatest/services/listener_security_config.py
> >>>>>>>>> ./test/kafkatest/services/security/security_config.py
> >>>>>>>>> ./test/kafkatest/tests/core/security_test.py
> >>>>>>>>>
> >>>>>>>>> Are these all the tests that need to be run with TLSv1.3 to ensure we can enable it by default?
> >>>>>>>>>
> >>>>>>>>>> On Jan 28, 2020, at 14:58, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Hi Nikolay,
> >>>>>>>>>>
> >>>>>>>>>> Not sure of the total space required.
> >>>>>>>>>> But you can run a collection of tests at a time instead of running them all together. That way, you could just run all the tests that enable SSL. Details of running a subset of tests are in the README in tests.
> >>>>>>>>>>
> >>>>>>>>>> On Mon, Jan 27, 2020 at 6:29 PM Nikolay Izhikov <nizhi...@apache.org> wrote:
> >>>>>>>>>> Hello, Rajini.
> >>>>>>>>>>
> >>>>>>>>>> I tried to run all system tests but failed for now.
> >>>>>>>>>> It happens that system tests generate a lot of logs.
> >>>>>>>>>> I had 250 GB of free space but it was all occupied by the log from half of the system tests.
> >>>>>>>>>>
> >>>>>>>>>> Do you have any idea what total disk space I need to run all system tests?
> >>>>>>>>>>
> >>>>>>>>>>> On Jan 7, 2020, at 14:49, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> Hi Nikolay,
> >>>>>>>>>>>
> >>>>>>>>>>> There are a couple of things you could do:
> >>>>>>>>>>>
> >>>>>>>>>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a subset, but it will be good to run all of them. You can do this locally using docker with JDK 11 by updating the files in tests/docker. You will need to update tests/kafkatest/services/security/security_config.py to enable only TLSv1.3. Instructions for running system tests using docker are in https://github.com/apache/kafka/blob/trunk/tests/README.md.
> >>>>>>>>>>> 2) For integration tests, we run a small number of tests using TLSv1.3 if the tests are run using JDK 11 and above. We need to do this for system tests as well. There is an open JIRA: https://issues.apache.org/jira/browse/KAFKA-9319.
> >>>>>>>>>>> Feel free to assign this to yourself if you have time to do this.
> >>>>>>>>>>>
> >>>>>>>>>>> Regards,
> >>>>>>>>>>>
> >>>>>>>>>>> Rajini
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <nizhi...@apache.org> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> Hello, Rajini.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Can you please clarify what should be done?
> >>>>>>>>>>>> I can try to do tests by myself.
> >>>>>>>>>>>>
> >>>>>>>>>>>>> On Jan 6, 2020, at 21:29, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Hi Brajesh.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> No one is working on this yet, but will follow up with the Confluent tools team to see when this can be done.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <kbrajesh...@gmail.com> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> Hello Rajini,
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> What is the plan to run system tests using JDK 11? Is someone working on this?
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Hi Nikolay,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> We can leave the KIP open and restart the discussion once system tests are running.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Thanks,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Rajini
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <nizhi...@apache.org> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Hello, Rajini.
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Thanks for the feedback.
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Should I mark this KIP as declined?
> >>>>>>>>>>>>>>>> Or just wait for the system tests results?
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> On Jan 6, 2020, at 17:26, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Hi Nikolay,
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8 and hence we don't yet have full system test results with TLS 1.3 which requires JDK 11. We should wait until that is done before enabling TLS 1.3 by default.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Regards,
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Rajini
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <nizhi...@apache.org> wrote:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> Hello, Team.
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> Any feedback on this KIP?
> >>>>>>>>>>>>>>>>>> Do we need this in Kafka?
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> On Dec 24, 2019, at 18:28, Nikolay Izhikov <nizhi...@apache.org> wrote:
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> Hello,
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> I'd like to start a discussion of the KIP.
> >>>>>>>>>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions by default.
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> Your comments and suggestions are welcome.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> --
> >>>>>>>>>>>>>> Regards,
> >>>>>>>>>>>>>> Brajesh Kumar