Nikolay,

Thanks for the comments. More below:

1. I meant that `ssl.protocol` is TLSv1.2 while `ssl.enabled.protocols` is
`TLSv1.2, TLSv1.3`. How do these two configs interact?
2. My question is not about obsolete protocols, it is about people using
TLS 1.2 with specified cipher suites. How will that behave when TLS 1.3 is
enabled by default?
3. An additional question is how does this impact Java 8 users? Java 8 will
receive TLS 1.3 support later this year (
https://java.com/en/jre-jdk-cryptoroadmap.html), but it currently does not
support it. One way to handle this would be to check if the underlying JVM
supports TLS 1.3 before enabling it.

I hope this clarifies my questions.

Ismael
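The JVM-support check suggested in point 3 above, as an added example that is not code from Kafka or from anyone in this thread. It assumes the KIP's proposed default of `TLSv1.2,TLSv1.3`, queries the running JVM through the standard `SSLContext` API, and also flags the point 2 situation where `ssl.cipher.suites` lists only TLS 1.2 suites while TLS 1.3 is enabled; the `PROPOSED_DEFAULT_ENABLED` list and the hypothetical Java 8 protocol set are constructed for the demonstration.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class TlsProtocolSelection {

    // Constructed: the value the KIP proposes for ssl.enabled.protocols.
    static final List<String> PROPOSED_DEFAULT_ENABLED = Arrays.asList("TLSv1.2", "TLSv1.3");

    // Protocols the running JVM's default SSLContext can negotiate.
    static Set<String> jvmSupportedProtocols() throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        return new HashSet<>(Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
    }

    // Keep only the configured protocols the JVM supports; fail loudly if none remain
    // rather than letting every handshake fail later with an obscure error.
    static List<String> supportedSubset(List<String> configured, Set<String> jvmSupported) {
        List<String> result = new ArrayList<>();
        for (String p : configured) {
            if (jvmSupported.contains(p)) result.add(p);
        }
        if (result.isEmpty()) {
            throw new IllegalArgumentException(
                "none of " + configured + " is supported by this JVM, which offers " + jvmSupported);
        }
        return result;
    }

    // TLS 1.3 cipher suites carry no key-exchange prefix (TLS_AES_*, TLS_CHACHA20_*).
    // If TLSv1.3 is enabled but an explicit ssl.cipher.suites list holds only TLS 1.2
    // names, a TLS 1.3 handshake has no usable suite; surface that as a warning.
    static boolean cipherSuitesCoverTls13(List<String> enabled, List<String> cipherSuites) {
        if (!enabled.contains("TLSv1.3") || cipherSuites.isEmpty()) return true;
        for (String s : cipherSuites) {
            if (s.startsWith("TLS_AES_") || s.startsWith("TLS_CHACHA20_")) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Set<String> jvm = jvmSupportedProtocols();
        System.out.println("effective ssl.enabled.protocols: " + supportedSubset(PROPOSED_DEFAULT_ENABLED, jvm));
        // Constructed: a Java 8 runtime from before TLS 1.3 support was backported.
        Set<String> java8 = new HashSet<>(Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2"));
        System.out.println("on a JVM without TLS 1.3: " + supportedSubset(PROPOSED_DEFAULT_ENABLED, java8));
        List<String> tls12Only = Arrays.asList("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
        System.out.println("TLS 1.2-only suites cover TLS 1.3: " + cipherSuitesCoverTls13(PROPOSED_DEFAULT_ENABLED, tls12Only));
    }
}
```

On a JVM without TLS 1.3 the helper silently narrows the default to `[TLSv1.2]`, and the last line prints `false`, which is the case a warning at startup would catch.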

On Mon, May 18, 2020 at 6:44 AM Nikolay Izhikov <nizhi...@apache.org> wrote:

> Hello, Ismael.
>
> Here are answers to your questions:
>
> > Quick question, the following is meant to include TLSv1.3 as well, right?
> > Change the value of the SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS to
> «TLSv1.2»
>
> I propose to have the following value
> SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS = «TLSv1.2,TLSv1.3»
>
> > 1. `ssl.protocol` would remain TLSv1.2 with this change. It would be
> good to explain why that's OK.
>
> I think it is covered by the following statements in the KIP.
> If you know more trustworthy sources of this kind of information, please,
> let me know.
>
> ```
> For now, only TLS1.2 and TLS1.3 are recommended for the usage, other
> versions of TLS considered as obsolete:
>         • https://www.rfc-editor.org/info/rfc8446
>         •
> https://en.wikipedia.org/wiki/Transport_Layer_Security#History_and_development
>
> ```
>
> > 2. What is the behavior for people who have configured
> `ssl.cipher.suites`?
> > The cipher suite names are different in TLS 1.3. What would be the
> behavior
> > if the client requests TLS 1.3, but the server only has cipher suites for
> > TLS 1.2? It would be good to explain the expected behavior and add tests
> to verify it.
>
> I think those users should update
> `SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS` and enable the required (but
> obsolete) version of TLS they use.
> After that, one should migrate to the reliable TLS version.
> This is reflected in the KIP:
>
> ```
> Migration: Users who are using TLSv1.1 and TLSv1 should enable these
> versions of the protocol with the explicit configuration property
> "ssl.enabled.protocols"
> ```
>
> > On 25 Feb 2020, at 08:57, Nikolay Izhikov <nizhikov....@gmail.com>
> wrote:
> >
> > Hello.
> >
> > Any feedback on this?
> >
> > This change seems very simple, I can start a vote right now if there is
> nothing to discuss here.
> >
> >> On 21 Feb 2020, at 15:18, Nikolay Izhikov <nizhikov....@gmail.com>
> wrote:
> >>
> >> Hello,
> >>
> >> I'd like to start a discussion of KIP [1].
> >> This is a follow-up to KIP-553 [2].
> >>
> >> Its goal is to enable TLSv1.3 by default.
> >>
> >> Your comments and suggestions are welcome.
> >>
> >> [1]
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-573%3A+Enable+TLSv1.3+by+default
> >> [2]
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
> >
>
>