Ismael, thanks for the clarification.
I updated the KIP according to your proposal.
> On May 21, 2020, at 17:06, Ismael Juma wrote:
>
> Given what we've seen in the test, it would be good to mention that TLS 1.3
> will not work for users who have configured ciphers explicitly. If such
> user
Given what we've seen in the test, it would be good to mention that TLS 1.3
will not work for users who have configured ciphers explicitly. If such
users want to use TLS 1.3, they will have to update the list of ciphers to
include TLS 1.3 ciphers (which use a different naming convention). TLS 1.2
w
PR - https://github.com/apache/kafka/pull/8695
> On May 18, 2020, at 23:30, Nikolay Izhikov wrote:
>
> Hello, Colin
>
> We need the hack only because TLSv1.3 is not supported in Java 8.
>
>> Java 8 will receive TLS 1.3 support later this year
>> (https://java.com/en/jre-jdk-cryptoroadmap.html)
>
Hello, Colin
We need the hack only because TLSv1.3 is not supported in Java 8.
> Java 8 will receive TLS 1.3 support later this year
> (https://java.com/en/jre-jdk-cryptoroadmap.html)
We can
1. Enable TLSv1.3 for Java 11 for now, and after Java 8 gets TLSv1.3 support,
remove it.
2. Or we can wait and e
Yeah, agreed. One option is to actually only change this in Apache Kafka
3.0 and avoid the hack altogether. We could make TLS 1.3 the default and
have 1.2 as one of the enabled protocols.
Ismael
On Mon, May 18, 2020 at 12:24 PM Colin McCabe wrote:
> Hmm. It would be good to figure out if we ar
Hmm. It would be good to figure out if we are going to remove this
compatibility hack in the next major release of Kafka? In other words, in
Kafka 3.0, will we enable TLS 1.3 by default even if the cipher suite is
specified?
best,
Colin
On Mon, May 18, 2020, at 09:26, Ismael Juma wrote:
> S
Sounds good.
Ismael
On Mon, May 18, 2020, 9:03 AM Nikolay Izhikov wrote:
> > A safer approach may be to only add TLS 1.3 to the list if the cipher
> suite config has not been specified.
> > So, if TLS 1.3 is added to the list by Kafka, it would seem that it
> would not work if the user specifi
It's not ok for things to break for Java 8 users when they upgrade (even if
they can fix it by changing a config). So, I think we need to change the
KIP to offer more dynamic behavior: only enable TLS 1.3 if it's safe.
Ismael
On Mon, May 18, 2020, 8:59 AM Nikolay Izhikov wrote:
> > 1. I meant t
> A safer approach may be to only add TLS 1.3 to the list if the cipher suite
> config has not been specified.
> So, if TLS 1.3 is added to the list by Kafka, it would seem that it would not
> work if the user specified a list of cipher suites for previous TLS versions
Let’s just add test for th
> 1. I meant that `ssl.protocol` is TLSv1.2 while `ssl.enabled.protocols` is
> `TLSv1.2, TLSv1.3`. How do these two configs interact
`ssl.protocol` is what will be used by default; in this KIP it stays unchanged
(TLSv1.2). Please see [1]
`ssl.enabled.protocols` is list of protocols that *can*
To be more concrete, here are the ciphers supported by TLS 1.3:
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
Compare with TLS 1.2:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY
Nikolay,
Thanks for the comments. More below:
1. I meant that `ssl.protocol` is TLSv1.2 while `ssl.enabled.protocols` is
`TLSv1.2, TLSv1.3`. How do these two configs interact?
2. My question is not about obsolete protocols, it is about people using
TLS 1.2 with specified cipher suites. How will t
Hello, Ismael.
Here are the answers to your questions:
> Quick question, the following is meant to include TLSv1.3 as well, right?
> Change the value of the SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS to «TLSv1.2»
I propose to have the following value SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS
= «TLSv1.
Hello.
Any feedback on this?
This change seems very simple; I can start a vote right now if there is nothing
to discuss here.
> On Feb 21, 2020, at 15:18, Nikolay Izhikov wrote:
>
> Hello,
>
> I'd like to start a discussion of KIP [1]
> This is a follow-up to KIP-553 [2]
>
> Its goal is to
Hello,
I'd like to start a discussion of KIP [1]
This is a follow-up to KIP-553 [2]
Its goal is to enable TLSv1.3 by default.
Your comments and suggestions are welcome.
[1]
https://cwiki.apache.org/confluence/display/KAFKA/KIP-573%3A+Enable+TLSv1.3+by+default
[2] https://cwiki.apache.org/c