Subject: Re: [DISCUSS] KIP-553: Enable TLSv1.3 by default and disable all protocols except [TLSV1.2, TLSV1.3]


Hi Nikolay,

Quick question, the following is meant to include TLSv1.3 as well, right?

> Change the value of the SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS to "TLSv1.2"

In addition, two more questions:

1. `ssl.protocol` would remain TLSv1.2 with this change. It would be good
to explain why that's OK.
2. What is the behavior for people who have configured `ssl.cipher.suites`?
The cipher suite names are different in TLS 1.3. What would be the behavior
if the client requests TLS 1.3, but the server only has cipher suites for
TLS 1.2? It would be good to explain the expected behavior and add tests to
verify it.

Ismael
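A small configuration check for the cipher-suite question in point 2 (an added example, not code from the KIP or from Kafka). It applies the JSSE rule that a protocol is only negotiable when at least one enabled cipher suite supports it; the property names are Kafka's, while the heuristic that TLS 1.3 suites carry no `_WITH_` in their JSSE names and the sample values are assumptions made here.

```python
"""Added example (not Kafka code): report which ssl.enabled.protocols stay
negotiable for a given ssl.cipher.suites list. JSSE only activates a protocol
when at least one enabled suite supports it, so enabling TLSv1.3 while
configuring only TLS 1.2 suites silently leaves TLSv1.2 as the only option."""


def supports_tls13(suite: str) -> bool:
    """TLS 1.3 suites (RFC 8446) name only AEAD and hash, so JSSE spells them
    without the "_WITH_" that every TLS 1.2-and-earlier suite carries."""
    return suite.startswith("TLS_") and "_WITH_" not in suite


def usable_protocols(enabled_protocols, cipher_suites):
    """Subset of enabled_protocols that has at least one configured suite.
    An empty suite list means 'JSSE defaults', which cover every protocol."""
    if not cipher_suites:
        return list(enabled_protocols)
    usable = []
    for proto in enabled_protocols:
        if proto == "TLSv1.3":
            ok = any(supports_tls13(s) for s in cipher_suites)
        else:
            ok = any(not supports_tls13(s) for s in cipher_suites)
        if ok:
            usable.append(proto)
    return usable


def check_config(props):
    """props mimics a Kafka properties map; returns (usable, dropped)."""
    protocols = [p.strip() for p in props.get("ssl.enabled.protocols", "").split(",") if p.strip()]
    suites = [s.strip() for s in props.get("ssl.cipher.suites", "").split(",") if s.strip()]
    usable = usable_protocols(protocols, suites)
    dropped = [p for p in protocols if p not in usable]
    return usable, dropped


# Constructed sample: the KIP-553 default protocol list combined with a
# TLS 1.2-only suite list, the case raised in the thread. TLSv1.3 is enabled
# but has no usable suite, so a TLS 1.3-capable peer ends up on TLSv1.2.
SAMPLE = {
    "ssl.enabled.protocols": "TLSv1.2,TLSv1.3",
    "ssl.cipher.suites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

if __name__ == "__main__":
    usable, dropped = check_config(SAMPLE)
    print("usable:", usable, "dropped:", dropped)
```

An empty `dropped` list is the configuration the KIP assumes; anything in it is a protocol that is enabled on paper but can never be negotiated.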

On Thu, Apr 30, 2020 at 9:47 AM Nikolay Izhikov <[EMAIL PROTECTED]> wrote:

> Ticket created:
>
> https://issues.apache.org/jira/browse/KAFKA-9943
>
> I will prepare the PR, shortly.
>
> > On Apr 27, 2020, at 17:55, Ismael Juma <[EMAIL PROTECTED]> wrote:
> >
> > Yes, a PR would be great.
> >
> > Ismael
> >
> > On Mon, Apr 27, 2020, 2:10 AM Nikolay Izhikov <[EMAIL PROTECTED]> wrote:
> >
> >> Hello, Ismael.
> >>
> >> AFAIK we don’t run tests with TLSv1.3 by default.
> >> Are you suggesting we do it?
> >> I can create a PR for it.
> >>
> >>> On Apr 24, 2020, at 17:34, Ismael Juma <[EMAIL PROTECTED]> wrote:
> >>>
> >>> Right, some companies run them nightly. What I meant to ask is if we
> >>> changed the configuration so that TLS 1.3 is exercised in the system
> >>> tests by default.
> >>>
> >>> Ismael
> >>>
> >>> On Fri, Apr 24, 2020 at 7:32 AM Nikolay Izhikov <[EMAIL PROTECTED]> wrote:
> >>>
> >>>> Hello, Ismael.
> >>>>
> >>>> AFAIK we don’t run system tests nightly.
> >>>> Do we have resources to run system tests periodically?
> >>>>
> >>>> When I did the testing I used servers my employer gave me.
> >>>>
> >>>>> On Apr 24, 2020, at 08:05, Ismael Juma <[EMAIL PROTECTED]> wrote:
> >>>>>
> >>>>> Hi Nikolay,
> >>>>>
> >>>>> Seems like we have been able to run the system tests with TLS 1.3. Do
> >>>>> we run them nightly?
> >>>>>
> >>>>> Ismael
> >>>>>
> >>>>> On Fri, Feb 14, 2020 at 4:17 AM Nikolay Izhikov <[EMAIL PROTECTED]> wrote:
> >>>>>
> >>>>>> Hello, Kafka team.
> >>>>>>
> >>>>>> I ran the system tests that use SSL with TLSv1.3.
> >>>>>> You can find the results of the tests in the Jira ticket [1], [2],
> >>>>>> [3], [4].
> >>>>>>
> >>>>>> I also need the changes [5] in `security_config.py` to execute the
> >>>>>> system tests with TLSv1.3 (more info in the PR description).
> >>>>>> Please take a look.
> >>>>>>
> >>>>>> Test environment:
> >>>>>>      • openjdk11
> >>>>>>      • trunk + changes from my PR [5].
> >>>>>>
> >>>>>> The full system test results are 15 GB.
> >>>>>> Should I share the full logs with you?
> >>>>>>
> >>>>>> What else should be done before we can enable TLSv1.3 by default?
> >>>>>>
> >>>>>> [1]
> >>>>>> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036927&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036927
> >>>>>>
> >>>>>> [2]
> >>>>>> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036928&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036928
> >>>>>>
> >>>>>> [3]
> >>>>>> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036929&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036929
> >>>>>>
> >>>>>> [4]
> >>>>>> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036930&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036930
> >>>>>>
> >>>>>> [5]
> >>>>>> https://github.com/apache/kafka/pull/8106/files#diff-6dd015b94706f6920d9de524c355ddd8R51
> >>>>>>
> >>>>>>> On Jan 29, 2020, at 15:27, Nikolay Izhikov <[EMAIL PROTECTED]> wrote:
> >>>>>>>
> >>>>>>> Hello, Rajini.
> >>>>>>>
> >>>>>>> Thanks for the feedback.
> >>>>>>>
> >>>>>>> I’ve searched tests by the «ssl» keyword and found the following