LGTM. The KIP freeze for 2.5 is officially upon us tomorrow, but hopefully this is such a simple and straightforward change with obvious security benefits that it can be added anyway. I would put it up for a vote very quickly — tomorrow at the latest.
Ron

> On Jan 21, 2020, at 7:38 AM, Николай Ижиков <nizhi...@apache.org> wrote:
>
> Hello.
>
> KIP [1] updated.
> Only TLSv1.2 will be enabled by default, as Rajini suggested.
>
> Any objections to it?
>
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>
>
>> On Jan 17, 2020, at 14:56, Николай Ижиков <nizhikov....@gmail.com> wrote:
>>
>> Thanks, Rajini.
>>
>> Will do it, shortly.
>>
>>> On Jan 17, 2020, at 14:50, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>
>>> Hi Nikolay,
>>>
>>> 1) You can update KIP-553 to disable old protocols. This would mean:
>>> 1a) SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS would be just TLSv1.2
>>> 1b) SslConfigs.DEFAULT_SSL_PROTOCOL would become TLSv1.2
>>>
>>> 2) When the testing for TLSv1.3 has been done, open a new KIP to enable
>>> TLSv1.3 by default. This would mean adding TLSv1.3 to
>>> SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS.
>>>
>>>
>>>> On Fri, Jan 17, 2020 at 11:40 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>
>>>> Hello, Rajini.
>>>>
>>>> Yes, we can!
>>>>
>>>> I have to write another KIP whose goal will be to keep only TLSv1.2 and
>>>> TLSv1.3 in SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS.
>>>> Is it correct?
>>>>
>>>>
>>>>> On Jan 17, 2020, at 14:13, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>
>>>>> Hi Nikolay,
>>>>>
>>>>> Can we split this KIP into two:
>>>>> 1) Remove insecure TLS protocols from the default values
>>>>> 2) Enable TLSv1.3
>>>>>
>>>>> Since we are coming up to KIP freeze for the 2.5.0 release, it will be good if
>>>>> we can get at least the first one into 2.5.0. It would be a much smaller
>>>>> change and won't get blocked behind TLSv1.3 testing.
>>>>>
>>>>> Thank you,
>>>>>
>>>>> Rajini
>>>>>
>>>>> On Tue, Jan 7, 2020 at 11:49 AM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>
>>>>>> Hi Nikolay,
>>>>>>
>>>>>> There are a couple of things you could do:
>>>>>>
>>>>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a subset, but
>>>>>> it will be good to run all of them. You can do this locally using docker
>>>>>> with JDK 11 by updating the files in tests/docker. You will need to update
>>>>>> tests/kafkatest/services/security/security_config.py to enable only
>>>>>> TLSv1.3. Instructions for running system tests using docker are in
>>>>>> https://github.com/apache/kafka/blob/trunk/tests/README.md.
>>>>>> 2) For integration tests, we run a small number of tests using TLSv1.3 if
>>>>>> the tests are run using JDK 11 and above. We need to do this for system
>>>>>> tests as well. There is an open JIRA:
>>>>>> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to assign
>>>>>> this to yourself if you have time to do this.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Rajini
>>>>>>
>>>>>>
>>>>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>
>>>>>>> Hello, Rajini.
>>>>>>>
>>>>>>> Can you, please, clarify what should be done?
>>>>>>> I can try to do the tests myself.
>>>>>>>
>>>>>>>> On Jan 6, 2020, at 21:29, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hi Brajesh.
>>>>>>>>
>>>>>>>> No one is working on this yet, but will follow up with the Confluent tools
>>>>>>>> team to see when this can be done.
>>>>>>>>
>>>>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <kbrajesh...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hello Rajini,
>>>>>>>>>
>>>>>>>>> What is the plan to run system tests using JDK 11? Is someone working on
>>>>>>>>> this?
>>>>>>>>>
>>>>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>
>>>>>>>>>> We can leave the KIP open and restart the discussion once system tests
>>>>>>>>>> are running.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Rajini
>>>>>>>>>>
>>>>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello, Rajini.
>>>>>>>>>>>
>>>>>>>>>>> Thanks for the feedback.
>>>>>>>>>>>
>>>>>>>>>>> Should I mark this KIP as declined?
>>>>>>>>>>> Or just wait for the system test results?
>>>>>>>>>>>
>>>>>>>>>>>> On Jan 6, 2020, at 17:26, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8 and hence we
>>>>>>>>>>>> don't yet have full system test results with TLS 1.3, which requires JDK 11.
>>>>>>>>>>>> We should wait until that is done before enabling TLS1.3 by default.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>>
>>>>>>>>>>>> Rajini
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hello, Team.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Any feedback on this KIP?
>>>>>>>>>>>>> Do we need this in Kafka?
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Dec 24, 2019, at 18:28, Nikolay Izhikov <nizhi...@apache.org> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'd like to start a discussion of a KIP.
>>>>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions by default.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Your comments and suggestions are welcome.
>>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Regards,
>>>>>>>>> Brajesh Kumar
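Rajini's split (1a/1b above) changes only which TLS versions Kafka enables when `ssl.enabled.protocols` is not set explicitly. The checker below is an added example, not code from the thread or from Kafka: it reads a broker properties file, resolves the effective protocol list for the pre-KIP-553 and post-KIP-553 defaults, and reports any obsolete version still enabled. The pre-2.5 default values are an assumption taken from Kafka's documentation of that time, not stated in the thread.

```python
"""Lint a Kafka broker properties file for obsolete TLS versions (KIP-553)."""
from typing import Dict, List

# Kafka defaults for the two keys discussed in the thread.
# "pre"  = before KIP-553 (Kafka < 2.5), assumed from Kafka docs of the time.
# "post" = after KIP-553 (Kafka 2.5+), as Rajini describes in 1a/1b.
DEFAULTS = {
    "pre": {"ssl.protocol": "TLS", "ssl.enabled.protocols": "TLSv1.2,TLSv1.1,TLSv1"},
    "post": {"ssl.protocol": "TLSv1.2", "ssl.enabled.protocols": "TLSv1.2"},
}

# Versions a defender should not find enabled on a broker.
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key: value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:  # fall back to the ':' separator .properties also allows
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def effective_protocols(props: Dict[str, str], defaults: str = "post") -> List[str]:
    """Protocols the broker would enable: the explicit setting, else the version default."""
    value = props.get("ssl.enabled.protocols", DEFAULTS[defaults]["ssl.enabled.protocols"])
    return [p.strip() for p in value.split(",") if p.strip()]


def obsolete_protocols(props: Dict[str, str], defaults: str = "post") -> List[str]:
    """Enabled versions that are obsolete; an empty list means the config is clean."""
    return [p for p in effective_protocols(props, defaults) if p in OBSOLETE]


# Constructed sample: an SSL listener that never set ssl.enabled.protocols,
# so its effective value is whatever the running Kafka version's default supplies.
SAMPLE_CONFIG = """
# constructed broker config, not a real deployment
listeners=SSL://:9093
ssl.keystore.location=/var/private/ssl/server.keystore.jks
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_CONFIG)
    for version in ("pre", "post"):
        print(version, effective_protocols(props, version), "obsolete:", obsolete_protocols(props, version))
```

The same file is clean under the 2.5 default and enables TLSv1.1 and TLSv1 under the older one, which is exactly the gap KIP-553 closes without any operator action.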