Yes, I will do it in the next few hours.
> On Jan 22, 2020, at 14:24, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>
> Hi Nikolay,
>
> Do you have time to submit a PR for this before 2.5.0 feature freeze on Jan
> 29th?
>
> On Tue, Jan 21, 2020 at 1:09 PM Ron Dagostino <rndg...@gmail.com> wrote:
>
>> Sure, go for it.
>>
>>> On Jan 21, 2020, at 8:05 AM, Николай Ижиков <nizhi...@apache.org> wrote:
>>>
>>> Hello, Ron.
>>>
>>> Let’s start the vote right now.
>>> What do you think?
>>>
>>>> On Jan 21, 2020, at 15:48, Ron Dagostino <rndg...@gmail.com> wrote:
>>>>
>>>> LGTM. The KIP freeze for 2.5 is officially upon us tomorrow, but
>>>> hopefully this is such a simple and straightforward change with obvious
>>>> security benefits that it can be added anyway. I would put it up for a
>>>> vote very quickly — tomorrow at the latest.
>>>>
>>>> Ron
>>>>
>>>>> On Jan 21, 2020, at 7:38 AM, Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>
>>>>> Hello.
>>>>>
>>>>> KIP [1] updated.
>>>>> Only TLSv1.2 will be enabled by default, as Rajini suggested.
>>>>>
>>>>> Any objections to it?
>>>>>
>>>>>
>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>>>>>
>>>>>
>>>>>> On Jan 17, 2020, at 14:56, Николай Ижиков <nizhikov....@gmail.com> wrote:
>>>>>>
>>>>>> Thanks, Rajini.
>>>>>>
>>>>>> Will do it shortly.
>>>>>>
>>>>>>> On Jan 17, 2020, at 14:50, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>
>>>>>>> Hi Nikolay,
>>>>>>>
>>>>>>> 1) You can update KIP-553 to disable old protocols. This would mean:
>>>>>>> 1a) SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS would be just TLSv1.2
>>>>>>> 1b) SslConfigs.DEFAULT_SSL_PROTOCOL would become TLSv1.2
>>>>>>>
>>>>>>> 2) When the testing for TLSv1.3 has been done, open a new KIP to enable
>>>>>>> TLSv1.3 by default. This would mean adding TLSv1.3 to
>>>>>>> SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS.
>>>>>>>
>>>>>>>
>>>>>>>> On Fri, Jan 17, 2020 at 11:40 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>
>>>>>>>> Hello, Rajini.
>>>>>>>>
>>>>>>>> Yes, we can!
>>>>>>>>
>>>>>>>> I have to write another KIP whose goal will be to keep only TLSv1.2 and
>>>>>>>> TLSv1.3 in SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS
>>>>>>>> Is it correct?
>>>>>>>>
>>>>>>>>
>>>>>>>>> On Jan 17, 2020, at 14:13, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi Nikolay,
>>>>>>>>>
>>>>>>>>> Can we split this KIP into two:
>>>>>>>>> 1) Remove insecure TLS protocols from the default values
>>>>>>>>> 2) Enable TLSv1.3
>>>>>>>>>
>>>>>>>>> Since we are coming up to KIP freeze for 2.5.0 release, it will be good
>>>>>>>>> if we can get at least the first one into 2.5.0. It would be a much
>>>>>>>>> smaller change and won't get blocked behind TLSv1.3 testing.
>>>>>>>>>
>>>>>>>>> Thank you,
>>>>>>>>>
>>>>>>>>> Rajini
>>>>>>>>>
>>>>>>>>> On Tue, Jan 7, 2020 at 11:49 AM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>
>>>>>>>>>> There are a couple of things you could do:
>>>>>>>>>>
>>>>>>>>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a subset,
>>>>>>>>>> but it will be good to run all of them. You can do this locally using
>>>>>>>>>> docker with JDK 11 by updating the files in tests/docker. You will need
>>>>>>>>>> to update tests/kafkatest/services/security/security_config.py to
>>>>>>>>>> enable only TLSv1.3. Instructions for running system tests using docker
>>>>>>>>>> are in https://github.com/apache/kafka/blob/trunk/tests/README.md.
>>>>>>>>>> 2) For integration tests, we run a small number of tests using TLSv1.3
>>>>>>>>>> if the tests are run using JDK 11 and above. We need to do this for
>>>>>>>>>> system tests as well. There is an open JIRA:
>>>>>>>>>> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to assign
>>>>>>>>>> this to yourself if you have time to do this.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>>
>>>>>>>>>> Rajini
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello, Rajini.
>>>>>>>>>>>
>>>>>>>>>>> Can you please clarify what should be done?
>>>>>>>>>>> I can try to do tests by myself.
>>>>>>>>>>>
>>>>>>>>>>>> On Jan 6, 2020, at 21:29, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi Brajesh.
>>>>>>>>>>>>
>>>>>>>>>>>> No one is working on this yet, but will follow up with the Confluent
>>>>>>>>>>>> tools team to see when this can be done.
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <kbrajesh...@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hello Rajini,
>>>>>>>>>>>>>
>>>>>>>>>>>>> What is the plan to run system tests using JDK 11? Is someone working
>>>>>>>>>>>>> on this?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> We can leave the KIP open and restart the discussion once system
>>>>>>>>>>>>>> tests are running.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rajini
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hello, Rajini.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks for the feedback.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Should I mark this KIP as declined?
>>>>>>>>>>>>>>> Or just wait for the system tests results?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Jan 6, 2020, at 17:26, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8 and
>>>>>>>>>>>>>>>> hence we don't yet have full system test results with TLS 1.3 which
>>>>>>>>>>>>>>>> requires JDK 11. We should wait until that is done before enabling
>>>>>>>>>>>>>>>> TLS1.3 by default.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Rajini
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hello, Team.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Any feedback on this KIP?
>>>>>>>>>>>>>>>>> Do we need this in Kafka?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Dec 24, 2019, at 18:28, Nikolay Izhikov <nizhi...@apache.org> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I'd like to start a discussion of KIP.
>>>>>>>>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions by default.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Your comments and suggestions are welcome.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>> Brajesh Kumar
>>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>
>>>
>>
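
Added example, not part of the thread or of Kafka's code: a small Python audit showing what items 1a and 1b of Rajini's proposal change for a config that leaves the TLS settings implicit, and that a config pinning older protocols explicitly is not affected by new defaults. The pre-change default values (`TLSv1.2,TLSv1.1,TLSv1` and `TLS`), the function names and the sample configs are assumptions constructed for this illustration.

```python
LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Defaults before the change (assumed here for Kafka 2.4 and earlier).
PRE_KIP553 = {"ssl.enabled.protocols": "TLSv1.2,TLSv1.1,TLSv1", "ssl.protocol": "TLS"}
# Defaults proposed in the thread (items 1a and 1b).
POST_KIP553 = {"ssl.enabled.protocols": "TLSv1.2", "ssl.protocol": "TLSv1.2"}


def parse_properties(text):
    """Parse the key=value subset of Java .properties (no line continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def effective_tls(props, defaults):
    """Return (enabled protocol list, ssl.protocol) after applying defaults."""
    enabled = props.get("ssl.enabled.protocols", defaults["ssl.enabled.protocols"])
    protocol = props.get("ssl.protocol", defaults["ssl.protocol"])
    return [p.strip() for p in enabled.split(",") if p.strip()], protocol


def audit(text, defaults):
    """List legacy-protocol findings for a config under one set of defaults."""
    enabled, protocol = effective_tls(parse_properties(text), defaults)
    findings = [f"ssl.enabled.protocols allows {p}" for p in enabled if p in LEGACY]
    if protocol in LEGACY:
        findings.append(f"ssl.protocol is {protocol}")
    return findings


# Constructed sample configs, not taken from the thread.
IMPLICIT = "security.protocol=SSL\nssl.truststore.location=/etc/kafka/truststore.jks\n"
PINNED_OLD = "# constructed\nsecurity.protocol=SSL\nssl.enabled.protocols = TLSv1.2,TLSv1.1\n"

if __name__ == "__main__":
    for name, cfg in (("implicit", IMPLICIT), ("pinned", PINNED_OLD)):
        for label, defaults in (("pre", PRE_KIP553), ("post", POST_KIP553)):
            print(name, label, audit(cfg, defaults))
```

Configs that set `ssl.enabled.protocols` explicitly need their own review, since a change of defaults only affects settings that were left unset.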