Hello, Rajini.

PR - https://github.com/apache/kafka/pull/7998
Please, review.

> On Jan 22, 2020, at 14:28, Николай Ижиков <nizhikov....@gmail.com> wrote:
>
> Yes, I will do it in the next few hours.
>
>> On Jan 22, 2020, at 14:24, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>
>> Hi Nikolay,
>>
>> Do you have time to submit a PR for this before 2.5.0 feature freeze on Jan 29th?
>>
>> On Tue, Jan 21, 2020 at 1:09 PM Ron Dagostino <rndg...@gmail.com> wrote:
>>
>>> Sure, go for it.
>>>
>>>> On Jan 21, 2020, at 8:05 AM, Николай Ижиков <nizhi...@apache.org> wrote:
>>>>
>>>> Hello, Ron.
>>>>
>>>> Let’s start the vote right now.
>>>> What do you think?
>>>>
>>>>> On Jan 21, 2020, at 15:48, Ron Dagostino <rndg...@gmail.com> wrote:
>>>>>
>>>>> LGTM. The KIP freeze for 2.5 is officially upon us tomorrow, but hopefully this is such a simple and straightforward change with obvious security benefits that it can be added anyway. I would put it up for a vote very quickly — tomorrow at the latest.
>>>>>
>>>>> Ron
>>>>>
>>>>>> On Jan 21, 2020, at 7:38 AM, Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>
>>>>>> Hello.
>>>>>>
>>>>>> KIP [1] updated.
>>>>>> Only TLSv1.2 will be enabled by default, as Rajini suggested.
>>>>>>
>>>>>> Any objections to it?
>>>>>>
>>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>>>>>>
>>>>>>> On Jan 17, 2020, at 14:56, Николай Ижиков <nizhikov....@gmail.com> wrote:
>>>>>>>
>>>>>>> Thanks, Rajini.
>>>>>>>
>>>>>>> Will do it, shortly.
>>>>>>>
>>>>>>>> On Jan 17, 2020, at 14:50, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hi Nikolay,
>>>>>>>>
>>>>>>>> 1) You can update KIP-553 to disable old protocols. This would mean:
>>>>>>>> 1a) SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS would be just TLSv1.2
>>>>>>>> 1b) SslConfigs.DEFAULT_SSL_PROTOCOL would become TLSv1.2
>>>>>>>>
>>>>>>>> 2) When the testing for TLSv1.3 has been done, open a new KIP to enable TLSv1.3 by default. This would mean adding TLSv1.3 to SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS.
>>>>>>>>
>>>>>>>>> On Fri, Jan 17, 2020 at 11:40 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>
>>>>>>>>> Hello, Rajini.
>>>>>>>>>
>>>>>>>>> Yes, we can!
>>>>>>>>>
>>>>>>>>> I have to write another KIP whose goal will be to keep only TLSv1.2 and TLSv1.3 in SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS.
>>>>>>>>> Is it correct?
>>>>>>>>>
>>>>>>>>>> On Jan 17, 2020, at 14:13, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>
>>>>>>>>>> Can we split this KIP into two:
>>>>>>>>>> 1) Remove insecure TLS protocols from the default values
>>>>>>>>>> 2) Enable TLSv1.3
>>>>>>>>>>
>>>>>>>>>> Since we are coming up to KIP freeze for 2.5.0 release, it will be good if we can get at least the first one into 2.5.0. It would be a much smaller change and won't get blocked behind TLSv1.3 testing.
>>>>>>>>>>
>>>>>>>>>> Thank you,
>>>>>>>>>>
>>>>>>>>>> Rajini
>>>>>>>>>>
>>>>>>>>>> On Tue, Jan 7, 2020 at 11:49 AM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>
>>>>>>>>>>> There are a couple of things you could do:
>>>>>>>>>>>
>>>>>>>>>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a subset, but it will be good to run all of them. You can do this locally using docker with JDK 11 by updating the files in tests/docker. You will need to update tests/kafkatest/services/security/security_config.py to enable only TLSv1.3. Instructions for running system tests using docker are in https://github.com/apache/kafka/blob/trunk/tests/README.md.
>>>>>>>>>>> 2) For integration tests, we run a small number of tests using TLSv1.3 if the tests are run using JDK 11 and above. We need to do this for system tests as well. There is an open JIRA: https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to assign this to yourself if you have time to do this.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>>
>>>>>>>>>>> Rajini
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hello, Rajini.
>>>>>>>>>>>>
>>>>>>>>>>>> Can you please clarify what should be done?
>>>>>>>>>>>> I can try to do tests by myself.
>>>>>>>>>>>>
>>>>>>>>>>>>> On Jan 6, 2020, at 21:29, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Brajesh.
>>>>>>>>>>>>>
>>>>>>>>>>>>> No one is working on this yet, but will follow up with the Confluent tools team to see when this can be done.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <kbrajesh...@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello Rajini,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> What is the plan to run system tests using JDK 11? Is someone working on this?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> We can leave the KIP open and restart the discussion once system tests are running.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rajini
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hello, Rajini.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks for the feedback.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Should I mark this KIP as declined?
>>>>>>>>>>>>>>>> Or just wait for the system tests results?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Jan 6, 2020, at 17:26, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8 and hence we don't yet have full system test results with TLS 1.3 which requires JDK 11. We should wait until that is done before enabling TLS1.3 by default.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rajini
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hello, Team.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Any feedback on this KIP?
>>>>>>>>>>>>>>>>>> Do we need this in Kafka?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Dec 24, 2019, at 18:28, Nikolay Izhikov <nizhi...@apache.org> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I'd like to start a discussion of KIP.
>>>>>>>>>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions by default.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Your comments and suggestions are welcome.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>> Brajesh Kumar
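
The default change agreed in this thread matters most to deployments that never set `ssl.enabled.protocols` themselves. The audit below is an added example, not part of the original messages or of Kafka's code: it reports which obsolete protocols a properties file leaves enabled under a given default. The pre-change default list, the helper names and the sample configs are assumptions made for illustration.

```python
import re

# Default proposed in the thread for SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS.
NEW_DEFAULT = ["TLSv1.2"]
# Assumption (not stated in the thread): the default before the change.
OLD_DEFAULT = ["TLSv1.2", "TLSv1.1", "TLSv1"]
OBSOLETE = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
KEY = "ssl.enabled.protocols"


def parse_properties(text):
    """Minimal .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2:
            props[parts[0]] = parts[1]
    return props


def audit(text, default=OLD_DEFAULT):
    """Map each setting to the obsolete protocols it leaves enabled.

    Checks the global key and per-listener overrides
    (listener.name.<name>.ssl.enabled.protocols). When the global key is
    absent, `default` applies and is reported as '<default>'.
    """
    props = parse_properties(text)
    findings = {}
    for key, value in props.items():
        if key == KEY or key.endswith("." + KEY):
            bad = [p.strip() for p in value.split(",") if p.strip() in OBSOLETE]
            if bad:
                findings[key] = bad
    if KEY not in props:
        bad = [p for p in default if p in OBSOLETE]
        if bad:
            findings["<default>"] = bad
    return findings


# Constructed samples, not taken from the thread.
SAMPLE_UNSET = "listeners=SSL://0.0.0.0:9093\nssl.keystore.location=/etc/kafka/broker.jks\n"
SAMPLE_PINNED = (
    "ssl.enabled.protocols=TLSv1.2\n"
    "listener.name.legacy.ssl.enabled.protocols = TLSv1.2, TLSv1.1\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE_UNSET))               # old default applies
    print(audit(SAMPLE_UNSET, NEW_DEFAULT))  # proposed default applies
    print(audit(SAMPLE_PINNED))              # explicit pin, weak listener override
```

An explicit `ssl.enabled.protocols=TLSv1.2` in the config gives the same result on builds that predate the new default.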