Hello, Ismael.

Here are answers to your questions:

> Quick question, the following is meant to include TLSv1.3 as well, right?
> Change the value of the SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS to «TLSv1.2»

I propose to have the following value: SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS = «TLSv1.2,TLSv1.3»

> 1. `ssl.protocol` would remain TLSv1.2 with this change. It would be good to
> explain why that's OK.

I think it is covered by the following statements in the KIP. If you know more trustworthy sources of this kind of information, please let me know.

```
For now, only TLS1.2 and TLS1.3 are recommended for the usage, other versions of TLS considered as obsolete:
• https://www.rfc-editor.org/info/rfc8446
• https://en.wikipedia.org/wiki/Transport_Layer_Security#History_and_development
```

> 2. What is the behavior for people who have configured `ssl.cipher.suites`?
> The cipher suite names are different in TLS 1.3. What would be the behavior
> if the client requests TLS 1.3, but the server only has cipher suites for
> TLS 1.2? It would be good to explain the expected behavior and add tests to
> verify it.

I think those users should update `SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS` and enable the required (but obsolete) version of TLS they use. After that, one should migrate to the reliable TLS version. This is reflected in the KIP:

```
Migration: Users who are using TLSv1.1 and TLSv1 should enable these versions of the protocol with the explicit configuration property "ssl.enabled.protocols"
```

> On 25 Feb 2020, at 08:57, Nikolay Izhikov <nizhikov....@gmail.com> wrote:
>
> Hello.
>
> Any feedback on this?
>
> This change seems very simple, I can start a vote right now if there is nothing to
> discuss here.
>
>> On 21 Feb 2020, at 15:18, Nikolay Izhikov <nizhikov....@gmail.com> wrote:
>>
>> Hello,
>>
>> I'd like to start a discussion of KIP [1]
>> This is a follow-up for the KIP-553 [2]
>>
>> Its goal is to enable TLSv1.3 by default.
>>
>> Your comments and suggestions are welcome.
>>
>> [1] https://cwiki.apache.org/confluence/display/KAFKA/KIP-573%3A+Enable+TLSv1.3+by+default
>> [2] https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
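
The case raised in question 2 (an `ssl.cipher.suites` list written with TLS 1.2 names while the default also enables TLSv1.3) can be spotted in a configuration before it is deployed. The check below is an added example, not part of the original message or of Kafka's code; its function names and the sample config are constructed, and it only compares suite names against the TLS 1.3 suites defined in RFC 8446, without predicting the handshake outcome.

```python
# TLS 1.3 cipher suite names defined in RFC 8446, Appendix B.4.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}
# Default for ssl.enabled.protocols as proposed in this thread.
PROPOSED_DEFAULT_PROTOCOLS = "TLSv1.2,TLSv1.3"

def parse_properties(text):
    """Parse key=value lines of a .properties file (simple subset, no escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def usable_suites(text):
    """Map each enabled protocol to the configured suites it can negotiate."""
    props = parse_properties(text)
    protocols = split_list(props.get("ssl.enabled.protocols", PROPOSED_DEFAULT_PROTOCOLS))
    suites = split_list(props.get("ssl.cipher.suites", ""))
    result = {}
    for proto in protocols:
        if not suites:
            result[proto] = None  # list unset: the JVM's default suites apply
        elif proto == "TLSv1.3":
            result[proto] = [s for s in suites if s in TLS13_SUITES]
        else:
            # Simplification: every non-1.3 suite counts for TLSv1.2 and older.
            result[proto] = [s for s in suites if s not in TLS13_SUITES]
    return result

def protocols_without_suites(text):
    """Protocols that are enabled but have no matching suite in the list."""
    return [p for p, s in usable_suites(text).items() if s == []]

# Constructed sample: suites pinned to TLS 1.2 names, protocols left at the default.
SAMPLE = """\
ssl.cipher.suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""
print(protocols_without_suites(SAMPLE))
```

A protocol reported here is enabled by name but has no cipher suite in the configured list that belongs to it, which is the combination the requested tests would need to cover.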