[GitHub] [kafka] ijuma commented on pull request #8695: KAFKA-9320: KIP-573 - Enable TLSv1.3 by default
ijuma commented on pull request #8695:
URL: https://github.com/apache/kafka/pull/8695#issuecomment-633687352

A few failures seem related to the changes in this PR:

> kafka.network.SocketServerTest.testConnectionIdReuse
> kafka.network.SocketServerTest.remoteCloseWithBufferedReceivesFailedSend
> kafka.network.SocketServerTest.remoteCloseSendFailure
> kafka.network.SocketServerTest.remoteCloseWithoutBufferedReceives
> kafka.network.SocketServerTest.remoteCloseWithCompleteAndIncompleteBufferedReceives
> kafka.network.SocketServerTest.remoteCloseWithIncompleteBufferedReceive
> kafka.network.SocketServerTest.closingChannelWithBufferedReceives
> kafka.network.SocketServerTest.closingChannelSendFailure
> kafka.network.SocketServerTest.idleExpiryWithBufferedReceives
> kafka.network.SocketServerTest.closingChannelWithBufferedReceivesFailedSend
> kafka.network.SocketServerTest.remoteCloseWithBufferedReceives
> kafka.network.SocketServerTest.closingChannelWithCompleteAndIncompleteBufferedReceives

This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org

[GitHub] [kafka] ijuma commented on pull request #8695: KAFKA-9320: KIP-573 - Enable TLSv1.3 by default
ijuma commented on pull request #8695:
URL: https://github.com/apache/kafka/pull/8695#issuecomment-632308200

Since the vote passed, can we flesh out the PR to include more tests that exercise TLS 1.3? A few things to think about:

1. Unit tests like the ones included in the PR currently. Can we go through the various possible combinations of client and server configuration and check that they all work or fail in the way we expect?
2. Make sure the integration tests use the same TLS configuration we use by default (if they don't already). Since Java 8 sticks to TLS 1.2 for now, we will get coverage of the old and new approach this way.
3. Adjust system tests to use TLS 1.3 by default, but also include variants where client uses TLS 1.2 and broker uses 1.3, the reverse and finally where TLS 1.2 is used for both.

[GitHub] [kafka] ijuma commented on pull request #8695: KAFKA-9320: KIP-573 - Enable TLSv1.3 by default
ijuma commented on pull request #8695:
URL: https://github.com/apache/kafka/pull/8695#issuecomment-632073022

@nizhikov Thanks. Can you update the KIP and start the voting on it?

[GitHub] [kafka] ijuma commented on pull request #8695: KAFKA-9320: KIP-573 - Enable TLSv1.3 by default
ijuma commented on pull request #8695:
URL: https://github.com/apache/kafka/pull/8695#issuecomment-631601762

One question: any downside to setting `ssl.protocol=TLSv1.3` instead of `ssl.protocol=TLSv1.2`?