Hello, Ron. Let’s start the vote right now. What do you think?
> On Jan 21, 2020, at 15:48, Ron Dagostino <rndg...@gmail.com> wrote:
>
> LGTM. The KIP freeze for 2.5 is officially upon us tomorrow, but hopefully
> this is such a simple and straightforward change with obvious security
> benefits that it can be added anyway. I would put it up for a vote very
> quickly — tomorrow at the latest.
>
> Ron
>
>> On Jan 21, 2020, at 7:38 AM, Николай Ижиков <nizhi...@apache.org> wrote:
>>
>> Hello.
>>
>> KIP [1] updated.
>> Only TLSv1.2 will be enabled by default, as Rajini suggested.
>>
>> Any objections to it?
>>
>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>>
>>
>>> On Jan 17, 2020, at 14:56, Николай Ижиков <nizhikov....@gmail.com> wrote:
>>>
>>> Thanks, Rajini.
>>>
>>> Will do it, shortly.
>>>
>>>> On Jan 17, 2020, at 14:50, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>
>>>> Hi Nikolay,
>>>>
>>>> 1) You can update KIP-553 to disable old protocols. This would mean:
>>>> 1a) SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS would be just TLSv1.2
>>>> 1b) SslConfigs.DEFAULT_SSL_PROTOCOL would become TLSv1.2
>>>>
>>>> 2) When the testing for TLSv1.3 has been done, open a new KIP to enable
>>>> TLSv1.3 by default. This would mean adding TLSv1.3 to
>>>> SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS.
>>>>
>>>>
>>>>> On Fri, Jan 17, 2020 at 11:40 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>
>>>>> Hello, Rajini.
>>>>>
>>>>> Yes, we can!
>>>>>
>>>>> I have to write another KIP whose goal will be to keep only TLSv1.2 and
>>>>> TLSv1.3 in SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS
>>>>> Is it correct?
>>>>>
>>>>>
>>>>>> On Jan 17, 2020, at 14:13, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>
>>>>>> Hi Nikolay,
>>>>>>
>>>>>> Can we split this KIP into two:
>>>>>> 1) Remove insecure TLS protocols from the default values
>>>>>> 2) Enable TLSv1.3
>>>>>>
>>>>>> Since we are coming up to KIP freeze for 2.5.0 release, it will be good if
>>>>>> we can get at least the first one into 2.5.0. It would be a much smaller
>>>>>> change and won't get blocked behind TLSv1.3 testing.
>>>>>>
>>>>>> Thank you,
>>>>>>
>>>>>> Rajini
>>>>>>
>>>>>> On Tue, Jan 7, 2020 at 11:49 AM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Nikolay,
>>>>>>>
>>>>>>> There are a couple of things you could do:
>>>>>>>
>>>>>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a subset, but
>>>>>>> it will be good to run all of them. You can do this locally using docker
>>>>>>> with JDK 11 by updating the files in tests/docker. You will need to update
>>>>>>> tests/kafkatest/services/security/security_config.py to enable only
>>>>>>> TLSv1.3. Instructions for running system tests using docker are in
>>>>>>> https://github.com/apache/kafka/blob/trunk/tests/README.md.
>>>>>>> 2) For integration tests, we run a small number of tests using TLSv1.3 if
>>>>>>> the tests are run using JDK 11 and above. We need to do this for system
>>>>>>> tests as well. There is an open JIRA:
>>>>>>> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to assign
>>>>>>> this to yourself if you have time to do this.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Rajini
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>
>>>>>>>> Hello, Rajini.
>>>>>>>>
>>>>>>>> Can you please clarify what should be done?
>>>>>>>> I can try to do tests by myself.
>>>>>>>>
>>>>>>>>> On Jan 6, 2020, at 21:29, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi Brajesh.
>>>>>>>>>
>>>>>>>>> No one is working on this yet, but will follow up with the Confluent tools
>>>>>>>>> team to see when this can be done.
>>>>>>>>>
>>>>>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <kbrajesh...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hello Rajini,
>>>>>>>>>>
>>>>>>>>>> What is the plan to run system tests using JDK 11? Is someone working on
>>>>>>>>>> this?
>>>>>>>>>>
>>>>>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>
>>>>>>>>>>> We can leave the KIP open and restart the discussion once system tests are
>>>>>>>>>>> running.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Rajini
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hello, Rajini.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks for the feedback.
>>>>>>>>>>>>
>>>>>>>>>>>> Should I mark this KIP as declined?
>>>>>>>>>>>> Or just wait for the system tests results?
>>>>>>>>>>>>
>>>>>>>>>>>>> On Jan 6, 2020, at 17:26, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8 and hence we
>>>>>>>>>>>>> don't yet have full system test results with TLS 1.3 which requires JDK 11.
>>>>>>>>>>>>> We should wait until that is done before enabling TLS1.3 by default.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rajini
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello, Team.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Any feedback on this KIP?
>>>>>>>>>>>>>> Do we need this in Kafka?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Dec 24, 2019, at 18:28, Nikolay Izhikov <nizhi...@apache.org> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'd like to start a discussion of KIP.
>>>>>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions by default.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Your comments and suggestions are welcome.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Regards,
>>>>>>>>>> Brajesh Kumar