Sure, go for it.
> On Jan 21, 2020, at 8:05 AM, Николай Ижиков <nizhi...@apache.org> wrote:
>
> Hello, Ron.
>
> Let’s start the vote right now.
> What do you think?
>
>> On Jan 21, 2020, at 15:48, Ron Dagostino <rndg...@gmail.com> wrote:
>>
>> LGTM. The KIP freeze for 2.5 is officially upon us tomorrow, but hopefully
>> this is such a simple and straightforward change with obvious security
>> benefits that it can be added anyway. I would put it up for a vote very
>> quickly — tomorrow at the latest.
>>
>> Ron
>>
>>> On Jan 21, 2020, at 7:38 AM, Николай Ижиков <nizhi...@apache.org> wrote:
>>>
>>> Hello.
>>>
>>> KIP [1] updated.
>>> Only TLSv1.2 will be enabled by default, as Rajini suggested.
>>>
>>> Any objections to it?
>>>
>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>>>
>>>> On Jan 17, 2020, at 14:56, Николай Ижиков <nizhikov....@gmail.com> wrote:
>>>>
>>>> Thanks, Rajini.
>>>>
>>>> Will do it, shortly.
>>>>
>>>>> On Jan 17, 2020, at 14:50, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>
>>>>> Hi Nikolay,
>>>>>
>>>>> 1) You can update KIP-553 to disable old protocols. This would mean:
>>>>> 1a) SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS would be just TLSv1.2
>>>>> 1b) SslConfigs.DEFAULT_SSL_PROTOCOL would become TLSv1.2
>>>>>
>>>>> 2) When the testing for TLSv1.3 has been done, open a new KIP to enable
>>>>> TLSv1.3 by default. This would mean adding TLSv1.3 to
>>>>> SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS.
>>>>>
>>>>>> On Fri, Jan 17, 2020 at 11:40 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>
>>>>>> Hello, Rajini.
>>>>>>
>>>>>> Yes, we can!
>>>>>>
>>>>>> I have to write another KIP whose goal will be to keep only TLSv1.2 and
>>>>>> TLSv1.3 in SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS.
>>>>>> Is it correct?
>>>>>>
>>>>>>> On Jan 17, 2020, at 14:13, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>
>>>>>>> Hi Nikolay,
>>>>>>>
>>>>>>> Can we split this KIP into two:
>>>>>>> 1) Remove insecure TLS protocols from the default values
>>>>>>> 2) Enable TLSv1.3
>>>>>>>
>>>>>>> Since we are coming up to KIP freeze for 2.5.0 release, it will be good if
>>>>>>> we can get at least the first one into 2.5.0. It would be a much smaller
>>>>>>> change and won't get blocked behind TLSv1.3 testing.
>>>>>>>
>>>>>>> Thank you,
>>>>>>>
>>>>>>> Rajini
>>>>>>>
>>>>>>> On Tue, Jan 7, 2020 at 11:49 AM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Nikolay,
>>>>>>>>
>>>>>>>> There are a couple of things you could do:
>>>>>>>>
>>>>>>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a subset, but
>>>>>>>> it will be good to run all of them. You can do this locally using docker
>>>>>>>> with JDK 11 by updating the files in tests/docker. You will need to update
>>>>>>>> tests/kafkatest/services/security/security_config.py to enable only
>>>>>>>> TLSv1.3. Instructions for running system tests using docker are in
>>>>>>>> https://github.com/apache/kafka/blob/trunk/tests/README.md.
>>>>>>>> 2) For integration tests, we run a small number of tests using TLSv1.3 if
>>>>>>>> the tests are run using JDK 11 and above. We need to do this for system
>>>>>>>> tests as well. There is an open JIRA:
>>>>>>>> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to assign
>>>>>>>> this to yourself if you have time to do this.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Rajini
>>>>>>>>
>>>>>>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>
>>>>>>>>> Hello, Rajini.
>>>>>>>>>
>>>>>>>>> Can you please clarify what should be done?
>>>>>>>>> I can try to do tests by myself.
>>>>>>>>>
>>>>>>>>>> On Jan 6, 2020, at 21:29, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Brajesh.
>>>>>>>>>>
>>>>>>>>>> No one is working on this yet, but will follow up with the Confluent tools
>>>>>>>>>> team to see when this can be done.
>>>>>>>>>>
>>>>>>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <kbrajesh...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello Rajini,
>>>>>>>>>>>
>>>>>>>>>>> What is the plan to run system tests using JDK 11? Is someone working on
>>>>>>>>>>> this?
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>>
>>>>>>>>>>>> We can leave the KIP open and restart the discussion once system tests are
>>>>>>>>>>>> running.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>
>>>>>>>>>>>> Rajini
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hello, Rajini.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks for the feedback.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Should I mark this KIP as declined?
>>>>>>>>>>>>> Or just wait for the system tests results?
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Jan 6, 2020, at 17:26, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8 and hence we
>>>>>>>>>>>>>> don't yet have full system test results with TLS 1.3 which requires JDK 11.
>>>>>>>>>>>>>> We should wait until that is done before enabling TLS1.3 by default.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rajini
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hello, Team.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Any feedback on this KIP?
>>>>>>>>>>>>>>> Do we need this in Kafka?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Dec 24, 2019, at 18:28, Nikolay Izhikov <nizhi...@apache.org> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I'd like to start a discussion of KIP.
>>>>>>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions by default.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Your comments and suggestions are welcome.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Regards,
>>>>>>>>>>> Brajesh Kumar
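
An added example (not part of this thread and not Kafka code) of why the default in items 1a/1b matters: a properties file that never sets `ssl.enabled.protocols` inherits whatever default the running Kafka version ships, while an explicit per-listener override is unaffected by the change. The pre-KIP-553 default string is taken from Kafka's `SslConfigs` as it stood before this change, not from the thread; the function names and the sample file are constructed.

```python
KEY = "ssl.enabled.protocols"
# Default before KIP-553 (from Kafka's SslConfigs, not quoted in the thread).
PRE_KIP553_DEFAULT = "TLSv1.2,TLSv1.1,TLSv1"
# Default proposed in the thread (item 1a).
KIP553_DEFAULT = "TLSv1.2"
OBSOLETE = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: no broker-wide setting, one per-listener override.
SAMPLE = """\
# broker config (constructed for this example)
listeners=INTERNAL://:9093,EXTERNAL://:9094
ssl.keystore.location=/etc/kafka/broker.jks
listener.name.external.ssl.enabled.protocols=TLSv1.2,TLSv1.1
"""

def parse_properties(text):
    """Minimal key=value parser; ignores blank lines and #/! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text, default):
    """Return {config key: finding} for the broker-wide key and listener overrides."""
    props = parse_properties(text)
    scopes = {KEY: props.get(KEY)}  # None means "not set, version default applies"
    for name, value in props.items():
        if name.startswith("listener.name.") and name.endswith("." + KEY):
            scopes[name] = value
    findings = {}
    for name, value in scopes.items():
        from_default = value is None
        raw = default if from_default else value
        enabled = [p.strip() for p in raw.split(",") if p.strip()]
        findings[name] = {"enabled": enabled, "from_default": from_default,
                          "obsolete": [p for p in enabled if p in OBSOLETE]}
    return findings

if __name__ == "__main__":
    for label, default in (("pre-KIP-553", PRE_KIP553_DEFAULT), ("KIP-553", KIP553_DEFAULT)):
        for name, f in audit(SAMPLE, default).items():
            print(label, name, f["enabled"], "obsolete:", f["obsolete"])
```

The override on the external listener still reports TLSv1.1 under the new default, so explicit settings need their own review after an upgrade.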