Hello, Ismael.

I think we should move the ongoing discussion into the KIP-573 discussion [1].
I will respond here and in the KIP-573 discussion thread, because this KIP was already adopted by [2].

[1] https://cwiki.apache.org/confluence/display/KAFKA/KIP-573%3A+Enable+TLSv1.3+by+default
[2] https://github.com/apache/kafka/commit/172409c44b8551e2315bd93044a8a95ccda4699f

> On 18 May 2020, at 01:34, Ismael Juma <ism...@juma.me.uk> wrote:
>
> Hi Nikolay,
>
> Quick question, the following is meant to include TLSv1.3 as well, right?
>
>> Change the value of the SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS to
>> "TLSv1.2"
>
> In addition, two more questions:
>
> 1. `ssl.protocol` would remain TLSv1.2 with this change. It would be good
> to explain why that's OK.
> 2. What is the behavior for people who have configured `ssl.cipher.suites`?
> The cipher suite names are different in TLS 1.3. What would be the behavior
> if the client requests TLS 1.3, but the server only has cipher suites for
> TLS 1.2? It would be good to explain the expected behavior and add tests to
> verify it.
>
> Ismael
>
> On Thu, Apr 30, 2020 at 9:47 AM Nikolay Izhikov <nizhi...@apache.org> wrote:
>
>> Ticket created:
>>
>> https://issues.apache.org/jira/browse/KAFKA-9943
>>
>> I will prepare the PR shortly.
>>
>>> On 27 Apr 2020, at 17:55, Ismael Juma <ism...@juma.me.uk> wrote:
>>>
>>> Yes, a PR would be great.
>>>
>>> Ismael
>>>
>>> On Mon, Apr 27, 2020, 2:10 AM Nikolay Izhikov <nizhi...@apache.org> wrote:
>>>
>>>> Hello, Ismael.
>>>>
>>>> AFAIK we don’t run tests with TLSv1.3 by default.
>>>> Are you suggesting to do it?
>>>> I can create a PR for it.
>>>>
>>>>> On 24 Apr 2020, at 17:34, Ismael Juma <ism...@juma.me.uk> wrote:
>>>>>
>>>>> Right, some companies run them nightly. What I meant to ask is if we
>>>>> changed the configuration so that TLS 1.3 is exercised in the system tests
>>>>> by default.
>>>>>
>>>>> Ismael
>>>>>
>>>>> On Fri, Apr 24, 2020 at 7:32 AM Nikolay Izhikov <nizhi...@apache.org> wrote:
>>>>>
>>>>>> Hello, Ismael.
>>>>>>
>>>>>> AFAIK we don’t run system tests nightly.
>>>>>> Do we have resources to run system tests periodically?
>>>>>>
>>>>>> When I did the testing I used servers my employer gave me.
>>>>>>
>>>>>>> On 24 Apr 2020, at 08:05, Ismael Juma <ism...@juma.me.uk> wrote:
>>>>>>>
>>>>>>> Hi Nikolay,
>>>>>>>
>>>>>>> Seems like we have been able to run the system tests with TLS 1.3. Do we
>>>>>>> run them nightly?
>>>>>>>
>>>>>>> Ismael
>>>>>>>
>>>>>>> On Fri, Feb 14, 2020 at 4:17 AM Nikolay Izhikov <nizhi...@apache.org> wrote:
>>>>>>>
>>>>>>>> Hello, Kafka team.
>>>>>>>>
>>>>>>>> I ran the system tests that use SSL with TLSv1.3.
>>>>>>>> You can find the results of the tests in the Jira ticket [1], [2], [3], [4].
>>>>>>>>
>>>>>>>> I also need changes [5] in `security_config.py` to execute system tests
>>>>>>>> with TLSv1.3 (more info in the PR description).
>>>>>>>> Please, take a look.
>>>>>>>>
>>>>>>>> Test environment:
>>>>>>>> • openjdk11
>>>>>>>> • trunk + changes from my PR [5].
>>>>>>>>
>>>>>>>> The full system test results have a volume of 15gb.
>>>>>>>> Should I share full logs with you?
>>>>>>>>
>>>>>>>> What else should be done before we can enable TLSv1.3 by default?
>>>>>>>>
>>>>>>>> [1] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036927&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036927
>>>>>>>> [2] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036928&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036928
>>>>>>>> [3] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036929&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036929
>>>>>>>> [4] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036930&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036930
>>>>>>>> [5] https://github.com/apache/kafka/pull/8106/files#diff-6dd015b94706f6920d9de524c355ddd8R51
>>>>>>>>
>>>>>>>>> On 29 Jan 2020, at 15:27, Nikolay Izhikov <nizhikov....@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hello, Rajini.
>>>>>>>>>
>>>>>>>>> Thanks for the feedback.
>>>>>>>>>
>>>>>>>>> I’ve searched tests by the «ssl» keyword and found the following tests:
>>>>>>>>>
>>>>>>>>> ./test/kafkatest/services/kafka_log4j_appender.py
>>>>>>>>> ./test/kafkatest/services/listener_security_config.py
>>>>>>>>> ./test/kafkatest/services/security/security_config.py
>>>>>>>>> ./test/kafkatest/tests/core/security_test.py
>>>>>>>>>
>>>>>>>>> Are these all the tests that need to be run with TLSv1.3 to ensure we can
>>>>>>>>> enable it by default?
>>>>>>>>>
>>>>>>>>>> On 28 Jan 2020, at 14:58, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>
>>>>>>>>>> Not sure of the total space required. But you can run a collection of
>>>>>>>>>> tests at a time instead of running them all together.
>>>>>>>>>> That way, you could
>>>>>>>>>> just run all the tests that enable SSL. Details of running a subset of
>>>>>>>>>> tests are in the README in tests.
>>>>>>>>>>
>>>>>>>>>> On Mon, Jan 27, 2020 at 6:29 PM Nikolay Izhikov <nizhi...@apache.org> wrote:
>>>>>>>>>> Hello, Rajini.
>>>>>>>>>>
>>>>>>>>>> I tried to run all system tests but failed for now.
>>>>>>>>>> It happens that system tests generate a lot of logs.
>>>>>>>>>> I had 250GB of free space, but it was all occupied by the logs from
>>>>>>>>>> half of the system tests.
>>>>>>>>>>
>>>>>>>>>> Do you have any idea what total disk space I need to run all
>>>>>>>>>> system tests?
>>>>>>>>>>
>>>>>>>>>>> On 7 Jan 2020, at 14:49, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>
>>>>>>>>>>> There are a couple of things you could do:
>>>>>>>>>>>
>>>>>>>>>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a subset, but
>>>>>>>>>>> it will be good to run all of them. You can do this locally using docker
>>>>>>>>>>> with JDK 11 by updating the files in tests/docker. You will need to update
>>>>>>>>>>> tests/kafkatest/services/security/security_config.py to enable only
>>>>>>>>>>> TLSv1.3. Instructions for running system tests using docker are in
>>>>>>>>>>> https://github.com/apache/kafka/blob/trunk/tests/README.md.
>>>>>>>>>>> 2) For integration tests, we run a small number of tests using TLSv1.3 if
>>>>>>>>>>> the tests are run using JDK 11 and above. We need to do this for system
>>>>>>>>>>> tests as well. There is an open JIRA:
>>>>>>>>>>> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to assign this
>>>>>>>>>>> to yourself if you have time to do this.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>>
>>>>>>>>>>> Rajini
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hello, Rajini.
>>>>>>>>>>>>
>>>>>>>>>>>> Can you please clarify what should be done?
>>>>>>>>>>>> I can try to do the tests by myself.
>>>>>>>>>>>>
>>>>>>>>>>>>> On 6 Jan 2020, at 21:29, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Brajesh.
>>>>>>>>>>>>>
>>>>>>>>>>>>> No one is working on this yet, but will follow up with the Confluent tools
>>>>>>>>>>>>> team to see when this can be done.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <kbrajesh...@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello Rajini,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> What is the plan to run system tests using JDK 11? Is someone working on
>>>>>>>>>>>>>> this?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> We can leave the KIP open and restart the discussion once system tests are
>>>>>>>>>>>>>>> running.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rajini
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hello, Rajini.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks for the feedback.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Should I mark this KIP as declined?
>>>>>>>>>>>>>>>> Or just wait for the system test results?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 6 Jan 2020, at 17:26, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8 and hence we
>>>>>>>>>>>>>>>>> don't yet have full system test results with TLS 1.3 which requires JDK 11.
>>>>>>>>>>>>>>>>> We should wait until that is done before enabling TLS1.3 by default.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rajini
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <nizhi...@apache.org> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hello, Team.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Any feedback on this KIP?
>>>>>>>>>>>>>>>>>> Do we need this in Kafka?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 24 Dec 2019, at 18:28, Nikolay Izhikov <nizhi...@apache.org> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I'd like to start a discussion of KIP.
>>>>>>>>>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions by default.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Your comments and suggestions are welcome.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>> Brajesh Kumar
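
The second question quoted at the top of the thread, about `ssl.cipher.suites` pinned to TLS 1.2 suites while TLS 1.3 is enabled, can be checked offline against a broker or client properties file. The following is an added example, not part of the thread or of Kafka's code: the function names and the sample config are constructed, and it relies only on TLS 1.3 suites (RFC 8446) being disjoint from the suites of earlier versions.

```python
# TLS 1.3 cipher suites (RFC 8446); disjoint from the suites of earlier versions.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

def parse_properties(text):
    """Parse the plain key=value subset of Java .properties syntax."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def usable_suites(props):
    """Map each enabled protocol to the pinned suites it could negotiate.
    None means ssl.cipher.suites is unset, so the JVM defaults apply."""
    suites = split_list(props.get("ssl.cipher.suites", ""))
    result = {}
    for proto in split_list(props.get("ssl.enabled.protocols", "")):
        if not suites:
            result[proto] = None
        elif proto == "TLSv1.3":
            result[proto] = [s for s in suites if s in TLS13_SUITES]
        else:  # simplification: every pre-1.3 protocol is treated alike
            result[proto] = [s for s in suites if s not in TLS13_SUITES]
    return result

def findings(props):
    """Report enabled protocols that no pinned cipher suite can serve."""
    return [f"{proto} is enabled but ssl.cipher.suites lists no suite for it"
            for proto, suites in usable_suites(props).items() if suites == []]

# Constructed sample: TLS 1.3 is enabled, but only a TLS 1.2 suite is pinned.
SAMPLE = """\
ssl.enabled.protocols=TLSv1.2,TLSv1.3
ssl.protocol=TLSv1.2
ssl.cipher.suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""

if __name__ == "__main__":
    for finding in findings(parse_properties(SAMPLE)):
        print("WARN:", finding)
```

A finding means that endpoint cannot negotiate the named protocol version with its pinned list; the check does not model JVM defaults or the peer's configuration.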