Hello, Ismael.
Here are answers to your questions:
> Quick question, the following is meant to include TLSv1.3 as well, right?
> Change the value of the SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS to «TLSv1.2»
I propose to have the following value SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS
= «TLSv1.2,TLSv1.3»
> 1. `ssl.protocol` would remain TLSv1.2 with this change. It would be good to
> explain why that's OK.
I think it is covered by the following statements in the KIP.
If you know more trustworthy sources of this kind of information, please, let
me know.
```
For now, only TLS1.2 and TLS1.3 are recommended for the usage, other versions
of TLS considered as obsolete:
• https://www.rfc-editor.org/info/rfc8446
• https://en.wikipedia.org/wiki/Transport_Layer_Security#History_and_development
```
> 2. What is the behavior for people who have configured `ssl.cipher.suites`?
> The cipher suite names are different in TLS 1.3. What would be the behavior
> if the client requests TLS 1.3, but the server only has cipher suites for
> TLS 1.2? It would be good to explain the expected behavior and add tests to
> verify it.
I think those users should update `SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS`
and enable the required (but obsolete) version of TLS they use.
Afterwards, one should migrate to the reliable TLS version.
This is reflected in the KIP:
```
Migration: Users who are using TLSv1.1 and TLSv1 should enable these versions
of the protocol with the explicit configuration property "ssl.enabled.protocols"
```
> On 25 Feb 2020, at 08:57, Nikolay Izhikov <[email protected]> wrote:
>
> Hello.
>
> Any feedback on this?
>
> This change seems very simple, I can start the vote right now if there is
> nothing to discuss here.
>
>> On 21 Feb 2020, at 15:18, Nikolay Izhikov <[email protected]> wrote:
>>
>> Hello,
>>
>> I'd like to start a discussion of KIP [1]
>> This is a follow-up to KIP-553 [2]
>>
>> Its goal is to enable TLSv1.3 by default.
>>
>> Your comments and suggestions are welcome.
>>
>> [1]
>> https://cwiki.apache.org/confluence/display/KAFKA/KIP-573%3A+Enable+TLSv1.3+by+default
>> [2]
>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>