Sounds good.

Ismael


On Mon, May 18, 2020, 9:03 AM Nikolay Izhikov <nizhi...@apache.org> wrote:

> > A safer approach may be to only add TLS 1.3 to the list if the cipher
> suite config has not been specified.
> > So, if TLS 1.3 is added to the list by Kafka, it would seem that it
> would not work if the user specified a list of cipher suites for previous
> TLS versions
>
> Let’s just add test for this case?
> I can prepare the preliminary PR for this KIP and add this kind of test to
> it.
>
> What do you think?
>
>
> > On 18 May 2020, at 18:59, Nikolay Izhikov <nizhikov....@gmail.com>
> wrote:
> >
> >> 1. I meant that `ssl.protocol` is TLSv1.2 while `ssl.enabled.protocols`
> is `TLSv1.2, TLSv1.3`. How do these two configs interact
> >
> > `ssl.protocol` is what will be used by default; in this KIP it stays
> unchanged (TLSv1.2). Please see [1].
> > `ssl.enabled.protocols` is the list of protocols that *can* be used. This
> value is just passed to the `SSLEngine` implementation.
> > Please, see DefaultSslEngineFactory#createSslEngine [2]
> >
> >> 2. My question is not about obsolete protocols, it is about people
> using TLS 1.2 with specified cipher suites. How will that behave when TLS
> 1.3 is enabled by default?
> >
> > They don’t change anything and all just work as expected on java11.
> >
> >> 3. An additional question is how does this impact Java 8 users?
> >
> > Yes.
> > If SSLEngine doesn’t support TLSv1.3 then java8 users should explicitly
> modify `ssl.enabled.protocols` and set it to `TLSv1.2`.
> >
> > [1]
> https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/DefaultSslEngineFactory.java#L218
> > [2]
> https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/DefaultSslEngineFactory.java#L164
> >
> >> On 18 May 2020, at 17:34, Ismael Juma <ism...@juma.me.uk> wrote:
> >>
> >> Nikolay,
> >>
> >> Thanks for the comments. More below:
> >>
> >> 1. I meant that `ssl.protocol` is TLSv1.2 while `ssl.enabled.protocols`
> is `TLSv1.2, TLSv1.3`. How do these two configs interact?
> >> 2. My question is not about obsolete protocols, it is about people
> using TLS 1.2 with specified cipher suites. How will that behave when TLS
> 1.3 is enabled by default?
> >> 3. An additional question is how does this impact Java 8 users? Java 8
> will receive TLS 1.3 support later this year (
> https://java.com/en/jre-jdk-cryptoroadmap.html), but it currently does
> not support it. One way to handle this would be to check if the underlying
> JVM supports TLS 1.3 before enabling it.
> >>
> >> I hope this clarifies my questions.
> >>
> >> Ismael
> >>
> >> On Mon, May 18, 2020 at 6:44 AM Nikolay Izhikov <nizhi...@apache.org>
> wrote:
> >> Hello, Ismael.
> >>
> >> Here are the answers to your questions:
> >>
> >>> Quick question, the following is meant to include TLSv1.3 as well,
> right?
> >>> Change the value of the SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS to
> «TLSv1.2»
> >>
> >> I propose to have the following value
> SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS = «TLSv1.2,TLSv.1.3»
> >>
> >>> 1. `ssl.protocol` would remain TLSv1.2 with this change. It would be
> good to explain why that's OK.
> >>
> >> I think it is covered by the following statements in the KIP.
> >> If you know more trustworthy sources of this kind of information,
> please, let me know.
> >>
> >> ```
> >> For now, only TLS1.2 and TLS1.3 are recommended for the usage, other
> versions of TLS considered as obsolete:
> >>        • https://www.rfc-editor.org/info/rfc8446
> >>        •
> https://en.wikipedia.org/wiki/Transport_Layer_Security#History_and_development
> >>
> >> ```
> >>
> >>> 2. What is the behavior for people who have configured
> `ssl.cipher.suites`?
> >>> The cipher suite names are different in TLS 1.3. What would be the
> behavior
> >>> if the client requests TLS 1.3, but the server only has cipher suites
> for
> >>> TLS 1.2? It would be good to explain the expected behavior and add
> tests to verify it.
> >>
> >> I think those users should update
> `SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS` and enable the required (but
> obsolete) version of TLS they use.
> >> After that, one should migrate to a reliable TLS version.
> >> This is reflected in the KIP:
> >>
> >> ```
> >> Migration: Users who are using TLSv1.1 and TLSv1 should enable these
> versions of the protocol with the explicit configuration property
> "ssl.enabled.protocols"
> >> ```
> >>
> >>> On 25 Feb 2020, at 08:57, Nikolay Izhikov <nizhikov....@gmail.com>
> wrote:
> >>>
> >>> Hello.
> >>>
> >>> Any feedback on this?
> >>>
> >>> This change seems very simple; I can start the vote right now if there is
> nothing to discuss here.
> >>>
> >>>> On 21 Feb 2020, at 15:18, Nikolay Izhikov <nizhikov....@gmail.com>
> wrote:
> >>>>
> >>>> Hello,
> >>>>
> >>>> I'd like to start a discussion of KIP [1].
> >>>> This is a follow-up to KIP-553 [2].
> >>>>
> >>>> Its goal is to enable TLSv1.3 by default.
> >>>>
> >>>> Your comments and suggestions are welcome.
> >>>>
> >>>> [1]
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-573%3A+Enable+TLSv1.3+by+default
> >>>> [2]
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
> >>>
> >>
> >
>
>
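The two points raised in the thread, checking whether the running JVM supports TLSv1.3 before enabling it and spotting an `ssl.cipher.suites` list that only names TLS 1.2 suites, as an added Java example that is not Kafka's code or part of the KIP. The class name, the `PROPOSED_DEFAULT` constant and the "_WITH_" naming heuristic for telling TLS 1.2 suites from TLS 1.3 suites are assumptions made here.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class Tls13DefaultCheck {
    // The default proposed in the thread (constructed here; not SslConfigs itself).
    static final List<String> PROPOSED_DEFAULT = Arrays.asList("TLSv1.2", "TLSv1.3");

    // Keep only the configured protocols the running JVM's SSLEngine supports,
    // so TLSv1.3 is silently dropped on a JRE that does not offer it.
    static List<String> filterByJvmSupport(List<String> configured, SSLEngine engine) {
        Set<String> supported = new HashSet<>(Arrays.asList(engine.getSupportedProtocols()));
        List<String> result = new ArrayList<>();
        for (String proto : configured) {
            if (supported.contains(proto)) {
                result.add(proto);
            }
        }
        return result;
    }

    // Heuristic (assumption): TLS 1.3 suite names such as TLS_AES_128_GCM_SHA256
    // have no "_WITH_", unlike TLS 1.2 names such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
    static boolean containsTls13Suite(List<String> suites) {
        for (String s : suites) {
            if (s.startsWith("TLS_") && !s.contains("_WITH_")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        List<String> enabled = filterByJvmSupport(PROPOSED_DEFAULT, engine);
        engine.setEnabledProtocols(enabled.toArray(new String[0]));
        System.out.println("enabled protocols on this JVM: " + enabled);

        // Constructed user config: an ssl.cipher.suites list with TLS 1.2 suites only.
        List<String> userSuites = Arrays.asList("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
        if (enabled.contains("TLSv1.3") && !containsTls13Suite(userSuites)) {
            System.out.println("ssl.cipher.suites names no TLS 1.3 suite; "
                + "with this list a handshake can only settle on TLSv1.2");
        }
    }
}
```

On a JVM without TLSv1.3 the first line prints `[TLSv1.2]` and the warning is skipped, which is the fallback behaviour the thread asks for on Java 8.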
