nizhikov commented on pull request #8695:
URL: https://github.com/apache/kafka/pull/8695#issuecomment-637515040


   @ijuma I found an explanation of the test behavior.
   
   Full information can be found in the [guide](https://docs.oracle.com/en/java/javase/11/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-4D421910-C36D-40A2-8BA2-7D42CCBED3C6). Please navigate to the "Send ClientHello Message" section. You may want to take a look at the "client version" and "supported_versions (43)" fields.
   
   The root of the "strange" behavior is the structure of the SSL ClientHello message (quote from the tutorial):
   > **Client version**: For TLS 1.3, this has a fixed value, TLSv1.2; TLS 1.3 uses the extension supported_versions and not this field to negotiate protocol version
   > ...
   > **supported_versions**: Lists which versions of TLS the client supports. In particular, if the client requests TLS 1.3, then the client version field has the value TLSv1.2 and this extension contains the value TLSv1.3; if the client requests TLS 1.2, then the client version field has the value TLSv1.2 and this extension either doesn't exist or contains the value TLSv1.2 but not the value TLSv1.3.
   
   This means we can't connect with the following configuration:
   client: 
   ```
   ssl.protocol=TLSv1.2 # this will be used for the ClientHello client version
   ssl.enabled.protocols=TLSv1.2,TLSv1.3 # TLSv1.3 will be ignored in the ClientHello message
   ```
   Server:
   ```
   ssl.protocol=TLSv1.3
   ssl.enabled.protocols=TLSv1.3 # Accept only TLSv1.3 
   ```
   
   You can see all details of the SSL connection process in the javax.net log. 
   It can be enabled like the following:
   ```
   import java.util.List;

   public class SslVersionsTransportLayerTest {
       private final List<String> serverProtocols;
       private final List<String> clientProtocols;

       public SslVersionsTransportLayerTest(List<String> serverProtocols, List<String> clientProtocols) {
           // This will turn on the handshake log from the JDK SSL system classes (javax.net.ssl).
           System.setProperty("javax.net.debug", "ssl:handshake");
           this.serverProtocols = serverProtocols;
           this.clientProtocols = clientProtocols;
       }
   }
   ```
   
   So the correct check should be:
   
   ```
   private boolean isCompatible(List<String> serverProtocols, List<String> clientProtocols) {
       // clientProtocols.get(0) is treated as the version the client announces in the ClientHello.
       // A TLSv1.3 client that also enables TLSv1.2 advertises both in supported_versions,
       // so a TLSv1.2-only server can still negotiate with it.
       return serverProtocols.contains(clientProtocols.get(0)) ||
           (clientProtocols.get(0).equals("TLSv1.3") && clientProtocols.contains("TLSv1.2"));
   }
   ```
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
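Added example, not part of the comment above and not Kafka or JDK code: a small Python script that builds a minimal ClientHello, parses back its legacy client version and the supported_versions (43) extension, and applies the server-side selection rule from RFC 8446 section 4.2.1 to the two client configurations the comment contrasts. The ClientHello bytes, the cipher suite value, and the `kafka_client_hello` model of what the JDK puts on the wire for `ssl.protocol` / `ssl.enabled.protocols` are constructed assumptions drawn from the comment, not a capture.

```python
"""Why a client with ssl.protocol=TLSv1.2 cannot reach a TLSv1.3-only server.

Builds a minimal TLS ClientHello, parses its version fields back out, and applies
the server's version-selection rule. All bytes are constructed for illustration.
"""
import struct

TLS_VERSIONS = {0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
NAMES = {name: code for code, name in TLS_VERSIONS.items()}
EXT_SUPPORTED_VERSIONS = 43


def build_client_hello(legacy_version, supported_versions=None):
    """Constructed minimal ClientHello with record and handshake framing.
    legacy_version: e.g. 0x0303. supported_versions: list of codes, or None to omit."""
    body = struct.pack(">H", legacy_version)
    body += b"\x00" * 32                          # random (constant here)
    body += b"\x00"                               # legacy_session_id: empty
    body += struct.pack(">H", 2) + b"\xc0\x2f"    # one cipher suite (value irrelevant here)
    body += b"\x01\x00"                           # compression_methods: null only
    exts = b""
    if supported_versions is not None:
        vers = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext_data = bytes([len(vers)]) + vers      # 1-byte length prefix, then 2-byte versions
        exts += struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs   # record type 22, version 0x0301


def parse_client_hello(data):
    """Return (legacy_version, supported_versions or None) from a ClientHello record."""
    if data[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 32                                 # skip random
    pos += 1 + body[pos]                          # skip legacy_session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                          # skip compression_methods
    supported = None
    if pos < len(body):
        ext_end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos < ext_end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                supported = [struct.unpack(">H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return legacy_version, supported


def server_select(client_hello, server_versions):
    """RFC 8446 4.2.1: if supported_versions is present the server must pick from it
    and ignore legacy_version; otherwise it negotiates from legacy_version alone.
    Returns the chosen version name, or None when no common version exists."""
    legacy, supported = parse_client_hello(client_hello)
    if supported is not None:
        for v in sorted(supported, reverse=True):
            if v in server_versions:
                return TLS_VERSIONS[v]
        return None
    candidate = min(legacy, max(server_versions))
    return TLS_VERSIONS[candidate] if candidate in server_versions else None


def kafka_client_hello(ssl_protocol, enabled_protocols):
    """Assumed model of the JDK behaviour described in the comment: the legacy client
    version is always TLSv1.2, and TLSv1.3 only appears in supported_versions when
    ssl.protocol itself is TLSv1.3, even if ssl.enabled.protocols lists it."""
    versions = [NAMES[p] for p in enabled_protocols]
    if ssl_protocol != "TLSv1.3":
        versions = [v for v in versions if v != NAMES["TLSv1.3"]]
    return build_client_hello(NAMES["TLSv1.2"], sorted(versions, reverse=True))


if __name__ == "__main__":
    tls13_only_server = [NAMES["TLSv1.3"]]
    for proto in ("TLSv1.2", "TLSv1.3"):
        hello = kafka_client_hello(proto, ["TLSv1.2", "TLSv1.3"])
        legacy, supported = parse_client_hello(hello)
        print(proto, "client ->", TLS_VERSIONS[legacy],
              [TLS_VERSIONS[v] for v in supported],
              "-> server picks", server_select(hello, tls13_only_server))
```

Run it to see that both clients put TLSv1.2 in the client version field; only the `ssl.protocol=TLSv1.3` client lists TLSv1.3 in supported_versions, so only it can be accepted by a server that enables TLSv1.3 alone.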