nizhikov commented on a change in pull request #8695:
URL: https://github.com/apache/kafka/pull/8695#discussion_r433920350



##########
File path: clients/src/test/java/org/apache/kafka/common/network/SslVersionsTransportLayerTest.java
##########
@@ -117,24 +123,51 @@ public void testTlsDefaults() throws Exception {
             server.waitForMetric("response", 1);
         } else {
             NetworkTestUtils.waitForChannelClose(selector, node, 
ChannelState.State.AUTHENTICATION_FAILED);
+            server.verifyAuthenticationMetrics(0, 1);
         }
     }
 
+    /**
+     * <p>
+     * The explanation of this check in the structure of the ClientHello SSL 
message.
+     * Please, take a look at the <a 
href="https://docs.oracle.com/en/java/javase/11/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-4D421910-C36D-40A2-8BA2-7D42CCBED3C6";>Guide</a>,
+     * "Send ClientHello Message" section.
+     * <p>
+     * > Client version: For TLS 1.3, this has a fixed value, TLSv1.2; TLS 1.3 
uses the extension supported_versions and not this field to negotiate protocol 
version
+     * ...
+     * > supported_versions: Lists which versions of TLS the client supports. 
In particular, if the client
+     * > requests TLS 1.3, then the client version field has the value TLSv1.2 
and this extension
+     * > contains the value TLSv1.3; if the client requests TLS 1.2, then the 
client version field has the
+     * > value TLSv1.2 and this extension either doesn’t exist or contains the 
value TLSv1.2 but not the value TLSv1.3.
+     * <p>
+     *
+     * This mean that TLSv1.3 client can fallback to TLSv1.2 but TLSv1.2 
client can't change protocol to TLSv1.3.
+     *
+     * @param serverProtocols Server protocols.
+     * @param clientProtocols Client protocols.
+     * @return {@code True} if client should be able to connect to the server.
+     */
+    private boolean isCompatible(List<String> serverProtocols, List<String> 
clientProtocols) {
+        return serverProtocols.contains(clientProtocols.get(0)) ||
+            (clientProtocols.get(0).equals("TLSv1.3") && 
clientProtocols.contains("TLSv1.2"));
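
Review bot: The second clause of the return in isCompatible never consults serverProtocols, so a client list that starts with "TLSv1.3" and also contains "TLSv1.2" is reported as compatible even when the server list contains neither version. If the intent is "a TLSv1.3 client can fall back to TLSv1.2", the fallback should also require that the server offers it, for example `clientProtocols.contains("TLSv1.2") && serverProtocols.contains("TLSv1.2")`; if the test parameters guarantee this already, state that assumption in the Javadoc. Both clauses also call clientProtocols.get(0) without a guard, which throws on an empty list. In the Javadoc, "This mean" should read "This means", and `{@code True}` should be `{@code true}`.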

Review comment:
       Done.



