ijuma commented on a change in pull request #8695:
URL: https://github.com/apache/kafka/pull/8695#discussion_r433981892



##########
File path: clients/src/main/java/org/apache/kafka/common/config/SslConfigs.java
##########
@@ -49,11 +50,12 @@
 
     public static final String SSL_PROTOCOL_CONFIG = "ssl.protocol";
     public static final String SSL_PROTOCOL_DOC = "The SSL protocol used to 
generate the SSLContext. "
-            + "Default setting is TLSv1.2, which is fine for most cases. "
+            + "Default setting is TLSv1.2(TLSv1.3 for modern JVM), which is 
fine for most cases. "
             + "Allowed values in recent JVMs are TLSv1.2 and TLSv1.3. TLS, 
TLSv1.1, SSL, SSLv2 and SSLv3 "
-            + "may be supported in older JVMs, but their usage is discouraged 
due to known security vulnerabilities.";
+            + "may be supported in older JVMs, but their usage is discouraged 
due to known security vulnerabilities."
+            + "Please, note, TLSv1.2 clients can't connect to the servers with 
TLSv1.3 only even if ssl.enabled.protocols contains TLSv1.3";
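
Review bot: the new last literal, "Please, note, TLSv1.2 clients can't connect...", is concatenated directly after "...due to known security vulnerabilities." with no space between them, so the rendered documentation will read "vulnerabilities.Please"; add a trailing space to the preceding literal. The same spacing problem is in "TLSv1.2(TLSv1.3 for modern JVM)", and "modern JVM" should name the Java version at which the default changes, so that operators can tell which protocol their deployment will negotiate. In the added sentence, "TLSv1.2 clients" is ambiguous: say explicitly that it means clients with ssl.protocol set to TLSv1.2, since the sentence goes on to mention ssl.enabled.protocols as a separate setting.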

Review comment:
       How about:
   
   ```java
   "The SSL protocol used to generate the SSLContext. "
               + "The default is TLSv1.3 when running with Java 11 or newer, TLSv1.2 otherwise. "
               + "This value should be fine for most use cases. "
               + "Allowed values in recent JVMs are TLSv1.2 and TLSv1.3. TLS, TLSv1.1, SSL, SSLv2 and SSLv3 "
               + "may be supported in older JVMs, but their usage is discouraged due to known security vulnerabilities. "
               + "With the default value for this config and ssl.enabled.protocols, clients will downgrade to TLSv1.2 if "
               + "the server does not support TLSv1.3. If this config is set to TLSv1.2, clients will not use TLSv1.3 even "
               + "if it is one of the values in ssl.enabled.protocols and the server only supports TLSv1.3."
   ```




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

