[ https://issues.apache.org/jira/browse/KAFKA-9320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17401818#comment-17401818 ]

Yiming Zang edited comment on KAFKA-9320 at 8/19/21, 6:45 PM:
--------------------------------------------------------------

We have seen some regression after enabling and upgrading to TLS1.3 with Kafka version 2.7.0; we have been seeing very frequent EOFExceptions and disconnections:
{code:java}
[2021-08-13 06:07:26,069] WARN [ReplicaFetcher replicaId=18, leaderId=20, fetcherId=0] Unexpected error from atla-alo-26-sr1.prod.twttr.net/10.41.44.125; closing connection (org.apache.kafka.common.network.Selector)
java.io.EOFException: EOF during read
    at org.apache.kafka.common.network.SslTransportLayer.read(SslTransportLayer.java:627)
    at org.apache.kafka.common.network.NetworkReceive.readFrom(NetworkReceive.java:118)
    at org.apache.kafka.common.network.KafkaChannel.receive(KafkaChannel.java:466)
    at org.apache.kafka.common.network.KafkaChannel.read(KafkaChannel.java:416)
    at org.apache.kafka.common.network.Selector.attemptRead(Selector.java:729)
    at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:620)
    at org.apache.kafka.common.network.Selector.poll(Selector.java:520)
    at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:562)
    at org.apache.kafka.clients.NetworkClientUtils.sendAndReceive(NetworkClientUtils.java:96)
    at kafka.server.ReplicaFetcherBlockingSend.sendRequest(ReplicaFetcherBlockingSend.scala:110)
    at kafka.server.ReplicaFetcherThread.fetchFromLeader(ReplicaFetcherThread.scala:211)
    at kafka.server.AbstractFetcherThread.processFetchRequest(AbstractFetcherThread.scala:310)
    at kafka.server.AbstractFetcherThread.$anonfun$maybeFetch$3(AbstractFetcherThread.scala:143)
    at kafka.server.AbstractFetcherThread.maybeFetch(AbstractFetcherThread.scala:142)
    at kafka.server.AbstractFetcherThread.doWork(AbstractFetcherThread.scala:122)
    at kafka.utils.ShutdownableThread.run(ShutdownableThread.scala:96)
{code}

We have to roll back to use TLS1.2, and that solves the EOFException issue.



> Enable TLSv1.3 by default and disable some of the older protocols
> -----------------------------------------------------------------
>
>                 Key: KAFKA-9320
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9320
>             Project: Kafka
>          Issue Type: New Feature
>          Components: security
>            Reporter: Rajini Sivaram
>            Assignee: Nikolay Izhikov
>            Priority: Major
>              Labels: needs-kip
>             Fix For: 2.6.0
>
>         Attachments: report.txt
>
>
> KAFKA-7251 added support for TLSv1.3. We should include this in the list of 
> protocols that are enabled by default. We should also disable some of the 
> older protocols that are not secure. This change requires a KIP.


