[ 
https://issues.apache.org/jira/browse/KAFKA-13418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17505290#comment-17505290
 ] 

Ismael Juma commented on KAFKA-13418:
-------------------------------------

Looks like the property that controls when the key update happens is a security 
property with a default of 2^37.
{quote}There are cryptographic limits some algorithms have on the amount of 
plaintext which can be safely encrypted under a given set of keys. A new 
Security Property, "jdk.tls.keyLimits" has been added for TLS 1.3. When the 
amount of encrypted data by the algorithm has been reached a post-handshake Key 
and IV Update is triggered to derive new keys. This value is configurable so 
administrators can control their own security policies.
{quote}
https://bugs.openjdk.java.net/browse/JDK-8234226

> Brokers disconnect intermittently with TLS1.3
> ---------------------------------------------
>
>                 Key: KAFKA-13418
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13418
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 2.8.0
>            Reporter: shylaja kokoori
>            Assignee: shylaja kokoori
>            Priority: Minor
>         Attachments: tls1_3.patch
>
>
> Using TLS1.3 (with JDK11) is causing a regression and an increase in 
> inter-broker p99 latency, as mentioned by Yiming in 
> [Kafka-9320|https://issues.apache.org/jira/browse/KAFKA-9320?focusedCommentId=17401818&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17401818].
> We tested this with Kafka 2.8.
> The issue seems to be because of a renegotiation exception being thrown by 
> {code:java}
> read(ByteBuffer dst)
> {code}
>  & 
> {code:java}
> write(ByteBuffer src)
> {code}
>  in 
> _clients/src/main/java/org/apache/kafka/common/network/SslTransportLayer.java_
> This exception is causing the connection to close between the brokers before 
> read/write is completed. In our internal experiments we have seen the p99 
> latency stabilize when we remove this exception.
> Given that TLS1.3 does not support renegotiation, I would like to make it 
> applicable just for TLS1.2.
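As an added illustration, not code from the Kafka project, from the patch attached to this issue, or from either commenter: the Java class below shows the two sides of what the comment and the quoted report describe. On the JDK side it reads the `jdk.tls.keyLimits` security property and decodes an entry into the byte count after which a post-handshake KeyUpdate is triggered (the entry format `AES/GCM/NoPadding KeyUpdate 2^37` is assumed from the JDK-8234226 release note). On the transport side it shows how a read/write path can distinguish a TLS 1.2 renegotiation, which it refuses, from a TLS 1.3 post-handshake message such as KeyUpdate, which it must process, and how to drive `SSLEngine` through that exchange. Method names are hypothetical and not Kafka's `SslTransportLayer` API.

```java
import java.nio.ByteBuffer;
import java.security.Security;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLException;

/** Added example; method names are hypothetical, not Kafka's SslTransportLayer API. */
public final class Tls13KeyUpdateCheck {

    /** Value of the JDK-wide security property, or null on runtimes that predate JDK-8234226. */
    static String configuredKeyLimits() {
        return Security.getProperty("jdk.tls.keyLimits");
    }

    /**
     * Decodes one keyLimits entry, e.g. "AES/GCM/NoPadding KeyUpdate 2^37", into the number of
     * plaintext bytes after which the JDK triggers a post-handshake KeyUpdate.
     * The entry format is assumed from the JDK-8234226 release note.
     */
    static long keyLimitBytes(String entry) {
        String[] parts = entry.trim().split("\\s+");
        if (parts.length != 3 || !"KeyUpdate".equals(parts[1])) {
            throw new IllegalArgumentException("unrecognised jdk.tls.keyLimits entry: " + entry);
        }
        String limit = parts[2];
        return limit.startsWith("2^")
                ? 1L << Integer.parseInt(limit.substring(2))
                : Long.parseLong(limit);
    }

    /**
     * Decides whether a non-idle handshake status, observed on a connection whose initial
     * handshake already completed, is a renegotiation the transport refuses. TLS 1.3 has no
     * renegotiation: there such a status announces a post-handshake message (KeyUpdate,
     * NewSessionTicket) that must be processed instead of being treated as an error.
     */
    static boolean isForbiddenRenegotiation(SSLEngine engine, HandshakeStatus status) {
        if (status == HandshakeStatus.NOT_HANDSHAKING) {
            return false;
        }
        return !"TLSv1.3".equals(engine.getSession().getProtocol());
    }

    /**
     * Drives the engine through a TLS 1.3 post-handshake exchange: runs delegated tasks and
     * wraps the records the engine wants to send (for example the KeyUpdate reply). Returns when
     * the engine is idle again or needs more bytes from the peer; the caller flushes netOut.
     */
    static void completePostHandshake(SSLEngine engine, ByteBuffer netOut) throws SSLException {
        ByteBuffer noAppData = ByteBuffer.allocate(0);
        HandshakeStatus status = engine.getHandshakeStatus();
        while (status != HandshakeStatus.NOT_HANDSHAKING) {
            switch (status) {
                case NEED_TASK:
                    Runnable task;
                    while ((task = engine.getDelegatedTask()) != null) {
                        task.run();
                    }
                    status = engine.getHandshakeStatus();
                    break;
                case NEED_WRAP:
                    SSLEngineResult result = engine.wrap(noAppData, netOut);
                    if (result.getStatus() == SSLEngineResult.Status.BUFFER_OVERFLOW) {
                        throw new SSLException("netOut too small for post-handshake record");
                    }
                    status = result.getHandshakeStatus();
                    break;
                default:
                    // NEED_UNWRAP / NEED_UNWRAP_AGAIN (or FINISHED): nothing more to send now.
                    return;
            }
        }
    }

    public static void main(String[] args) {
        String limits = configuredKeyLimits();
        System.out.println("jdk.tls.keyLimits = " + limits);
        // Constructed sample matching the documented default, used only if the property is absent.
        String value = limits != null ? limits : "AES/GCM/NoPadding KeyUpdate 2^37";
        for (String entry : value.split(",")) {
            System.out.println(entry.trim() + " -> KeyUpdate after " + keyLimitBytes(entry) + " bytes");
        }
    }
}
```

On a JDK that ships the property, running `main` prints the configured entries and their byte limits (2^37 bytes is 128 GiB per key, which a busy inter-broker connection reaches); the two `SSLEngine` helpers are the shape of check a transport needs so that a KeyUpdate on a TLS 1.3 connection does not close the connection mid-read.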



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
