KAFKA-9460: Enable TLSv1.2 by default and disable all others protocol versions#7998
rajinisivaram merged 9 commits into apache:trunk from
Conversation
Hello @rajinisivaram.
| + "Allowed values in recent JVMs are TLS, TLSv1.1, TLSv1.2 and TLSv1.3. SSL, SSLv2 and SSLv3 " | ||
| + "may be supported in older JVMs, but their usage is discouraged due to known security vulnerabilities."; | ||
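Review bot: the two `+` doc lines still present TLSv1.1 as an ordinary allowed value next to TLSv1.2 and TLSv1.3, while the PR's stated purpose is to disable every protocol except TLSv1.2 by default; say here which values are enabled by default (TLSv1.2 only) and that the others must be opted into via `ssl.enabled.protocols`, so the config doc matches the new behaviour.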
| public static final String DEFAULT_SSL_PROTOCOL = "TLS"; |
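Review bot: `DEFAULT_SSL_PROTOCOL` stays `"TLS"` in this context line; that is only safe because the new `ssl.enabled.protocols` default restricts the handshake to TLSv1.2, so if the default is intentionally left unchanged, the `ssl.protocol` doc should state that the negotiated version is bounded by `ssl.enabled.protocols`, and the new test should assert that a connection from a client offering only an older version is rejected.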
Does this need to change as well? Or does the enabled protocol list constrain it?
It seems the doc is inconsistent for now.
We do support TLSv1.3.
See e275742.
rajinisivaram left a comment
@nizhikov Thanks for the PR, left a couple of comments. Can we also add a test to verify the change?
Can you please clarify what this new test should check?
@nizhikov I think it is perhaps useful to add a test that uses the actual configs. Something similar to
retest this please
rajinisivaram left a comment
@nizhikov Thanks for adding the test. Left a few comments.
@rajinisivaram Thanks for the feedback. PR updated according to your comments.
rajinisivaram left a comment
@nizhikov Thanks for the updates, left a few more minor comments in the test. Apart from those, I think this is ready to go.
| /** | ||
| * Tests that connections cannot be made with unsupported TLS versions | ||
| * Tests that connection sucess with the default TLS version. |
nit: typo success
Also mention that it tests that insecure protocols are not enabled by default.
@rajinisivaram PR updated according to your comments.
rajinisivaram left a comment
@nizhikov Thanks for the updates, LGTM. Will merge if the PR builds pass.
@rajinisivaram One of the builds passed and the other failed. It seems the failure doesn't relate to these changes.
@nizhikov Yes, the test failure is unrelated (ConsumerBounceTest). Merging to trunk.
@rajinisivaram Thank you so much for the review and merge!
Conflicts and/or compiler errors due to the fact that we temporarily reverted the commit that removes Scala 2.11 support:
* SslAdminIntegrationTest: keep using JAdminClient, take upstream changes otherwise.
* ReassignPartitionsClusterTest: keep using JAdminClient, take upstream changes otherwise.
* KafkaApis: use `asScala.foreach` instead of `forEach`.
# By Ismael Juma (3) and others
# Via GitHub
* apache-github/trunk: (22 commits)
  KAFKA-9437; Make the Kafka Protocol Friendlier with L7 Proxies [KIP-559] (apache#7994)
  KAFKA-9375: Add names to all Connect threads (apache#7901)
  MINOR: Introduce 2.5-IV0 IBP (apache#8010)
  KAFKA-8503; Add default api timeout to AdminClient (KIP-533) (apache#8011)
  Add retries to release.py script (apache#8021)
  KAFKA-8162: IBM JDK Class not found error when handling SASL (apache#6524)
  MINOR: Add explicit result type in public defs/vals (apache#7993)
  KAFKA-9408: Use StandardCharsets.UTF-8 instead of "UTF-8" (apache#7940)
  KAFKA-9474: Adds 'float64' to the RPC protocol types (apache#8012)
  KAFKA-9360: Allow disabling MM2 heartbeat and checkpoint emissions (apache#7887)
  KAFKA-7658: Add KStream#toTable to the Streams DSL (apache#7985)
  KAFKA-9445: Allow adding changes to allow serving from a specific partition (apache#7984)
  KAFKA-9422: Track the set of topics a connector is using (KIP-558) (apache#8017)
  KAFKA-9040; Add --all option to config command (apache#7607)
  KAFKA-4203: Align broker default for max.message.bytes with Java producer default (apache#4154)
  KAFKA-9426: Use switch instead of chained if/else in OffsetsForLeaderEpochClient (apache#7959)
  KAFKA-9405: Use Map.computeIfAbsent where applicable (apache#7937)
  KAFKA-9026: Use automatic RPC generation in DescribeAcls (apache#7560)
  MINOR: Remove unused fields in StreamsMetricsImpl (apache#7992)
  KAFKA-9460: Enable only TLSv1.2 by default and disable other TLS protocol versions (KIP-553) (apache#7998)
  ...
…TLS protocol versions (KIP-553) (apache#7998)" This reverts commit 172409c
…able other TLS protocol versions (KIP-553) (apache#7998)" (#275) This reverts commit 172409c TLSv1.0 and TLSv1.1 will be disabled in CP 6.0 across the whole platform.
This PR disables all SSL protocols except TLSv1.2 by default.
Changes discussed in KIP-553.
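To show what the new default means for an existing deployment, here is an added config audit, not code from the Kafka project or from this PR: it parses the `ssl.protocol` and `ssl.enabled.protocols` settings from a `.properties` file and flags the cases this change is meant to remove (an insecure version explicitly enabled, or an `ssl.protocol` value that can no longer be negotiated). The property-file syntax, the sample files and the assumption that the post-change default enabled list is exactly `TLSv1.2` are mine, not taken from the page.

```python
"""Audit Kafka ssl.protocol / ssl.enabled.protocols settings.

Added example, not Kafka project code. Assumptions (not from the PR page):
Java .properties syntax, and a post-KIP-553 default of only TLSv1.2 enabled.
"""

# Protocol names as accepted by the JVM; everything below TLSv1.2 is treated
# as a finding because the PR's goal is to stop enabling them by default.
INSECURE_PROTOCOLS = {"SSL", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
DEFAULT_ENABLED_PROTOCOLS = ["TLSv1.2"]   # assumed new default from this PR
DEFAULT_SSL_PROTOCOL = "TLS"              # DEFAULT_SSL_PROTOCOL in the snippet above


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def enabled_protocols(props: dict) -> list:
    """Effective ssl.enabled.protocols: the explicit list, else the assumed default."""
    raw = props.get("ssl.enabled.protocols")
    if raw is None:
        return list(DEFAULT_ENABLED_PROTOCOLS)
    return [p.strip() for p in raw.split(",") if p.strip()]


def audit(props: dict) -> list:
    """Return human-readable findings for weak or contradictory TLS settings."""
    findings = []
    enabled = enabled_protocols(props)
    protocol = props.get("ssl.protocol", DEFAULT_SSL_PROTOCOL)
    for p in enabled:
        if p in INSECURE_PROTOCOLS:
            findings.append(f"ssl.enabled.protocols enables insecure {p}")
    if protocol in INSECURE_PROTOCOLS:
        findings.append(f"ssl.protocol={protocol} selects an insecure context")
    # A concrete version in ssl.protocol that is absent from the enabled list
    # cannot be negotiated, so connections fail rather than silently downgrade.
    if protocol not in ("TLS", "SSL") and protocol not in enabled:
        findings.append(f"ssl.protocol={protocol} is not in ssl.enabled.protocols {enabled}")
    return findings


# Constructed sample files (not real deployments).
LEGACY_CONFIG = """\
# legacy broker settings: older versions explicitly enabled
ssl.protocol=TLS
ssl.enabled.protocols=TLSv1,TLSv1.1,TLSv1.2
"""

HARDENED_CONFIG = """\
# what the new default amounts to when written out explicitly
ssl.protocol=TLS
ssl.enabled.protocols=TLSv1.2
"""

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_properties(cfg)) or "OK")
```

A file that sets neither property produces no findings, which is the point of the change: with the new default, an unmodified config enables only TLSv1.2, whereas an explicit legacy list keeps the older versions alive until someone removes them.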