Posted to dev@kafka.apache.org by Nikolay Izhikov <ni...@apache.org> on 2020/02/14 12:17:32 UTC

Re: [DISCUSS] KIP-553: Enable TLSv1.3 by default and disable all protocols except [TLSV1.2, TLSV1.3]

Hello, Kafka team.

I ran system tests that use SSL for TLSv1.3.
You can find the results of the tests in the Jira ticket [1], [2], [3], [4].

I also need changes [5] in `security_config.py` to execute system tests with TLSv1.3 (more info in the PR description).
Please take a look.

Test environment:
	• openjdk11
	• trunk + changes from my PR [5].

The full system test results have a volume of 15 GB.
Should I share full logs with you?

What else should be done before we can enable TLSv1.3 by default?

[1] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036927&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036927

[2] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036928&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036928

[3] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036929&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036929

[4] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036930&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036930

[5] https://github.com/apache/kafka/pull/8106/files#diff-6dd015b94706f6920d9de524c355ddd8R51

> On 29 Jan 2020, at 15:27, Nikolay Izhikov <ni...@gmail.com> wrote:
> 
> Hello, Rajini.
> 
> Thanks for the feedback.
> 
> I’ve searched tests by the «ssl» keyword and found the following tests:
> 
> ./test/kafkatest/services/kafka_log4j_appender.py
> ./test/kafkatest/services/listener_security_config.py
> ./test/kafkatest/services/security/security_config.py
> ./test/kafkatest/tests/core/security_test.py
> 
> Are these all the tests that need to be run with TLSv1.3 to ensure we can enable it by default?
> 
>> On 28 Jan 2020, at 14:58, Rajini Sivaram <ra...@gmail.com> wrote:
>> 
>> Hi Nikolay,
>> 
>> Not sure of the total space required. But you can run a collection of tests at a time instead of running them all together. That way, you could just run all the tests that enable SSL. Details of running a subset of tests are in the README in tests.
>> 
>> On Mon, Jan 27, 2020 at 6:29 PM Nikolay Izhikov <ni...@apache.org> wrote:
>> Hello, Rajini.
>> 
>> I tried to run all system tests but failed for now.
>> It happens that system tests generate a lot of logs.
>> I had 250GB of free space but it was all occupied by the log from half of the system tests.
>> 
>> Do you have any idea what total disk space I need to run all system tests?
>> 
>>> On 7 Jan 2020, at 14:49, Rajini Sivaram <ra...@gmail.com> wrote:
>>> 
>>> Hi Nikolay,
>>> 
>>> There are a couple of things you could do:
>>> 
>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a subset, but
>>> it will be good to run all of them. You can do this locally using docker
>>> with JDK 11 by updating the files in tests/docker. You will need to update
>>> tests/kafkatest/services/security/security_config.py to enable only
>>> TLSv1.3. Instructions for running system tests using docker are in
>>> https://github.com/apache/kafka/blob/trunk/tests/README.md.
>>> 2) For integration tests, we run a small number of tests using TLSv1.3 if
>>> the tests are run using JDK 11 and above. We need to do this for system
>>> tests as well. There is an open JIRA:
>>> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to assign this
>>> to yourself if you have time to do this.
>>> 
>>> Regards,
>>> 
>>> Rajini
>>> 
>>> 
>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <ni...@apache.org> wrote:
>>> 
>>>> Hello, Rajini.
>>>> 
>>>> Can you please clarify what should be done?
>>>> I can try to do tests by myself.
>>>> 
>>>>> On 6 Jan 2020, at 21:29, Rajini Sivaram <ra...@gmail.com> wrote:
>>>>> 
>>>>> Hi Brajesh.
>>>>> 
>>>>> No one is working on this yet, but will follow up with the Confluent tools
>>>>> team to see when this can be done.
>>>>> 
>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <kb...@gmail.com> wrote:
>>>>> 
>>>>>> Hello Rajini,
>>>>>> 
>>>>>> What is the plan to run system tests using JDK 11? Is someone working on
>>>>>> this?
>>>>>> 
>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <ra...@gmail.com>
>>>>>> wrote:
>>>>>> 
>>>>>>> Hi Nikolay,
>>>>>>> 
>>>>>>> We can leave the KIP open and restart the discussion once system tests are
>>>>>>> running.
>>>>>>> 
>>>>>>> Thanks,
>>>>>>> 
>>>>>>> Rajini
>>>>>>> 
>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <ni...@apache.org> wrote:
>>>>>>> 
>>>>>>>> Hello, Rajini.
>>>>>>>> 
>>>>>>>> Thanks for the feedback.
>>>>>>>> 
>>>>>>>> Should I mark this KIP as declined?
>>>>>>>> Or just wait for the system tests results?
>>>>>>>> 
>>>>>>>>> On 6 Jan 2020, at 17:26, Rajini Sivaram <ra...@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>> Hi Nikolay,
>>>>>>>>> 
>>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8 and hence we
>>>>>>>>> don't yet have full system test results with TLS 1.3 which requires JDK 11.
>>>>>>>>> We should wait until that is done before enabling TLS1.3 by default.
>>>>>>>>> 
>>>>>>>>> Regards,
>>>>>>>>> 
>>>>>>>>> Rajini
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <ni...@apache.org> wrote:
>>>>>>>>> 
>>>>>>>>>> Hello, Team.
>>>>>>>>>> 
>>>>>>>>>> Any feedback on this KIP?
>>>>>>>>>> Do we need this in Kafka?
>>>>>>>>>> 
>>>>>>>>>>> On 24 Dec 2019, at 18:28, Nikolay Izhikov <ni...@apache.org> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> Hello,
>>>>>>>>>>> 
>>>>>>>>>>> I'd like to start a discussion of KIP.
>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions by default.
>>>>>>>>>>> 
>>>>>>>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>>>>>>>>>>> 
>>>>>>>>>>> Your comments and suggestions are welcome.
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> Regards,
>>>>>> Brajesh Kumar
>>>>>> 
>>>> 
>>>> 
>> 
> 


Re: [DISCUSS] KIP-553: Enable TLSv1.3 by default and disable all protocols except [TLSV1.2, TLSV1.3]

Posted by Nikolay Izhikov <ni...@apache.org>.
Hello, Ismael.

> What I meant to ask is if we changed the configuration so that TLS 1.3 is exercised in the system tests by default.

Are you suggesting we just use TLSv1.3 instead of TLSv1.2 if the new version is supported?
Or do you suggest introducing one more parameter for applicable tests like `ssl_protocol_version=[TLSv1.2, TLSv1.3]`?

The second option doubles the number of test cases, so it will run slower.

> On 24 Apr 2020, at 17:34, Ismael Juma <is...@juma.me.uk> wrote:
> 
> Right, some companies run them nightly. What I meant to ask is if we
> changed the configuration so that TLS 1.3 is exercised in the system tests
> by default.
> 
> Ismael
> 
> On Fri, Apr 24, 2020 at 7:32 AM Nikolay Izhikov <ni...@apache.org> wrote:
> 
>> Hello, Ismael.
>> 
>> AFAIK we don’t run system tests nightly.
>> Do we have resources to run system tests periodically?
>> 
>> When I did the testing I used servers my employer gave me.
>> 
>>> On 24 Apr 2020, at 08:05, Ismael Juma <is...@juma.me.uk> wrote:
>>> 
>>> Hi Nikolay,
>>> 
>>> Seems like we have been able to run the system tests with TLS 1.3. Do we
>>> run them nightly?
>>> 
>>> Ismael
>>> 


Re: [DISCUSS] KIP-553: Enable TLSv1.3 by default and disable all protocols except [TLSV1.2, TLSV1.3]

Posted by Ismael Juma <is...@juma.me.uk>.
Sounds good, that's the one I meant to use. :)

Ismael

On Mon, May 18, 2020, 6:34 AM Nikolay Izhikov <ni...@apache.org> wrote:

> Hello, Ismael.
>
> I think we should move the ongoing discussion into the KIP-573 discussion [1].
>
> I will respond here and in the KIP-573 discussion thread, because this KIP
> is already adopted by [2]
>
> [1]
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-573%3A+Enable+TLSv1.3+by+default
> [2]
> https://github.com/apache/kafka/commit/172409c44b8551e2315bd93044a8a95ccda4699f
>
> > On 18 May 2020, at 01:34, Ismael Juma <is...@juma.me.uk> wrote:
> >
> > Hi Nikolay,
> >
> > Quick question, the following is meant to include TLSv1.3 as well, right?
> >
> > Change the value of the SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS to
> >> "TLSv1.2"
> >
> >
> > In addition, two more questions:
> >
> > 1. `ssl.protocol` would remain TLSv1.2 with this change. It would be good
> > to explain why that's OK.
> > 2. What is the behavior for people who have configured `ssl.cipher.suites`?
> > The cipher suite names are different in TLS 1.3. What would be the behavior
> > if the client requests TLS 1.3, but the server only has cipher suites for
> > TLS 1.2? It would be good to explain the expected behavior and add tests to
> > verify it.
> >
> > Ismael
> >
> > On Thu, Apr 30, 2020 at 9:47 AM Nikolay Izhikov <ni...@apache.org> wrote:
> >
> >> Ticket created:
> >>
> >> https://issues.apache.org/jira/browse/KAFKA-9943
> >>
> >> I will prepare the PR, shortly.
> >>
> >>> On 27 Apr 2020, at 17:55, Ismael Juma <is...@juma.me.uk> wrote:
> >>>
> >>> Yes, a PR would be great.
> >>>
> >>> Ismael
> >>>
> >>> On Mon, Apr 27, 2020, 2:10 AM Nikolay Izhikov <ni...@apache.org> wrote:
> >>>
> >>>> Hello, Ismael.
> >>>>
> >>>> AFAIK we don’t run tests with TLSv1.3 by default.
> >>>> Are you suggesting to do it?
> >>>> I can create a PR for it.
> >>>>
>
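
The situation raised in the second question quoted above (a peer enables TLS 1.3 while `ssl.cipher.suites` lists only TLS 1.2 suite names) can be caught with a static check of the configuration before any handshake is attempted. The following is an added example, not code from this thread or from Kafka; the sample properties are constructed, the default protocol list is an assumption taken from the thread subject, and every pre-1.3 suite is treated as usable with any pre-1.3 protocol.

```python
"""Static check of Kafka SSL settings for protocol / cipher-suite mismatches."""

# The five TLS 1.3 cipher suite names defined by RFC 8446. Any other suite
# name (TLS_..._WITH_... or SSL_...) belongs to TLS 1.2 or earlier.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})

ALL = None  # marker: ssl.cipher.suites is unset, so suites are not restricted

# Assumption: default taken from the thread subject, not read from Kafka.
ASSUMED_DEFAULT_PROTOCOLS = "TLSv1.2,TLSv1.3"

# Constructed sample configurations.
SERVER_TLS12_SUITES_ONLY = """
# broker still pinned to suites chosen for TLS 1.2
ssl.enabled.protocols=TLSv1.2,TLSv1.3
ssl.cipher.suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""
SERVER_FIXED = """
ssl.enabled.protocols=TLSv1.2,TLSv1.3
ssl.cipher.suites=TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""
CLIENT_TLS13_ONLY = "ssl.enabled.protocols=TLSv1.3\n"
CLIENT_BOTH = "ssl.enabled.protocols=TLSv1.2,TLSv1.3\n"


def parse_properties(text):
    """Parse key=value lines of a .properties snippet (no escapes or continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def ssl_view(props):
    """Return (enabled protocols, configured suites or ALL) for one peer."""
    protocols = set(split_list(props.get("ssl.enabled.protocols", ASSUMED_DEFAULT_PROTOCOLS)))
    suites = split_list(props.get("ssl.cipher.suites", ""))
    return protocols, (set(suites) if suites else ALL)


def usable_suites(protocol, suites):
    """Subset of `suites` that can be used with `protocol`; ALL stays ALL."""
    if suites is ALL:
        return ALL
    if protocol == "TLSv1.3":
        return suites & TLS13_SUITES
    return suites - TLS13_SUITES


def dead_protocols(props):
    """Enabled protocols that can never be negotiated with the configured suites."""
    protocols, suites = ssl_view(props)
    dead = []
    for protocol in sorted(protocols):
        usable = usable_suites(protocol, suites)
        if usable is not ALL and not usable:
            dead.append(protocol)
    return dead


def negotiable(client_props, server_props):
    """Protocol versions both peers enable and for which they can share a suite."""
    c_protocols, c_suites = ssl_view(client_props)
    s_protocols, s_suites = ssl_view(server_props)
    result = []
    for protocol in sorted(c_protocols & s_protocols):
        c = usable_suites(protocol, c_suites)
        s = usable_suites(protocol, s_suites)
        if c is ALL or s is ALL:
            # An unrestricted side accepts whatever the restricted side offers.
            ok = (c is ALL or bool(c)) and (s is ALL or bool(s))
        else:
            ok = bool(c & s)
        if ok:
            result.append(protocol)
    return result


if __name__ == "__main__":
    server = parse_properties(SERVER_TLS12_SUITES_ONLY)
    print("server protocols without a usable suite:", dead_protocols(server))
    for name, text in (("TLSv1.3-only client", CLIENT_TLS13_ONLY),
                       ("TLSv1.2+1.3 client", CLIENT_BOTH)):
        versions = negotiable(parse_properties(text), server)
        print(name, "->", versions or "no common version, handshake cannot succeed")
```
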

Re: [DISCUSS] KIP-553: Enable TLSv1.3 by default and disable all protocols except [TLSV1.2, TLSV1.3]

Posted by Nikolay Izhikov <ni...@apache.org>.
Hello, Ismael.

I think we should move the ongoing discussion into the KIP-573 discussion [1].

I will respond here and in the KIP-573 discussion thread, because this KIP is already adopted by [2]

[1] https://cwiki.apache.org/confluence/display/KAFKA/KIP-573%3A+Enable+TLSv1.3+by+default
[2] https://github.com/apache/kafka/commit/172409c44b8551e2315bd93044a8a95ccda4699f

> On 18 May 2020, at 01:34, Ismael Juma <is...@juma.me.uk> wrote:
> 
> Hi Nikolay,
> 
> Quick question, the following is meant to include TLSv1.3 as well, right?
> 
> Change the value of the SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS to
>> "TLSv1.2"
> 
> 
> In addition, two more questions:
> 
> 1. `ssl.protocol` would remain TLSv1.2 with this change. It would be good
> to explain why that's OK.
> 2. What is the behavior for people who have configured `ssl.cipher.suites`?
> The cipher suite names are different in TLS 1.3. What would be the behavior
> if the client requests TLS 1.3, but the server only has cipher suites for
> TLS 1.2? It would be good to explain the expected behavior and add tests to
> verify it.
> 
> Ismael
> 
> On Thu, Apr 30, 2020 at 9:47 AM Nikolay Izhikov <ni...@apache.org> wrote:
> 
>> Ticket created:
>> 
>> https://issues.apache.org/jira/browse/KAFKA-9943
>> 
>> I will prepare the PR, shortly.
>> 
>>> 27 апр. 2020 г., в 17:55, Ismael Juma <is...@juma.me.uk> написал(а):
>>> 
>>> Yes, a PR would be great.
>>> 
>>> Ismael
>>> 
>>> On Mon, Apr 27, 2020, 2:10 AM Nikolay Izhikov <ni...@apache.org>
>> wrote:
>>> 
>>>> Hello, Ismael.
>>>> 
>>>> AFAIK we don’t run tests with the TLSv1.3, by default.
>>>> Are you suggesting to do it?
>>>> I can create a PR for it.
>>>> 
>>>>> 24 апр. 2020 г., в 17:34, Ismael Juma <is...@juma.me.uk> написал(а):
>>>>> 
>>>>> Right, some companies run them nightly. What I meant to ask is if we
>>>>> changed the configuration so that TLS 1.3 is exercised in the system
>>>> tests
>>>>> by default.
>>>>> 
>>>>> Ismael
>>>>> 
>>>>> On Fri, Apr 24, 2020 at 7:32 AM Nikolay Izhikov <ni...@apache.org>
>>>> wrote:
>>>>> 
>>>>>> Hello, Ismael.
>>>>>> 
>>>>>> AFAIK we don’t run system tests nightly.
>>>>>> Do we have resources to run system tests periodically?
>>>>>> 
>>>>>> When I did the testing I used servers my employer gave me.
>>>>>> 
>>>>>>> 24 апр. 2020 г., в 08:05, Ismael Juma <is...@juma.me.uk>
>> написал(а):
>>>>>>> 
>>>>>>> Hi Nikolay,
>>>>>>> 
>>>>>>> Seems like we have been able to run the system tests with TLS 1.3. Do
>>>> we
>>>>>>> run them nightly?
>>>>>>> 
>>>>>>> Ismael
>>>>>>> 
>>>>>>> On Fri, Feb 14, 2020 at 4:17 AM Nikolay Izhikov <nizhikov@apache.org
>>> 
>>>>>> wrote:
>>>>>>> 
>>>>>>>> Hello, Kafka team.
>>>>>>>> 
>>>>>>>> I ran system tests that use SSL for the TLSv1.3.
>>>>>>>> You can find the results of the tests in the Jira ticket [1], [2],
>>>> [3],
>>>>>>>> [4].
>>>>>>>> 
>>>>>>>> I also, need a changes [5] in `security_config.py` to execute system
>>>>>> tests
>>>>>>>> with TLSv1.3(more info in PR description).
>>>>>>>> Please, take a look.
>>>>>>>> 
>>>>>>>> Test environment:
>>>>>>>>     • openjdk11
>>>>>>>>     • trunk + changes from my PR [5].
>>>>>>>> 
>>>>>>>> Full system tests results have volume 15gb.
>>>>>>>> Should I share full logs with you?
>>>>>>>> 
>>>>>>>> What else should be done before we can enable TLSv1.3 by default?
>>>>>>>> 
>>>>>>>> [1]
>>>>>>>> 
>>>>>> 
>>>> 
>> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036927&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036927
>>>>>>>> 
>>>>>>>> [2]
>>>>>>>> 
>>>>>> 
>>>> 
>> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036928&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036928
>>>>>>>> 
>>>>>>>> [3]
>>>>>>>> 
>>>>>> 
>>>> 
>> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036929&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036929
>>>>>>>> 
>>>>>>>> [4]
>>>>>>>> 
>>>>>> 
>>>> 
>> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036930&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036930
>>>>>>>> 
>>>>>>>> [5]
>>>>>>>> 
>>>>>> 
>>>> 
>> https://github.com/apache/kafka/pull/8106/files#diff-6dd015b94706f6920d9de524c355ddd8R51
>>>>>>>> 
>>>>>>>>> 29 янв. 2020 г., в 15:27, Nikolay Izhikov <ni...@gmail.com>
>>>>>>>> написал(а):
>>>>>>>>> 
>>>>>>>>> Hello, Rajini.
>>>>>>>>> 
>>>>>>>>> Thanks for the feedback.
>>>>>>>>> 
>>>>>>>>> I’ve searched tests by the «ssl» keyword and found the following
>>>> tests:
>>>>>>>>> 
>>>>>>>>> ./test/kafkatest/services/kafka_log4j_appender.py
>>>>>>>>> ./test/kafkatest/services/listener_security_config.py
>>>>>>>>> ./test/kafkatest/services/security/security_config.py
>>>>>>>>> ./test/kafkatest/tests/core/security_test.py
>>>>>>>>> 
>>>>>>>>> Is this all tests that need to be run with the TLSv1.3 to ensure we
>>>> can
>>>>>>>> enable it by default?
>>>>>>>>> 
>>>>>>>>>> On 28 Jan 2020, at 14:58, Rajini Sivaram <rajinisivaram@gmail.com> wrote:
>>>>>>>>>> 
>>>>>>>>>> Hi Nikolay,
>>>>>>>>>> 
>>>>>>>>>> Not sure of the total space required. But you can run a collection
>>>> of
>>>>>>>> tests at a time instead of running them all together. That way, you
>>>>>> could
>>>>>>>> just run all the tests that enable SSL. Details of running a subset
>> of
>>>>>>>> tests are in the README in tests.
>>>>>>>>>> 
>>>>>>>>>> On Mon, Jan 27, 2020 at 6:29 PM Nikolay Izhikov <
>>>> nizhikov@apache.org>
>>>>>>>> wrote:
>>>>>>>>>> Hello, Rajini.
>>>>>>>>>> 
>>>>>>>>>> I tried to run all system tests but failed for now.
>>>>>>>>>> It happens that system tests generate a lot of logs.
>>>>>>>>>> I had a 250GB of the free space but it all was occupied by the log
>>>>>> from
>>>>>>>> half of the system tests.
>>>>>>>>>> 
>>>>>>>>>> Do you have any idea what is summary disc space I need to run all
>>>>>>>> system tests?
>>>>>>>>>> 
>>>>>>>>>>> On 7 Jan 2020, at 14:49, Rajini Sivaram <rajinisivaram@gmail.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>> 
>>>>>>>>>>> There are a couple of things you could do:
>>>>>>>>>>> 
>>>>>>>>>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a
>>>>>> subset,
>>>>>>>> but
>>>>>>>>>>> it will be good to run all of them. You can do this locally using
>>>>>>>> docker
>>>>>>>>>>> with JDK 11 by updating the files in tests/docker. You will need
>> to
>>>>>>>> update
>>>>>>>>>>> tests/kafkatest/services/security/security_config.py to enable
>> only
>>>>>>>>>>> TLSv1.3. Instructions for running system tests using docker are
>> in
>>>>>>>>>>> https://github.com/apache/kafka/blob/trunk/tests/README.md.
>>>>>>>>>>> 2) For integration tests, we run a small number of tests using
>>>>>> TLSv1.3
>>>>>>>> if
>>>>>>>>>>> the tests are run using JDK 11 and above. We need to do this for
>>>>>> system
>>>>>>>>>>> tests as well. There is an open JIRA:
>>>>>>>>>>> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to
>>>>>> assign
>>>>>>>> this
>>>>>>>>>>> to yourself if you have time to do this.
>>>>>>>>>>> 
>>>>>>>>>>> Regards,
>>>>>>>>>>> 
>>>>>>>>>>> Rajini
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <
>> nizhikov@apache.org
>>>>> 
>>>>>>>> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> Hello, Rajini.
>>>>>>>>>>>> 
>>>>>>>>>>>> Can you, please, clarify, what should be done?
>>>>>>>>>>>> I can try to do tests by myself.
>>>>>>>>>>>> 
>>>>>>>>>>>>> On 6 Jan 2020, at 21:29, Rajini Sivaram <rajinisivaram@gmail.com> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Hi Brajesh.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> No one is working on this yet, but will follow up with the
>>>>>> Confluent
>>>>>>>>>>>> tools
>>>>>>>>>>>>> team to see when this can be done.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <
>>>>>> kbrajesh176@gmail.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Hello Rajini,
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> What is the plan to run system tests using JDK 11? Is someone
>>>>>>>> working on
>>>>>>>>>>>>>> this?
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <
>>>>>>>> rajinisivaram@gmail.com>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> We can leave the KIP open and restart the discussion once
>>>> system
>>>>>>>> tests
>>>>>>>>>>>>>> are
>>>>>>>>>>>>>>> running.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Rajini
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <
>>>>>> nizhikov@apache.org
>>>>>>>>> 
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Hello, Rajini.
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Thanks, for the feedback.
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Should I mark this KIP as declined?
>>>>>>>>>>>>>>>> Or just wait for the system tests results?
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> On 6 Jan 2020, at 17:26, Rajini Sivaram <rajinisivaram@gmail.com> wrote:
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> Thanks for the KIP. We currently run system tests using
>> JDK 8
>>>>>> and
>>>>>>>>>>>>>> hence
>>>>>>>>>>>>>>>> we
>>>>>>>>>>>>>>>>> don't yet have full system test results with TLS 1.3 which
>>>>>>>> requires
>>>>>>>>>>>>>> JDK
>>>>>>>>>>>>>>>> 11.
>>>>>>>>>>>>>>>>> We should wait until that is done before enabling TLS1.3 by
>>>>>>>> default.
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> Rajini
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <
>>>>>>>> nizhikov@apache.org>
>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> Hello, Team.
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> Any feedback on this KIP?
>>>>>>>>>>>>>>>>>> Do we need this in Kafka?
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> On 24 Dec 2019, at 18:28, Nikolay Izhikov <nizhikov@apache.org> wrote:
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> I'd like to start a discussion of KIP.
>>>>>>>>>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete
>> versions
>>>>>> by
>>>>>>>>>>>>>>> default.
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> Your comments and suggestions are welcome.
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>> Brajesh Kumar
>>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>> 
>>>>>> 
>>>> 
>>>> 
>> 
>> 


Re: [DISCUSS] KIP-553: Enable TLSv1.3 by default and disable all protocols except [TLSV1.2, TLSV1.3]

Posted by Ismael Juma <is...@juma.me.uk>.
Hi Nikolay,

Quick question, the following is meant to include TLSv1.3 as well, right?

> Change the value of the SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS to
> "TLSv1.2"


In addition, two more questions:

1. `ssl.protocol` would remain TLSv1.2 with this change. It would be good
to explain why that's OK.
2. What is the behavior for people who have configured `ssl.cipher.suites`?
The cipher suite names are different in TLS 1.3. What would be the behavior
if the client requests TLS 1.3, but the server only has cipher suites for
TLS 1.2? It would be good to explain the expected behavior and add tests to
verify it.

Ismael

On Thu, Apr 30, 2020 at 9:47 AM Nikolay Izhikov <ni...@apache.org> wrote:

> Ticket created:
>
> https://issues.apache.org/jira/browse/KAFKA-9943
>
> I will prepare the PR, shortly.
>
> > On 27 Apr 2020, at 17:55, Ismael Juma <is...@juma.me.uk> wrote:
> >
> > Yes, a PR would be great.
> >
> > Ismael
> >
> > On Mon, Apr 27, 2020, 2:10 AM Nikolay Izhikov <ni...@apache.org>
> wrote:
> >
> >> Hello, Ismael.
> >>
> >> AFAIK we don’t run tests with the TLSv1.3, by default.
> >> Are you suggesting to do it?
> >> I can create a PR for it.
> >>
> >>> On 24 Apr 2020, at 17:34, Ismael Juma <is...@juma.me.uk> wrote:
> >>>
> >>> Right, some companies run them nightly. What I meant to ask is if we
> >>> changed the configuration so that TLS 1.3 is exercised in the system
> >> tests
> >>> by default.
> >>>
> >>> Ismael
> >>>
> >>> On Fri, Apr 24, 2020 at 7:32 AM Nikolay Izhikov <ni...@apache.org>
> >> wrote:
> >>>
> >>>> Hello, Ismael.
> >>>>
> >>>> AFAIK we don’t run system tests nightly.
> >>>> Do we have resources to run system tests periodically?
> >>>>
> >>>> When I did the testing I used servers my employer gave me.
> >>>>
> >>>>> On 24 Apr 2020, at 08:05, Ismael Juma <is...@juma.me.uk> wrote:
> >>>>>
> >>>>> Hi Nikolay,
> >>>>>
> >>>>> Seems like we have been able to run the system tests with TLS 1.3. Do
> >> we
> >>>>> run them nightly?
> >>>>>
> >>>>> Ismael
> >>>>>
> >>>>> On Fri, Feb 14, 2020 at 4:17 AM Nikolay Izhikov <nizhikov@apache.org
> >
> >>>> wrote:
> >>>>>
> >>>>>> Hello, Kafka team.
> >>>>>>
> >>>>>> I ran system tests that use SSL for the TLSv1.3.
> >>>>>> You can find the results of the tests in the Jira ticket [1], [2],
> >> [3],
> >>>>>> [4].
> >>>>>>
> >>>>>> I also need changes [5] in `security_config.py` to execute system tests
> >>>>>> with TLSv1.3 (more info in PR description).
> >>>>>> Please, take a look.
> >>>>>>
> >>>>>> Test environment:
> >>>>>>      • openjdk11
> >>>>>>      • trunk + changes from my PR [5].
> >>>>>>
> >>>>>> Full system tests results have volume 15gb.
> >>>>>> Should I share full logs with you?
> >>>>>>
> >>>>>> What else should be done before we can enable TLSv1.3 by default?
> >>>>>>
> >>>>>> [1] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036927&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036927
> >>>>>>
> >>>>>> [2] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036928&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036928
> >>>>>>
> >>>>>> [3] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036929&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036929
> >>>>>>
> >>>>>> [4] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036930&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036930
> >>>>>>
> >>>>>> [5] https://github.com/apache/kafka/pull/8106/files#diff-6dd015b94706f6920d9de524c355ddd8R51
> >>>>>>
> >>>>>>> On 29 Jan 2020, at 15:27, Nikolay Izhikov <ni...@gmail.com> wrote:
> >>>>>>>
> >>>>>>> Hello, Rajini.
> >>>>>>>
> >>>>>>> Thanks for the feedback.
> >>>>>>>
> >>>>>>> I’ve searched tests by the «ssl» keyword and found the following
> >> tests:
> >>>>>>>
> >>>>>>> ./test/kafkatest/services/kafka_log4j_appender.py
> >>>>>>> ./test/kafkatest/services/listener_security_config.py
> >>>>>>> ./test/kafkatest/services/security/security_config.py
> >>>>>>> ./test/kafkatest/tests/core/security_test.py
> >>>>>>>
> >>>>>>> Is this all tests that need to be run with the TLSv1.3 to ensure we
> >> can
> >>>>>> enable it by default?
> >>>>>>>
> >>>>>>>> On 28 Jan 2020, at 14:58, Rajini Sivaram <rajinisivaram@gmail.com> wrote:
> >>>>>>>>
> >>>>>>>> Hi Nikolay,
> >>>>>>>>
> >>>>>>>> Not sure of the total space required. But you can run a collection
> >> of
> >>>>>> tests at a time instead of running them all together. That way, you
> >>>> could
> >>>>>> just run all the tests that enable SSL. Details of running a subset
> of
> >>>>>> tests are in the README in tests.
> >>>>>>>>
> >>>>>>>> On Mon, Jan 27, 2020 at 6:29 PM Nikolay Izhikov <
> >> nizhikov@apache.org>
> >>>>>> wrote:
> >>>>>>>> Hello, Rajini.
> >>>>>>>>
> >>>>>>>> I tried to run all system tests but failed for now.
> >>>>>>>> It happens that system tests generate a lot of logs.
> >>>>>>>> I had a 250GB of the free space but it all was occupied by the log
> >>>> from
> >>>>>> half of the system tests.
> >>>>>>>>
> >>>>>>>> Do you have any idea what is summary disc space I need to run all
> >>>>>> system tests?
> >>>>>>>>
> >>>>>>>>> On 7 Jan 2020, at 14:49, Rajini Sivaram <rajinisivaram@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>> Hi Nikolay,
> >>>>>>>>>
> >>>>>>>>> There are a couple of things you could do:
> >>>>>>>>>
> >>>>>>>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a
> >>>> subset,
> >>>>>> but
> >>>>>>>>> it will be good to run all of them. You can do this locally using
> >>>>>> docker
> >>>>>>>>> with JDK 11 by updating the files in tests/docker. You will need
> to
> >>>>>> update
> >>>>>>>>> tests/kafkatest/services/security/security_config.py to enable
> only
> >>>>>>>>> TLSv1.3. Instructions for running system tests using docker are
> in
> >>>>>>>>> https://github.com/apache/kafka/blob/trunk/tests/README.md.
> >>>>>>>>> 2) For integration tests, we run a small number of tests using
> >>>> TLSv1.3
> >>>>>> if
> >>>>>>>>> the tests are run using JDK 11 and above. We need to do this for
> >>>> system
> >>>>>>>>> tests as well. There is an open JIRA:
> >>>>>>>>> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to
> >>>> assign
> >>>>>> this
> >>>>>>>>> to yourself if you have time to do this.
> >>>>>>>>>
> >>>>>>>>> Regards,
> >>>>>>>>>
> >>>>>>>>> Rajini
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <
> nizhikov@apache.org
> >>>
> >>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>>> Hello, Rajini.
> >>>>>>>>>>
> >>>>>>>>>> Can you, please, clarify, what should be done?
> >>>>>>>>>> I can try to do tests by myself.
> >>>>>>>>>>
> >>>>>>>>>>> On 6 Jan 2020, at 21:29, Rajini Sivaram <rajinisivaram@gmail.com> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> Hi Brajesh.
> >>>>>>>>>>>
> >>>>>>>>>>> No one is working on this yet, but will follow up with the
> >>>> Confluent
> >>>>>>>>>> tools
> >>>>>>>>>>> team to see when this can be done.
> >>>>>>>>>>>
> >>>>>>>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <
> >>>> kbrajesh176@gmail.com>
> >>>>>>>>>> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> Hello Rajini,
> >>>>>>>>>>>>
> >>>>>>>>>>>> What is the plan to run system tests using JDK 11? Is someone
> >>>>>> working on
> >>>>>>>>>>>> this?
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <
> >>>>>> rajinisivaram@gmail.com>
> >>>>>>>>>>>> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Hi Nikolay,
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> We can leave the KIP open and restart the discussion once
> >> system
> >>>>>> tests
> >>>>>>>>>>>> are
> >>>>>>>>>>>>> running.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Thanks,
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Rajini
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <
> >>>> nizhikov@apache.org
> >>>>>>>
> >>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> Hello, Rajini.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Thanks, for the feedback.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Should I mark this KIP as declined?
> >>>>>>>>>>>>>> Or just wait for the system tests results?
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On 6 Jan 2020, at 17:26, Rajini Sivaram <rajinisivaram@gmail.com> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Hi Nikolay,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Thanks for the KIP. We currently run system tests using
> JDK 8
> >>>> and
> >>>>>>>>>>>> hence
> >>>>>>>>>>>>>> we
> >>>>>>>>>>>>>>> don't yet have full system test results with TLS 1.3 which
> >>>>>> requires
> >>>>>>>>>>>> JDK
> >>>>>>>>>>>>>> 11.
> >>>>>>>>>>>>>>> We should wait until that is done before enabling TLS1.3 by
> >>>>>> default.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Regards,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Rajini
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <
> >>>>>> nizhikov@apache.org>
> >>>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Hello, Team.
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Any feedback on this KIP?
> >>>>>>>>>>>>>>>> Do we need this in Kafka?
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> On 24 Dec 2019, at 18:28, Nikolay Izhikov <nizhikov@apache.org> wrote:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Hello,
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> I'd like to start a discussion of KIP.
> >>>>>>>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete
> versions
> >>>> by
> >>>>>>>>>>>>> default.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Your comments and suggestions are welcome.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>> --
> >>>>>>>>>>>> Regards,
> >>>>>>>>>>>> Brajesh Kumar
> >>>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>
> >>>>
> >>
> >>
>
>
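
The second question in the message above (a configured `ssl.cipher.suites` list versus the different TLS 1.3 suite names) can be reasoned about with a small model; this is an added example, not code from Kafka, the JDK, or anyone in this thread. It assumes a side with no enabled suite for a protocol version cannot negotiate that version, takes [TLSv1.2, TLSv1.3] from the subject line as the default when `ssl.enabled.protocols` is unset, and uses constructed configs; the JVM's TLS stack decides the real outcome.

```python
"""Simplified model of TLS version / cipher-suite negotiation for Kafka SSL
settings. Added illustration only; the real handshake is done by the JVM."""

# Cipher suite names defined for TLS 1.3 (RFC 8446). Any other suite name is
# treated as usable only with TLS 1.2 and older.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

PROTOCOLS_NEWEST_FIRST = ["TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"]

# Assumption: the default proposed in this thread's subject line.
DEFAULT_ENABLED_PROTOCOLS = ["TLSv1.2", "TLSv1.3"]

# Marker returned when neither side restricts cipher suites.
ANY_SUITE = ["<runtime default>"]


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def suite_fits(suite, protocol):
    """TLS 1.3 suites work only with TLS 1.3; all others only below it."""
    return (suite in TLS13_SUITES) == (protocol == "TLSv1.3")


def usable_suites(client_suites, server_suites, protocol):
    """Suites both sides allow for this protocol (None means unrestricted)."""
    if client_suites is None and server_suites is None:
        return ANY_SUITE
    ordered = server_suites if server_suites is not None else client_suites
    return [
        s for s in ordered
        if suite_fits(s, protocol)
        and (client_suites is None or s in client_suites)
        and (server_suites is None or s in server_suites)
    ]


def negotiate(client_text, server_text):
    """Return (protocol, candidate_suites), or (None, []) if nothing matches."""
    client = parse_properties(client_text)
    server = parse_properties(server_text)

    def protocols(props):
        value = props.get("ssl.enabled.protocols")
        return _csv(value) if value else list(DEFAULT_ENABLED_PROTOCOLS)

    def suites(props):
        value = props.get("ssl.cipher.suites")
        return _csv(value) if value else None

    c_protocols, s_protocols = protocols(client), protocols(server)
    c_suites, s_suites = suites(client), suites(server)
    for protocol in PROTOCOLS_NEWEST_FIRST:
        if protocol in c_protocols and protocol in s_protocols:
            candidates = usable_suites(c_suites, s_suites, protocol)
            if candidates:
                return protocol, candidates
    return None, []


# Constructed sample configs (not taken from the thread).
BROKER_TLS12_SUITES_ONLY = """
ssl.enabled.protocols=TLSv1.2,TLSv1.3
ssl.cipher.suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""
BROKER_BOTH_SUITES = """
ssl.cipher.suites=TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""
CLIENT_TLS13_ONLY = "ssl.enabled.protocols=TLSv1.3\n"
CLIENT_DEFAULTS = ""

if __name__ == "__main__":
    cases = [
        ("TLS 1.3-only client, broker with TLS 1.2 suites only",
         CLIENT_TLS13_ONLY, BROKER_TLS12_SUITES_ONLY),
        ("default client, broker with TLS 1.2 suites only",
         CLIENT_DEFAULTS, BROKER_TLS12_SUITES_ONLY),
        ("TLS 1.3-only client, broker listing both suite families",
         CLIENT_TLS13_ONLY, BROKER_BOTH_SUITES),
    ]
    for label, client_cfg, broker_cfg in cases:
        print(label, "->", negotiate(client_cfg, broker_cfg))
```
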

Re: [DISCUSS] KIP-553: Enable TLSv1.3 by default and disable all protocols except [TLSV1.2, TLSV1.3]

Posted by Nikolay Izhikov <ni...@apache.org>.
Ticket created:

https://issues.apache.org/jira/browse/KAFKA-9943

I will prepare the PR, shortly.

> On 27 Apr 2020, at 17:55, Ismael Juma <is...@juma.me.uk> wrote:
> 
> Yes, a PR would be great.
> 
> Ismael
> 
> On Mon, Apr 27, 2020, 2:10 AM Nikolay Izhikov <ni...@apache.org> wrote:
> 
>> Hello, Ismael.
>> 
>> AFAIK we don’t run tests with the TLSv1.3, by default.
>> Are you suggesting to do it?
>> I can create a PR for it.
>> 
>>> On 24 Apr 2020, at 17:34, Ismael Juma <is...@juma.me.uk> wrote:
>>> 
>>> Right, some companies run them nightly. What I meant to ask is if we
>>> changed the configuration so that TLS 1.3 is exercised in the system
>> tests
>>> by default.
>>> 
>>> Ismael
>>> 
>>> On Fri, Apr 24, 2020 at 7:32 AM Nikolay Izhikov <ni...@apache.org>
>> wrote:
>>> 
>>>> Hello, Ismael.
>>>> 
>>>> AFAIK we don’t run system tests nightly.
>>>> Do we have resources to run system tests periodically?
>>>> 
>>>> When I did the testing I used servers my employer gave me.
>>>> 
>>>>> On 24 Apr 2020, at 08:05, Ismael Juma <is...@juma.me.uk> wrote:
>>>>> 
>>>>> Hi Nikolay,
>>>>> 
>>>>> Seems like we have been able to run the system tests with TLS 1.3. Do
>> we
>>>>> run them nightly?
>>>>> 
>>>>> Ismael
>>>>> 
>>>>> On Fri, Feb 14, 2020 at 4:17 AM Nikolay Izhikov <ni...@apache.org>
>>>> wrote:
>>>>> 
>>>>>> Hello, Kafka team.
>>>>>> 
>>>>>> I ran system tests that use SSL for the TLSv1.3.
>>>>>> You can find the results of the tests in the Jira ticket [1], [2],
>> [3],
>>>>>> [4].
>>>>>> 
>>>>>> I also need changes [5] in `security_config.py` to execute system tests
>>>>>> with TLSv1.3 (more info in PR description).
>>>>>> Please, take a look.
>>>>>> 
>>>>>> Test environment:
>>>>>>      • openjdk11
>>>>>>      • trunk + changes from my PR [5].
>>>>>> 
>>>>>> Full system tests results have volume 15gb.
>>>>>> Should I share full logs with you?
>>>>>> 
>>>>>> What else should be done before we can enable TLSv1.3 by default?
>>>>>> 
>>>>>> [1] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036927&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036927
>>>>>>
>>>>>> [2] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036928&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036928
>>>>>>
>>>>>> [3] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036929&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036929
>>>>>>
>>>>>> [4] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036930&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036930
>>>>>>
>>>>>> [5] https://github.com/apache/kafka/pull/8106/files#diff-6dd015b94706f6920d9de524c355ddd8R51
>>>>>> 
>>>>>>> On 29 Jan 2020, at 15:27, Nikolay Izhikov <ni...@gmail.com> wrote:
>>>>>>> 
>>>>>>> Hello, Rajini.
>>>>>>> 
>>>>>>> Thanks for the feedback.
>>>>>>> 
>>>>>>> I’ve searched tests by the «ssl» keyword and found the following
>> tests:
>>>>>>> 
>>>>>>> ./test/kafkatest/services/kafka_log4j_appender.py
>>>>>>> ./test/kafkatest/services/listener_security_config.py
>>>>>>> ./test/kafkatest/services/security/security_config.py
>>>>>>> ./test/kafkatest/tests/core/security_test.py
>>>>>>> 
>>>>>>> Is this all tests that need to be run with the TLSv1.3 to ensure we
>> can
>>>>>> enable it by default?
>>>>>>> 
>>>>>>>> On 28 Jan 2020, at 14:58, Rajini Sivaram <ra...@gmail.com> wrote:
>>>>>>>> 
>>>>>>>> Hi Nikolay,
>>>>>>>> 
>>>>>>>> Not sure of the total space required. But you can run a collection
>> of
>>>>>> tests at a time instead of running them all together. That way, you
>>>> could
>>>>>> just run all the tests that enable SSL. Details of running a subset of
>>>>>> tests are in the README in tests.
>>>>>>>> 
>>>>>>>> On Mon, Jan 27, 2020 at 6:29 PM Nikolay Izhikov <
>> nizhikov@apache.org>
>>>>>> wrote:
>>>>>>>> Hello, Rajini.
>>>>>>>> 
>>>>>>>> I tried to run all system tests but failed for now.
>>>>>>>> It happens that system tests generate a lot of logs.
>>>>>>>> I had a 250GB of the free space but it all was occupied by the log
>>>> from
>>>>>> half of the system tests.
>>>>>>>> 
>>>>>>>> Do you have any idea what is summary disc space I need to run all
>>>>>> system tests?
>>>>>>>> 
>>>>>>>>> On 7 Jan 2020, at 14:49, Rajini Sivaram <ra...@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>> Hi Nikolay,
>>>>>>>>> 
>>>>>>>>> There are a couple of things you could do:
>>>>>>>>> 
>>>>>>>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a
>>>> subset,
>>>>>> but
>>>>>>>>> it will be good to run all of them. You can do this locally using
>>>>>> docker
>>>>>>>>> with JDK 11 by updating the files in tests/docker. You will need to
>>>>>> update
>>>>>>>>> tests/kafkatest/services/security/security_config.py to enable only
>>>>>>>>> TLSv1.3. Instructions for running system tests using docker are in
>>>>>>>>> https://github.com/apache/kafka/blob/trunk/tests/README.md.
>>>>>>>>> 2) For integration tests, we run a small number of tests using
>>>> TLSv1.3
>>>>>> if
>>>>>>>>> the tests are run using JDK 11 and above. We need to do this for
>>>> system
>>>>>>>>> tests as well. There is an open JIRA:
>>>>>>>>> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to
>>>> assign
>>>>>> this
>>>>>>>>> to yourself if you have time to do this.
>>>>>>>>> 
>>>>>>>>> Regards,
>>>>>>>>> 
>>>>>>>>> Rajini
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <nizhikov@apache.org
>>> 
>>>>>> wrote:
>>>>>>>>> 
>>>>>>>>>> Hello, Rajini.
>>>>>>>>>> 
>>>>>>>>>> Can you, please, clarify, what should be done?
>>>>>>>>>> I can try to do tests by myself.
>>>>>>>>>> 
>>>>>>>>>>> On 6 Jan 2020, at 21:29, Rajini Sivaram <rajinisivaram@gmail.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> Hi Brajesh.
>>>>>>>>>>> 
>>>>>>>>>>> No one is working on this yet, but will follow up with the
>>>> Confluent
>>>>>>>>>> tools
>>>>>>>>>>> team to see when this can be done.
>>>>>>>>>>> 
>>>>>>>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <
>>>> kbrajesh176@gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> Hello Rajini,
>>>>>>>>>>>> 
>>>>>>>>>>>> What is the plan to run system tests using JDK 11? Is someone
>>>>>> working on
>>>>>>>>>>>> this?
>>>>>>>>>>>> 
>>>>>>>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <
>>>>>> rajinisivaram@gmail.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> We can leave the KIP open and restart the discussion once
>> system
>>>>>> tests
>>>>>>>>>>>> are
>>>>>>>>>>>>> running.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Rajini
>>>>>>>>>>>>> 
>>>>>>>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <
>>>> nizhikov@apache.org
>>>>>>> 
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Hello, Rajini.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Thanks, for the feedback.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Should I mark this KIP as declined?
>>>>>>>>>>>>>> Or just wait for the system tests results?
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> On 6 Jan 2020, at 17:26, Rajini Sivaram <rajinisivaram@gmail.com> wrote:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8
>>>> and
>>>>>>>>>>>> hence
>>>>>>>>>>>>>> we
>>>>>>>>>>>>>>> don't yet have full system test results with TLS 1.3 which
>>>>>> requires
>>>>>>>>>>>> JDK
>>>>>>>>>>>>>> 11.
>>>>>>>>>>>>>>> We should wait until that is done before enabling TLS1.3 by
>>>>>> default.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Rajini
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <
>>>>>> nizhikov@apache.org>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Hello, Team.
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Any feedback on this KIP?
>>>>>>>>>>>>>>>> Do we need this in Kafka?
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> On 24 Dec 2019, at 18:28, Nikolay Izhikov <nizhikov@apache.org> wrote:
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> I'd like to start a discussion of KIP.
>>>>>>>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions
>>>> by
>>>>>>>>>>>>> default.
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> Your comments and suggestions are welcome.
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> --
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Brajesh Kumar
>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> 
>>>> 
>>>> 
>> 
>> 


Re: [DISCUSS] KIP-553: Enable TLSv1.3 by default and disable all protocols except [TLSV1.2, TLSV1.3]

Posted by Ismael Juma <is...@juma.me.uk>.
Yes, a PR would be great.

Ismael

On Mon, Apr 27, 2020, 2:10 AM Nikolay Izhikov <ni...@apache.org> wrote:

> Hello, Ismael.
>
> AFAIK we don’t run tests with the TLSv1.3, by default.
> Are you suggesting to do it?
> I can create a PR for it.
>
> > On 24 Apr 2020, at 17:34, Ismael Juma <is...@juma.me.uk> wrote:
> >
> > Right, some companies run them nightly. What I meant to ask is if we
> > changed the configuration so that TLS 1.3 is exercised in the system
> tests
> > by default.
> >
> > Ismael
> >
> > On Fri, Apr 24, 2020 at 7:32 AM Nikolay Izhikov <ni...@apache.org>
> wrote:
> >
> >> Hello, Ismael.
> >>
> >> AFAIK we don’t run system tests nightly.
> >> Do we have resources to run system tests periodically?
> >>
> >> When I did the testing I used servers my employer gave me.
> >>
> >>> On 24 Apr 2020, at 08:05, Ismael Juma <is...@juma.me.uk> wrote:
> >>>
> >>> Hi Nikolay,
> >>>
> >>> Seems like we have been able to run the system tests with TLS 1.3. Do
> we
> >>> run them nightly?
> >>>
> >>> Ismael
> >>>
> >>> On Fri, Feb 14, 2020 at 4:17 AM Nikolay Izhikov <ni...@apache.org>
> >> wrote:
> >>>
> >>>> Hello, Kafka team.
> >>>>
> >>>> I ran system tests that use SSL for the TLSv1.3.
> >>>> You can find the results of the tests in the Jira ticket [1], [2],
> [3],
> >>>> [4].
> >>>>
> >>>> I also need changes [5] in `security_config.py` to execute system tests
> >>>> with TLSv1.3 (more info in PR description).
> >>>> Please, take a look.
> >>>>
> >>>> Test environment:
> >>>>       • openjdk11
> >>>>       • trunk + changes from my PR [5].
> >>>>
> >>>> Full system tests results have volume 15gb.
> >>>> Should I share full logs with you?
> >>>>
> >>>> What else should be done before we can enable TLSv1.3 by default?
> >>>>
> >>>> [1] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036927&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036927
> >>>>
> >>>> [2] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036928&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036928
> >>>>
> >>>> [3] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036929&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036929
> >>>>
> >>>> [4] https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036930&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036930
> >>>>
> >>>> [5] https://github.com/apache/kafka/pull/8106/files#diff-6dd015b94706f6920d9de524c355ddd8R51
> >>>>
> >>>>> On 29 Jan 2020, at 15:27, Nikolay Izhikov <ni...@gmail.com> wrote:
> >>>>>
> >>>>> Hello, Rajini.
> >>>>>
> >>>>> Thanks for the feedback.
> >>>>>
> >>>>> I’ve searched tests by the «ssl» keyword and found the following
> tests:
> >>>>>
> >>>>> ./test/kafkatest/services/kafka_log4j_appender.py
> >>>>> ./test/kafkatest/services/listener_security_config.py
> >>>>> ./test/kafkatest/services/security/security_config.py
> >>>>> ./test/kafkatest/tests/core/security_test.py
> >>>>>
> >>>>> Is this all tests that need to be run with the TLSv1.3 to ensure we
> can
> >>>> enable it by default?
> >>>>>
> >>>>>> On 28 Jan 2020, at 14:58, Rajini Sivaram <ra...@gmail.com> wrote:
> >>>>>>
> >>>>>> Hi Nikolay,
> >>>>>>
> >>>>>> Not sure of the total space required. But you can run a collection
> of
> >>>> tests at a time instead of running them all together. That way, you
> >> could
> >>>> just run all the tests that enable SSL. Details of running a subset of
> >>>> tests are in the README in tests.
> >>>>>>
> >>>>>> On Mon, Jan 27, 2020 at 6:29 PM Nikolay Izhikov <
> nizhikov@apache.org>
> >>>> wrote:
> >>>>>> Hello, Rajini.
> >>>>>>
> >>>>>> I tried to run all system tests but failed for now.
> >>>>>> It happens that system tests generate a lot of logs.
> >>>>>> I had a 250GB of the free space but it all was occupied by the log
> >> from
> >>>> half of the system tests.
> >>>>>>
> >>>>>> Do you have any idea what is summary disc space I need to run all
> >>>> system tests?
> >>>>>>
> >>>>>>> On 7 Jan 2020, at 14:49, Rajini Sivaram <ra...@gmail.com> wrote:
> >>>>>>>
> >>>>>>> Hi Nikolay,
> >>>>>>>
> >>>>>>> There are a couple of things you could do:
> >>>>>>>
> >>>>>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a
> >> subset,
> >>>> but
> >>>>>>> it will be good to run all of them. You can do this locally using
> >>>> docker
> >>>>>>> with JDK 11 by updating the files in tests/docker. You will need to
> >>>> update
> >>>>>>> tests/kafkatest/services/security/security_config.py to enable only
> >>>>>>> TLSv1.3. Instructions for running system tests using docker are in
> >>>>>>> https://github.com/apache/kafka/blob/trunk/tests/README.md.
> >>>>>>> 2) For integration tests, we run a small number of tests using
> >> TLSv1.3
> >>>> if
> >>>>>>> the tests are run using JDK 11 and above. We need to do this for
> >> system
> >>>>>>> tests as well. There is an open JIRA:
> >>>>>>> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to
> >> assign
> >>>> this
> >>>>>>> to yourself if you have time to do this.
> >>>>>>>
> >>>>>>> Regards,
> >>>>>>>
> >>>>>>> Rajini
> >>>>>>>
> >>>>>>>
> >>>>>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <nizhikov@apache.org
> >
> >>>> wrote:
> >>>>>>>
> >>>>>>>> Hello, Rajini.
> >>>>>>>>
> >>>>>>>> Can you, please, clarify, what should be done?
> >>>>>>>> I can try to do tests by myself.
> >>>>>>>>
> >>>>>>>>> On 6 Jan 2020, at 21:29, Rajini Sivaram <rajinisivaram@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>> Hi Brajesh.
> >>>>>>>>>
> >>>>>>>>> No one is working on this yet, but will follow up with the
> >> Confluent
> >>>>>>>> tools
> >>>>>>>>> team to see when this can be done.
> >>>>>>>>>
> >>>>>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <
> >> kbrajesh176@gmail.com>
> >>>>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>>> Hello Rajini,
> >>>>>>>>>>
> >>>>>>>>>> What is the plan to run system tests using JDK 11? Is someone
> >>>> working on
> >>>>>>>>>> this?
> >>>>>>>>>>
> >>>>>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <
> >>>> rajinisivaram@gmail.com>
> >>>>>>>>>> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> Hi Nikolay,
> >>>>>>>>>>>
> >>>>>>>>>>> We can leave the KIP open and restart the discussion once
> system
> >>>> tests
> >>>>>>>>>> are
> >>>>>>>>>>> running.
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks,
> >>>>>>>>>>>
> >>>>>>>>>>> Rajini
> >>>>>>>>>>>
> >>>>>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <
> >> nizhikov@apache.org
> >>>>>
> >>>>>>>>>> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> Hello, Rajini.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Thanks, for the feedback.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Should I mark this KIP as declined?
> >>>>>>>>>>>> Or just wait for the system tests results?
> >>>>>>>>>>>>
> >>>>>>>>>>>>> On Jan 6, 2020, at 17:26, Rajini Sivaram <rajinisivaram@gmail.com> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Hi Nikolay,
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8
> >> and
> >>>>>>>>>> hence
> >>>>>>>>>>>> we
> >>>>>>>>>>>>> don't yet have full system test results with TLS 1.3 which
> >>>> requires
> >>>>>>>>>> JDK
> >>>>>>>>>>>> 11.
> >>>>>>>>>>>>> We should wait until that is done before enabling TLS1.3 by
> >>>> default.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Regards,
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Rajini
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <
> >>>> nizhikov@apache.org>
> >>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> Hello, Team.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Any feedback on this KIP?
> >>>>>>>>>>>>>> Do we need this in Kafka?
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On Dec 24, 2019, at 18:28, Nikolay Izhikov <nizhikov@apache.org> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Hello,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> I'd like to start a discussion of KIP.
> >>>>>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions
> >> by
> >>>>>>>>>>> default.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>
> >>>>
> >>
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Your comments and suggestions are welcome.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> --
> >>>>>>>>>> Regards,
> >>>>>>>>>> Brajesh Kumar
> >>>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>
> >>
>
>

Re: [DISCUSS] KIP-553: Enable TLSv1.3 by default and disable all protocols except [TLSV1.2, TLSV1.3]

Posted by Nikolay Izhikov <ni...@apache.org>.
Hello, Ismael.

AFAIK we don’t run tests with TLSv1.3 by default.
Are you suggesting that we do it?
I can create a PR for it.

> On Apr 24, 2020, at 17:34, Ismael Juma <is...@juma.me.uk> wrote:
> 
> Right, some companies run them nightly. What I meant to ask is if we
> changed the configuration so that TLS 1.3 is exercised in the system tests
> by default.
> 
> Ismael
> 
> On Fri, Apr 24, 2020 at 7:32 AM Nikolay Izhikov <ni...@apache.org> wrote:
> 
>> Hello, Ismael.
>> 
>> AFAIK we don’t run system tests nightly.
>> Do we have resources to run system tests periodically?
>> 
>> When I did the testing I used servers my employer gave me.
>> 
>>> On Apr 24, 2020, at 08:05, Ismael Juma <is...@juma.me.uk> wrote:
>>> 
>>> Hi Nikolay,
>>> 
>>> Seems like we have been able to run the system tests with TLS 1.3. Do we
>>> run them nightly?
>>> 
>>> Ismael
>>> 
>>> On Fri, Feb 14, 2020 at 4:17 AM Nikolay Izhikov <ni...@apache.org>
>> wrote:
>>> 
>>>> Hello, Kafka team.
>>>> 
>>>> I ran system tests that use SSL for the TLSv1.3.
>>>> You can find the results of the tests in the Jira ticket [1], [2], [3],
>>>> [4].
>>>> 
>>>> I also need changes [5] in `security_config.py` to execute system tests
>>>> with TLSv1.3 (more info in PR description).
>>>> Please, take a look.
>>>> 
>>>> Test environment:
>>>>       • openjdk11
>>>>       • trunk + changes from my PR [5].
>>>> 
>>>> Full system tests results have volume 15gb.
>>>> Should I share full logs with you?
>>>> 
>>>> What else should be done before we can enable TLSv1.3 by default?
>>>> 
>>>> [1]
>>>> 
>> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036927&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036927
>>>> 
>>>> [2]
>>>> 
>> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036928&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036928
>>>> 
>>>> [3]
>>>> 
>> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036929&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036929
>>>> 
>>>> [4]
>>>> 
>> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036930&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036930
>>>> 
>>>> [5]
>>>> 
>> https://github.com/apache/kafka/pull/8106/files#diff-6dd015b94706f6920d9de524c355ddd8R51
>>>> 
>>>>> On Jan 29, 2020, at 15:27, Nikolay Izhikov <ni...@gmail.com> wrote:
>>>>> 
>>>>> Hello, Rajini.
>>>>> 
>>>>> Thanks for the feedback.
>>>>> 
>>>>> I’ve searched tests by the «ssl» keyword and found the following tests:
>>>>> 
>>>>> ./test/kafkatest/services/kafka_log4j_appender.py
>>>>> ./test/kafkatest/services/listener_security_config.py
>>>>> ./test/kafkatest/services/security/security_config.py
>>>>> ./test/kafkatest/tests/core/security_test.py
>>>>> 
>>>>> Are these all the tests that need to be run with TLSv1.3 to ensure we can
>>>> enable it by default?
>>>>>
>>>>>> On Jan 28, 2020, at 14:58, Rajini Sivaram <ra...@gmail.com> wrote:
>>>>>> 
>>>>>> Hi Nikolay,
>>>>>> 
>>>>>> Not sure of the total space required. But you can run a collection of
>>>> tests at a time instead of running them all together. That way, you
>> could
>>>> just run all the tests that enable SSL. Details of running a subset of
>>>> tests are in the README in tests.
>>>>>> 
>>>>>> On Mon, Jan 27, 2020 at 6:29 PM Nikolay Izhikov <ni...@apache.org>
>>>> wrote:
>>>>>> Hello, Rajini.
>>>>>> 
>>>>>> I tried to run all system tests but failed for now.
>>>>>> It happens that system tests generate a lot of logs.
>>>>>> I had a 250GB of the free space but it all was occupied by the log
>> from
>>>> half of the system tests.
>>>>>> 
>>>>>> Do you have any idea what is summary disc space I need to run all
>>>> system tests?
>>>>>> 
>>>>>>> On Jan 7, 2020, at 14:49, Rajini Sivaram <ra...@gmail.com> wrote:
>>>>>>>
>>>>>>> Hi Nikolay,
>>>>>>>
>>>>>>> There are a couple of things you could do:
>>>>>>> 
>>>>>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a
>> subset,
>>>> but
>>>>>>> it will be good to run all of them. You can do this locally using
>>>> docker
>>>>>>> with JDK 11 by updating the files in tests/docker. You will need to
>>>> update
>>>>>>> tests/kafkatest/services/security/security_config.py to enable only
>>>>>>> TLSv1.3. Instructions for running system tests using docker are in
>>>>>>> https://github.com/apache/kafka/blob/trunk/tests/README.md.
>>>>>>> 2) For integration tests, we run a small number of tests using
>> TLSv1.3
>>>> if
>>>>>>> the tests are run using JDK 11 and above. We need to do this for
>> system
>>>>>>> tests as well. There is an open JIRA:
>>>>>>> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to
>> assign
>>>> this
>>>>>>> to yourself if you have time to do this.
>>>>>>> 
>>>>>>> Regards,
>>>>>>> 
>>>>>>> Rajini
>>>>>>> 
>>>>>>> 
>>>>>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <ni...@apache.org>
>>>> wrote:
>>>>>>> 
>>>>>>>> Hello, Rajini.
>>>>>>>> 
>>>>>>>> Can you, please, clarify, what should be done?
>>>>>>>> I can try to do tests by myself.
>>>>>>>> 
>>>>>>>>> On Jan 6, 2020, at 21:29, Rajini Sivaram <ra...@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>> Hi Brajesh.
>>>>>>>>> 
>>>>>>>>> No one is working on this yet, but will follow up with the
>> Confluent
>>>>>>>> tools
>>>>>>>>> team to see when this can be done.
>>>>>>>>> 
>>>>>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <
>> kbrajesh176@gmail.com>
>>>>>>>> wrote:
>>>>>>>>> 
>>>>>>>>>> Hello Rajini,
>>>>>>>>>> 
>>>>>>>>>> What is the plan to run system tests using JDK 11? Is someone
>>>> working on
>>>>>>>>>> this?
>>>>>>>>>> 
>>>>>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <
>>>> rajinisivaram@gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>> 
>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>> 
>>>>>>>>>>> We can leave the KIP open and restart the discussion once system
>>>> tests
>>>>>>>>>> are
>>>>>>>>>>> running.
>>>>>>>>>>> 
>>>>>>>>>>> Thanks,
>>>>>>>>>>> 
>>>>>>>>>>> Rajini
>>>>>>>>>>> 
>>>>>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <
>> nizhikov@apache.org
>>>>> 
>>>>>>>>>> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> Hello, Rajini.
>>>>>>>>>>>> 
>>>>>>>>>>>> Thanks, for the feedback.
>>>>>>>>>>>> 
>>>>>>>>>>>> Should I mark this KIP as declined?
>>>>>>>>>>>> Or just wait for the system tests results?
>>>>>>>>>>>> 
>>>>>>>>>>>>> On Jan 6, 2020, at 17:26, Rajini Sivaram <rajinisivaram@gmail.com> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8
>> and
>>>>>>>>>> hence
>>>>>>>>>>>> we
>>>>>>>>>>>>> don't yet have full system test results with TLS 1.3 which
>>>> requires
>>>>>>>>>> JDK
>>>>>>>>>>>> 11.
>>>>>>>>>>>>> We should wait until that is done before enabling TLS1.3 by
>>>> default.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Rajini
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <
>>>> nizhikov@apache.org>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Hello, Team.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Any feedback on this KIP?
>>>>>>>>>>>>>> Do we need this in Kafka?
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> On Dec 24, 2019, at 18:28, Nikolay Izhikov <nizhikov@apache.org> wrote:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> I'd like to start a discussion of KIP.
>>>>>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions
>> by
>>>>>>>>>>> default.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>> 
>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Your comments and suggestions are welcome.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> --
>>>>>>>>>> Regards,
>>>>>>>>>> Brajesh Kumar
>>>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>>> 
>> 
>> 


Re: [DISCUSS] KIP-553: Enable TLSv1.3 by default and disable all protocols except [TLSV1.2, TLSV1.3]

Posted by Ismael Juma <is...@juma.me.uk>.
Right, some companies run them nightly. What I meant to ask is if we
changed the configuration so that TLS 1.3 is exercised in the system tests
by default.

Ismael

On Fri, Apr 24, 2020 at 7:32 AM Nikolay Izhikov <ni...@apache.org> wrote:

> Hello, Ismael.
>
> AFAIK we don’t run system tests nightly.
> Do we have resources to run system tests periodically?
>
> When I did the testing I used servers my employer gave me.
>
> > On Apr 24, 2020, at 08:05, Ismael Juma <is...@juma.me.uk> wrote:
> >
> > Hi Nikolay,
> >
> > Seems like we have been able to run the system tests with TLS 1.3. Do we
> > run them nightly?
> >
> > Ismael
> >
> > On Fri, Feb 14, 2020 at 4:17 AM Nikolay Izhikov <ni...@apache.org>
> wrote:
> >
> >> Hello, Kafka team.
> >>
> >> I ran system tests that use SSL for the TLSv1.3.
> >> You can find the results of the tests in the Jira ticket [1], [2], [3],
> >> [4].
> >>
> >> I also need changes [5] in `security_config.py` to execute system tests
> >> with TLSv1.3 (more info in PR description).
> >> Please, take a look.
> >>
> >> Test environment:
> >>        • openjdk11
> >>        • trunk + changes from my PR [5].
> >>
> >> Full system tests results have volume 15gb.
> >> Should I share full logs with you?
> >>
> >> What else should be done before we can enable TLSv1.3 by default?
> >>
> >> [1]
> >>
> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036927&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036927
> >>
> >> [2]
> >>
> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036928&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036928
> >>
> >> [3]
> >>
> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036929&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036929
> >>
> >> [4]
> >>
> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036930&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036930
> >>
> >> [5]
> >>
> https://github.com/apache/kafka/pull/8106/files#diff-6dd015b94706f6920d9de524c355ddd8R51
> >>
> >>> On Jan 29, 2020, at 15:27, Nikolay Izhikov <ni...@gmail.com> wrote:
> >>>
> >>> Hello, Rajini.
> >>>
> >>> Thanks for the feedback.
> >>>
> >>> I’ve searched tests by the «ssl» keyword and found the following tests:
> >>>
> >>> ./test/kafkatest/services/kafka_log4j_appender.py
> >>> ./test/kafkatest/services/listener_security_config.py
> >>> ./test/kafkatest/services/security/security_config.py
> >>> ./test/kafkatest/tests/core/security_test.py
> >>>
> >>> Are these all the tests that need to be run with TLSv1.3 to ensure we can
> >> enable it by default?
> >>>
> >>>> On Jan 28, 2020, at 14:58, Rajini Sivaram <ra...@gmail.com> wrote:
> >>>>
> >>>> Hi Nikolay,
> >>>>
> >>>> Not sure of the total space required. But you can run a collection of
> >> tests at a time instead of running them all together. That way, you
> could
> >> just run all the tests that enable SSL. Details of running a subset of
> >> tests are in the README in tests.
> >>>>
> >>>> On Mon, Jan 27, 2020 at 6:29 PM Nikolay Izhikov <ni...@apache.org>
> >> wrote:
> >>>> Hello, Rajini.
> >>>>
> >>>> I tried to run all system tests but failed for now.
> >>>> It happens that system tests generate a lot of logs.
> >>>> I had a 250GB of the free space but it all was occupied by the log
> from
> >> half of the system tests.
> >>>>
> >>>> Do you have any idea what is summary disc space I need to run all
> >> system tests?
> >>>>
> >>>>> On Jan 7, 2020, at 14:49, Rajini Sivaram <ra...@gmail.com> wrote:
> >>>>>
> >>>>> Hi Nikolay,
> >>>>>
> >>>>> There are a couple of things you could do:
> >>>>>
> >>>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a
> subset,
> >> but
> >>>>> it will be good to run all of them. You can do this locally using
> >> docker
> >>>>> with JDK 11 by updating the files in tests/docker. You will need to
> >> update
> >>>>> tests/kafkatest/services/security/security_config.py to enable only
> >>>>> TLSv1.3. Instructions for running system tests using docker are in
> >>>>> https://github.com/apache/kafka/blob/trunk/tests/README.md.
> >>>>> 2) For integration tests, we run a small number of tests using
> TLSv1.3
> >> if
> >>>>> the tests are run using JDK 11 and above. We need to do this for
> system
> >>>>> tests as well. There is an open JIRA:
> >>>>> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to
> assign
> >> this
> >>>>> to yourself if you have time to do this.
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>> Rajini
> >>>>>
> >>>>>
> >>>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <ni...@apache.org>
> >> wrote:
> >>>>>
> >>>>>> Hello, Rajini.
> >>>>>>
> >>>>>> Can you, please, clarify, what should be done?
> >>>>>> I can try to do tests by myself.
> >>>>>>
> >>>>>>> On Jan 6, 2020, at 21:29, Rajini Sivaram <ra...@gmail.com> wrote:
> >>>>>>>
> >>>>>>> Hi Brajesh.
> >>>>>>>
> >>>>>>> No one is working on this yet, but will follow up with the
> Confluent
> >>>>>> tools
> >>>>>>> team to see when this can be done.
> >>>>>>>
> >>>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <
> kbrajesh176@gmail.com>
> >>>>>> wrote:
> >>>>>>>
> >>>>>>>> Hello Rajini,
> >>>>>>>>
> >>>>>>>> What is the plan to run system tests using JDK 11? Is someone
> >> working on
> >>>>>>>> this?
> >>>>>>>>
> >>>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <
> >> rajinisivaram@gmail.com>
> >>>>>>>> wrote:
> >>>>>>>>
> >>>>>>>>> Hi Nikolay,
> >>>>>>>>>
> >>>>>>>>> We can leave the KIP open and restart the discussion once system
> >> tests
> >>>>>>>> are
> >>>>>>>>> running.
> >>>>>>>>>
> >>>>>>>>> Thanks,
> >>>>>>>>>
> >>>>>>>>> Rajini
> >>>>>>>>>
> >>>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <
> nizhikov@apache.org
> >>>
> >>>>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>>> Hello, Rajini.
> >>>>>>>>>>
> >>>>>>>>>> Thanks, for the feedback.
> >>>>>>>>>>
> >>>>>>>>>> Should I mark this KIP as declined?
> >>>>>>>>>> Or just wait for the system tests results?
> >>>>>>>>>>
> >>>>>>>>>>> On Jan 6, 2020, at 17:26, Rajini Sivaram <rajinisivaram@gmail.com> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> Hi Nikolay,
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8
> and
> >>>>>>>> hence
> >>>>>>>>>> we
> >>>>>>>>>>> don't yet have full system test results with TLS 1.3 which
> >> requires
> >>>>>>>> JDK
> >>>>>>>>>> 11.
> >>>>>>>>>>> We should wait until that is done before enabling TLS1.3 by
> >> default.
> >>>>>>>>>>>
> >>>>>>>>>>> Regards,
> >>>>>>>>>>>
> >>>>>>>>>>> Rajini
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <
> >> nizhikov@apache.org>
> >>>>>>>>>> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> Hello, Team.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Any feedback on this KIP?
> >>>>>>>>>>>> Do we need this in Kafka?
> >>>>>>>>>>>>
> >>>>>>>>>>>>> On Dec 24, 2019, at 18:28, Nikolay Izhikov <nizhikov@apache.org> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Hello,
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I'd like to start a discussion of KIP.
> >>>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions
> by
> >>>>>>>>> default.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>
> >>
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Your comments and suggestions are welcome.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Regards,
> >>>>>>>> Brajesh Kumar
> >>>>>>>>
> >>>>>>
> >>>>>>
> >>>>
> >>>
> >>
> >>
>
>

Re: [DISCUSS] KIP-553: Enable TLSv1.3 by default and disable all protocols except [TLSV1.2, TLSV1.3]

Posted by Nikolay Izhikov <ni...@apache.org>.
Hello, Ismael.

AFAIK we don’t run system tests nightly.
Do we have resources to run system tests periodically?

When I did the testing I used servers my employer gave me.

> On Apr 24, 2020, at 08:05, Ismael Juma <is...@juma.me.uk> wrote:
> 
> Hi Nikolay,
> 
> Seems like we have been able to run the system tests with TLS 1.3. Do we
> run them nightly?
> 
> Ismael
> 
> On Fri, Feb 14, 2020 at 4:17 AM Nikolay Izhikov <ni...@apache.org> wrote:
> 
>> Hello, Kafka team.
>> 
>> I ran system tests that use SSL for the TLSv1.3.
>> You can find the results of the tests in the Jira ticket [1], [2], [3],
>> [4].
>> 
>> I also need changes [5] in `security_config.py` to execute system tests
>> with TLSv1.3 (more info in PR description).
>> Please, take a look.
>> 
>> Test environment:
>>        • openjdk11
>>        • trunk + changes from my PR [5].
>> 
>> Full system tests results have volume 15gb.
>> Should I share full logs with you?
>> 
>> What else should be done before we can enable TLSv1.3 by default?
>> 
>> [1]
>> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036927&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036927
>> 
>> [2]
>> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036928&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036928
>> 
>> [3]
>> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036929&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036929
>> 
>> [4]
>> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036930&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036930
>> 
>> [5]
>> https://github.com/apache/kafka/pull/8106/files#diff-6dd015b94706f6920d9de524c355ddd8R51
>> 
>>> On Jan 29, 2020, at 15:27, Nikolay Izhikov <ni...@gmail.com> wrote:
>>> 
>>> Hello, Rajini.
>>> 
>>> Thanks for the feedback.
>>> 
>>> I’ve searched tests by the «ssl» keyword and found the following tests:
>>> 
>>> ./test/kafkatest/services/kafka_log4j_appender.py
>>> ./test/kafkatest/services/listener_security_config.py
>>> ./test/kafkatest/services/security/security_config.py
>>> ./test/kafkatest/tests/core/security_test.py
>>> 
>>> Are these all the tests that need to be run with TLSv1.3 to ensure we can
>> enable it by default?
>>>
>>>> On Jan 28, 2020, at 14:58, Rajini Sivaram <ra...@gmail.com> wrote:
>>>> 
>>>> Hi Nikolay,
>>>> 
>>>> Not sure of the total space required. But you can run a collection of
>> tests at a time instead of running them all together. That way, you could
>> just run all the tests that enable SSL. Details of running a subset of
>> tests are in the README in tests.
>>>> 
>>>> On Mon, Jan 27, 2020 at 6:29 PM Nikolay Izhikov <ni...@apache.org>
>> wrote:
>>>> Hello, Rajini.
>>>> 
>>>> I tried to run all system tests but failed for now.
>>>> It happens that system tests generate a lot of logs.
>>>> I had a 250GB of the free space but it all was occupied by the log from
>> half of the system tests.
>>>> 
>>>> Do you have any idea what is summary disc space I need to run all
>> system tests?
>>>> 
>>>>> On Jan 7, 2020, at 14:49, Rajini Sivaram <ra...@gmail.com> wrote:
>>>>>
>>>>> Hi Nikolay,
>>>>>
>>>>> There are a couple of things you could do:
>>>>> 
>>>>> 1) Run all system tests that use SSL with TLSv1.3. I had run a subset,
>> but
>>>>> it will be good to run all of them. You can do this locally using
>> docker
>>>>> with JDK 11 by updating the files in tests/docker. You will need to
>> update
>>>>> tests/kafkatest/services/security/security_config.py to enable only
>>>>> TLSv1.3. Instructions for running system tests using docker are in
>>>>> https://github.com/apache/kafka/blob/trunk/tests/README.md.
>>>>> 2) For integration tests, we run a small number of tests using TLSv1.3
>> if
>>>>> the tests are run using JDK 11 and above. We need to do this for system
>>>>> tests as well. There is an open JIRA:
>>>>> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to assign
>> this
>>>>> to yourself if you have time to do this.
>>>>> 
>>>>> Regards,
>>>>> 
>>>>> Rajini
>>>>> 
>>>>> 
>>>>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <ni...@apache.org>
>> wrote:
>>>>> 
>>>>>> Hello, Rajini.
>>>>>> 
>>>>>> Can you, please, clarify, what should be done?
>>>>>> I can try to do tests by myself.
>>>>>> 
>>>>>>> On Jan 6, 2020, at 21:29, Rajini Sivaram <ra...@gmail.com> wrote:
>>>>>>> 
>>>>>>> Hi Brajesh.
>>>>>>> 
>>>>>>> No one is working on this yet, but will follow up with the Confluent
>>>>>> tools
>>>>>>> team to see when this can be done.
>>>>>>> 
>>>>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <kb...@gmail.com>
>>>>>> wrote:
>>>>>>> 
>>>>>>>> Hello Rajini,
>>>>>>>> 
>>>>>>>> What is the plan to run system tests using JDK 11? Is someone
>> working on
>>>>>>>> this?
>>>>>>>> 
>>>>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <
>> rajinisivaram@gmail.com>
>>>>>>>> wrote:
>>>>>>>> 
>>>>>>>>> Hi Nikolay,
>>>>>>>>> 
>>>>>>>>> We can leave the KIP open and restart the discussion once system
>> tests
>>>>>>>> are
>>>>>>>>> running.
>>>>>>>>> 
>>>>>>>>> Thanks,
>>>>>>>>> 
>>>>>>>>> Rajini
>>>>>>>>> 
>>>>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <nizhikov@apache.org
>>> 
>>>>>>>> wrote:
>>>>>>>>> 
>>>>>>>>>> Hello, Rajini.
>>>>>>>>>> 
>>>>>>>>>> Thanks, for the feedback.
>>>>>>>>>> 
>>>>>>>>>> Should I mark this KIP as declined?
>>>>>>>>>> Or just wait for the system tests results?
>>>>>>>>>> 
>>>>>>>>>>> On Jan 6, 2020, at 17:26, Rajini Sivaram <rajinisivaram@gmail.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> Hi Nikolay,
>>>>>>>>>>> 
>>>>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8 and
>>>>>>>> hence
>>>>>>>>>> we
>>>>>>>>>>> don't yet have full system test results with TLS 1.3 which
>> requires
>>>>>>>> JDK
>>>>>>>>>> 11.
>>>>>>>>>>> We should wait until that is done before enabling TLS1.3 by
>> default.
>>>>>>>>>>> 
>>>>>>>>>>> Regards,
>>>>>>>>>>> 
>>>>>>>>>>> Rajini
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <
>> nizhikov@apache.org>
>>>>>>>>>> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> Hello, Team.
>>>>>>>>>>>> 
>>>>>>>>>>>> Any feedback on this KIP?
>>>>>>>>>>>> Do we need this in Kafka?
>>>>>>>>>>>> 
>>>>>>>>>>>>> On Dec 24, 2019, at 18:28, Nikolay Izhikov <nizhikov@apache.org> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> I'd like to start a discussion of KIP.
>>>>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions by
>>>>>>>>> default.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>> 
>>>>>> 
>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Your comments and suggestions are welcome.
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> --
>>>>>>>> Regards,
>>>>>>>> Brajesh Kumar
>>>>>>>> 
>>>>>> 
>>>>>> 
>>>> 
>>> 
>> 
>> 


Re: [DISCUSS] KIP-553: Enable TLSv1.3 by default and disable all protocols except [TLSV1.2, TLSV1.3]

Posted by Ismael Juma <is...@juma.me.uk>.
Hi Nikolay,

Seems like we have been able to run the system tests with TLS 1.3. Do we
run them nightly?

Ismael

On Fri, Feb 14, 2020 at 4:17 AM Nikolay Izhikov <ni...@apache.org> wrote:

> Hello, Kafka team.
>
> I ran system tests that use SSL for the TLSv1.3.
> You can find the results of the tests in the Jira ticket [1], [2], [3],
> [4].
>
> I also need changes [5] in `security_config.py` to execute system tests
> with TLSv1.3 (more info in PR description).
> Please, take a look.
>
> Test environment:
>         • openjdk11
>         • trunk + changes from my PR [5].
>
> Full system tests results have volume 15gb.
> Should I share full logs with you?
>
> What else should be done before we can enable TLSv1.3 by default?
>
> [1]
> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036927&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036927
>
> [2]
> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036928&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036928
>
> [3]
> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036929&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036929
>
> [4]
> https://issues.apache.org/jira/browse/KAFKA-9319?focusedCommentId=17036930&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17036930
>
> [5]
> https://github.com/apache/kafka/pull/8106/files#diff-6dd015b94706f6920d9de524c355ddd8R51
>
> > On Jan 29, 2020, at 15:27, Nikolay Izhikov <ni...@gmail.com> wrote:
> >
> > Hello, Rajini.
> >
> > Thanks for the feedback.
> >
> > I’ve searched tests by the «ssl» keyword and found the following tests:
> >
> > ./test/kafkatest/services/kafka_log4j_appender.py
> > ./test/kafkatest/services/listener_security_config.py
> > ./test/kafkatest/services/security/security_config.py
> > ./test/kafkatest/tests/core/security_test.py
> >
> > Are these all the tests that need to be run with TLSv1.3 to ensure we can
> enable it by default?
> >
> >> On Jan 28, 2020, at 14:58, Rajini Sivaram <ra...@gmail.com> wrote:
> >>
> >> Hi Nikolay,
> >>
> >> Not sure of the total space required. But you can run a collection of
> tests at a time instead of running them all together. That way, you could
> just run all the tests that enable SSL. Details of running a subset of
> tests are in the README in tests.
> >>
> >> On Mon, Jan 27, 2020 at 6:29 PM Nikolay Izhikov <ni...@apache.org>
> wrote:
> >> Hello, Rajini.
> >>
> >> I tried to run all system tests but failed for now.
> >> It happens that system tests generate a lot of logs.
> >> I had a 250GB of the free space but it all was occupied by the log from
> half of the system tests.
> >>
> >> Do you have any idea what is summary disc space I need to run all
> system tests?
> >>
> >>> On Jan 7, 2020, at 14:49, Rajini Sivaram <ra...@gmail.com> wrote:
> >>>
> >>> Hi Nikolay,
> >>>
> >>> There are a couple of things you could do:
> >>>
> >>> 1) Run all system tests that use SSL with TLSv1.3. I had run a subset,
> but
> >>> it will be good to run all of them. You can do this locally using
> docker
> >>> with JDK 11 by updating the files in tests/docker. You will need to
> update
> >>> tests/kafkatest/services/security/security_config.py to enable only
> >>> TLSv1.3. Instructions for running system tests using docker are in
> >>> https://github.com/apache/kafka/blob/trunk/tests/README.md.
> >>> 2) For integration tests, we run a small number of tests using TLSv1.3
> if
> >>> the tests are run using JDK 11 and above. We need to do this for system
> >>> tests as well. There is an open JIRA:
> >>> https://issues.apache.org/jira/browse/KAFKA-9319. Feel free to assign
> this
> >>> to yourself if you have time to do this.
> >>>
> >>> Regards,
> >>>
> >>> Rajini
> >>>
> >>>
> >>> On Tue, Jan 7, 2020 at 5:15 AM Николай Ижиков <ni...@apache.org>
> wrote:
> >>>
> >>>> Hello, Rajini.
> >>>>
> >>>> Can you, please, clarify, what should be done?
> >>>> I can try to do tests by myself.
> >>>>
> >>>>> On Jan 6, 2020, at 21:29, Rajini Sivaram <ra...@gmail.com> wrote:
> >>>>>
> >>>>> Hi Brajesh.
> >>>>>
> >>>>> No one is working on this yet, but will follow up with the Confluent
> >>>> tools
> >>>>> team to see when this can be done.
> >>>>>
> >>>>> On Mon, Jan 6, 2020 at 3:29 PM Brajesh Kumar <kb...@gmail.com>
> >>>> wrote:
> >>>>>
> >>>>>> Hello Rajini,
> >>>>>>
> >>>>>> What is the plan to run system tests using JDK 11? Is someone
> working on
> >>>>>> this?
> >>>>>>
> >>>>>> On Mon, Jan 6, 2020 at 3:00 PM Rajini Sivaram <
> rajinisivaram@gmail.com>
> >>>>>> wrote:
> >>>>>>
> >>>>>>> Hi Nikolay,
> >>>>>>>
> >>>>>>> We can leave the KIP open and restart the discussion once system
> tests
> >>>>>> are
> >>>>>>> running.
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>>
> >>>>>>> Rajini
> >>>>>>>
> >>>>>>> On Mon, Jan 6, 2020 at 2:46 PM Николай Ижиков <nizhikov@apache.org
> >
> >>>>>> wrote:
> >>>>>>>
> >>>>>>>> Hello, Rajini.
> >>>>>>>>
> >>>>>>>> Thanks, for the feedback.
> >>>>>>>>
> >>>>>>>> Should I mark this KIP as declined?
> >>>>>>>> Or just wait for the system tests results?
> >>>>>>>>
> >>>>>>>>> On Jan 6, 2020, at 17:26, Rajini Sivaram <rajinisivaram@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>> Hi Nikolay,
> >>>>>>>>>
> >>>>>>>>> Thanks for the KIP. We currently run system tests using JDK 8 and
> >>>>>> hence
> >>>>>>>> we
> >>>>>>>>> don't yet have full system test results with TLS 1.3 which
> requires
> >>>>>> JDK
> >>>>>>>> 11.
> >>>>>>>>> We should wait until that is done before enabling TLS1.3 by
> default.
> >>>>>>>>>
> >>>>>>>>> Regards,
> >>>>>>>>>
> >>>>>>>>> Rajini
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On Mon, Dec 30, 2019 at 5:36 AM Николай Ижиков <
> nizhikov@apache.org>
> >>>>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>>> Hello, Team.
> >>>>>>>>>>
> >>>>>>>>>> Any feedback on this KIP?
> >>>>>>>>>> Do we need this in Kafka?
> >>>>>>>>>>
> >>>>>>>>>>> On Dec 24, 2019, at 18:28, Nikolay Izhikov <nizhikov@apache.org> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> Hello,
> >>>>>>>>>>>
> >>>>>>>>>>> I'd like to start a discussion of KIP.
> >>>>>>>>>>> Its goal is to enable TLSv1.3 and disable obsolete versions by
> >>>>>>> default.
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=142641956
> >>>>>>>>>>>
> >>>>>>>>>>> Your comments and suggestions are welcome.
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Regards,
> >>>>>> Brajesh Kumar
> >>>>>>
> >>>>
> >>>>
> >>
> >
>
>