Table of Contents |
---|
Status
Current state: Under DiscussionAccepted
Discussion thread: here
JIRA: KAFKA-9320
...
There are no changes in public interfaces.
Proposed Changes
If Kafka started on java11 compatible environment then
SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS = "TLSv1.2,TLSv1.3"
Change the value of the SslConfigs.DEFAULT_SSL_PROTOCOL = "TLSv1.3"
If Kafka started on java version that is lower java11 then
SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS to = "TLSv1.2,"
SslConfigs.DEFAULT_SSL_PROTOCOL = "TLSv1.32"
Compatibility, Deprecation, and Migration Plan
...
Migration: Users who are using TLSv1.1 and TLSv1 should enable these versions of the protocol with the explicit configuration property "ssl.enabled.protocols"
TLSv1.3 will not work for users who configured cipher suite explicitly - one needs to update the list of ciphers to include TLSv1.3 ciphers which use a different naming convention. The client will downgrade to TLS 1.2 in this case.
Rejected Alternatives
There are no rejected alternativesWait until java8 gets TLSv1.3 support and made changes afterward.