THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
| Table of Contents |
|---|
This page is meant as a template for writing a KIP. To create a KIP choose Tools->Copy on this page and modify with your content and replace the heading with the next KIP number and a description of your issue. Replace anything in italics with your own description.
Status
Current state: DraftUnder discussion
Discussion thread: here [Change the link from the KIP proposal email archive to your own email thread]
JIRA: here [Change the link from KAFKA-1 to your own ticket]
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Motivation
Describe the problems you are trying to solve.
Public Interfaces
Briefly list any new interfaces that will be introduced as part of this proposal or any existing interfaces that will be removed or changed. The purpose of this section is to concisely call out the public contract that will come along with this feature.
A public interface is any change to the following:
Binary log format
The network protocol and api behavior
Any class in the public packages under clientsConfiguration, especially client configuration
org/apache/kafka/common/serialization
org/apache/kafka/common
org/apache/kafka/common/errors
org/apache/kafka/clients/producer
org/apache/kafka/clients/consumer (eventually, once stable)
Monitoring
Command line tools and arguments
- Anything else that will likely break existing users in some way when they upgrade
Proposed Changes
Motivation
In KAFKA-7251 support of TLS1.3 was introduced.
For now, only TLS1.2 and TLS1.3 are recommended for the usage, other versions of TLS considered as obsolete:
- https://www.rfc-editor.org/info/rfc8446
- https://en.wikipedia.org/wiki/Transport_Layer_Security#History_and_development
We should enable actual versions of the TLS protocol by default to provide to the users only secure implementations.
Users can enable obsolete versions of the TLS with the configuration if they want to.
Public Interfaces
There are no changes in public interfaces.
Proposed Changes
Change the value of the SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS to "TLSv1.3,TLSv1.2"Describe the new thing you want to do in appropriate detail. This may be fairly extensive and have large subsections of its own. Or it may be a few sentences. Use judgement based on the scope of the change.
Compatibility, Deprecation, and Migration Plan
- What impact (if any) will there be on existing users?
- If we are changing behavior how will we phase out the older behavior?
- If we need special migration tools, describe them here.
- When will we remove the existing behavior?
Rejected Alternatives
...
Compatibility: There are no compatibility issues.
Migration: Users who are using TLSv1.1 and TLSv1 should enable these versions of the protocol with the explicit configuration property "ssl.enabled.protocols"
Deprecation: TLSv1.1, TLLv1 will become deprecated.