Current state: Accepted
Discussion thread: Dev-list discussion
In KAFKA-7251 support of TLS1.3 was introduced.
For now, only TLS1.2 and TLS1.3 are recommended for the usage, other versions of TLS considered as obsolete:
But testing of TLS1.3 incomplete, for now.
We should enable actual versions of the TLS protocol by default to provide to the users only secure implementations.
Users can enable obsolete versions of the TLS with the configuration if they want to.
There are no changes in public interfaces.
Change the value of the
SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS to "TLSv1.2"
Compatibility, Deprecation, and Migration Plan
Compatibility: There are no compatibility issues.
Migration: Users who are using TLSv1.1 and TLSv1 should enable these versions of the protocol with the explicit configuration property
Deprecation: TLSv1.1, TLLv1 will become deprecated.
There is no rejected alternatives.