KAFKA-9320: Enable TLSv1.3 by default (KIP-573)

[nizhikov]

1. Enables TLSv1.3 by default with Java 11 or newer.
2. Add unit tests that cover the various TLSv1.2 and TLSv1.3 combinations.
3. Extend benchmark_test.py and replication_test.py to run with 'TLSv1.2'
   or 'TLSv1.3'.

Committer Checklist (excluded from commit message)

• Verify design and implementation
• Verify test coverage and CI build status
• Verify documentation (including upgrade notes)

[nizhikov]

@ijuma Looks like tests are OK.
Please, take a look at this preliminary PR.

[ijuma]

I think you want to leave this as the default and see if it works correctly.

[nizhikov]

Hello. Sorry, I don't understand your concern :)

1. DEFAULT_SSL_ENABLED_PROTOCOLS = TLSv1.2,TLSv1.3 for java11+
2. DEFAULT_SSL_ENABLED_PROTOCOLS = TLSv1.2 for others jdk.

This property modified inside this test so I forcefully set it as default value.

[ijuma]

Ah, I see, you are forcefully setting it to the default. Makes sense. OK, so this test shows that we can negotiate successfully even though we have no cipher suites that work with TLS 1.3. Can we also test that if the client sets TLS 1.3, it will fail?

[nizhikov]

Tests added.

[ijuma]

One question: any downside to setting ssl.protocol=TLSv1.3 instead of ssl.protocol=TLSv1.2?

[nizhikov]

@ijuma I can't see downside in forcing usage of the latest TLS version.
Added this change to PR.

[nizhikov]

retest this, please

[ijuma]

@nizhikov Thanks. Can you update the KIP and start the voting on it?

[nizhikov]

@ijuma KIP-573 updated.
Actually, I'm started one (link), but didn't get any votes :)
Should I start another?

[ijuma]

Since the vote passed, can we flesh out the PR to include more tests that exercise TLS 1.3? A few things to think about:

1. Unit tests like the ones included in the PR currently. Can we go through the various possible combinations of client and server configuration and check that they all work or fail in the way we expect.

2. Make sure the integration tests use the same TLS configuration we use by default (if they don't already). Since Java 8 sticks to TLS 1.2 for now, we will get coverage of the old and new approach this way.

3. Adjust system tests to use TLS 1.3 by default, but also include variants where client uses TLS 1.2 and broker uses 1.3, the reverse and finally where TLS 1.2 is used for both.

[ijuma]

A few failures seem related to the changes in this PR:

kafka.network.SocketServerTest.testConnectionIdReuse
kafka.network.SocketServerTest.remoteCloseWithBufferedReceivesFailedSend
kafka.network.SocketServerTest.remoteCloseSendFailure
kafka.network.SocketServerTest.remoteCloseWithoutBufferedReceives
kafka.network.SocketServerTest.remoteCloseWithCompleteAndIncompleteBufferedReceives
kafka.network.SocketServerTest.remoteCloseWithIncompleteBufferedReceive
kafka.network.SocketServerTest.closingChannelWithBufferedReceives
kafka.network.SocketServerTest.closingChannelSendFailure
kafka.network.SocketServerTest.idleExpiryWithBufferedReceives
kafka.network.SocketServerTest.closingChannelWithBufferedReceivesFailedSend
kafka.network.SocketServerTest.remoteCloseWithBufferedReceives
kafka.network.SocketServerTest.closingChannelWithCompleteAndIncompleteBufferedReceives

[nizhikov]

retest this, please

[ijuma]

Thanks for the updates. We're closer. :) A few comments below.

[nizhikov]

@ijuma I found explanation of the test behavior.

Full information can be found in the guide Please, navigate to the "Send ClientHello Message". You may want to take a look at the "client version" and "supported_versions (43)" fields.

The root of the "strange" behavior is the structure of the SSL ClientHello message(quote from tutorial):

Client version: For TLS 1.3, this has a fixed value, TLSv1.2; TLS 1.3 uses the extension supported_versions and not this field to negotiate protocol version
...
supported_versions: Lists which versions of TLS the client supports. In particular, if the client
requests TLS 1.3, then the client version field has the value TLSv1.2 and this extension
contains the value TLSv1.3; if the client requests TLS 1.2, then the client version field has the
value TLSv1.2 and this extension either doesn’t exist or contains the value TLSv1.2 but not the value TLSv1.3.

This means we can't connect with the following configuration:
client:

ssl.protocol=TLSv1.2 #this will be used for ClientHello
ssl.enabled.protocols=TLSv1.2,TLSv1.3 #TLS v1.3 will be ignored in ClientHello message.

Server:

ssl.protocol=TLSv1.3
ssl.enabled.protocols=TLSv1.3 # Accept only TLSv1.3 

You can see all details of the SSL connection process in the javax.net log.
It can be enabled like the following:

    public SslVersionsTransportLayerTest(List<String> serverProtocols, List<String> clientProtocols) {
        System.setProperty("javax.net.debug", "ssl:handshake"); //This will turn on the log from jdk SSL system classes.
        this.serverProtocols = serverProtocols;
        this.clientProtocols = clientProtocols;
    }

So correct check should be:

    private boolean isCompatible(List<String> serverProtocols, List<String> clientProtocols) {
        return serverProtocols.contains(clientProtocols.get(0)) ||
            (clientProtocols.get(0).equals("TLSv1.3") && clientProtocols.contains("TLSv1.2"));
    }

[ijuma]

Thanks for figuring this out. Very helpful. Can we update SSL_PROTOCOL_DOC to include what we've learned here? It's not particularly intuitive. :) Aside from that and a couple of nits below, I think we're good to merge.

[ijuma]

Oh, one more thing, let's please add an entry to upgrade.html.

[ijuma]

retest this please

[nizhikov]

I think, currently, the trunk is broken with the c6633a1
I prepared oneliner fix for it - #8779

[ijuma]

How about:

"The SSL protocol used to generate the SSLContext. "
            + "The default is TLSv1.3 when running with Java 11 or newer, TLSv1.2 otherwise. "
            + "This value should be fine for most use cases. "
            + "Allowed values in recent JVMs are TLSv1.2 and TLSv1.3. TLS, TLSv1.1, SSL, SSLv2 and SSLv3 "
            + "may be supported in older JVMs, but their usage is discouraged due to known security vulnerabilities. ";
            + "With the default value for this config and ssl.enabled.protocols, clients will downgrade to TLSv1.2 if "
            + "the server does not support TLSv1.3. If this config is set to TLSv1.2, clients will not use TLSv1.3 even "
            + "if it is one of the values in ssl.enabled.protocols and the server only supports TLSv1.3."

[ijuma]

How about:

The list of protocols enabled for SSL connections. The default is 'TLSv1.2,TLSv1.3' when running with Java 11 or newer, 'TLSv1.2' otherwise. With the default value for Java 11, clients and servers will prefer TLSv1.3 if both support it and fallback to TLSv1.2 otherwise (assuming both support at least TLSv1.2). This default should be fine for most cases. Also see the `ssl.protocol` config documentation.

[ijuma]

One more nit: "TLSv1.3 has been enabled by default for Java 11 or newer. The client and server will negotiate TLSv1.3 if both support it and fallback to TLSv1.2 otherwise. See...

[ijuma]

@nizhikov I think we're good to merge this after the non code suggestions above are addressed (assuming we can get a Jenkins build, I merged your other PR fixing the build issue).

[ijuma]

LGTM, thanks!

[nizhikov]

@ijuma Thanks for your time! Appreciate it.
Try my best to waste fewer rounds of review next time :)

[ijuma]

@nizhikov These changes are pretty tricky to validate. Thanks for being thorough on the tests. :)

[ijuma]

The failures are unrelated:

org.apache.kafka.clients.consumer.CooperativeStickyAssignorTest.testReassignmentWithRandomSubscriptionsAndChanges
org.apache.kafka.clients.consumer.CooperativeStickyAssignorTest.testReassignmentWithRandomSubscriptionsAndChanges
org.apache.kafka.clients.consumer.StickyAssignorTest.testReassignmentWithRandomSubscriptionsAndChanges
org.apache.kafka.clients.consumer.StickyAssignorTest.testReassignmentWithRandomSubscriptionsAndChanges

Also failing in master:

org.apache.kafka.clients.consumer.CooperativeStickyAssignorTest.testReassignmentWithRandomSubscriptionsAndChanges
org.apache.kafka.clients.consumer.StickyAssignorTest.testReassignmentWithRandomSubscriptionsAndChanges