KIP-573 — Enable TLSv1.3 by default
Accepted Kafka 2.6 Security
KIP-573 changes the default value of `ssl.enabled.protocols` to include only TLSv1.2 and TLSv1.3, removing the obsolete and insecure TLSv1 and TLSv1.1 from the default negotiation list. Older TLS versions have known cryptographic weaknesses and are deprecated by RFC 8446, yet Kafka continued to advertise them by default because TLSv1.3 required JDK 11+.
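The new default only helps where `ssl.enabled.protocols` is left unset: an explicit value, including a per-listener `listener.name.<name>.` override, still takes precedence. The following added example (not part of the KIP or of Kafka's code) audits properties text for overrides that keep TLSv1 or TLSv1.1 enabled; the function names and the sample config are constructed, and it assumes a 2.6+ broker where the default stated above applies.

```python
import re

KEY = "ssl.enabled.protocols"
KIP573_DEFAULT = ("TLSv1.2", "TLSv1.3")  # default stated on this page (assumes 2.6+ broker)
LEGACY = {"TLSv1", "TLSv1.1"}            # versions dropped from the default

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators.
    Line continuations and escapes are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(text):
    """Map each scope ('default' or a listener name with its own override) to
    (effective protocol list, legacy protocols still enabled)."""
    props = parse_properties(text)
    scopes = {"default": KEY}
    for k in props:
        if k.startswith("listener.name.") and k.endswith("." + KEY):
            scopes[k[len("listener.name."):-len(KEY) - 1]] = k
    report = {}
    for scope, k in scopes.items():
        if k in props:  # an explicit value overrides the default
            effective = [p.strip() for p in props[k].split(",") if p.strip()]
        else:           # unset: the new default applies
            effective = list(KIP573_DEFAULT)
        report[scope] = (effective, sorted(LEGACY.intersection(effective)))
    return report

# Constructed sample broker config (not from the page).
SAMPLE = """\
listeners=INTERNAL://:9092,EXTERNAL://:9093
ssl.enabled.protocols=TLSv1.2,TLSv1.3
listener.name.external.ssl.enabled.protocols = TLSv1,TLSv1.1,TLSv1.2
"""

if __name__ == "__main__":
    for scope, (effective, legacy) in audit(SAMPLE).items():
        status = "LEGACY ENABLED: " + ",".join(legacy) if legacy else "ok"
        print(f"{scope}: {','.join(effective)} -> {status}")
```

Listeners without their own override inherit the broker-wide value and are not listed separately.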
Details
| Field | Value |
| --- | --- |
| Author | Nikolay Izhikov |
| Status | Accepted |
| Kafka Version | 2.6 |
| JIRA | KAFKA-9320 |
| Wiki | View on Apache Wiki |
| Created | 2020-02-21 |
| Last Modified | 2020-06-03 |