Skip to content

KAFKA-20728: Post-Quantum Cryptography (PQC) TLS Readiness: Add setNamedGroups() and ssl.named.groups configuration (ref: CAMEL-23154)#22865

Open
arnabnandy7 wants to merge 1 commit into
apache:trunkfrom
arnabnandy7:feature/pqc-tls-named-groups
Open

KAFKA-20728: Post-Quantum Cryptography (PQC) TLS Readiness: Add setNamedGroups() and ssl.named.groups configuration (ref: CAMEL-23154)#22865
arnabnandy7 wants to merge 1 commit into
apache:trunkfrom
arnabnandy7:feature/pqc-tls-named-groups

Conversation

@arnabnandy7

Copy link
Copy Markdown

Summary

Add an ssl.named.groups configuration for Kafka clients and brokers. This allows users to specify an ordered list of TLS key-exchange named groups, including post-quantum hybrid groups such as X25519MLKEM768 when supported by the configured Java runtime and SSL provider.

The configuration follows the existing ssl.cipher.suites and ssl.enabled.protocols flows:

  • It is available to both clients and brokers.
  • Values are ordered by preference.
  • Duplicate and blank values are rejected.
  • The default is an empty list, which preserves the SSL provider’s defaults.
  • The configuration is classified as non-reconfigurable, consistent with cipher suites and enabled protocols.

SSLParameters.setNamedGroups() was added in Java 20, while Kafka clients continue to support Java 11. The implementation therefore resolves and invokes the method reflectively. Configuring a non-empty list on a runtime older than Java 20 produces an InvalidConfigurationException. When the configuration is empty, Kafka does not call the method and remains compatible with existing supported runtimes.

Named groups are applied to both client and server SSLEngine instances. The server-side ordering ensures applying SSLParameters does not reset the configured client-authentication mode.

The SSL documentation now describes:

  • Runtime and SSL-provider dependencies.
  • The Java 20 requirement for explicit configuration.
  • The need to retain appropriate fallback groups during migration.
  • The TLS 1.3 requirement for post-quantum hybrid key exchange.
  • JDK 27’s default preference for X25519MLKEM768, meaning explicit configuration is normally unnecessary on that runtime.

Kafka Connect’s REST SSL configuration is not changed because it uses a separate Jetty SSL configuration path.

Testing

The following targeted tests were run on Java 21:

  • DefaultSslEngineFactoryTest
    • Verifies configured named groups are applied in order to client and server engines.
    • Verifies an empty configuration preserves the SSL provider defaults.
    • Verifies applying named groups does not reset required server-side client authentication.
    • All 12 tests passed.
  • KafkaConfigTest
    • Verifies the new broker configuration integrates with the complete broker configuration definition.
    • All tests passed.
  • :clients:spotlessJavaApply
  • Client checkstyle and SpotBugs tasks executed successfully as dependencies of the targeted client test build.
  • git diff --check passed.

A JDK 27-specific integration test for an actual X25519MLKEM768 TLS 1.3 handshake is not included because the current Kafka build and CI environment use Java 17/21 for these paths. The unit tests use classical named groups supported by Java 21 to validate Kafka’s configuration and SSLEngine behavior independently of JDK 27’s PQC implementation.

Generated-by: OpenAI Codex
Signed-off-by: Arnab Nandy <arnab_nandy7@yahoo.com>
@github-actions github-actions Bot added triage PRs from the community core Kafka Broker clients labels Jul 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

clients core Kafka Broker triage PRs from the community

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant