KAFKA-20728: Post-Quantum Cryptography (PQC) TLS Readiness: Add setNamedGroups() and ssl.named.groups configuration (ref: CAMEL-23154)#22865
Open
arnabnandy7 wants to merge 1 commit into
Conversation
Generated-by: OpenAI Codex Signed-off-by: Arnab Nandy <arnab_nandy7@yahoo.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add an
ssl.named.groupsconfiguration for Kafka clients and brokers. This allows users to specify an ordered list of TLS key-exchange named groups, including post-quantum hybrid groups such asX25519MLKEM768when supported by the configured Java runtime and SSL provider.The configuration follows the existing
ssl.cipher.suitesandssl.enabled.protocolsflows:SSLParameters.setNamedGroups()was added in Java 20, while Kafka clients continue to support Java 11. The implementation therefore resolves and invokes the method reflectively. Configuring a non-empty list on a runtime older than Java 20 produces anInvalidConfigurationException. When the configuration is empty, Kafka does not call the method and remains compatible with existing supported runtimes.Named groups are applied to both client and server
SSLEngineinstances. The server-side ordering ensures applyingSSLParametersdoes not reset the configured client-authentication mode.The SSL documentation now describes:
X25519MLKEM768, meaning explicit configuration is normally unnecessary on that runtime.Kafka Connect’s REST SSL configuration is not changed because it uses a separate Jetty SSL configuration path.
Testing
The following targeted tests were run on Java 21:
DefaultSslEngineFactoryTestKafkaConfigTest:clients:spotlessJavaApplygit diff --checkpassed.A JDK 27-specific integration test for an actual
X25519MLKEM768TLS 1.3 handshake is not included because the current Kafka build and CI environment use Java 17/21 for these paths. The unit tests use classical named groups supported by Java 21 to validate Kafka’s configuration andSSLEnginebehavior independently of JDK 27’s PQC implementation.