Manage Data in Transit with TLS on Confluent Cloud

Confluent Cloud uses the Transport Layer Security (TLS) protocol to provide secure communication channels between clients and servers, protecting sensitive data during transmission across networks.

TLS on Confluent Cloud

All connections carrying data in transit to and from Confluent Cloud are encrypted with TLS. Confluent Cloud services other than Kafka clusters prefer TLS 1.3 and fall back to TLS 1.2 only when the client does not support TLS 1.3.

TLS 1.3 is supported on all Kafka cluster types:

  • Basic, Standard, Freight, and Enterprise clusters:

    Support TLS 1.3 and TLS 1.2. Protocol versions cannot be configured and both remain enabled.

  • Dedicated clusters:

    TLS 1.3 is enabled by default on all newly created clusters. For Dedicated clusters without TLS 1.3 enabled, you can manually enable it by following the steps in Enable TLS 1.3 on Dedicated clusters. If needed, you can disable TLS 1.2 after enabling TLS 1.3.

All Confluent Cloud cluster types support a shared set of cipher suites. Only Dedicated clusters can restrict which suites the cluster negotiates. See Restrict cipher suites.

Supported cipher suites

Confluent Cloud supports the following cipher suites for TLS-encrypted connections.

All cluster types

Basic, Standard, Enterprise, Dedicated, and Freight clusters support TLS 1.2.

TLS version   Cipher suite                                   Status
1.2           TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256          Recommended
1.2           TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384          Recommended
1.2           TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256    Recommended
1.2           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA             Legacy
1.2           TLS_RSA_WITH_AES_128_GCM_SHA256                Legacy

Cipher suites marked Legacy are supported only for backwards compatibility with older clients: the CBC suite lacks AEAD protection and the TLS_RSA suite provides no forward secrecy. Do not adopt these suites for any new deployments. They also cannot be selected with the cipher suite restriction feature. See Restrict cipher suites.

Dedicated clusters with TLS 1.3 enabled

To use TLS 1.3 cipher suites, enable TLS 1.3 on a Dedicated cluster. See Enable TLS 1.3 on Dedicated clusters.

TLS version   Cipher suite                     Status
1.3           TLS_AES_128_GCM_SHA256           Recommended
1.3           TLS_AES_256_GCM_SHA384           Recommended
1.3           TLS_CHACHA20_POLY1305_SHA256     Recommended

Enable TLS 1.3 on Dedicated clusters

For Dedicated clusters without TLS 1.3 enabled, you can enable TLS 1.3. If you have existing clients connected to your Dedicated cluster, follow these steps to ensure those connections successfully migrate to TLS 1.3.

  1. Update the Kafka broker configuration for your Dedicated cluster to use both TLS 1.3 and TLS 1.2 (ssl.enabled.protocols=TLSv1.3,TLSv1.2). After you update the broker configuration, clients that are configured to use TLS 1.3 automatically use TLS 1.3. For details, see Manage TLS protocols.

  2. Verify the Kafka cluster is using TLS 1.3 by running the confluent kafka cluster configuration describe command. For details, see Verify TLS protocols.

  3. Ensure all Kafka clients connecting to the Kafka cluster are configured to use TLS 1.3.

    • Java clients: Set ssl.enabled.protocols=TLSv1.3,TLSv1.2. For Java clients version 2.6.0 or later, this is the default behavior.

    • Other clients: Check the documentation for your client library to determine how to configure it to use TLS 1.3.

  4. Verify all applications are healthy and processing data using TLS 1.3.

  5. After confirming that all client applications are able to successfully use TLS 1.3 without any issues, you can optionally update the configuration to use only TLS 1.3 (ssl.enabled.protocols=TLSv1.3). This disables TLS 1.2 on the brokers.

    Important

    Follow a slow rollout, because older client libraries do not behave well with TLS 1.3. By initially enabling both TLS 1.2 and TLS 1.3 on the brokers, you can confirm on the client side that every application negotiates TLS 1.3 successfully before you disable TLS 1.2.

  6. Verify again that all applications are healthy and processing data now that TLS 1.2 is disabled on the brokers. For details, see Verify TLS protocols.

Verify TLS protocols

You can quickly verify that your Dedicated cluster is using TLS 1.3 using the Confluent CLI.

Use confluent kafka cluster configuration describe to check the ssl.enabled.protocols property:

confluent kafka cluster configuration describe ssl.enabled.protocols \
  --cluster <cluster-id>

For example, to verify that your Dedicated cluster lkc-abc123 is using TLS 1.3, you can use the following command:

confluent kafka cluster configuration describe ssl.enabled.protocols \
  --cluster lkc-abc123

The output should be similar to the following:

+-----------+-----------------------+
| Name      | ssl.enabled.protocols |
| Value     | TLSv1.3               |
| Read-Only | true                  |
+-----------+-----------------------+

If the ssl.enabled.protocols property is set to TLSv1.3, then your Dedicated cluster only uses TLS 1.3. To include TLS 1.2, you can update the property to TLSv1.3,TLSv1.2.

For details on using the confluent kafka cluster configuration describe command, see confluent kafka cluster configuration describe.

Troubleshooting

  • If you encounter the following error, no dynamic configuration has been set for the ssl.enabled.protocols property, and the cluster is using the TLS 1.2 default:

    Error: configuration "ssl.enabled.protocols" not found
    
  • Confluent Cloud audit logs record the TLS protocol version and cipher suite negotiated for each connection in the kafka.Authentication event. Use these events to confirm that every client application has moved to TLS 1.3 before you disable TLS 1.2.
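The rollout steps in Enable TLS 1.3 on Dedicated clusters, together with the Verify TLS protocols and Troubleshooting sections above, can be scripted. The following is an added example and is not Confluent's code: it parses the output of confluent kafka cluster configuration describe (treating the "not found" error as the TLS 1.2 default, as the troubleshooting note states), predicts which client applications would lose connectivity when TLS 1.2 is disabled in step 5, and performs a TLS 1.3-only handshake against a bootstrap endpoint to confirm what the broker actually negotiates. The bootstrap host name, the application names and the sample CLI output are constructed for illustration; the OpenSSL-style cipher names are the form Python's ssl module reports for the suites listed on this page.

```python
"""Pre-flight checks for a TLS 1.3 rollout on a Confluent Cloud Dedicated cluster.

Added example, not Confluent's code. Assumes the cluster's bootstrap endpoint
speaks TLS directly on its port (true for Confluent Cloud listeners). The host
name, application names and CLI output below are constructed, not captured.
"""
from __future__ import annotations

import re
import socket
import ssl

# Suites from this page, keyed by the OpenSSL names that ssl.SSLSocket.cipher()
# returns (the page lists the IANA names, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256).
SUITE_STATUS = {
    "TLS_AES_128_GCM_SHA256": "Recommended",        # TLS 1.3
    "TLS_AES_256_GCM_SHA384": "Recommended",        # TLS 1.3
    "TLS_CHACHA20_POLY1305_SHA256": "Recommended",  # TLS 1.3
    "ECDHE-RSA-AES128-GCM-SHA256": "Recommended",   # TLS 1.2
    "ECDHE-RSA-AES256-GCM-SHA384": "Recommended",   # TLS 1.2
    "ECDHE-RSA-CHACHA20-POLY1305": "Recommended",   # TLS 1.2
    "ECDHE-RSA-AES128-SHA": "Legacy",               # TLS 1.2, CBC, no AEAD
    "AES128-GCM-SHA256": "Legacy",                  # TLS 1.2, no forward secrecy
}

# Both sides pick the newest version they share, so check in this order.
PROTOCOL_ORDER = ["TLSv1.3", "TLSv1.2"]

NOT_FOUND = 'configuration "ssl.enabled.protocols" not found'


def parse_enabled_protocols(cli_output: str) -> list[str]:
    """Return the protocols from `confluent kafka cluster configuration describe`.

    The "not found" error means no dynamic value is set, which per the
    troubleshooting note means the cluster is on the TLS 1.2 default.
    """
    if NOT_FOUND in cli_output:
        return ["TLSv1.2"]
    match = re.search(r"\|\s*Value\s*\|\s*([^|]+?)\s*\|", cli_output)
    if not match:
        raise ValueError("no Value row found in CLI output")
    return [p.strip() for p in match.group(1).split(",") if p.strip()]


def negotiated_protocol(broker: list[str], client: list[str]) -> str | None:
    """Highest version enabled on both sides, or None if the handshake would fail."""
    for proto in PROTOCOL_ORDER:
        if proto in broker and proto in client:
            return proto
    return None


def clients_broken_by(broker: list[str], clients: dict[str, list[str]]) -> list[str]:
    """Applications that could no longer connect if the broker used `broker`.

    Run this with broker=["TLSv1.3"] before step 5 of the rollout.
    """
    return sorted(name for name, protos in clients.items()
                  if negotiated_protocol(broker, protos) is None)


def probe_broker(host: str, port: int = 9092,
                 minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_3) -> tuple[str, str, str]:
    """Handshake with a bootstrap endpoint; return (protocol, cipher, page status).

    Pinning the minimum to TLS 1.3 is a direct test that the listener accepts
    1.3: an ssl.SSLError here means it still negotiates only TLS 1.2.
    Needs network access, so the offline checks do not call it.
    """
    ctx = ssl.create_default_context()  # verifies the broker certificate
    ctx.minimum_version = minimum
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            proto = tls.version()
            cipher = tls.cipher()[0]
    return proto, cipher, SUITE_STATUS.get(cipher, "Not listed on this page")


if __name__ == "__main__":
    # Constructed CLI output, in the shape shown under Verify TLS protocols.
    describe_output = (
        "+-----------+-----------------------+\n"
        "| Name      | ssl.enabled.protocols |\n"
        "| Value     | TLSv1.3,TLSv1.2       |\n"
        "| Read-Only | true                  |\n"
        "+-----------+-----------------------+\n"
    )
    broker_now = parse_enabled_protocols(describe_output)
    # Constructed inventory of client applications and what they enable.
    apps = {
        "orders-java-2.6": ["TLSv1.3", "TLSv1.2"],  # Java 2.6.0+ default
        "billing-legacy": ["TLSv1.2"],               # older library, 1.2 only
    }
    print("broker enables:", broker_now)
    print("would break on TLSv1.3-only:", clients_broken_by(["TLSv1.3"], apps))
    # Live check (assumed host name): uncomment once the cluster is reachable.
    # print(probe_broker("pkc-example.us-east-1.aws.confluent.cloud"))
```

Run the offline checks first; they tell you that billing-legacy must be upgraded before step 5 disables TLS 1.2. Once the broker change has been applied with the Confluent CLI (confluent kafka cluster configuration update --config; confirm the exact flags with your CLI version's --help), call probe_broker against the bootstrap endpoint: a successful TLS 1.3-only handshake returning a Recommended suite is the client-side evidence that step 2 asks for.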