Unable to change cipher suites for communication between KC and LDAPS over TLSv1.3 #29637
Replies: 8 comments 9 replies
-
@AmanPandey0320 I don't think Keycloak is doing any specific customization of the protocol used for LDAP. When an SSL connection is needed, this method is used: The SSLSocketFactory passed in will either be null (the default if UseTruststoreSpi = false) or the SSLSocketFactory created by Beyond that I don't see where cipher suite customization is used in this path either. It seems like you'll have to handle this for now with JDK customization and / or system properties. What did you try for jdk.tls.disabledAlgorithms? cc @vmuzikar what expectations should there be for configuring LDAP SSL from the client side, or are we simply expecting the LDAP server to be configured appropriately?
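Since the reply above says the LDAP path ends up with either a null SSLSocketFactory or one built from the truststore SPI, the effective protocol and cipher list is whatever the JDK's default SSLContext enables. The following standalone program is an added example, not Keycloak or JSSE project code, that prints that effective list under whatever `-D` system properties the JVM was started with, and optionally performs a single handshake against a given host and port to show the protocol and cipher the server actually selected. The host name and port are placeholders supplied on the command line; the property names used (`jdk.tls.disabledAlgorithms`, `jdk.tls.client.protocols`, `jdk.tls.client.cipherSuites`) are standard JSSE settings.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example (not Keycloak code). Shows what the JDK default SSLContext
// enables, which is what an LDAP client gets when it is handed a null
// SSLSocketFactory, and optionally performs one handshake to show what a
// server negotiates. Run with the same -D flags used for the Keycloak JVM.
public class TlsDefaultsCheck {

    // Print the security property and system properties that shape the
    // default context, then the protocols and cipher suites it enables.
    static void printDefaults() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters params = ctx.getDefaultSSLParameters();

        System.out.println("jdk.tls.disabledAlgorithms  = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("jdk.tls.client.protocols    = "
                + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("jdk.tls.client.cipherSuites = "
                + System.getProperty("jdk.tls.client.cipherSuites"));

        System.out.println("Enabled protocols: "
                + Arrays.toString(params.getProtocols()));
        System.out.println("Enabled cipher suites:");
        for (String suite : params.getCipherSuites()) {
            System.out.println("  " + suite);
        }
    }

    // Open one TLS connection with the default factory (the same one an LDAP
    // client with a null SSLSocketFactory uses) and report what was negotiated.
    static void handshake(String host, int port) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            System.out.println("Negotiated protocol: "
                    + socket.getSession().getProtocol());
            System.out.println("Negotiated cipher:   "
                    + socket.getSession().getCipherSuite());
        }
    }

    public static void main(String[] args) throws Exception {
        printDefaults();
        // Placeholder arguments: an LDAPS host and port, e.g. ldap.example.test 636
        if (args.length == 2) {
            handshake(args[0], Integer.parseInt(args[1]));
        }
    }
}
```

Run it first without flags to see the baseline, then with the same flags you intend to give Keycloak, for example `java -Djdk.tls.client.protocols=TLSv1.3 -Djdk.tls.client.cipherSuites=TLS_AES_256_GCM_SHA384 TlsDefaultsCheck.java ldap.example.test 636`. If the printed "Enabled cipher suites" list does not change between the two runs, the property is not reaching the JVM that matters (wrong file, wrong JVM, or overridden later), which is a faster diagnosis than reading a packet capture. The handshake step needs the LDAP server's CA in the JVM's truststore (or `-Djavax.net.ssl.trustStore`), otherwise it fails with a certificate error rather than telling you anything about ciphers.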
-
@shawkins I tried setting cipher to JDK. For jdk.tls.disabledAlgorithms I tried to set it like the one shown below
-
@shawkins I tried ‑Djdk.tls.client.protocols="TLSv1.3" as well but that does not reflect the ciphers, do you suggest any other way? |
Beta Was this translation helpful? Give feedback.
-
Yes, I see older TLS ciphers still being used. I have captured the packets from KC to LDAPS here.
-
@shawkins I tried to set the java.security file with the required property, but this doesn't work.
-
Reopening to continue the discussion until it is concluded. Thanks @shawkins for your support.
-
@shawkins Whenever we set the above property, the pod fails at startup with the following error. The property I set in my Dockerfile while building the image was

```
2024-05-27 07:46:35,918 ERROR [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000660: DefaultCacheManager start failed, stopping any running components: org.infinispan.commons.CacheConfigurationException: ISPN000541: Error while trying to create a channel using the specified configuration '[TCP(bundler.max_size=64000, sock_conn_timeout=300, linger=-1, port_range=0, thread_pool.keep_alive_time=60000, diag.enabled=false, bind_port=7800, thread_naming_pattern=pl, thread_pool.thread_dumps_threshold=10000, send_buf_size=640k, thread_pool.max_threads=200, use_virtual_threads=false, bundler_type=transfer-queue, logical_addr_cache_expiration=360000, thread_pool.min_threads=0), RED(), dns.DNS_PING(dns_record_type=A, num_discovery_runs=3), MERGE3(max_interval=30000, min_interval=10000), FD_SOCK2(offset=50000), FD_ALL3(), VERIFY_SUSPECT2(timeout=1000), pbcast.NAKACK2(xmit_table_num_rows=50, use_mcast_xmit=false, xmit_table_msgs_per_row=1024, xmit_table_max_compaction_time=30000, xmit_interval=200, resend_last_seqno=true), UNICAST3(conn_close_timeout=5000, xmit_interval=200, xmit_table_num_rows=50, xmit_table_msgs_per_row=1024, xmit_table_max_compaction_time=30000), pbcast.STABLE(desired_avg_gossip=5000, max_bytes=1M), pbcast.GMS(join_timeout=2000, print_local_addr=false), UFC(min_threshold=0.40, max_credits=4m), MFC(min_threshold=0.40, max_credits=4m), FRAG4(frag_size=60000)]'
2024-05-27 07:46:37,593 WARN [io.quarkus.agroal.runtime.DataSources] (JPA Startup Thread) Datasource enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
```
-
@shawkins Is it necessary to start KC on TLS? For TLS we use a gateway in front of KC, which runs in non-TLS mode.
-
I was trying to configure TLSv1.3 for the KC to LDAPS connection, but I was unable to change the cipher suites from the default ones supported in TLSv1.2. KC was running over HTTP and LDAP with SSL.
I tried using the following methods as suggested by the documentation of both Keycloak and Quarkus:
Expected behavior
On checking the captured packets transferred from Keycloak to LDAPS, we should be able to see the cipher suites that we mention in the configuration.
Actual behavior
We see the default cipher suites present in Keycloak for TLSv1.2; we do not see the ciphers that we mention in any of the above methods suggested by the documentation.