Unable to change cipher suites for communication between KC and LDAPS over TLSv1.3

[AmanPandey0320]

I was trying to configure TLSv1.3 over KC to LDAPS connection, but I was unable to change the cipher suites from the default ones supported in TLSv1.2. KC was running over HTTP and LDAP with SSL.

I tried using following methods as suggested by the documentation of both Keycloak and quarkus:

• setting following properties in quarkus server and runtime quarkus.http.ssl.cipher-suites, quarkus.http.ssl.protocols
• setting flags while KC start script. --https-protocols and --https-cipher-suites
• setting cipher on JDK using jdk.tls.disabledAlgorithms
• setting TLS versions for KC to TLSv1.3
• I tried configuring the cipher suites used by keycloak by adding this environment variable KC_HTTPS_CIPHER_SUITES but it is not geting reflected

Expected behavior

On checking the captured packets transferred from Keycloak to LDAPS we should be able to see the cipher suites that we mention in the configuration

Actual behavior

We see the default cipher suites present in the keycloak for TLSv1.2, we do not see the ciphers that we mention in any of the above methods suggested by the documentation.

[shawkins]

@AmanPandey0320 I don't think Keycloak is doing any specific customization of the protocol used for LDAP. When an SSL connection is needed, this method is used:

keycloak/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPContextManager.java

Line 88 in 1aab371

tlsResponse = startTLS(ldapContext, ldapConfig.getAuthType(), ldapConfig.getBindDN(),

The SSLSocketFactory passed in will either be null (the default if UseTruststoreSpi = false) or the SSLSocketFactory created by

keycloak/services/src/main/java/org/keycloak/truststore/JSSETruststoreConfigurator.java

Line 62 in 1aab371

SSLContext sslctx = SSLContext.getInstance("TLS");

- which you can see just specifies TLS.

Beyond that I don't see where cipher suite customization is used in this path either.

It seems like you'll have to handle this for now will JDK customization and / or system properties. What did you try for jdk.tls.disabledAlgorithms?

cc @vmuzikar what expectations should there be for configuring ldap SSL from the client side, or are we simply expecting the LDAP server to be configured appropriately?

[AmanPandey0320]

@shawkins I tried setting cipher to JDK. For jdk.tls.disabledAlgorithms I tried to set it like the one shown below

JAVA_OPTS="$JAVA_OPTS -Djdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, aNULL, eNULL, EXPORT, DES, 3DES, AES128, \ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
But this didn't work.

[shawkins]

@AmanPandey0320 that may be applicable to only the jdk java.security file - https://www.java.com/en/configure_crypto.html

[AmanPandey0320]

@shawkins I tried ‑Djdk.tls.client.protocols="TLSv1.3" as well but that does not reflect the ciphers, do you suggest any other way?

[shawkins]

You mean that you still see older TLS cipher suites still in use? Or do you mean that there are TLSv1.3 cipher suites you want to disable as well?

Have you tried using -Djavax.net.debug=all to capture exactly what is going on with the negotiation.

[AmanPandey0320]

Yes I see older TLS ciphers still being used, I have captured the packets from KC to ldaps here
ldaps5.pcap.zip

I am attaching the screenshot of the cipher I see

[shawkins]

I believe those are valid TLSv1.3 cipher suites. At least they are on my JDK 17:

        SSLContext context = SSLContext.getInstance("TLSv1.3");
        context.init(null, null, null);
        System.out.println(Arrays.toString(context.getSocketFactory().getDefaultCipherSuites()));

Also the screenshot confirms TLSv1.3 is in use.

So what you are looking to do now is to further filter the cipher suites. Did you move your jdk.tls.disabledAlgorithms property to the java.security file?

[AmanPandey0320]

@shawkins I tried to set java.security file with required property, but this doesn't work

[shawkins]

@AmanPandey0320 to confirm you are editing JAVA_HOME/conf/security/java.security correct?

cc @pedroigor

[AmanPandey0320]

Yes @shawkins

[AmanPandey0320]

Reopening to continue discussion, till it is concluded, Thanks @shawkins for you support

[shawkins]

@AmanPandey0320 it turns out that openjdk also relies upon a /etc/crypto-policies/back-ends/java.config file that overrides the java.security file. Try your modification there and also include -Djava.security.debug=properties to verify.

[AmanPandey0320]

@shawkins whenever we set the above property, but the pod fails at startup with following error

The property I set in my docker file while. building the image was
RUN echo -e "\njdk.tls.client.cipherSuites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" >> /opt/java/jre/conf/security/java.security

`2024-05-27 07:46:35,918 ERROR [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000660: DefaultCacheManager start failed, stopping any running components: org.infinispan.commons.CacheConfigurationException: ISPN000541: Error while trying to create a channel using the specified configuration '[TCP(bundler.max_size=64000, sock_conn_timeout=300, linger=-1, port_range=0, thread_pool.keep_alive_time=60000, diag.enabled=false, bind_port=7800, thread_naming_pattern=pl, thread_pool.thread_dumps_threshold=10000, send_buf_size=640k, thread_pool.max_threads=200, use_virtual_threads=false, bundler_type=transfer-queue, logical_addr_cache_expiration=360000, thread_pool.min_threads=0), RED(), dns.DNS_PING(dns_record_type=A, num_discovery_runs=3), MERGE3(max_interval=30000, min_interval=10000), FD_SOCK2(offset=50000), FD_ALL3(), VERIFY_SUSPECT2(timeout=1000), pbcast.NAKACK2(xmit_table_num_rows=50, use_mcast_xmit=false, xmit_table_msgs_per_row=1024, xmit_table_max_compaction_time=30000, xmit_interval=200, resend_last_seqno=true), UNICAST3(conn_close_timeout=5000, xmit_interval=200, xmit_table_num_rows=50, xmit_table_msgs_per_row=1024, xmit_table_max_compaction_time=30000), pbcast.STABLE(desired_avg_gossip=5000, max_bytes=1M), pbcast.GMS(join_timeout=2000, print_local_addr=false), UFC(min_threshold=0.40, max_credits=4m), MFC(min_threshold=0.40, max_credits=4m), FRAG4(frag_size=60000)]'
at org.infinispan.remoting.transport.jgroups.JGroupsTransport.channelFromConfigurator(JGroupsTransport.java:765)
at org.infinispan.remoting.transport.jgroups.JGroupsTransport.buildChannel(JGroupsTransport.java:734)
at org.infinispan.remoting.transport.jgroups.JGroupsTransport.initChannel(JGroupsTransport.java:488)
at org.infinispan.remoting.transport.jgroups.JGroupsTransport.start(JGroupsTransport.java:472)
at org.infinispan.remoting.transport.jgroups.CorePackageImpl$2.start(CorePackageImpl.java:63)
at org.infinispan.remoting.transport.jgroups.CorePackageImpl$2.start(CorePackageImpl.java:49)
at org.infinispan.factories.impl.BasicComponentRegistryImpl.invokeStart(BasicComponentRegistryImpl.java:616)
at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:607)
at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:576)
at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:807)
at org.infinispan.factories.impl.BasicComponentRegistryImpl.startDependencies(BasicComponentRegistryImpl.java:634)
at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:598)
at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:576)
at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:807)
at org.infinispan.factories.GlobalComponentRegistry.preStart(GlobalComponentRegistry.java:284)
at org.infinispan.factories.AbstractComponentRegistry.start(AbstractComponentRegistry.java:250)
at org.infinispan.manager.DefaultCacheManager.internalStart(DefaultCacheManager.java:779)
at org.infinispan.manager.DefaultCacheManager.start(DefaultCacheManager.java:747)
at org.infinispan.manager.DefaultCacheManager.(DefaultCacheManager.java:411)
at org.keycloak.quarkus.runtime.storage.legacy.infinispan.CacheManagerFactory.startCacheManager(CacheManagerFactory.java:120)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:842)
Caused by: java.lang.IllegalArgumentException: dns_query can not be null or empty
at org.jgroups.protocols.dns.DNS_PING.validateProperties(DNS_PING.java:85)
at org.jgroups.protocols.dns.DNS_PING.init(DNS_PING.java:53)
at org.jgroups.stack.ProtocolStack.initProtocolStack(ProtocolStack.java:802)
at org.jgroups.stack.ProtocolStack.setup(ProtocolStack.java:442)
at org.jgroups.JChannel.init(JChannel.java:902)
at org.jgroups.JChannel.(JChannel.java:124)
at org.infinispan.remoting.transport.jgroups.FileJGroupsChannelConfigurator.createChannel(FileJGroupsChannelConfigurator.java:49)
at org.infinispan.remoting.transport.jgroups.JGroupsTransport.channelFromConfigurator(JGroupsTransport.java:763)
... 23 more

2024-05-27 07:46:37,593 WARN [io.quarkus.agroal.runtime.DataSources] (JPA Startup Thread) Datasource enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2024-05-27 07:46:38,997 WARN [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.
2024-05-27 07:46:41,043 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (production) mode
2024-05-27 07:46:41,043 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start caches
2024-05-27 07:46:41,044 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: org.infinispan.manager.EmbeddedCacheManagerStartupException: ISPN000541: Error while trying to create a channel using the specified configuration '[TCP(bundler.max_size=64000, sock_conn_timeout=300, linger=-1, port_range=0, thread_pool.keep_alive_time=60000, diag.enabled=false, bind_port=7800, thread_naming_pattern=pl, thread_pool.thread_dumps_threshold=10000, send_buf_size=640k, thread_pool.max_threads=200, use_virtual_threads=false, bundler_type=transfer-queue, logical_addr_cache_expiration=360000, thread_pool.min_threads=0), RED(), dns.DNS_PING(dns_record_type=A, num_discovery_runs=3), MERGE3(max_interval=30000, min_interval=10000), FD_SOCK2(offset=50000), FD_ALL3(), VERIFY_SUSPECT2(timeout=1000), pbcast.NAKACK2(xmit_table_num_rows=50, use_mcast_xmit=false, xmit_table_msgs_per_row=1024, xmit_table_max_compaction_time=30000, xmit_interval=200, resend_last_seqno=true), UNICAST3(conn_close_timeout=5000, xmit_interval=200, xmit_table_num_rows=50, xmit_table_msgs_per_row=1024, xmit_table_max_compaction_time=30000), pbcast.STABLE(desired_avg_gossip=5000, max_bytes=1M), pbcast.GMS(join_timeout=2000, print_local_addr=false), UFC(min_threshold=0.40, max_credits=4m), MFC(min_threshold=0.40, max_credits=4m), FRAG4(frag_size=60000)]'
2024-05-27 07:46:41,044 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: ISPN000541: Error while trying to create a channel using the specified configuration '[TCP(bundler.max_size=64000, sock_conn_timeout=300, linger=-1, port_range=0, thread_pool.keep_alive_time=60000, diag.enabled=false, bind_port=7800, thread_naming_pattern=pl, thread_pool.thread_dumps_threshold=10000, send_buf_size=640k, thread_pool.max_threads=200, use_virtual_threads=false, bundler_type=transfer-queue, logical_addr_cache_expiration=360000, thread_pool.min_threads=0), RED(), dns.DNS_PING(dns_record_type=A, num_discovery_runs=3), MERGE3(max_interval=30000, min_interval=10000), FD_SOCK2(offset=50000), FD_ALL3(), VERIFY_SUSPECT2(timeout=1000), pbcast.NAKACK2(xmit_table_num_rows=50, use_mcast_xmit=false, xmit_table_msgs_per_row=1024, xmit_table_max_compaction_time=30000, xmit_interval=200, resend_last_seqno=true), UNICAST3(conn_close_timeout=5000, xmit_interval=200, xmit_table_num_rows=50, xmit_table_msgs_per_row=1024, xmit_table_max_compaction_time=30000), pbcast.STABLE(desired_avg_gossip=5000, max_bytes=1M), pbcast.GMS(join_timeout=2000, print_local_addr=false), UFC(min_threshold=0.40, max_credits=4m), MFC(min_threshold=0.40, max_credits=4m), FRAG4(frag_size=60000)]'
2024-05-27 07:46:41,044 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: ISPN000541: Error while trying to create a channel using the specified configuration '[TCP(bundler.max_size=64000, sock_conn_timeout=300, linger=-1, port_range=0, thread_pool.keep_alive_time=60000, diag.enabled=false, bind_port=7800, thread_naming_pattern=pl, thread_pool.thread_dumps_threshold=10000, send_buf_size=640k, thread_pool.max_threads=200, use_virtual_threads=false, bundler_type=transfer-queue, logical_addr_cache_expiration=360000, thread_pool.min_threads=0), RED(), dns.DNS_PING(dns_record_type=A, num_discovery_runs=3), MERGE3(max_interval=30000, min_interval=10000), FD_SOCK2(offset=50000), FD_ALL3(), VERIFY_SUSPECT2(timeout=1000), pbcast.NAKACK2(xmit_table_num_rows=50, use_mcast_xmit=false, xmit_table_msgs_per_row=1024, xmit_table_max_compaction_time=30000, xmit_interval=200, resend_last_seqno=true), UNICAST3(conn_close_timeout=5000, xmit_interval=200, xmit_table_num_rows=50, xmit_table_msgs_per_row=1024, xmit_table_max_compaction_time=30000), pbcast.STABLE(desired_avg_gossip=5000, max_bytes=1M), pbcast.GMS(join_timeout=2000, print_local_addr=false), UFC(min_threshold=0.40, max_credits=4m), MFC(min_threshold=0.40, max_credits=4m), FRAG4(frag_size=60000)]'
2024-05-27 07:46:41,044 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: dns_query can not be null or empty
2024-05-27 07:46:41,044 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) `

[AmanPandey0320]

I went through some threads on following discussions

• https://keycloak.discourse.group/t/unable-to-start-keycloak-17-0-0-cache-with-kubernetes-stack/13580
• Kubernetes cache-stack documentation update #10341

I am already setting this property

JAVA_OPTS already set in environment; overriding default settings with values: -XX:+UseContainerSupport --add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED -Djgroups.dns.query=kc-headless

[shawkins]

The property I set in my docker file while. building the image was
RUN echo -e "\njdk.tls.client.cipherSuites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" >> /opt/java/jre/conf/security/java.security

jdk.tls.client.cipherSuites is a system property, it is not a security property.

[AmanPandey0320]

@shawkins Is it necessary to start KC on TLS, for TLS we use a gateway in front of KC which runs on non-TLS mode

[shawkins]

@AmanPandey0320 Keycloak is fine running with edge termination of TLS.