There is a java setting that disables the ability for clients to renegotiate the TLS cipher they want to use:
Djdk.tls.rejectClientInitiatedRenegotiation=true
It is considered best practice to enforce this on applications that manage sensitive data, in order to harden it against attacks.
I’ve successfully implemented it on our Wildfly-based application, but I can’t find any info on how to do this for our Quarkus-based Keycloak instance. A vulnerability scanner reports that client-initiated renegotiation is still possible when opening a connection to Keycloak.