Keycloak and TLS1.3


Is there a way to make Keycloak work with tls1.3?
Is it supported?

Keycloak doesn’t have a problem with TLS 1.3, but used infrastructure may have - e.g. you are running Keycloak on old Java and that Java version doesn’t support then of course Keycloak can’t support TLS 1.3. Also you may have TLS/SSL offloading on the loadbalancer in front of Keycloak, then it depends on used LB, which TLS is supported - again nothing related to Keycloak. So it really depends how you have implemented TLS.

Generally: use loadbalancer in front of Keycloak with TLS offloading and configure required TLS policy (allowed min/max TLS version, allowed ciphers, preference of server/client cipher order, …) there.


Thanks for the answer!
I’m using the docker image jboss/keycloak:9.0.0, which uses java 11.
when forcing curl to use tls1.3 I get refused with

  • TLSv1.3 (IN), TLS alert, protocol version (582):
  • error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version