Keycloak and TLS1.3

itai · May 3, 2021, 1:02pm

Hey,

Is there a way to make Keycloak work with tls1.3?
Is it supported?

jangaraj · May 3, 2021, 3:23pm

Keycloak doesn’t have a problem with TLS 1.3, but used infrastructure may have - e.g. you are running Keycloak on old Java and that Java version doesn’t support then of course Keycloak can’t support TLS 1.3. Also you may have TLS/SSL offloading on the loadbalancer in front of Keycloak, then it depends on used LB, which TLS is supported - again nothing related to Keycloak. So it really depends how you have implemented TLS.

Generally: use loadbalancer in front of Keycloak with TLS offloading and configure required TLS policy (allowed min/max TLS version, allowed ciphers, preference of server/client cipher order, …) there.

itai · May 3, 2021, 6:12pm

Thanks for the answer!
I’m using the docker image jboss/keycloak:9.0.0, which uses java 11.
when forcing curl to use tls1.3 I get refused with

TLSv1.3 (IN), TLS alert, protocol version (582):

error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

Topic		Replies	Views
TLS v1.3 support Getting advice	3	681	April 13, 2022
Keycloak configuration required to support TLS V1.2 Getting advice	0	473	May 12, 2022
The server selected protocol version TLS11 is not accepted by client preferences [TLS12, SSL20Hello] Configuring the server	8	18283	May 5, 2021
Disabling TLS1.0 TLS1.1	3	3644	June 21, 2022
Could not convert socket to TLS	1	1677	November 12, 2021

Keycloak and TLS1.3

Related Topics