The server selected protocol version TLS11 is not accepted by client preferences [TLS12, SSL20Hello]

I’m trying to set up the email configuration in a new realm in the admin console. All the email details are correct, and when I test the connection it fails. Looking in the logs, it says this:
javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS11 is not accepted by client preferences [TLS12, SSL20Hello]

I have tried adding this:
-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2
to /opt/keycloak/current/bin/standalone.conf and I know that’s working because if I force 1.1 only then Keycloak is not accessible over port 8443.

But this doesn’t seem to have any effect on sending emails. The email server I am using does have 1.2 but still has 1.1 available but deprecated - I don’t know why it’s choosing to use 1.1 but maybe that’s a different problem.

Anyone know how to enable TLSv1.1 for sending out emails? Many thanks.

TLS 1.1 is deprecated. So you may open a security hole if you allow it. I would rather fix TLS preference on the mail server.

Thanks @jangaraj. Yeah I appreciate the fact it’s deprecated and insecure. I tried a different email provider and that works fine. The one not working is a huge provider for email worldwide so it’s a bit weird and I doubt I can make any headway with having them address the issue. If I wanted to accept the risk, is it possible to do?

IMHO it is configured on the JVM level, so overriding from the app doesn’t work. Check the documentation of the Java version used. Maybe it can be configured in the java.security file, default properties, …

I once had the issue that I had to enable something on the OS level, not on the JVM. I searched my … off to find this out.
But don’t ask me now what exactly it was in those former days… some “legacy” set of encryption policies on the OS.
Fixing SSL/TLS issues is always a big PITA! Worse than timezones and encoding.

For anyone stumbling on this: on RedHat-based systems, delete this file

/etc/crypto-policies/back-ends/java.config

and TLS1.0 will work without changing anything else, at least with official Keycloak images.

This is because such OS-specific settings override the JDK security policy so even if you change them in JAVA_HOME they will not be picked up.


It might be worth first trying to edit that file and removing the disabled security protocols that you want enabled, or you may be opening up your server to more than you want to. I did try this and I believe TLS 1.1 was enabled, but in trying to send an email I got an error again about a possible downgrade attack. So, I’m back to using an email provider that is using TLS 1.2. Thanks for the help with this @nicolabeghin

@soundessential absolutely true, but after 3 days on this I preferred to stick to out-of-the-box JDK policies without external OS interferences, especially because we’re talking about Docker images (it really drove me crazy :D)

Addition from May 2021 for an updated Dockerfile to re-enable TLS1.0:

# Drop the OS crypto-policy override, then strip TLSv1 and TLSv1.1 from the
# JDK's disabled list (only SSLv3 stays disabled, so TLS 1.0 and 1.1 come back).
RUN rm /etc/crypto-policies/back-ends/java.config &&\
    sed -i 's/jdk\.tls\.disabledAlgorithms=SSLv3, TLSv1, TLSv1\.1/jdk\.tls\.disabledAlgorithms=SSLv3/' /usr/lib/jvm/jre-11/conf/security/java.security
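The suggestion earlier in the thread to edit the policy rather than delete it, and the Dockerfile sed above (which re-enables both TLS 1.0 and TLS 1.1 at once), can be narrowed to a single protocol. The script below is an added example, not code from the thread or from Keycloak: it works on a constructed copy of a java.security file (the file path and the sample jdk.tls.disabledAlgorithms content are assumptions modelled on an OpenJDK 11 layout), joins the backslash continuation lines that the real file uses, and removes exactly one entry so that SSLv3, TLSv1 and the key-size and cipher restrictions stay disabled.

```shell
#!/bin/sh
# Added example (not from the thread): re-enable one protocol in
# jdk.tls.disabledAlgorithms instead of deleting the whole OS policy file.
set -eu

# Print the effective jdk.tls.disabledAlgorithms entries, one per line,
# after joining backslash continuation lines and trimming whitespace.
disabled_tokens() {
    sed -e :a -e '/\\$/N; s/\\\n//; ta' "$1" \
      | sed -n 's/^jdk\.tls\.disabledAlgorithms=//p' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep -v '^$'
}

# Same list as the single comma-separated string the JDK parses.
disabled_algorithms() {
    disabled_tokens "$1" | paste -s -d, - | sed 's/,/, /g'
}

# Remove exactly one entry (e.g. TLSv1.1) from jdk.tls.disabledAlgorithms.
# Exact-match filtering (grep -x -F) means removing TLSv1.1 leaves TLSv1 alone.
reenable_protocol() {
    file=$1
    proto=$2
    keep=$(disabled_tokens "$file" | grep -v -x -F -- "$proto" | paste -s -d, - | sed 's/,/, /g')
    joined=$(sed -e :a -e '/\\$/N; s/\\\n//; ta' "$file")
    printf '%s\n' "$joined" \
      | sed "s|^jdk\.tls\.disabledAlgorithms=.*|jdk.tls.disabledAlgorithms=$keep|" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# Constructed stand-in for <JAVA_HOME>/conf/security/java.security
# (hypothetical excerpt; the real file carries many more settings).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE="$WORK/java.security"
cat > "$SAMPLE" <<'EOF'
# constructed excerpt of java.security
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224
EOF

echo "before: $(disabled_algorithms "$SAMPLE")"
reenable_protocol "$SAMPLE" TLSv1.1
echo "after:  $(disabled_algorithms "$SAMPLE")"
```

Run it against a copy of the real file first and diff the result; only the jdk.tls.disabledAlgorithms line should change. On RedHat-based images the OS override at /etc/crypto-policies/back-ends/java.config still has to be dealt with, as the thread describes, because that file is applied on top of java.security.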