<p dir="ltr">+1 Makes sense</p>
<br><div class="gmail_quote"><div dir="ltr">On Wed, Mar 2, 2016, 5:46 AM Stian Thorgersen &lt;<a href="mailto:sthorger@redhat.com">sthorger@redhat.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">+1 To do nothing<div><br></div><div>SSL for KC itself is provided by WildFly, so this is WildFly/Undertow&#39;s responsibility. For outgoing SSL connections (db, ldap, etc.) it&#39;s up to the admin to configure those resources correctly.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 2 March 2016 at 09:34, Juraci Paixão Kröhling <span dir="ltr">&lt;<a href="mailto:jpkroehling@redhat.com" target="_blank">jpkroehling@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 01.03.2016 21:25, Bruno Oliveira wrote:<br>
&gt;<br>
&gt; Ahoy, today I was reading about this &quot;new&quot; vulnerability on TLS<br>
&gt; (<a href="http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html" rel="noreferrer" target="_blank">http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html</a>).<br>
&gt; And was wondering if we should blacklist or document broken protocols.<br>
&gt; Preventing people from deploying Keycloak in non-secure environments.<br>
&gt;<br>
</span>...<br>
<span>&gt;<br>
&gt; Should we document? Blacklist? Or leave it as is?<br>
<br>
</span>I&#39;d say &quot;do nothing&quot;. Good system admins already have something in place<br>
that would alert them in those cases, ranging from monitoring<br>
vulnerability databases to scripting the score check via <a href="http://ssllabs.com" rel="noreferrer" target="_blank">ssllabs.com</a>.<br>
<br>
The main problem that I see with adding some sort of support like this<br>
directly into Keycloak is that you&#39;d need a lot of effort to keep it up<br>
to date. If a comprehensive check cannot be done, people would either<br>
ignore it or trust it because of the false sense of security it<br>
gives.<br>
<br>
- Juca.<br>
<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</blockquote></div><br></div>
</blockquote></div>
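<p dir="ltr">Added example, not code from the thread or from the Keycloak/WildFly projects: the "script the check yourself" approach Juca describes, applied to the part Stian says is the admin's job, the Undertow <code>https-listener</code> in <code>standalone.xml</code>. The script flags listeners that enable SSLv2/SSLv3, that enable TLS 1.0/1.1, that leave <code>enabled-protocols</code> unset (JVM defaults), or that list weak cipher suites. The XML samples are constructed for the demo; the attribute names are Undertow's own, while the severity labels and the weak-suite marker list are this script's choices. One caveat a config lint cannot cover: a Java/Undertow listener does not speak SSLv2 at all, so DROWN exposure for a Keycloak deployment comes from the same certificate and key being served by some other SSLv2-capable server, which only an external scan of every host using that key will find.</p>

```python
"""Lint Undertow https-listener TLS settings in a WildFly standalone.xml.

Added example; not part of Keycloak or WildFly. The XML samples are
constructed for the demo. Attribute names (enabled-protocols,
enabled-cipher-suites) are Undertow's; the severity labels and the
weak-suite markers are assumptions made by this script.
"""
import xml.etree.ElementTree as ET

# SSLv2 (DROWN) and SSLv3 (POODLE) are broken; TLS 1.0/1.1 are deprecated
# (RFC 8996). SSLv2Hello is only the legacy hello format, but a hardened
# listener has no reason to advertise it.
BROKEN = {"SSLv2", "SSLv2Hello", "SSLv3"}
DEPRECATED = {"TLSv1", "TLSv1.1"}
# Name fragments that mark a JSSE cipher suite as unacceptable (assumed list).
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "_DES_", "3DES", "anon", "MD5")

# Constructed sample: SSLv3 and TLS 1.0 enabled, an RC4 suite allowed.
WEAK_CONFIG = """<subsystem xmlns="urn:jboss:domain:undertow:3.0">
  <server name="default-server">
    <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm"
        enabled-protocols="SSLv3,TLSv1,TLSv1.2"
        enabled-cipher-suites="TLS_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
  </server>
</subsystem>"""

# Constructed sample: protocols pinned, only AEAD ECDHE suites.
HARDENED_CONFIG = """<subsystem xmlns="urn:jboss:domain:undertow:3.0">
  <server name="default-server">
    <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm"
        enabled-protocols="TLSv1.2,TLSv1.3"
        enabled-cipher-suites="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
  </server>
</subsystem>"""

# Constructed sample: nothing pinned, so the JVM's defaults decide.
DEFAULT_CONFIG = """<subsystem xmlns="urn:jboss:domain:undertow:3.0">
  <server name="default-server">
    <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm"/>
  </server>
</subsystem>"""


def _local(tag):
    """Strip the XML namespace so the check works across subsystem versions."""
    return tag.rsplit("}", 1)[-1]


def check_https_listeners(xml_text):
    """Return a list of (listener name, severity, message) findings."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "https-listener":
            continue
        name = el.get("name", "<unnamed>")
        protocols = el.get("enabled-protocols")
        if protocols is None:
            findings.append((name, "WARN",
                             "enabled-protocols not set; listener inherits JVM "
                             "defaults, pin TLSv1.2 or newer explicitly"))
        else:
            for p in (x.strip() for x in protocols.split(",")):
                if p in BROKEN:
                    findings.append((name, "FAIL", f"broken protocol enabled: {p}"))
                elif p in DEPRECATED:
                    findings.append((name, "WARN", f"deprecated protocol enabled: {p}"))
        suites = el.get("enabled-cipher-suites")
        if suites:
            for s in (x.strip() for x in suites.split(",")):
                if any(m in s for m in WEAK_CIPHER_MARKERS):
                    findings.append((name, "FAIL", f"weak cipher suite enabled: {s}"))
    return findings


def verdict(findings):
    """Collapse findings to PASS/WARN/FAIL, e.g. for a CI exit status."""
    severities = {sev for _, sev, _ in findings}
    if "FAIL" in severities:
        return "FAIL"
    if "WARN" in severities:
        return "WARN"
    return "PASS"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                       ("default", DEFAULT_CONFIG)):
        found = check_https_listeners(cfg)
        print(f"{label}: {verdict(found)}")
        for name, sev, msg in found:
            print(f"  [{sev}] {name}: {msg}")
```

<p dir="ltr">Run it against a real <code>standalone.xml</code> by reading the file into <code>check_https_listeners</code>; the namespace is stripped per element, so the Undertow subsystem version in the <code>xmlns</code> does not matter. It only reads what the file pins, which is exactly the limitation Juca raises: a list like this goes stale, so treat it as a floor and keep an external scan in place as well.</p>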