[keycloak-user] Does Keycloak adhere to the JCA (Java Cryptography Architecture)? i.e. if I change the JVM's crypto provider, keycloak should use that.

jazz jazz at sqmail.me
Thu Apr 14 13:12:08 EDT 2016 

Hi Ashkay, Stian and Marko,

This question helps me with something similar I asked yesterday. I
enabled strong ciphers in the JVM (JCE installed). However, when I
switch SSL logging on using "-Djavax.net.debug=ssl:handshake" I see
that strong ciphers on the ssl proxy (ECDHE) are not supported
(therefore the message Ignoring unsupported cipher suites). 

2016-04-13 22:05:43,040 INFO  [stdout] (default task-15) Allow unsafe
renegotiation: false
2016-04-13 22:05:43,042 INFO  [stdout] (default task-15) Allow legacy
hello messages: true
2016-04-13 22:05:43,043 INFO  [stdout] (default task-15) Is initial
handshake: true
2016-04-13 22:05:43,044 INFO  [stdout] (default task-15) Is secure
renegotiation: false
2016-04-13 22:05:43,048 INFO  [stdout] (default task-15) Ignoring
unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 22:05:43,049 INFO  [stdout] (default task-15) Ignoring
unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 22:05:43,050 INFO  [stdout] (default task-15) Ignoring
unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 22:05:43,050 INFO  [stdout] (default task-15) Ignoring
unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 22:05:43,051 INFO  [stdout] (default task-15) Ignoring
unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1.1
2016-04-13 22:05:43,052 INFO  [stdout] (default task-15) Ignoring
unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
TLSv1.1
2016-04-13 22:05:43,055 INFO  [stdout] (default task-15) %% No cached
client session
2016-04-13 22:05:43,056 INFO  [stdout] (default task-15) ***
ClientHello, TLSv1.2
2016-04-13 22:05:43,058 INFO  [stdout] (default task-15)
RandomCookie:  GMT: 1460512151 bytes = { 14, 53, 153, 224, 92, 2, 43,
139, 161, 201, 181, 69, 65, 9, 110, 156, 40, 223, 11, 184, 237, 137, 9,
239, 221, 180, 164, 163}
2016-04-13 22:05:43,059 INFO  [stdout] (default task-15) Session
ID:  {}
2016-04-13 22:05:43,060 INFO  [stdout] (default task-15) Cipher Suites:
[TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

Which ciphers are used by the Bouncycastle provider? Can I enable the
use of ECDHE ciphers? These ciphers are enabled in the ssl proxy:

ssl_ciphers 		ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-
AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-
SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM SHA256:ECDHE-
ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;


Best regards, Bart


Message: 2
Date: Thu, 14 Apr 2016 13:28:19 +0200
From: Stian Thorgersen <sthorger at redhat.com>
Subject: Re: [keycloak-user] Does Keycloak adhere to the JCA (Java
        Cryptography Architecture)? i.e. if I change the JVM's crypto
        provider, keycloak should use that.
To: Akshay Kini <kga.official at gmail.com>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Message-ID:
        <CAJgngAcMjw2g8Ti425RqDKiD1b2FDfeO6F+nb+1KS97AXMoq7w at mail.gmail
.com>
Content-Type: text/plain; charset="utf-8"

Afraid it's hardcoded to use Bouncycastle as the provider. You can open
a
JIRA for it though.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160414/1f5d5e27/attachment.html

More information about the keycloak-user mailing list