[keycloak-user] Does Keycloak adhere to the JCA (Java Cryptography Architecture)? i.e. if I change the JVM's crypto provider, keycloak should use that.

Stian Thorgersen sthorger at redhat.com
Thu Apr 14 13:53:58 EDT 2016


Actually there are two parts. One is signing of tokens and the other is SSL.
SSL should be configurable as it's just a matter of configuring
Undertow/WildFly underneath. Token signatures are at the moment hard-coded
to BouncyCastle.
On 14 Apr 2016 19:12, "jazz" <jazz at sqmail.me> wrote:

> Hi Akshay, Stian and Marko,
>
> This question helps me with something similar I asked yesterday. I enabled
> strong ciphers in the JVM (JCE installed). However, when I switch SSL
> logging on using "-Djavax.net.debug=ssl:handshake" I see that the strong
> ciphers on the SSL proxy (ECDHE) are not supported (hence the message
> "Ignoring unsupported cipher suite").
>
> 2016-04-13 22:05:43,040 INFO  [stdout] (default task-15) Allow unsafe
> renegotiation: false
> 2016-04-13 22:05:43,042 INFO  [stdout] (default task-15) Allow legacy
> hello messages: true
> 2016-04-13 22:05:43,043 INFO  [stdout] (default task-15) Is initial
> handshake: true
> 2016-04-13 22:05:43,044 INFO  [stdout] (default task-15) Is secure
> renegotiation: false
> 2016-04-13 22:05:43,048 INFO  [stdout] (default task-15) Ignoring
> unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> 2016-04-13 22:05:43,049 INFO  [stdout] (default task-15) Ignoring
> unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> 2016-04-13 22:05:43,050 INFO  [stdout] (default task-15) Ignoring
> unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
> 2016-04-13 22:05:43,050 INFO  [stdout] (default task-15) Ignoring
> unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> 2016-04-13 22:05:43,051 INFO  [stdout] (default task-15) Ignoring
> unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> 2016-04-13 22:05:43,052 INFO  [stdout] (default task-15) Ignoring
> unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
> 2016-04-13 22:05:43,055 INFO  [stdout] (default task-15) %% No cached
> client session
> 2016-04-13 22:05:43,056 INFO  [stdout] (default task-15) *** ClientHello,
> TLSv1.2
> 2016-04-13 22:05:43,058 INFO  [stdout] (default task-15)
> RandomCookie:  GMT: 1460512151 bytes = { 14, 53, 153, 224, 92, 2, 43, 139,
> 161, 201, 181, 69, 65, 9, 110, 156, 40, 223, 11, 184, 237, 137, 9, 239,
> 221, 180, 164, 163}
> 2016-04-13 22:05:43,059 INFO  [stdout] (default task-15) Session ID:  {}
> 2016-04-13 22:05:43,060 INFO  [stdout] (default task-15) Cipher Suites:
> [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256,
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
> SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
>
> Which ciphers are used by the Bouncycastle provider? Can I enable the use
> of ECDHE ciphers? These ciphers are enabled in the ssl proxy:
>
> ssl_ciphers  ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
>
>
> Best regards, Bart
>
>
> Message: 2
> Date: Thu, 14 Apr 2016 13:28:19 +0200
> From: Stian Thorgersen <sthorger at redhat.com>
> Subject: Re: [keycloak-user] Does Keycloak adhere to the JCA (Java
>         Cryptography Architecture)? i.e. if I change the JVM's crypto
>         provider, keycloak should use that.
> To: Akshay Kini <kga.official at gmail.com>
> Cc: keycloak-user <keycloak-user at lists.jboss.org>
> Message-ID:
>         <
> CAJgngAcMjw2g8Ti425RqDKiD1b2FDfeO6F+nb+1KS97AXMoq7w at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Afraid it's hardcoded to use Bouncycastle as the provider. You can open a
> JIRA for it though.
>
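As an added example (not code from this thread, from Keycloak or from BouncyCastle): a small Java program that prints the JCA provider order and checks, from the JVM side, whether the ECDHE suites in Bart's proxy configuration are supported and enabled by the default SSLContext. The OpenSSL-to-JSSE name mapping is a table I constructed for the eight suites on that ssl_ciphers line.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;

public class CipherSuiteCheck {
    /** OpenSSL names from the proxy's ssl_ciphers line mapped to their JSSE names (constructed table). */
    static final Map<String, String> PROXY_SUITES = new LinkedHashMap<>();
    static {
        PROXY_SUITES.put("ECDHE-ECDSA-AES256-GCM-SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
        PROXY_SUITES.put("ECDHE-RSA-AES256-GCM-SHA384",   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
        PROXY_SUITES.put("ECDHE-ECDSA-AES256-SHA384",     "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384");
        PROXY_SUITES.put("ECDHE-RSA-AES256-SHA384",       "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384");
        PROXY_SUITES.put("ECDHE-ECDSA-AES128-GCM-SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
        PROXY_SUITES.put("ECDHE-RSA-AES128-GCM-SHA256",   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
        PROXY_SUITES.put("ECDHE-ECDSA-AES128-SHA256",     "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256");
        PROXY_SUITES.put("ECDHE-RSA-AES128-SHA256",       "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");
    }

    /** Classifies one JSSE suite name: enabled by default, merely supported, or absent from this JVM. */
    static String classify(String jsseName, Set<String> enabled, Set<String> supported) {
        if (enabled.contains(jsseName)) return "enabled by default";
        if (supported.contains(jsseName)) return "supported but NOT enabled by default";
        return "NOT supported by this JVM";
    }

    public static void main(String[] args) throws Exception {
        // 1. JCA provider precedence: the first provider implementing an algorithm wins, so where
        //    BouncyCastle sits relative to SunJSSE/SunEC (which supplies the EC key exchange) matters.
        System.out.println("JCA providers in precedence order:");
        for (Provider p : Security.getProviders()) {
            System.out.printf("  %s - %s%n", p.getName(), p.getInfo());
        }
        // 2. What the default SSLContext can offer versus what it actually enables.
        //    On older JDKs the AES-256 suites only show up with the unlimited-strength JCE policy.
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new TreeSet<>(Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new TreeSet<>(Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));
        System.out.println("Default protocols: " + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        // 3. Check each suite the proxy insists on against this JVM.
        for (Map.Entry<String, String> e : PROXY_SUITES.entrySet()) {
            System.out.printf("  %-30s -> %-42s %s%n", e.getKey(), e.getValue(),
                    classify(e.getValue(), enabled, supported));
        }
    }
}
```

The "Ignoring unsupported cipher suite ... for TLSv1" lines in the log are expected on their own, since the SHA-256 suites exist only in TLS 1.2; the telling detail is that the ClientHello lists no TLS_ECDHE_* suites at all, and this check separates "absent from the JVM" from "present but not enabled".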