<html><head></head><body><div>Hi,</div><div><br></div><div>I have wildfly 10 installed using nginx as https proxy server [1, standalone-full.xml]. Works great when using weak ciphers in nginx. In that case keycloak can connect back to the app after authentication (redirect SSL). When using strong ciphers in nginx [2] it fails the SSL handshake [4]. JCE seems enabled since the deployed app reports&nbsp;2016-04-13 21:41:33,304 INFO&nbsp;&nbsp;[stdout] (ServerService Thread Pool -- 83) max allowed keylength = 2147483647</div><div><br></div><div>My question is: does keycloak use a limited set of ciphers? SNI works fine according to the log. I was digging in the code, but could not find anything obvious [5]</div><div><br></div><div>Best regards, Jazz</div><div><br></div><div>[1] wildfly standalone-full.xml</div><div><br></div><address>&lt;subsystem xmlns="urn:jboss:domain:undertow:3.0"&gt;</address><address>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;buffer-cache name="default"/&gt;</address><address>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;server name="default-server"&gt;</address><address>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/&gt;</address><address><br></address><address><span class="Apple-tab-span" style="white-space:pre">        </span>[... 
snip ...]</address><address><pre style="background-color:#2b2b2b;color:#a9b7c6;font-family:'Source Code Pro';font-size:10.5pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style="font-size: 10.5pt;">&lt;socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"&gt;</span></pre><pre style="background-color:#2b2b2b;color:#a9b7c6;font-family:'Source Code Pro';font-size:10.5pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/&gt;</pre><pre style="background-color:#2b2b2b;color:#a9b7c6;font-family:'Source Code Pro';font-size:10.5pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/&gt;</pre><pre style="background-color:#2b2b2b;color:#a9b7c6;font-family:'Source Code Pro';font-size:10.5pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;socket-binding name="http" port="${jboss.http.port:8080}"/&gt;</pre><pre style="background-color:#2b2b2b;color:#a9b7c6;font-family:'Source Code Pro';font-size:10.5pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;socket-binding name="https" port="${jboss.https.port:8444}"/&gt;</pre><pre style="background-color:#2b2b2b;color:#a9b7c6;font-family:'Source Code Pro';font-size:10.5pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;socket-binding name="proxy-https" port="443"/&gt;</pre><pre style="background-color:#2b2b2b;color:#a9b7c6;font-family:'Source Code Pro';font-size:10.5pt;"><br></pre></address><div>[2] nginx ssl.conf</div><div>&nbsp;ssl_protocols&nbsp;<span class="Apple-tab-span" style="white-space:pre">        </span><span class="Apple-tab-span" style="white-space:pre">        </span>TLSv1 TLSv1.1 TLSv1.2;</div><div>&nbsp;ssl_prefer_server_ciphers on;</div><div>&nbsp;&nbsp;&nbsp;&nbsp;ssl_session_timeout 
5m;</div><div>&nbsp;&nbsp;&nbsp;&nbsp;ssl_ciphers&nbsp;<span class="Apple-tab-span" style="white-space:pre">        </span><span class="Apple-tab-span" style="white-space:pre">        </span>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;</div><div>&nbsp; &nbsp;&nbsp;</div><div><br></div><div>[3] wildfly ssl debug enabled in /etc/systemd/system/wildfly.service&nbsp;</div><div><br></div><div>[4]</div><div><br></div><div>2016-04-13 21:41:46,495 INFO&nbsp;&nbsp;[stdout] (default task-7) default task-7, setSoTimeout(0) called</div><div>2016-04-13 21:41:46,498 INFO&nbsp;&nbsp;[stdout] (default task-7) Allow unsafe renegotiation: false</div><div>2016-04-13 21:41:46,500 INFO&nbsp;&nbsp;[stdout] (default task-7) Allow legacy hello messages: true</div><div>2016-04-13 21:41:46,502 INFO&nbsp;&nbsp;[stdout] (default task-7) Is initial handshake: true</div><div>2016-04-13 21:41:46,503 INFO&nbsp;&nbsp;[stdout] (default task-7) Is secure renegotiation: false</div><div>2016-04-13 21:41:46,505 INFO&nbsp;&nbsp;[stdout] (default task-7) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1</div><div>2016-04-13 21:41:46,506 INFO&nbsp;&nbsp;[stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1</div><div>2016-04-13 21:41:46,508 INFO&nbsp;&nbsp;[stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1</div><div>2016-04-13 21:41:46,509 INFO&nbsp;&nbsp;[stdout] (default task-7) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1</div><div>2016-04-13 21:41:46,511 INFO&nbsp;&nbsp;[stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1</div><div>2016-04-13 21:41:46,512 INFO&nbsp;&nbsp;[stdout] (default task-7) Ignoring 
unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1</div><div>2016-04-13 21:41:46,514 INFO&nbsp;&nbsp;[stdout] (default task-7) %% No cached client session</div><div>2016-04-13 21:41:46,518 INFO&nbsp;&nbsp;[stdout] (default task-7) *** ClientHello, TLSv1.2</div><div>2016-04-13 21:41:46,522 INFO&nbsp;&nbsp;[stdout] (default task-7) RandomCookie:&nbsp;&nbsp;GMT: 1460510714 bytes = { 151, 73, 204, 252, 103, 130, 99, 194, 229, 121, 137, 218, 8, 134, 230, 194, 64, 147, 182, 180, 12, 171, 41, 74, 46, 186, 180, 88 }</div><div>2016-04-13 21:41:46,523 INFO&nbsp;&nbsp;[stdout] (default task-7) Session ID:&nbsp;&nbsp;{}</div><div>2016-04-13 21:41:46,525 INFO&nbsp;&nbsp;[stdout] (default task-7) Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]</div><div>2016-04-13 21:41:46,526 INFO&nbsp;&nbsp;[stdout] (default task-7) Compression Methods:&nbsp;&nbsp;{ 0 }</div><div>2016-04-13 21:41:46,527 INFO&nbsp;&nbsp;[stdout] (default task-7) Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA</div><div>2016-04-13 21:41:46,529 INFO&nbsp;&nbsp;[stdout] (default task-7) Extension 
server_name, server_name: [type=host_name (0), value=keycloak.example.com]</div><div>2016-04-13 21:41:46,530 INFO&nbsp;&nbsp;[stdout] (default task-7) ***</div><div>2016-04-13 21:41:46,531 INFO&nbsp;&nbsp;[stdout] (default task-7) default task-7, WRITE: TLSv1.2 Handshake, length = 138</div><div>2016-04-13 21:41:46,533 INFO&nbsp;&nbsp;[stdout] (default task-7) default task-7, READ: TLSv1.2 Alert, length = 2</div><div>2016-04-13 21:41:46,534 INFO&nbsp;&nbsp;[stdout] (default task-7) default task-7, RECV TLSv1.2 ALERT:&nbsp;&nbsp;fatal, handshake_failure</div><div>2016-04-13 21:41:46,535 INFO&nbsp;&nbsp;[stdout] (default task-7) default task-7, called closeSocket()</div><div>2016-04-13 21:41:46,536 INFO&nbsp;&nbsp;[stdout] (default task-7) default task-7, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure</div><div>2016-04-13 21:41:46,537 INFO&nbsp;&nbsp;[stdout] (default task-7) default task-7, called close()</div><div>2016-04-13 21:41:46,538 INFO&nbsp;&nbsp;[stdout] (default task-7) default task-7, called closeInternal(true)</div><div>2016-04-13 21:41:46,539 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-7) failed to turn code into token: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at 
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)</div><div><span class="Apple-tab-span" style="white-space:pre">        
</span>at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at 
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at 
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at 
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)</div><div><span class="Apple-tab-span" style="white-space:pre">        </span>at java.lang.Thread.run(Thread.java:745)</div><div><br></div><div><pre style="background-color:#2b2b2b;color:#a9b7c6;font-family:'Source Code Pro';font-size:10.5pt;">[5] <a href="https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/SniSSLSocketFactory.java">https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/SniSSLSocketFactory.java</a></pre><pre style="background-color:#2b2b2b;color:#a9b7c6;font-family:'Source Code Pro';font-size:10.5pt;"><br></pre></div></body></html>
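<div>Added example (editor's code, not part of Jazz's post and not Keycloak's own code): an offline check of whether the ClientHello dumped in [4] can be satisfied by the nginx <code>ssl_ciphers</code> list in [2]. nginx spells suites in OpenSSL form and the JSSE debug log in IANA form, so the script translates OpenSSL names into IANA names before intersecting the two lists. Run on the page's own data the intersection is empty: the ClientHello offers only RSA and DHE key-exchange suites (no TLS_ECDHE_* at all), while [2] permits only ECDHE suites. <code>HYPOTHETICAL_CONF</code> is constructed for contrast and is not a recommended configuration.</div>

```python
"""Does a TLS client's offered cipher list intersect the server's configured list?

Added example, not from the original post. CLIENT_HELLO_LOG and STRONG_CONF are
copied from the post's [4] and [2]; HYPOTHETICAL_CONF is constructed for contrast.
"""
import re

# OpenSSL name tokens -> IANA/JSSE spelling. Covers TLS 1.0-1.2 AES-CBC/GCM only.
_KX = {"ECDHE": "ECDHE", "DHE": "DHE", "ECDH": "ECDH", "DH": "DH"}
_AUTH = {"RSA": "RSA", "ECDSA": "ECDSA", "DSS": "DSS"}
_ENC = {"AES128": "AES_128", "AES256": "AES_256"}
_MAC = {"SHA": "SHA", "SHA256": "SHA256", "SHA384": "SHA384"}


def openssl_to_iana(name):
    """ECDHE-RSA-AES128-GCM-SHA256 -> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
    Returns None for names outside the covered families (3DES, ChaCha20, ...)."""
    toks = name.split("-")
    if toks[0] in _KX:
        if len(toks) < 4 or toks[1] not in _AUTH:
            return None
        prefix, rest = f"TLS_{_KX[toks[0]]}_{_AUTH[toks[1]]}", toks[2:]
    else:
        # No key-exchange token means static RSA key exchange, e.g. AES128-SHA.
        prefix, rest = "TLS_RSA", toks
    if not rest or rest[0] not in _ENC:
        return None
    enc, rest = _ENC[rest[0]], rest[1:]
    mode = "CBC"
    if rest and rest[0] == "GCM":
        mode, rest = "GCM", rest[1:]
    if len(rest) != 1 or rest[0] not in _MAC:
        return None
    return f"{prefix}_WITH_{enc}_{mode}_{_MAC[rest[0]]}"


def parse_nginx_ciphers(conf):
    """Return (iana_names, unresolved) from the ssl_ciphers directive. Keyword
    groups such as HIGH or kECDHE and !/-/+ modifiers cannot be expanded offline,
    so they land in `unresolved` instead of being silently dropped."""
    m = re.search(r"(?m)^\s*ssl_ciphers\s+([^;]+);", conf)
    if not m:
        raise ValueError("no ssl_ciphers directive found")
    resolved, unresolved = [], []
    for tok in re.split(r"[:,\s]+", m.group(1).strip()):
        if not tok:
            continue
        iana = None if tok[0] in "!-+@" else openssl_to_iana(tok)
        (resolved if iana else unresolved).append(iana or tok)
    return resolved, unresolved


def parse_jsse_client_hello(log):
    """Offered suites from a -Djavax.net.debug=ssl ClientHello dump."""
    m = re.search(r"Cipher Suites:\s*\[([^\]]*)\]", log)
    if not m:
        raise ValueError("no ClientHello cipher list in log")
    return [s.strip() for s in m.group(1).split(",") if s.strip()]


def negotiable(client, server, prefer_server=True):
    """Suites both sides accept, in the preference order of the side that wins."""
    first, second = (server, client) if prefer_server else (client, server)
    other = set(second)
    return [s for s in first if s in other]


def diagnose(log, conf):
    client = parse_jsse_client_hello(log)
    server, unresolved = parse_nginx_ciphers(conf)
    prefer = re.search(r"ssl_prefer_server_ciphers\s+on", conf) is not None
    common = negotiable(client, server, prefer)
    return {
        "client_offers_ecdhe": any(s.startswith("TLS_ECDHE_") for s in client),
        "server_ecdhe_only": bool(server) and all(s.startswith("TLS_ECDHE_") for s in server),
        "common": common,
        "unresolved": unresolved,
        "verdict": "handshake can succeed" if common else "handshake_failure expected",
    }


# Copied from [4] (one log line, wrapped here).
CLIENT_HELLO_LOG = (
    "2016-04-13 21:41:46,525 INFO  [stdout] (default task-7) Cipher Suites: ["
    "TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, "
    "TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, "
    "TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, "
    "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, "
    "TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, "
    "TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, "
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, "
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV]"
)
# Copied from [2].
STRONG_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
"""
# Constructed for contrast only: adds one DHE suite the logged client does offer.
HYPOTHETICAL_CONF = "ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256;"

if __name__ == "__main__":
    for label, conf in (("[2] as posted", STRONG_CONF), ("hypothetical", HYPOTHETICAL_CONF)):
        print(label, diagnose(CLIENT_HELLO_LOG, conf))
```

<div>Because the logged client offers no TLS_ECDHE_* suite at all, the next check belongs on the WildFly JVM rather than in nginx: <code>SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()</code> shows whether ECDHE suites exist there at all (a JVM without a working EC provider offers none). Loosening nginx to a DHE suite, as the constructed list does, makes the handshake succeed but gives up ECDHE, which is the wrong direction for a fix.</div>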