<html><head></head><body><div>Hi Ashkay, Stian and Marko,</div><div><br></div><div>This question helps me with something similar I asked yesterday. I enabled strong ciphers in the JVM (JCE installed). However, when I switch SSL logging on using "<span style="color: rgb(169, 183, 198); font-family: 'Source Code Pro'; font-size: 10.5pt; background-color: rgb(43, 43, 43);">-Djavax.net.debug=ssl:handshake" I see that strong ciphers on the ssl proxy (ECDHE) are not supported (therefore the message Ignoring unsupported cipher suites).&nbsp;</span></div><div><br></div><div>2016-04-13 22:05:43,040 INFO&nbsp;&nbsp;[stdout] (default task-15) Allow unsafe renegotiation: false</div><div>2016-04-13 22:05:43,042 INFO&nbsp;&nbsp;[stdout] (default task-15) Allow legacy hello messages: true</div><div>2016-04-13 22:05:43,043 INFO&nbsp;&nbsp;[stdout] (default task-15) Is initial handshake: true</div><div>2016-04-13 22:05:43,044 INFO&nbsp;&nbsp;[stdout] (default task-15) Is secure renegotiation: false</div><div>2016-04-13 22:05:43,048 INFO&nbsp;&nbsp;[stdout] (default task-15) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1</div><div>2016-04-13 22:05:43,049 INFO&nbsp;&nbsp;[stdout] (default task-15) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1</div><div>2016-04-13 22:05:43,050 INFO&nbsp;&nbsp;[stdout] (default task-15) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1</div><div>2016-04-13 22:05:43,050 INFO&nbsp;&nbsp;[stdout] (default task-15) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1</div><div>2016-04-13 22:05:43,051 INFO&nbsp;&nbsp;[stdout] (default task-15) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1</div><div>2016-04-13 22:05:43,052 INFO&nbsp;&nbsp;[stdout] (default task-15) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1</div><div>2016-04-13 22:05:43,055 INFO&nbsp;&nbsp;[stdout] (default task-15) %% No cached client session</div><div>2016-04-13 22:05:43,056 INFO&nbsp;&nbsp;[stdout] (default task-15) *** ClientHello, TLSv1.2</div><div>2016-04-13 22:05:43,058 INFO&nbsp;&nbsp;[stdout] (default task-15) RandomCookie:&nbsp;&nbsp;GMT: 1460512151 bytes = { 14, 53, 153, 224, 92, 2, 43, 139, 161, 201, 181, 69, 65, 9, 110, 156, 40, 223, 11, 184, 237, 137, 9, 239, 221, 180, 164, 163}</div><div>2016-04-13 22:05:43,059 INFO&nbsp;&nbsp;[stdout] (default task-15) Session ID:&nbsp;&nbsp;{}</div><div>2016-04-13 22:05:43,060 INFO&nbsp;&nbsp;[stdout] (default task-15) Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]</div><div><br></div><div>Which ciphers are used by the Bouncycastle provider? Can I enable the use of ECDHE ciphers? These ciphers are enabled in the ssl proxy:</div><div><br></div><div>ssl_ciphers&nbsp;<span class="Apple-tab-span" style="white-space:pre">        </span><span class="Apple-tab-span" style="white-space:pre">        </span>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;</div><div><br></div><div><br></div><div>Best regards, Bart</div><div><br></div><div><br></div><div><span style="font-family: monospace;">Message: 2</span><br style="font-family: monospace;"><span style="font-family: monospace;">Date: Thu, 14 Apr 2016 13:28:19 +0200</span><br style="font-family: monospace;"><span style="font-family: monospace;">From: Stian Thorgersen &lt;</span><a href="mailto:sthorger@redhat.com" style="font-family: monospace;">sthorger@redhat.com</a><span style="font-family: monospace;">&gt;</span><br style="font-family: monospace;"><span style="font-family: monospace;">Subject: Re: [keycloak-user] Does Keycloak adhere to the JCA (Java</span><br style="font-family: monospace;"><span style="font-family: monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cryptography Architecture)? i.e. if I change the JVM's crypto</span><br style="font-family: monospace;"><span style="font-family: monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;provider, keycloak should use that.</span><br style="font-family: monospace;"><span style="font-family: monospace;">To: Akshay Kini &lt;</span><a href="mailto:kga.official@gmail.com" style="font-family: monospace;">kga.official@gmail.com</a><span style="font-family: monospace;">&gt;</span><br style="font-family: monospace;"><span style="font-family: monospace;">Cc: keycloak-user &lt;</span><a href="mailto:keycloak-user@lists.jboss.org" style="font-family: monospace;">keycloak-user@lists.jboss.org</a><span style="font-family: monospace;">&gt;</span><br style="font-family: monospace;"><span style="font-family: monospace;">Message-ID:</span><br style="font-family: monospace;"><span style="font-family: monospace;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;</span><a href="mailto:CAJgngAcMjw2g8Ti425RqDKiD1b2FDfeO6F+nb+1KS97AXMoq7w@mail.gmail.com" style="font-family: monospace;">CAJgngAcMjw2g8Ti425RqDKiD1b2FDfeO6F+nb+1KS97AXMoq7w@mail.gmail.com</a><span style="font-family: monospace;">&gt;</span><br style="font-family: monospace;"><span style="font-family: monospace;">Content-Type: text/plain; charset="utf-8"</span><br style="font-family: monospace;"><br style="font-family: monospace;"><span style="font-family: monospace;">Afraid it's hardcoded to use Bouncycastle as the provider. You can open a</span><br style="font-family: monospace;"><span style="font-family: monospace;">JIRA for it though.</span></div></body></html>