
Regression due to ubi-8/OpenJDK 11 upgrade: User Federation -> LDAP Connection doesn't support TLS < 1.2


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Explained
    • Affects Version/s: 7.0.1
    • Fix Version/s: None
    • Component/s: LDAP
    • Labels: None
    • Steps to Reproduce:
      • Configure a User Federation against an LDAP server using ldaps that only supports TLS 1.1
      • Use the "Test Authentication" button and get an error message.
    • Docs QE Status: NEW
    • QE Status: NEW

      Description

      Since the new 7.0.1 Docker image is based on ubi-minimal:8, the underlying version of OpenJDK has changed from 8 to 11.

      This breaks LDAPS connections against LDAP servers that only support TLS 1.1 (in this case, an Active Directory 2012 R2 that can't be re-configured due to misc. reasons), with error KC-SERVICES0055 and an exception: javax.net.ssl.SSLHandshakeException; No appropriate protocol (protocol is disabled or cipher suites are inappropriate). Error when authenticating to LDAP; simple bind failed.

      Exactly the same configuration worked with the 7.0.0 image based on jboss/base-jdk:8.

      PS: The versioning of Keycloak is a complete mess w.r.t. semantic versioning (which you probably don't follow anyway). Even though Keycloak was bumped to 7.0.1, the Docker image should really have its major version number bumped when you base it off a different base image with a different OpenJDK version.
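      The handshake error quoted in the report ("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)") is what the JDK's SSL engine throws when none of the protocol versions the peer offers survive the JVM's own security configuration. One likely cause, which the ticket itself does not state, is that the OpenJDK package in ubi-minimal:8 defers to the RHEL 8 system crypto policy, whose DEFAULT level excludes TLS 1.0 and 1.1. The following stand-alone program is an added diagnostic, not code from Keycloak or from the reporter: run inside the container image it prints which TLS versions the default SSLContext will actually negotiate and the current jdk.tls.disabledAlgorithms value, so the JVM-side half of the failure can be confirmed without an LDAP server. The class name and the command-line argument are my own choices.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Arrays;
import java.util.List;

/**
 * Added diagnostic (hypothetical name): reports which TLS protocol versions this JVM
 * will negotiate, to explain KC-SERVICES0055 / SSLHandshakeException against an
 * LDAPS server that only offers an older TLS version.
 */
public class TlsProtocolCheck {

    /** Protocol versions the default SSLContext enables on a freshly created engine. */
    public static List<String> enabledProtocols() throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine engine = ctx.createSSLEngine();
        return Arrays.asList(engine.getEnabledProtocols());
    }

    /** True when the JVM would offer the given version (e.g. "TLSv1.1") in a handshake. */
    public static boolean isEnabled(String protocol) throws NoSuchAlgorithmException {
        return enabledProtocols().contains(protocol);
    }

    /**
     * True when the version is explicitly listed in the jdk.tls.disabledAlgorithms
     * security property (set in java.security, or via the system crypto policy on
     * RHEL 8 based images; that mapping is an assumption, not stated in the ticket).
     */
    public static boolean isDisabledBySecurityProperty(String protocol) {
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (disabled == null) {
            return false;
        }
        for (String token : disabled.split(",")) {
            if (token.trim().equals(protocol)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Version to check; TLSv1.1 matches the server described in the report.
        String wanted = args.length > 0 ? args[0] : "TLSv1.1";

        System.out.println("java.version               = " + System.getProperty("java.version"));
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("enabled protocols          = " + enabledProtocols());

        if (isEnabled(wanted)) {
            System.out.println(wanted + " is enabled: an LDAPS bind to a " + wanted
                    + "-only server can complete the handshake on this JVM.");
        } else {
            System.out.println(wanted + " is NOT enabled"
                    + (isDisabledBySecurityProperty(wanted) ? " (listed in jdk.tls.disabledAlgorithms)" : "")
                    + ": expect 'No appropriate protocol (protocol is disabled or cipher suites are inappropriate)'"
                    + " when the server offers nothing newer.");
        }
    }
}
```

      Compile and run it with `javac TlsProtocolCheck.java && java TlsProtocolCheck TLSv1.1`, once in the jboss/base-jdk:8 based image and once in the ubi-8 based image; the difference in the printed protocol list is the regression the report describes. The output also tells you which side needs attention: a JVM that no longer offers TLS 1.1 is behaving as its security policy intends, so the durable fix is enabling TLS 1.2 on the directory server rather than widening the client's policy.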

      People

      Assignee: Unassigned
      Reporter: Lars Wilhelmsen (larsw)