Keycloak / KEYCLOAK-12017

Regression due to ubi-8/OpenJDK 11 upgrade: User Federation -> LDAP Connection doesn't support TLS < 1.2

    Details

    • Steps to Reproduce:
      • Configure a User Federation against an LDAP server using ldaps that only supports TLS 1.1
      • Use the "Test Authentication" button and get an error message.
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      Since the new 7.0.1 Docker image is based on ubi-minimal:8, the underlying version of OpenJDK has changed from 8 to 11.

      This breaks LDAPS connections against LDAP servers that only support TLS 1.1 (in this case, an Active Directory 2012 R2 that can't be re-configured due to misc. reasons), with an error KC-SERVICES0055, + an exception javax.net.ssl.SSLHandshakeException; No appropriate protocol (protocol is disabled or cipher suites are inappropriate). Error when authenticating to LDAP; simple bind failed.

      Exactly the same configuration worked with the 7.0.0 image based on jboss/base-jdk:8

      PS: The versioning of Keycloak is a complete mess w.r.t. semantic version (which you probably don't follow anyways). Even though Keycloak was bumped to 7.0.1, the Docker image should really have its major version number bumped when you base it off a different base image with a different OpenJDK version.
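
A diagnostic for the handshake failure reported above, added here as an example; it is not part of the original report or of Keycloak's code. It prints which TLS protocol versions the running JVM enables by default so the 7.0.0 and 7.0.1 images can be compared. The class name `TlsProtocolCheck` and the `REQUIRED` constant are assumptions, as is the premise that the LDAP connection uses the JVM's default `SSLContext`.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class name); compiles on JDK 8 and JDK 11.
public class TlsProtocolCheck {
    // Protocol the LDAP server in the report is limited to (taken from the issue text).
    static final String REQUIRED = "TLSv1.1";

    // Entries of the jdk.tls.disabledAlgorithms security property, trimmed.
    static List<String> disabledEntries() {
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (prop == null || prop.trim().isEmpty()) {
            return Collections.emptyList();
        }
        return Arrays.stream(prop.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toList());
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the LDAP client uses the JVM-wide default context.
        SSLContext ctx = SSLContext.getDefault();
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        List<String> enabled = Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
        List<String> disabled = disabledEntries();

        System.out.println("java.version             : " + System.getProperty("java.version"));
        System.out.println("supported protocols      : " + supported);
        System.out.println("enabled by default       : " + enabled);
        System.out.println("jdk.tls.disabledAlgorithms: " + disabled);
        System.out.println("jdk.tls.client.protocols : " + System.getProperty("jdk.tls.client.protocols"));

        // A protocol that is not enabled by default, or that is listed as disabled,
        // cannot be negotiated and leads to "No appropriate protocol".
        boolean usable = enabled.contains(REQUIRED) && !disabled.contains(REQUIRED);
        System.out.println(REQUIRED + " usable by default: " + usable);
        System.exit(usable ? 0 : 1);
    }
}
```

Compile it with `javac` and run it with the same JVM and options as the Keycloak process inside each image; a non-zero exit status means the JVM will not offer TLS 1.1 by default.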

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  larsw Lars Wilhelmsen
                • Votes:
                  0
                  Watchers:
                  2
