Olav Grønås Gjerde

Full stack system architect with passion for Unix, Java, Python and databases.
Twitter @olavgg
3 weeks ago

Apache Pulsar and SSLHandshakeException: protocol_version

Today I was struggling with a weird issue. For some reason my Nginx server on Debian would only allow TLSv1.3, and Apache Pulsar uses a slightly older version of AsyncHttpClient that only supports TLSv1.2 and older for the OAuth2 token exchange.

This caused the protocol_version SSL exception when starting my Java clients, which connect to Apache Pulsar using OAuth2 authentication.

The fix is easy though. First, analyze which SSL ciphers and protocols your web server actually allows:

nmap --script ssl-enum-ciphers -p 443 192.168.1.10
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

No support for TLSv1.2, even though I have this configured in my virtual host:

server {
  listen 443 ssl http2;
  ....
  ssl_protocols TLSv1.3 TLSv1.2;
  ssl_ciphers '......';
  ssl_prefer_server_ciphers  on;
  ....

Figuring this out was really frustrating, but the solution was simple. Nginx negotiates the protocol version before it knows which virtual host the client wants, so the ssl_protocols it applies comes from the default server for that port, and without an explicit default_server that is simply the first server block listening on 443. Debian's default site does not provide a server section for port 443 at all, so you need to edit the file:

sudo vim /etc/nginx/sites-enabled/default

And add this to the bottom of the file:

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    ssl_certificate     ...
    ssl_certificate_key ...

    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers '....';
    ssl_prefer_server_ciphers  on;
}

The result:

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     cipher preference: server
|_  least strength: A
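To reproduce the diagnosis without nmap, and to confirm the fix afterwards, it helps to attempt one handshake per protocol version with the client pinned to exactly that version: a TLSv1.3-only server answers a TLSv1.2-pinned ClientHello with a protocol_version alert, which is the same failure the Java client reported. The script below is an added example, not code from this post. It parses nmap's ssl-enum-ciphers output (the sample string is a constructed copy of the output shown above) so the compatibility check can run offline, and it can also probe a live host; the names probe_tls_versions, parse_enum_ciphers and handshake_possible are my own.

```python
"""Check which TLS protocol versions a server offers, and whether a client that
only speaks up to TLSv1.2 (like the older AsyncHttpClient in the post) can
complete a handshake. Added example, not from the original post."""
import re
import socket
import ssl

# Constructed sample: nmap ssl-enum-ciphers output for the misconfigured host,
# which offered TLSv1.3 only.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A
"""

# "|   TLSv1.2:" opens a protocol section; "|       TLS_..." lines list ciphers.
VERSION_RE = re.compile(r"^\|\s+(TLSv1\.\d|SSLv\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s")


def parse_enum_ciphers(text):
    """Return {protocol: [cipher names]} from nmap ssl-enum-ciphers output."""
    offered = {}
    current = None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            current = m.group(1)
            offered[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            offered[current].append(m.group(1))
    return offered


def handshake_possible(offered, client_versions):
    """Versions the client can speak that the server also offers (in client
    preference order). An empty list means the handshake will fail."""
    return [v for v in client_versions if v in offered]


# Only versions that ssl.TLSVersion lets us pin exactly and that still matter.
_VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_tls_versions(host, port=443, timeout=5.0):
    """Try one handshake per protocol version, with min and max version pinned
    so the server cannot negotiate anything else. Returns {version: True} on
    success or {version: "failed: ..."} with the alert reason. Certificate
    verification is disabled because only protocol negotiation matters here."""
    results = {}
    for name, ver in _VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ver
        ctx.maximum_version = ver
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except ssl.SSLError as exc:
            # e.g. "TLSV1_ALERT_PROTOCOL_VERSION" when the server has no
            # overlapping protocol version with the pinned client.
            results[name] = f"failed: {exc.reason}"
        except OSError as exc:
            results[name] = f"failed: {exc}"
    return results


if __name__ == "__main__":
    import sys

    # Host from the post used as the default target; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.10"
    for version, outcome in probe_tls_versions(target).items():
        print(f"{version}: {outcome}")
```

Run it once before and once after adding the default_server block: the TLSv1.2 line should flip from a protocol_version failure to True. The offline parser is useful when you only have a saved nmap report from a colleague and want to know whether a TLSv1.2-only client will get through.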
11 months ago

Keycloak 26 and stupid change if you run proxy=edge

With version 26, Keycloak has refactored the configuration for running behind a proxy, and I run Keycloak behind Nginx. The documentation for upgrading to version 26 mentions this without highlighting it, and links to another document that explains how to change it. This change is so stupid, because it is 100% unnecessary, and all the awesome tutorials written by people over time and published on the web no longer work.

Basically, proxy = edge no longer works; you need to replace it with two options:

proxy-headers = xforwarded
http-enabled = true

In Keycloak 25, they introduced "http-management-port". The default keycloak.conf does not include that property, and the default port value is the same one ClickHouse uses for HTTP. Again, you need to spend an hour understanding the error log and reading through the documentation to find the cause and the fix. I may be nitpicking here, but that configuration option should be included in the keycloak.conf.

I love Keycloak, and I am grateful for the work by the developers. But I hate maintaining it because of stupid changes. They have several major releases every year, and there is no LTS, so users have to upgrade all the time to get the bug and security fixes. For every version going forward where the upgrade process is not crystal clear, I will write down why it is stupid and what you need to do to fix it.
