Secure Client-Initiated Renegotiation - disable by default #43020

@Erasure5959

Description

Secure Client-Initiated Renegotiation is enabled by default on Keycloak:

[image not reproduced]

While it is possible to disable this on an installation, I would like to request that it be disabled by default.

Value Proposition

Secure Client-Initiated Renegotiation can be abused to create a denial-of-service condition. Having this option disabled by default will remove/mitigate that potential avenue of attack.

Goals

As a security platform, Keycloak should follow a secure-by-default approach. This would close a potential attack vector that is currently present by default.

Non-Goals

N/A

Discussion

#25209

Notes

The easiest way I know of would be to add this to JAVA_OPTS in kc.sh.
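The following is an added example, not code from the Keycloak project or from the issue author. It shows the concrete JVM setting the note above refers to (the standard JSSE system property `jdk.tls.rejectClientInitiatedRenegotiation`, which makes the server refuse renegotiation requests the client sends) and a way to verify the result from the outside with `openssl s_client`. It assumes that `kc.sh` appends `JAVA_OPTS_APPEND` to its default `JAVA_OPTS`, that the server listens on port 8443, and that `timeout` from coreutils is available; the classification of the `s_client` transcript is a heuristic based on the text `s_client` prints after it acts on the `R` line.

```shell
#!/usr/bin/env bash
# Added example (not Keycloak project code). Part 1 builds the JVM flag that
# makes JSSE reject client-initiated TLS renegotiation; part 2 probes a running
# server from outside to confirm the change took effect.
set -eu

# JSSE system property: when "true", the server-side SSLEngine refuses
# renegotiation requests initiated by the client (TLS 1.2 and below only;
# TLS 1.3 removed renegotiation altogether).
REJECT_RENEG_FLAG='-Djdk.tls.rejectClientInitiatedRenegotiation=true'

# Return a JAVA_OPTS_APPEND value with the flag present exactly once.
# Assumption: kc.sh appends JAVA_OPTS_APPEND to its default JAVA_OPTS, so this
# is the least invasive place to put the flag. Usage:
#   export JAVA_OPTS_APPEND="$(keycloak_java_opts_append "${JAVA_OPTS_APPEND:-}")"
#   bin/kc.sh start --https-port=8443 ...
keycloak_java_opts_append() {
  existing="${1:-}"
  case " $existing " in
    *" $REJECT_RENEG_FLAG "*) printf '%s\n' "$existing" ;;          # already there
    *) printf '%s\n' "${existing:+$existing }$REJECT_RENEG_FLAG" ;; # append once
  esac
}

# Heuristic classification of one openssl s_client transcript. s_client prints
# RENEGOTIATING when it acts on the "R" line; only text after that marker is
# inspected, so certificate "verify error" lines from the first handshake do
# not count. A hardened server answers with a fatal alert or closes the
# connection; a permissive one completes the second handshake silently.
classify_reneg_output() {
  transcript="$1"
  after=$(printf '%s\n' "$transcript" | sed -n '/RENEGOTIATING/,$p')
  if [ -z "$after" ]; then
    echo "inconclusive"   # no renegotiation was attempted (TLS 1.3, connect error, ...)
  elif printf '%s\n' "$after" | grep -qiE 'alert|handshake failure|error:'; then
    echo "rejected"
  else
    echo "accepted"
  fi
}

# Live check (needs network, openssl and coreutils timeout; not exercised
# offline). Forces TLS 1.2 because renegotiation does not exist in TLS 1.3;
# -ign_eof keeps s_client reading the server's reaction after stdin is done,
# and timeout ends the session if the server simply keeps it open.
check_client_reneg() {
  target="$1"   # e.g. keycloak.example.internal:8443 (assumed port)
  out=$(printf 'R\n' | timeout 10 openssl s_client -connect "$target" -tls1_2 -ign_eof 2>&1 || true)
  verdict=$(classify_reneg_output "$out")
  echo "$target: client-initiated renegotiation $verdict"
  [ "$verdict" = "rejected" ]
}
```

Run `check_client_reneg host:8443` once before and once after restarting Keycloak with the flag in `JAVA_OPTS_APPEND`; the verdict should move from `accepted` to `rejected`. If it reads `inconclusive`, the client negotiated TLS 1.3 or could not connect, and the flag was never exercised.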
