Skip to content

Disable Secure Client-Initiated Renegotiation by default #43092

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ahus1 merged 3 commits into from
Oct 1, 2025
Merged

Disable Secure Client-Initiated Renegotiation by default #43092

ahus1 merged 3 commits into from
Oct 1, 2025
+2 −2

Conversation

@Erasure5959
Copy link
Contributor

@Erasure5959 Erasure5959 commented Sep 30, 2025
edited by ahus1
Loading

Closes #43020

This PR aims to disable Secure Client-Initiated Renegotiation by default in Keycloak. The current configuration represents a potential attack vector via DoS; closing this avenue by default is desirable and should have no adverse side effects.

This is applicable to TLS 1.2 only; TLS 1.3 completely removes support for renegotiation.

@Erasure5959
Disable Secure Client-Initiated Renegotiation in kc.sh
b376197 
The parameter  -Djdk.tls.rejectClientInitiatedRenegotiation=true disables Secure Client-Initiated Renegotiation in Keycloak to resolve a potential DoS vulnerability. Note this is applicable only to TLS 1.2.

Signed-off-by: Erasure5959 <[email protected]>
@Erasure5959
Disable Secure Client-Initiated Renegotiation in kc.bat
9b5a57b 
The parameter -Djdk.tls.rejectClientInitiatedRenegotiation=true disables Secure Client-Initiated Renegotiation in Keycloak to resolve a potential DoS vulnerability. Note this is applicable only to TLS 1.2.

Signed-off-by: Erasure5959 <[email protected]>
@Erasure5959 Erasure5959 requested review from a team as code owners September 30, 2025 16:23
@Erasure5959 Erasure5959 mentioned this pull request Sep 30, 2025
Closed
@ahus1
Review
d5cd91d 
Signed-off-by: Alexander Schwartz <[email protected]>
@ahus1 ahus1 self-assigned this Oct 1, 2025
ahus1
ahus1 approved these changes Oct 1, 2025
View reviewed changes
Copy link
Contributor

@ahus1 ahus1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for contributing this change! I see one of our tests failed, and I had to remove a blank from one of the scripts.

@ahus1 ahus1 enabled auto-merge (squash) October 1, 2025 13:50
@Erasure5959
Copy link
Contributor Author

Erasure5959 commented Oct 1, 2025

Thank you for being open to the change and allowing me to contribute - apologies for my oversight. Much appreciated!

@ahus1 ahus1 merged commit 3d9eb43 into keycloak:main Oct 1, 2025
82 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ahus1 ahus1 ahus1 approved these changes

Assignees

@ahus1 ahus1

Labels

team/cloud-native

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Secure Client-Initiated Renegotiation - disable by default

2 participants

@Erasure5959 @ahus1