fix: refining https-protocols documentation

closes: #43164 (cherry picked from commit 700b86fad85c17d90cc133013e5704e760f30686) Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2026-01-10 15:32:05 -03:30 · 2025-10-14 13:02:31 -04:00 · 2025-10-14 13:02:31 -04:00 · f20dd66196
commit f20dd66196
parent a97613bf7b
12 changed files with 35 additions and 13 deletions
--- a/docs/guides/server/enabletls.adoc
+++ b/docs/guides/server/enabletls.adoc
@ -52,7 +52,7 @@ However, as a temporary work-around, you can enable deprecated protocols by runn

 <@kc.start parameters="--https-protocols=<protocol>[,<protocol>]"/>

-To also allow TLSv1.2, use a command such as the following: `kc.sh start --https-protocols=TLSv1.3,TLSv1.2`.
+For example to only enable TLSv1.3, use a command such as the following: `kc.sh start --https-protocols=TLSv1.3`.

 == Switching the HTTPS port
 {project_name} listens for HTTPS traffic on port `8443`. To change this port, use the following command:
--- a/quarkus/config-api/src/main/java/org/keycloak/config/HttpOptions.java
+++ b/quarkus/config-api/src/main/java/org/keycloak/config/HttpOptions.java
@ -59,8 +59,10 @@ public class HttpOptions {

    public static final Option<List<String>> HTTPS_PROTOCOLS = OptionBuilder.listOptionBuilder("https-protocols", String.class)
            .category(OptionCategory.HTTP)
-            .description("The list of protocols to explicitly enable.")
-            .defaultValue(Arrays.asList("TLSv1.3,TLSv1.2"))
+            .description("The list of protocols to explicitly enable. If a value is not supported by the JRE / security configuration, it will be silently ignored.")
+            .expectedValues(Arrays.asList("TLSv1.3", "TLSv1.2"))
+            .strictExpectedValues(false)
+            .defaultValue(Arrays.asList("TLSv1.3", "TLSv1.2"))
            .build();

    public static final Option<String> HTTPS_CERTIFICATES_RELOAD_PERIOD = new OptionBuilder<>("https-certificates-reload-period", String.class)
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.approved.txt
@ -183,7 +183,9 @@ HTTP(S):
                       no value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
-                     The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
+                     The list of protocols to explicitly enable. If a value is not supported by the
+                       JRE / security configuration, it will be silently ignored. Possible values
+                       are: TLSv1.3, TLSv1.2, or a custom one. Default: TLSv1.3,TLSv1.2.
 --https-trust-store-file <file>
                     The trust store which holds the certificate information of the certificates to
                       trust.
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.approved.txt
@ -243,7 +243,9 @@ HTTP(S):
                       no value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
-                     The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
+                     The list of protocols to explicitly enable. If a value is not supported by the
+                       JRE / security configuration, it will be silently ignored. Possible values
+                       are: TLSv1.3, TLSv1.2, or a custom one. Default: TLSv1.3,TLSv1.2.
 --https-trust-store-file <file>
                     The trust store which holds the certificate information of the certificates to
                       trust.
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.approved.txt
@ -215,7 +215,9 @@ HTTP(S):
                       no value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
-                     The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
+                     The list of protocols to explicitly enable. If a value is not supported by the
+                       JRE / security configuration, it will be silently ignored. Possible values
+                       are: TLSv1.3, TLSv1.2, or a custom one. Default: TLSv1.3,TLSv1.2.
 --https-trust-store-file <file>
                     The trust store which holds the certificate information of the certificates to
                       trust.
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.approved.txt
@ -244,7 +244,9 @@ HTTP(S):
                       no value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
-                     The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
+                     The list of protocols to explicitly enable. If a value is not supported by the
+                       JRE / security configuration, it will be silently ignored. Possible values
+                       are: TLSv1.3, TLSv1.2, or a custom one. Default: TLSv1.3,TLSv1.2.
 --https-trust-store-file <file>
                     The trust store which holds the certificate information of the certificates to
                       trust.
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelp.approved.txt
@ -192,7 +192,9 @@ HTTP(S):
                       no value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
-                     The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
+                     The list of protocols to explicitly enable. If a value is not supported by the
+                       JRE / security configuration, it will be silently ignored. Possible values
+                       are: TLSv1.3, TLSv1.2, or a custom one. Default: TLSv1.3,TLSv1.2.
 --https-trust-store-file <file>
                     The trust store which holds the certificate information of the certificates to
                       trust.
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartOptimizedHelpAll.approved.txt
@ -221,7 +221,9 @@ HTTP(S):
                       no value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
-                     The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
+                     The list of protocols to explicitly enable. If a value is not supported by the
+                       JRE / security configuration, it will be silently ignored. Possible values
+                       are: TLSv1.3, TLSv1.2, or a custom one. Default: TLSv1.3,TLSv1.2.
 --https-trust-store-file <file>
                     The trust store which holds the certificate information of the certificates to
                       trust.
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityCheckHelp.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityCheckHelp.approved.txt
@ -214,7 +214,9 @@ HTTP(S):
                       no value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
-                     The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
+                     The list of protocols to explicitly enable. If a value is not supported by the
+                       JRE / security configuration, it will be silently ignored. Possible values
+                       are: TLSv1.3, TLSv1.2, or a custom one. Default: TLSv1.3,TLSv1.2.
 --https-trust-store-file <file>
                     The trust store which holds the certificate information of the certificates to
                       trust.
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityCheckHelpAll.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityCheckHelpAll.approved.txt
@ -243,7 +243,9 @@ HTTP(S):
                       no value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
-                     The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
+                     The list of protocols to explicitly enable. If a value is not supported by the
+                       JRE / security configuration, it will be silently ignored. Possible values
+                       are: TLSv1.3, TLSv1.2, or a custom one. Default: TLSv1.3,TLSv1.2.
 --https-trust-store-file <file>
                     The trust store which holds the certificate information of the certificates to
                       trust.
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityMetadataHelp.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityMetadataHelp.approved.txt
@ -212,7 +212,9 @@ HTTP(S):
                       no value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
-                     The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
+                     The list of protocols to explicitly enable. If a value is not supported by the
+                       JRE / security configuration, it will be silently ignored. Possible values
+                       are: TLSv1.3, TLSv1.2, or a custom one. Default: TLSv1.3,TLSv1.2.
 --https-trust-store-file <file>
                     The trust store which holds the certificate information of the certificates to
                       trust.
--- a/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityMetadataHelpAll.approved.txt
+++ b/quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testUpdateCompatibilityMetadataHelpAll.approved.txt
@ -241,7 +241,9 @@ HTTP(S):
                       no value is set, it defaults to 'BCFKS'.
 --https-port <port>  The used HTTPS port. Default: 8443.
 --https-protocols <protocols>
-                     The list of protocols to explicitly enable. Default: TLSv1.3,TLSv1.2.
+                     The list of protocols to explicitly enable. If a value is not supported by the
+                       JRE / security configuration, it will be silently ignored. Possible values
+                       are: TLSv1.3, TLSv1.2, or a custom one. Default: TLSv1.3,TLSv1.2.
 --https-trust-store-file <file>
                     The trust store which holds the certificate information of the certificates to
                       trust.