<div dir="ltr"><div><div>I realized that the autogenerated JKS keystore probably won't work for Oracle/OpenJDK Java in FIPS mode because of <a href="https://issues.jboss.org/browse/JBEAP-3789">https://issues.jboss.org/browse/JBEAP-3789</a>.<br></div><br></div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jun 3, 2016 at 9:28 AM, Stuart Douglas <span dir="ltr"><<a href="mailto:stuart.w.douglas@gmail.com" target="_blank">stuart.w.douglas@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br><br><div class="gmail_quote"><div dir="ltr">On Fri, 3 Jun 2016, 17:18 Martin Choma <<a href="mailto:mchoma@redhat.com" target="_blank">mchoma@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Hi Stuart, <br><br>I have a couple of questions regarding self-signed certificate autogeneration:<br><br>What happens when the autogenerated certificate expires?<br></div></div></div></blockquote></div><div><br></div></span><div>I think we would go for a ten-year expiry, so that would not be an issue. The developer could just delete the store and generate a new one anyway.</div><span class=""><div><br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div></div>How will it be decided whether the certificate should be autogenerated or not?<br></div></div></blockquote></div><div><br></div></span><div>An attribute in the management model would be needed to explicitly enable it.</div><span class=""><div><br></div><div><br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>What will be the default keysize? 
It probably has to be chosen to work also without the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy"<br></div></div></blockquote></div><div><br></div></span><div>Probably the largest that is supported without JCE. It does not matter that much; self-signed certs are inherently insecure, and this is a developer usability feature, not something that can be used in production.</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>Stuart</div></font></span><div class="HOEnZb"><div class="h5"><div><br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div></div><br><br><br></div><div class="gmail_extra"><br><div class="gmail_quote"></div></div><div class="gmail_extra"><div class="gmail_quote">On Thu, Jun 2, 2016 at 10:01 PM, Stuart Douglas <span dir="ltr"><<a href="mailto:stuart.w.douglas@gmail.com" target="_blank">stuart.w.douglas@gmail.com</a>></span> wrote:<br></div></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>So I guess we should talk about how this should actually work. <br><br></div>In terms of auto-generating the key I was thinking we would need to add a new attribute to the 'keystore' element under the security realm, something like 'auto-generate-cert-host="localhost"'. 
I am not sure what other options we would need, or how configurable we should make it, but as this is for testing/development purposes I don't think we need to expose full control over the certificate generation process.<br><br></div><div>In terms of the implementation we could just implement an SSLContext wrapper that can do the generation and then create a 'real' SSLContext the first time it is asked to create an SSLEngine.<span><font color="#888888"><br></font></span></div><span><font color="#888888"><div><br></div>Stuart<br></font></span></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jun 3, 2016 at 3:19 AM, Jason Greene <span dir="ltr"><<a href="mailto:jason.greene@redhat.com" target="_blank">jason.greene@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><br>
> On Jun 2, 2016, at 11:29 AM, Harold Campbell <<a href="mailto:hcamp@muerte.net" target="_blank">hcamp@muerte.net</a>> wrote:<br>
><br>
> On Thu, 2016-06-02 at 09:22 +1000, Stuart Douglas wrote:<br>
>> Hi All,<br>
>><br>
>> I would like to propose that we add support for HTTP/2 out of the box<br>
>> in Wildfly 10.1.<br>
>><br>
><br>
> This lowly user desperately wants a release containing the fix to WFLY-<br>
> 6283 sooner rather than later. I'm sure other people have other pet<br>
> bugs awaiting release.<br>
><br>
> I have no opinion on HTTP/2 being added other than to ask that pent up<br>
> bug fixes be kept in mind.<br>
<br>
<br>
</span>Hi Harold,<br>
<br>
That fix is already in master, so it will be included in 10.1.<br>
<br>
--<br>
Jason T. Greene<br>
WildFly Lead / JBoss EAP Platform Architect<br>
JBoss, a division of Red Hat<br>
<br>
</blockquote></div><br></div>
</div></div><br></blockquote></div></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">_______________________________________________<br>
wildfly-dev mailing list<br>
<a href="mailto:wildfly-dev@lists.jboss.org" target="_blank">wildfly-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/wildfly-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/wildfly-dev</a><br></blockquote></div></div></blockquote></div>
</div></div></blockquote></div><br></div>
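<p>The design Stuart sketches in the thread (an SSLContext wrapper that generates a self-signed key on first use and only then builds the "real" SSLContext), written out as an added example. This is illustrative code, not WildFly's implementation of the feature. It assumes the JDK's own <code>keytool</code> is available under <code>java.home/bin</code> so no third-party certificate library is needed, and the class name, the <code>create(host, keystoreFile, password)</code> factory and the <code>changeit</code> password are choices made for the example. The key size (RSA 2048) and the ten-year validity follow the values discussed above; the SAN extension is added because modern clients match the host against the SAN rather than the CN.</p>

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLContextSpi;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;

/**
 * Illustrative code, not WildFly's: an SSLContext that builds the real context the
 * first time an SSLEngine or socket factory is requested. If the configured keystore
 * does not exist yet, the JDK's keytool (assumed under java.home/bin) creates a
 * self-signed RSA key pair for the host (the proposed auto-generate-cert-host value).
 */
public final class AutoGeneratedSslContext extends SSLContextSpi {

    private final String host;
    private final File keystoreFile;
    private final char[] password;
    private volatile SSLContext delegate;

    private AutoGeneratedSslContext(String host, File keystoreFile, char[] password) {
        this.host = host;
        this.keystoreFile = keystoreFile;
        this.password = password.clone();
    }

    /** SSLContext's constructor is protected, so wrap the SPI in an anonymous subclass. */
    public static SSLContext create(String host, File keystoreFile, char[] password)
            throws GeneralSecurityException {
        Provider provider = SSLContext.getInstance("TLS").getProvider();
        return new SSLContext(new AutoGeneratedSslContext(host, keystoreFile, password), provider, "TLS") { };
    }

    /** Lazily generates (if needed) and loads the keystore, then builds the delegate once. */
    private SSLContext delegate() {
        SSLContext d = delegate;
        if (d == null) {
            synchronized (this) {
                d = delegate;
                if (d == null) {
                    try {
                        if (!keystoreFile.exists()) {
                            generateKeystore();
                        }
                        KeyStore ks = KeyStore.getInstance("JKS");
                        try (FileInputStream in = new FileInputStream(keystoreFile)) {
                            ks.load(in, password);
                        }
                        KeyManagerFactory kmf =
                                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                        kmf.init(ks, password);
                        d = SSLContext.getInstance("TLS");
                        d.init(kmf.getKeyManagers(), null, new SecureRandom());
                        delegate = d;
                    } catch (IOException | GeneralSecurityException | InterruptedException e) {
                        throw new IllegalStateException("cannot initialise auto-generated TLS context", e);
                    }
                }
            }
        }
        return d;
    }

    /** Runs keytool; a store password on the command line is tolerable only for dev use. */
    private void generateKeystore() throws IOException, InterruptedException {
        String keytool = System.getProperty("java.home") + File.separator + "bin" + File.separator + "keytool";
        String pw = new String(password);
        Process p = new ProcessBuilder(keytool, "-genkeypair",
                "-alias", host,
                "-keyalg", "RSA", "-keysize", "2048",   // RSA key size is not limited by the JCE policy files
                "-validity", "3650",                     // ten-year validity, as proposed in the thread
                "-dname", "CN=" + host,
                "-ext", "SAN=dns:" + host,               // clients match the host against the SAN
                "-storetype", "JKS",
                "-keystore", keystoreFile.getPath(),
                "-storepass", pw, "-keypass", pw)
                .inheritIO().start();
        if (p.waitFor() != 0) {
            throw new IOException("keytool exited with " + p.exitValue());
        }
    }

    @Override protected void engineInit(KeyManager[] km, TrustManager[] tm, SecureRandom sr) {
        // Key material is owned by this context; an explicit init() is a no-op.
    }
    @Override protected SSLSocketFactory engineGetSocketFactory() { return delegate().getSocketFactory(); }
    @Override protected SSLServerSocketFactory engineGetServerSocketFactory() { return delegate().getServerSocketFactory(); }
    @Override protected SSLEngine engineCreateSSLEngine() { return delegate().createSSLEngine(); }
    @Override protected SSLEngine engineCreateSSLEngine(String h, int port) { return delegate().createSSLEngine(h, port); }
    @Override protected SSLSessionContext engineGetServerSessionContext() { return delegate().getServerSessionContext(); }
    @Override protected SSLSessionContext engineGetClientSessionContext() { return delegate().getClientSessionContext(); }

    public static void main(String[] args) throws Exception {
        File store = new File(System.getProperty("java.io.tmpdir"), "auto-localhost.jks");
        SSLContext ctx = create("localhost", store, "changeit".toCharArray());
        SSLEngine engine = ctx.createSSLEngine();   // first use triggers key generation
        engine.setUseClientMode(false);
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(store)) { ks.load(in, "changeit".toCharArray()); }
        X509Certificate cert = (X509Certificate) ks.getCertificate("localhost");
        System.out.println(cert.getSubjectX500Principal() + " valid until " + cert.getNotAfter());
    }
}
```

<p>Deleting the keystore file and restarting is enough to rotate the key, which matches the "delete the store and generate a new one" answer above. Because the wrapper shells out to keytool, the process listing briefly exposes the store password; that, plus the trust problem inherent in any self-signed certificate, is why this belongs behind an explicit opt-in attribute and stays a development convenience rather than a production configuration.</p>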