Darran Lofthouse reassigned WFCORE-3750:
----------------------------------------
Assignee: (was: Farah Juma)
Revisit default DSA algorithm for generate-key-pair operation
-------------------------------------------------------------
Key: WFCORE-3750
URL: https://issues.jboss.org/browse/WFCORE-3750
Project: WildFly Core
Issue Type: Bug
Components: Security
Affects Versions: 5.0.0.Alpha2
Reporter: Martin Choma
Priority: Major
The generate-key-pair operation uses the DSA algorithm by default. I am unable to connect to such SSL
with Firefox or Chrome ("no cipher suite in common"). With an RSA private key it
works. Can we revisit the default?
Can we add default information into the model description (algorithm)? In that case it
would be best if defaults were specified at the subsystem level and did not rely on Elytron
library defaults.
I was also thinking about key-size and signature-algorithm, but realized these parameters
are computed dynamically based on the chosen algorithm.
{code:title=TLS.handshake}
08:19:21,479 INFO [stdout] (management task-1) *** ClientHello, TLSv1.2
08:19:21,480 INFO [stdout] (management task-1) RandomCookie: GMT: -151315060 bytes = {
149, 83, 32, 135, 156, 106, 80, 46, 117, 158, 131, 177, 174, 235, 90, 7, 124, 236, 42,
183, 158, 180, 151, 31, 121, 146, 31, 146 }
08:19:21,480 INFO [stdout] (management task-1) Session ID: {}
08:19:21,480 INFO [stdout] (management task-1) Cipher Suites:
[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Unknown
0xcc:0xa9, Unknown 0xcc:0xa8, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
08:19:21,480 INFO [stdout] (management task-1) Compression Methods: { 0 }
08:19:21,480 INFO [stdout] (management task-1) Extension server_name, server_name:
[type=host_name (0), value=localhost]
08:19:21,480 INFO [stdout] (management task-1) Extension extended_master_secret
08:19:21,480 INFO [stdout] (management task-1) Extension renegotiation_info,
renegotiated_connection: <empty>
08:19:21,480 INFO [stdout] (management task-1) Extension elliptic_curves, curve names:
{unknown curve 29, secp256r1, secp384r1, secp521r1}
08:19:21,480 INFO [stdout] (management task-1) Extension ec_point_formats, formats:
[uncompressed]
08:19:21,480 INFO [stdout] (management task-1) Unsupported extension type_35, data:
08:19:21,480 INFO [stdout] (management task-1) Unsupported extension type_16, data:
00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
08:19:21,480 INFO [stdout] (management task-1) Unsupported extension status_request,
data: 01:00:00:00:00
08:19:21,480 INFO [stdout] (management task-1) Extension signature_algorithms,
signature_algorithms: SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, Unknown
(hash:0x8, signature:0x4), Unknown (hash:0x8, signature:0x5), Unknown (hash:0x8,
signature:0x6), SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withECDSA, SHA1withRSA
08:19:21,480 INFO [stdout] (management task-1) ***
08:19:21,480 INFO [stdout] (management task-1) [read] MD5 and SHA1 hashes: len = 181
08:19:21,481 INFO [stdout] (management task-1) 0000: 01 00 00 B1 03 03 F7 FB 1E 8C 95
53 20 87 9C 6A ...........S ..j
08:19:21,481 INFO [stdout] (management task-1) 0010: 50 2E 75 9E 83 B1 AE EB 5A 07 7C
EC 2A B7 9E B4 P.u.....Z...*...
08:19:21,482 INFO [stdout] (management task-1) 0020: 97 1F 79 92 1F 92 00 00 1E C0 2B
C0 2F CC A9 CC ..y.......+./...
08:19:21,482 INFO [stdout] (management task-1) 0030: A8 C0 2C C0 30 C0 0A C0 09 C0 13
C0 14 00 33 00 ..,.0.........3.
08:19:21,483 INFO [stdout] (management task-1) 0040: 39 00 2F 00 35 00 0A 01 00 00 6A
00 00 00 0E 00 9./.5.....j.....
08:19:21,483 INFO [stdout] (management task-1) 0050: 0C 00 00 09 6C 6F 63 61 6C 68 6F
73 74 00 17 00 ....localhost...
08:19:21,483 INFO [stdout] (management task-1) 0060: 00 FF 01 00 01 00 00 0A 00 0A 00
08 00 1D 00 17 ................
08:19:21,484 INFO [stdout] (management task-1) 0070: 00 18 00 19 00 0B 00 02 01 00 00
23 00 00 00 10 ...........#....
08:19:21,484 INFO [stdout] (management task-1) 0080: 00 0E 00 0C 02 68 32 08 68 74 74
70 2F 31 2E 31 .....h2.http/1.1
08:19:21,484 INFO [stdout] (management task-1) 0090: 00 05 00 05 01 00 00 00 00 00 0D
00 18 00 16 04 ................
08:19:21,485 INFO [stdout] (management task-1) 00A0: 03 05 03 06 03 08 04 08 05 08 06
04 01 05 01 06 ................
08:19:21,485 INFO [stdout] (management task-1) 00B0: 01 02 03 02 01
.....
08:19:21,486 INFO [stdout] (management task-1) %% Initialized: [Session-5,
SSL_NULL_WITH_NULL_NULL]
08:19:21,486 INFO [stdout] (management task-1) management task-1, fatal error: 40: no
cipher suites in common
08:19:21,486 INFO [stdout] (management task-1) javax.net.ssl.SSLHandshakeException: no
cipher suites in common
08:19:21,486 INFO [stdout] (management task-1) %% Invalidated: [Session-5,
SSL_NULL_WITH_NULL_NULL]
08:19:21,486 INFO [stdout] (management task-1) management task-1, SEND TLSv1.2 ALERT:
fatal, description = handshake_failure
08:19:21,486 INFO [stdout] (management task-1) management task-1, WRITE: TLSv1.2 Alert,
length = 2
08:19:21,487 INFO [stdout] (management I/O-2) management I/O-2, fatal: engine already
closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
{code}
{code:java|title=SelfSignedX509CertificateAndSigningKey.java}
/**
* The default key algorithm name.
*/
public static final String DEFAULT_KEY_ALGORITHM_NAME = "DSA";
{code}
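
The handshake failure in the log above, worked through as an added example (not part of the issue report and not WildFly or Elytron code): it parses the ClientHello's cipher-suite list and groups the suites by the server key algorithm each one requires, using TLS 1.2 suite naming. The function names and mapping tables are this example's own; the suite list is copied from the log with its line wraps joined.

```python
import re

# Cipher-suite list copied from the ClientHello in the report (line wraps joined).
CLIENT_HELLO = (
    "Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, "
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "
    "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, "
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA]"
)

# The log prints the two ChaCha20-Poly1305 suites (RFC 7905) by code point only.
CODE_POINTS = {
    "0xcc:0xa9": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "0xcc:0xa8": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

# Authentication token in a TLS 1.2 suite name -> server key algorithm it needs.
AUTH_TO_KEY = {"ECDSA": "EC", "RSA": "RSA", "DSS": "DSA"}


def offered_suites(log_text):
    """Extract the suite names from a JSSE debug 'Cipher Suites: [...]' entry."""
    body = re.search(r"Cipher Suites:\s*\[(.*?)\]", log_text, re.S).group(1)
    names = [re.sub(r"\s+", " ", s).strip() for s in body.split(",")]
    return [CODE_POINTS.get(n.replace("Unknown ", ""), n) for n in names]


def required_key(suite):
    """Server key algorithm a suite authenticates with, or None (e.g. anon)."""
    prefix = suite.split("_WITH_")[0].split("_")[1:]  # ['ECDHE', 'ECDSA'] or ['RSA']
    return AUTH_TO_KEY.get(prefix[-1])


def suites_for_key(log_text, key_algorithm):
    """Suites from the ClientHello that a server holding this key type can select."""
    return [s for s in offered_suites(log_text) if required_key(s) == key_algorithm]


if __name__ == "__main__":
    for alg in ("DSA", "RSA", "EC"):
        print(alg, len(suites_for_key(CLIENT_HELLO, alg)))
```

A server whose only key is DSA has an empty intersection with this ClientHello, which is the "no cipher suites in common" alert in the log; an RSA or EC key leaves suites to negotiate.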