I realized that an autogenerated JKS keystore probably won't work for
Oracle/OpenJDK Java in FIPS mode because of
.
On Fri, Jun 3, 2016 at 9:28 AM, Stuart Douglas <stuart.w.douglas(a)gmail.com>
wrote:
On Fri, 3 Jun 2016, 17:18 Martin Choma <mchoma(a)redhat.com> wrote:
> Hi Stuart,
>
> I have couple of questions regarding self-signed certificate
> autogeneration:
>
> What happens, when autogenerated certificate expires?
>
I think we would go for a ten-year expiry, so that would not be an issue. The
developer could just delete the store and generate a new one anyway.
> How will it be decided if the certificate should be autogenerated or not?
>
An attribute in the management model would be needed to explicitly enable
it.
> What will be the default keysize? It probably has to be chosen to work also
> without "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction
> Policy"
>
Probably the largest that is supported without JCE. It does not matter
that much; self-signed certs are inherently insecure, this is a developer
usability feature, not something that can be used in production.
Stuart
>
>
>
> On Thu, Jun 2, 2016 at 10:01 PM, Stuart Douglas <
> stuart.w.douglas(a)gmail.com> wrote:
>
>> So I guess we should talk about how this should actually work.
>>
>> In terms of auto generating the key I was thinking we would need to add
>> a new attribute to the 'keystore' element under the security realm,
>> something like 'auto-generate-cert-host="localhost"'. I am not sure what
>> other options we would need, or how configurable we should make it, but as
>> this is for testing/development purposes I don't think we need to expose
>> full control over the certificate generation process.
>>
>> In terms of the implementation we could just implement an SSLContext
>> wrapper, that can do the generation and then create a 'real' SSLContext the
>> first time it is asked to create an SSLEngine.
>>
>> Stuart
>>
>> On Fri, Jun 3, 2016 at 3:19 AM, Jason Greene <jason.greene(a)redhat.com>
>> wrote:
>>
>>>
>>> > On Jun 2, 2016, at 11:29 AM, Harold Campbell <hcamp(a)muerte.net>
>>> wrote:
>>> >
>>> > On Thu, 2016-06-02 at 09:22 +1000, Stuart Douglas wrote:
>>> >> Hi All,
>>> >>
>>> >> I would like to propose that we add support for HTTP/2 out of the box
>>> >> in Wildfly 10.1.
>>> >>
>>> >
>>> > This lowly user desperately wants a release containing the fix to
>>> > WFLY-6283 sooner rather than later. I'm sure other people have other pet
>>> > bugs awaiting release.
>>> >
>>> > I have no opinion on HTTP/2 being added other than to ask that pent up
>>> > bug fixes be kept in mind.
>>>
>>>
>>> Hi Harold,
>>>
>>> That fix is already in master, so it will be included in 10.1.
>>>
>>> --
>>> Jason T. Greene
>>> WildFly Lead / JBoss EAP Platform Architect
>>> JBoss, a division of Red Hat
>>>
>>>
>>
>> _______________________________________________
>> wildfly-dev mailing list
>> wildfly-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/wildfly-dev
>>
>
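As an added illustration of the design Stuart sketches above (a lazily-built SSLContext that generates a self-signed certificate for one host on first use, with a ten-year validity and an RSA key size that does not depend on the JCE unlimited-strength policy), here is example code written for this page. It is not WildFly code and not the implementation the thread proposes; it assumes the BouncyCastle `bcpkix` library on the classpath, uses a hypothetical class name `DevSelfSignedSslContext`, a hypothetical alias `server`, and writes a PKCS12 file instead of JKS (the editor's choice; the FIPS-mode question raised at the top of the thread is not settled by it). Whether a keystore from a previous run is still valid is checked with `checkValidity()`, so an expired file is simply regenerated, which is the behaviour the thread describes for expiry.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Hypothetical dev-only helper (not WildFly code): self-signed cert for one host, built on first use. */
public final class DevSelfSignedSslContext {
    private static final String ALIAS = "server";          // assumed alias, not from the thread
    private static final long VALIDITY_DAYS = 3650;        // ten-year expiry, as discussed in the thread

    private final String host;       // value of the proposed auto-generate-cert-host attribute
    private final char[] password;   // protects the PKCS12 file; dev-only, so a fixed value is acceptable here
    private SSLContext delegate;     // the "real" SSLContext, created lazily

    public DevSelfSignedSslContext(String host, char[] password) {
        this.host = host;
        this.password = password.clone();
    }

    /** The wrapper's entry point: generation happens the first time an engine is requested. */
    public SSLEngine createSSLEngine() throws Exception {
        return get().createSSLEngine();
    }

    public synchronized SSLContext get() throws Exception {
        if (delegate == null) {
            delegate = buildContext(loadOrGenerateKeyStore());
        }
        return delegate;
    }

    private KeyStore loadOrGenerateKeyStore() throws Exception {
        File file = new File("dev-" + host + ".p12");
        if (file.exists()) {
            KeyStore existing = KeyStore.getInstance("PKCS12");
            try (FileInputStream in = new FileInputStream(file)) {
                existing.load(in, password);
            }
            try {
                ((X509Certificate) existing.getCertificate(ALIAS)).checkValidity();
                return existing;                       // still valid: reuse it
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                // expired: fall through and regenerate, equivalent to the developer deleting the store
            }
        }
        KeyStore fresh = generateKeyStore();
        try (FileOutputStream out = new FileOutputStream(file)) {
            fresh.store(out, password);
        }
        return fresh;
    }

    private KeyStore generateKeyStore() throws Exception {
        // RSA-2048: asymmetric key sizes are not what the JCE unlimited-strength policy restricts
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        X500Name name = new X500Name("CN=" + host);
        BigInteger serial = new BigInteger(63, new SecureRandom());   // positive random serial
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(VALIDITY_DAYS));

        JcaX509v3CertificateBuilder builder =
                new JcaX509v3CertificateBuilder(name, serial, notBefore, notAfter, name, kp.getPublic());
        // Clients match the host against the SAN, so the CN alone is not enough
        builder.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(GeneralName.dNSName, host)));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        X509Certificate cert = new JcaX509CertificateConverter().getCertificate(builder.build(signer));

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry(ALIAS, kp.getPrivate(), password, new Certificate[] { cert });
        return ks;
    }

    private SSLContext buildContext(KeyStore ks) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);   // default trust managers; no client auth for dev use
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        DevSelfSignedSslContext dev = new DevSelfSignedSslContext("localhost", "changeit".toCharArray());
        SSLEngine engine = dev.createSSLEngine();     // first call triggers generation
        System.out.println("engine ready, protocols: " + String.join(",", engine.getSupportedProtocols()));
    }
}
```

Two things to keep in mind if something like this is wired into a server: the generated certificate is self-signed, so nothing but a developer's explicitly-trusting client should ever accept it, and because the real SSLContext is built under a lock on first use, the first TLS handshake pays the key-generation cost rather than server start-up doing so.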