[wildfly-dev] HTTP/2 out of the box in Wildfly 10.1

Martin Choma mchoma at redhat.com
Mon Jun 6 00:59:35 EDT 2016


I realized that the autogenerated JKS keystore probably won't work for
Oracle/OpenJDK Java in FIPS mode because of
https://issues.jboss.org/browse/JBEAP-3789.


On Fri, Jun 3, 2016 at 9:28 AM, Stuart Douglas <stuart.w.douglas at gmail.com>
wrote:

>
>
> On Fri, 3 Jun 2016, 17:18 Martin Choma <mchoma at redhat.com> wrote:
>
>> Hi Stuart,
>>
>> I have a couple of questions regarding self-signed certificate
>> autogeneration:
>>
>> What happens when the autogenerated certificate expires?
>>
>
> I think we would go for ten year expiry so that would not be an issue. The
> developer could just delete the store and generate a new one anyway.
>
>> How will it be decided if the certificate should be autogenerated or not?
>>
>
> An attribute in the management model would be needed to explicitly enable
> it.
>
>
>> What will be the default keysize? It probably has to be chosen to also work
>> without "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction
>> Policy"
>>
>
> Probably the largest that is supported without JCE. It does not matter
> that much; self-signed certs are inherently insecure. This is a developer
> usability feature, not something that can be used in production.
>
> Stuart
>
>
>>
>>
>>
>> On Thu, Jun 2, 2016 at 10:01 PM, Stuart Douglas <
>> stuart.w.douglas at gmail.com> wrote:
>>
>>> So I guess we should talk about how this should actually work.
>>>
>>> In terms of auto generating the key I was thinking we would need to add
>>> a new attribute to the 'keystore' element under the security realm,
>>> something like 'auto-generate-cert-host="localhost"'. I am not sure what
>>> other options we would need, or how configurable we should make it, but as
>>> this is for testing/development purposes I don't think we need to expose
>>> full control over the certificate generation process.
>>>
>>> In terms of the implementation we could just implement an SSLContext
>>> wrapper, that can do the generation and then create a 'real' SSLContext the
>>> first time it is asked to create an SSLEngine.
>>>
>>> Stuart
>>>
>>> On Fri, Jun 3, 2016 at 3:19 AM, Jason Greene <jason.greene at redhat.com>
>>> wrote:
>>>
>>>>
>>>> > On Jun 2, 2016, at 11:29 AM, Harold Campbell <hcamp at muerte.net> wrote:
>>>> >
>>>> > On Thu, 2016-06-02 at 09:22 +1000, Stuart Douglas wrote:
>>>> >> Hi All,
>>>> >>
>>>> >> I would like to propose that we add support for HTTP/2 out of the box
>>>> >> in Wildfly 10.1.
>>>> >>
>>>> >
>>>> > This lowly user desperately wants a release containing the fix to
>>>> > WFLY-6283 sooner rather than later. I'm sure other people have other pet
>>>> > bugs awaiting release.
>>>> >
>>>> > I have no opinion on HTTP/2 being added other than to ask that pent-up
>>>> > bug fixes be kept in mind.
>>>>
>>>>
>>>> Hi Harold,
>>>>
>>>> That fix is already in master, so it will be included in 10.1.
>>>>
>>>> --
>>>> Jason T. Greene
>>>> WildFly Lead / JBoss EAP Platform Architect
>>>> JBoss, a division of Red Hat
>>>>
>>>>
>>>
>>>
>>
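
The lazy-generation idea discussed in the thread, sketched as an added example that is not part of the original messages and is not WildFly's implementation. It uses a plain holder class instead of a real SSLContext wrapper and shells out to the JDK's keytool instead of generating the certificate in-process; the class name, alias, password, 2048-bit RSA key and 3650-day validity are all assumptions.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import javax.net.ssl.*;

/** Development-only holder: creates the keystore and the SSLContext on first use. */
public final class LazyDevSslContext {
    private final Path store;
    private final String host;      // hypothetical equivalent of auto-generate-cert-host
    private final char[] password;  // constructed sample value, not a WildFly default
    private SSLContext delegate;

    public LazyDevSslContext(Path store, String host, char[] password) {
        this.store = store; this.host = host; this.password = password;
    }

    /** Generates the self-signed certificate if the store is missing, then builds the real context. */
    public synchronized SSLEngine createSSLEngine() throws Exception {
        if (delegate == null) {
            if (Files.notExists(store)) generate();
            KeyStore ks = KeyStore.getInstance("JKS");
            try (InputStream in = Files.newInputStream(store)) { ks.load(in, password); }
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, password);
            delegate = SSLContext.getInstance("TLS");
            delegate.init(kmf.getKeyManagers(), null, null); // default trust managers
        }
        return delegate.createSSLEngine();
    }

    // Shells out to keytool. The password is visible in local process listings,
    // which is acceptable only for a throwaway development keystore.
    private void generate() throws Exception {
        String keytool = Paths.get(System.getProperty("java.home"), "bin", "keytool").toString();
        Process p = new ProcessBuilder(keytool, "-genkeypair", "-alias", "server",
                "-keyalg", "RSA", "-keysize", "2048", "-validity", "3650",
                "-dname", "CN=" + host, "-storetype", "JKS",
                "-keystore", store.toString(), "-storepass", new String(password),
                "-keypass", new String(password)).inheritIO().start();
        if (p.waitFor() != 0) throw new IllegalStateException("keytool failed");
    }

    public static void main(String[] args) throws Exception {
        Path store = Files.createTempDirectory("devtls").resolve("dev.keystore");
        LazyDevSslContext ctx = new LazyDevSslContext(store, "localhost", "changeit".toCharArray());
        System.out.println(ctx.createSSLEngine().getSupportedProtocols().length > 0);
    }
}
```

Deleting the keystore file and restarting produces a fresh certificate, which matches the regeneration path mentioned in the thread.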