Re: [jetty-dev] QuicServerConnector severe security issue

This is normal.

The SslContextFactory can be configured via the normal start.jar + xml mechanism.
That supports the usual suspects of obfuscation choices (see https://javadoc.io/doc/org.eclipse.jetty/jetty-util/latest/org.eclipse.jetty.util/org/eclipse/jetty/util/security/Password.html).
These all rely on the usual File System permissions to ensure that the password cannot be accessed by those unauthorized.
Without File System Permissions in place, there is no file storage technique that is safe, as the means to decode the password is present as well.

You can alternatively provide your own password management and supply the SslContextFactory with the password at runtime in the Server start phase, bypassing all of the Jetty-provided mechanisms for password storage/management.

Joakim Erdfelt / joakim@xxxxxxxxxxx


On Thu, Jun 9, 2022 at 4:05 PM Thomas Lußnig via jetty-dev <jetty-dev@xxxxxxxxxxx> wrote:
Hi,

If I read the code of the QuicServerConnector (version 10.0.9) correctly,
then the decrypted plain private key is stored on the filesystem.
This is an absolute no-go.

Regards, Thomas Lußnig

org.eclipse.jetty.quic.server.QuicServerConnector

    doStart()
        char[] keyStorePassword = this.sslContextFactory.getKeyStorePassword().toCharArray();
        String keyManagerPassword = this.sslContextFactory.getKeyManagerPassword();
        SSLKeyPair keyPair = new SSLKeyPair(this.sslContextFactory.getKeyStoreResource().getFile(),
                this.sslContextFactory.getKeyStoreType(), keyStorePassword, alias,
                keyManagerPassword == null ? keyStorePassword : keyManagerPassword.toCharArray());
        // the decrypted key pair is written out as PEM files under java.io.tmpdir
        File[] pemFiles = keyPair.export(new File(System.getProperty("java.io.tmpdir")));
        this.privateKeyFile = pemFiles[0];
        this.certificateChainFile = pemFiles[1];
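
As an added example (not code from either message, and not Jetty's own code), the following Java start-up class puts Joakim's suggestion and Thomas's observation together: the keystore password is supplied at runtime from the process environment instead of a start.jar/XML property, and, because the doStart() excerpt above exports the PEM files under java.io.tmpdir, that property is pointed at a freshly created owner-only directory before the connector starts. The Password.obfuscate/deobfuscate round trip is included to show why Joakim says an obfuscated password is no protection once the file itself is readable. The environment variable name, the keystore path, and the use of HttpConnectionFactory on top of QuicServerConnector are assumptions made for the example.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

import org.eclipse.jetty.quic.server.QuicServerConnector;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.util.security.Password;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class HardenedQuicStart {

    // Jetty's OBF: form is reversible without any secret: deobfuscate()
    // undoes obfuscate(). It only hides the password from a casual glance,
    // so file system permissions on the config file are what actually
    // protect it (this is the point of the reply above).
    static String obfuscationRoundTrip(String clear) {
        String obf = Password.obfuscate(clear);   // "OBF:..." string
        return Password.deobfuscate(obf);         // returns clear again
    }

    // Create a directory only the JVM's user can enter, to hold the PEM
    // files that QuicServerConnector.doStart() exports into java.io.tmpdir.
    static Path privateTmpDir() throws IOException {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix"))
            throw new UnsupportedOperationException("owner-only temp dir needs a POSIX file system");
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        Path dir = Files.createTempDirectory("jetty-quic-",
                PosixFilePermissions.asFileAttribute(ownerOnly));
        // Re-apply explicitly so a permissive umask cannot widen the mode.
        Files.setPosixFilePermissions(dir, ownerOnly);
        return dir;
    }

    public static void main(String[] args) throws Exception {
        // 1. Password handed to the SslContextFactory at runtime; it never
        //    appears in a Jetty XML/ini file. KEYSTORE_PASSWORD is a
        //    hypothetical variable name chosen for this example.
        String keyStorePassword = System.getenv("KEYSTORE_PASSWORD");
        if (keyStorePassword == null || keyStorePassword.isEmpty())
            throw new IllegalStateException("KEYSTORE_PASSWORD is not set");

        // 2. Redirect java.io.tmpdir to an owner-only directory *before* the
        //    connector starts, since doStart() reads the property at that
        //    point and drops the decrypted private key PEM there.
        Path tmp = privateTmpDir();
        System.setProperty("java.io.tmpdir", tmp.toAbsolutePath().toString());

        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("/etc/jetty/keystore.p12");   // hypothetical path
        ssl.setKeyStoreType("PKCS12");
        ssl.setKeyStorePassword(keyStorePassword);

        Server server = new Server();
        // Assumption: HTTP/1.1 connection factory over the QUIC connector,
        // as in Jetty's own QUIC tests.
        QuicServerConnector connector =
                new QuicServerConnector(server, ssl, new HttpConnectionFactory());
        connector.setPort(8443);
        server.addConnector(connector);
        server.start();
        server.join();
    }
}
```

Run it with KEYSTORE_PASSWORD exported in the environment of the service manager (or injected by whatever secret store is in use), never on the command line, where it would show up in process listings. The directory trick is Unix-only and narrows the exposure to the JVM's own user; it does not remove the on-disk copy of the key, which is the underlying objection in the original report.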

_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-dev