[HTTPCLIENT-1329] SSLSocketFactory keystorePassword constructor parameter should be char[] instead of java.lang.String - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 4.2.2
Fix Version/s: 4.3 Beta1
Component/s: HttpClient (classic)
Labels:
- ssl

Description

The constructor signatures for creating an SSLSocketFactory take a java.lang.String as a parameter. This can lead to potential attack vectors because the password will be stored within the string pool of the VM. As a suggestion, in a future version, deprecate this API and add a signature taking a char[] parameter. This way the value of the password will not be cached for an excessive duration and will be garbage collected when out of reference.

This is based on recommendations from the GIAC Secure Software Programmer for Java course.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: David Graff

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 19/Mar/13 14:19

Updated:: 05/Oct/13 19:42

Resolved:: 02/Apr/13 14:56