[jetty-dev] QuicServerConnector severe security issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-dev] QuicServerConnector severe security issue

From: Thomas Lußnig <jetty@xxxxxxxxx>
Date: Thu, 9 Jun 2022 23:05:33 +0200
Delivered-to: jetty-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-dev/>
List-help: <mailto:jetty-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1

Hi,

if i read the code of the QuicServerConnector (Version 10.0.9) correctthan the decrypted plain private key is stored on the filesystem.

This is an absolute no go.

Gruß Thomas Lußnig

org.eclipse.jetty.quic.server.QuicServerConnector

    doStart()

char[] keyStorePassword =this.sslContextFactory.getKeyStorePassword().toCharArray(); String keyManagerPassword =this.sslContextFactory.getKeyManagerPassword(); SSLKeyPair keyPair = newSSLKeyPair(this.sslContextFactory.getKeyStoreResource().getFile(), this.sslContextFactory.getKeyStoreType(),keyStorePassword, alias, keyManagerPassword == null ? keyStorePassword :keyManagerPassword.toCharArray()); File[] pemFiles = keyPair.export(newFile(System.getProperty("java.io.tmpdir")));

            this.privateKeyFile = pemFiles[0];
            this.certificateChainFile = pemFiles[1];

Follow-Ups:
- Re: [jetty-dev] QuicServerConnector severe security issue
  - From: Joakim Erdfelt

Prev by Date: [jetty-dev] Jetty 9.x support from Webtidal
Next by Date: Re: [jetty-dev] QuicServerConnector severe security issue
Previous by thread: [jetty-dev] Jetty 9.x support from Webtidal
Next by thread: Re: [jetty-dev] QuicServerConnector severe security issue
Index(es):
- Date
- Thread

Breadcrumbs