Re: [jetty-dev] QuicServerConnector severe security issue

This is normal.

The SslContextFactory can be configured via the normal start.jar + xml mechanism.
That supports the usual suspects of obfuscation choices. (see )
These all rely on the usual File System permissions to ensure that the password cannot be accessed by those unauthorized.
Without File System Permissions in place, there is no file storage technique that is safe, as the means to decode the password is present as well.

You can alternatively provide your own password management and supply the SslContextFactory with the password at runtime in the Server start phase, bypassing all of the Jetty provided mechanisms for password storage/management.

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Thu, Jun 9, 2022 at 4:05 PM Thomas Lußnig via jetty-dev <jetty-dev@xxxxxxxxxxx> wrote:

If I read the code of the QuicServerConnector (Version 10.0.9) correctly,
then the decrypted plain private key is stored on the filesystem.
This is an absolute no-go.

Regards, Thomas Lußnig


             char[] keyStorePassword =
             String keyManagerPassword =
             SSLKeyPair keyPair = new
keyStorePassword, alias,
                     keyManagerPassword == null ? keyStorePassword :
             File[] pemFiles = keyPair.export(new
             this.privateKeyFile = pemFiles[0];
             this.certificateChainFile = pemFiles[1];
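
An added example, not part of the original thread or of Jetty's own code: one way to follow the reply's suggestion of supplying the keystore password to the SslContextFactory at runtime, shown with a plain ServerConnector on Jetty 10. The file paths, the port and the readOwnerOnlySecret helper are assumptions made for this sketch.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Set;

import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class RuntimeKeystorePassword
{
    // Hypothetical locations, chosen for this example only.
    private static final Path KEYSTORE = Path.of("/etc/myapp/keystore.p12");
    private static final Path SECRET = Path.of("/run/secrets/keystore-password");

    // Hypothetical helper: refuse a secret file that group or others can access.
    // Works on POSIX file systems only; elsewhere getPosixFilePermissions throws.
    static String readOwnerOnlySecret(Path file) throws IOException
    {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        Set<PosixFilePermission> allowed = EnumSet.of(
            PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
        if (!allowed.containsAll(perms))
            throw new IOException(file + " is accessible beyond its owner: " + perms);
        return Files.readString(file, StandardCharsets.UTF_8).strip();
    }

    public static void main(String[] args) throws Exception
    {
        // Fetched during the Server start phase, not stored in Jetty XML or properties.
        String password = readOwnerOnlySecret(SECRET);

        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(KEYSTORE.toString());
        ssl.setKeyStorePassword(password);
        ssl.setKeyManagerPassword(password);

        Server server = new Server();
        ServerConnector connector = new ServerConnector(server, ssl);
        connector.setPort(8443);
        server.addConnector(connector);
        server.start();
        server.join();
    }
}
```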
