Re: [jetty-dev] QuicServerConnector severe security issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-dev] QuicServerConnector severe security issue

From: Joakim Erdfelt <joakim@xxxxxxxxxxx>
Date: Thu, 9 Jun 2022 16:37:43 -0500
Delivered-to: jetty-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-dev/>
List-help: <mailto:jetty-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=unsubscribe>

This is normal.

The SslContextFactory can be configured via the normal start.jar + xml mechanism.

That supports the usual suspects of obfuscation choices. (see https://javadoc.io/doc/org.eclipse.jetty/jetty-util/latest/org.eclipse.jetty.util/org/eclipse/jetty/util/security/Password.html )

These all rely on the usual File System permissions to ensure that the password cannot be accessed by those unauthorized.

Without File System Permissions in place, there is no file storage technique that is safe, as the means to decode the password is present as well.

You can alternatively provide your own password management and supply the SslContextFactory with the password at runtime in the Server start phase, bypassing all of the Jetty provided mechanisms for password storage/management.

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Thu, Jun 9, 2022 at 4:05 PM Thomas Lußnig via jetty-dev <jetty-dev@xxxxxxxxxxx> wrote:

Hi,

if i read the code of the QuicServerConnector (Version 10.0.9) correct
than the decrypted plain private key is stored on the filesystem.
This is an absolute no go.

Gruß Thomas Lußnig

org.eclipse.jetty.quic.server.QuicServerConnector

    doStart()
            char[] keyStorePassword =
this.sslContextFactory.getKeyStorePassword().toCharArray();
            String keyManagerPassword =
this.sslContextFactory.getKeyManagerPassword();
            SSLKeyPair keyPair = new
SSLKeyPair(this.sslContextFactory.getKeyStoreResource().getFile(),
                    this.sslContextFactory.getKeyStoreType(),
keyStorePassword, alias,
                    keyManagerPassword == null ? keyStorePassword :
keyManagerPassword.toCharArray());
            File[] pemFiles = keyPair.export(new
File(System.getProperty("java.io.tmpdir")));
            this.privateKeyFile = pemFiles[0];
            this.certificateChainFile = pemFiles[1];

_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-dev

References:
- [jetty-dev] QuicServerConnector severe security issue
  - From: Thomas Lußnig

Prev by Date: [jetty-dev] QuicServerConnector severe security issue
Next by Date: Re: [jetty-dev] Jetty 9.x support from Webtidal
Previous by thread: [jetty-dev] QuicServerConnector severe security issue
Next by thread: [jetty-dev] JDK 19: Rampdown Phase 1 + EA builds 26 & JDK 20: EA builds 1
Index(es):
- Date
- Thread

Breadcrumbs