Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Question regd jetty ssl configuration.

John,

Not secure at all, nor is it intended to be.

The issue is that if the server is to be started automatically without the need to enter a passphrase, then encryption cannot be used since the server needs to provide the keystore passwords at runtime.    OBF is simply a way to put the pass phrases into a configuration file so that a casual observer looking over your shoulder cannot easily remember the configured passwords.    MD5 cannot be used at all in this situation (it is provided for checking things like BASIC authentication where a credential is sent over "the wire" but we want to avoid storing such credentials on the server, so we check the MD5 of the provided credential with the stored MD5).

BCrypt would not help, as it requires a passphrase.    If we put that passphrase in a config file, then it's just the same problem... how to protect the passphrase needed to recover the password needed to recover the private key ....

Ultimately if a server is to start automatically, without human intervention, then you need to rely on the OS security to keep a configuration file secure.

cheers









On Fri, 16 Jul 2021 at 01:52, John English <john.foreign@xxxxxxxxx> wrote:
On 15/07/2021 18:27, Joakim Erdfelt wrote:
> The `MD5:` format Credential / Password is what's known as a 1-way hash
> (this is not encryption)
> You can take a password and generate a MD5.
> Then later, when a password is provided, you can run the hash again and
> compare the resulting MD5 to know if the password that was provided is a
> match.

Ouch. MD5? Not terribly secure. I prefer BCrypt.

--
John English
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users


--
Greg Wilkins <gregw@xxxxxxxxxxx> CTO http://webtide.com

Back to the top