hc-dev mailing list archives

From "David Graff (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HTTPCLIENT-1329) SSLSocketFactory keystorePassword constructor parameter should be char[] instead of java.lang.String
Date Tue, 19 Mar 2013 14:21:15 GMT
David Graff created HTTPCLIENT-1329:
---------------------------------------

             Summary: SSLSocketFactory keystorePassword constructor parameter should be char[] instead of java.lang.String
                 Key: HTTPCLIENT-1329
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1329
             Project: HttpComponents HttpClient
          Issue Type: Improvement
          Components: HttpClient
    Affects Versions: 4.2.2
            Reporter: David Graff


The constructor signatures for creating an SSLSocketFactory take a java.lang.String as a parameter. This can lead to potential attack vectors because the password will be stored within the string pool of the VM. As a suggestion, in a future version, deprecate this API and add a signature taking a char[] parameter. This way the value of the password will not be cached for an excessive duration and will be garbage collected when out of reference.

This is based on recommendations from the GIAC Secure Software Programmer for Java course.
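The char[] pattern the report recommends, as an added example that is not part of this issue or of HttpClient's own code: a hypothetical `KeyStorePasswordDemo` class (my name, not an HttpClient API) loads a keystore through a char[] overload, keeps a deprecated String overload only for contrast, and zeroes the array in a `finally` block once the keystore is initialized. A String cannot be cleared because it is immutable; a char[] can be overwritten in place, which is why `java.io.Console.readPassword()` and `KeyStore.load()` already use char[]. The keystore bytes are constructed in memory so the example runs offline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

/**
 * Illustrative loader (hypothetical; not HttpClient's SSLSocketFactory):
 * the keystore password is taken as char[] so the caller can wipe it after use.
 */
public final class KeyStorePasswordDemo {

    /** Loads a keystore; the caller keeps ownership of the password array and wipes it. */
    static KeyStore load(byte[] keystoreBytes, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (ByteArrayInputStream in = new ByteArrayInputStream(keystoreBytes)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** The String-based overload the report argues against, kept only for contrast. */
    @Deprecated
    static KeyStore load(byte[] keystoreBytes, String password)
            throws GeneralSecurityException, IOException {
        // We can wipe this temporary copy, but the String itself stays
        // readable on the heap until the garbage collector reclaims it.
        char[] tmp = password.toCharArray();
        try {
            return load(keystoreBytes, tmp);
        } finally {
            Arrays.fill(tmp, '\0');
        }
    }

    /** Builds a constructed, empty keystore in memory so the example runs offline. */
    static byte[] constructedKeyStore(char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);  // initialise an empty store
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample password. In real code obtain it directly as a char[]
        // (e.g. Console.readPassword()) so no String copy is ever created.
        char[] password = "changeit".toCharArray();
        try {
            byte[] bytes = constructedKeyStore(password);
            KeyStore ks = load(bytes, password);
            System.out.println("loaded keystore with " + ks.size() + " entries");
        } finally {
            Arrays.fill(password, '\0');  // wipe: this array is the only copy we control
        }
        System.out.println("password array after wipe: " + Arrays.toString(password));
    }
}
```

The `finally` block is the important part: the password is overwritten as soon as `KeyStore.load()` has consumed it, regardless of whether loading succeeded, so the plaintext does not linger in a heap dump or core file for longer than necessary.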



