From: Christopher Schultz
To: Tomcat Users List
Subject: Re: clear text keystore password in server.xml
Date: Thu, 02 Sep 2010 11:28:42 -0400
Luca,

On 8/30/2010 2:42 AM, Luca Gervasi wrote:
> I'm working to secure this, but... it's not too easy (and I'm surely not
> a skilled programmer...).
>
> But I hope this topic will be kept up!

There is virtually nothing you can do about this. The only solutions here are:

1. Use a password entered on the console during start-up (the "Apache httpd strategy")
2. Remove the password from the keystore

Removing the password from the keystore is just about as (in)secure as having the password in server.xml in plain text. All other strategies simply move the problem to some other component. Protecting one password requires another password which requires protecting, which... you get the idea.

-chris
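One way to audit for the clear-text keystorePass this thread is about, as an added example (not code from the thread or from Tomcat itself): it parses a constructed server.xml, lists the Connector attributes that carry a secret, and reports the file as exposed when its POSIX mode lets group or world read it. The sample XML, the file path and the attribute list are assumptions for the demo.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample server.xml: one HTTPS Connector with its keystore
# password in clear text (hypothetical values, not from any real host).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               keystoreFile="conf/keystore.jks"
               keystorePass="changeit" />
  </Service>
</Server>
"""

# Connector attributes that hold a secret in clear text (assumed list).
SECRET_ATTRS = ("keystorePass", "truststorePass", "keyPass")


def find_cleartext_secrets(xml_text):
    """Return [(port, attribute)] for every Connector attribute holding a secret."""
    root = ET.fromstring(xml_text)
    return [(conn.get("port"), attr)
            for conn in root.iter("Connector")
            for attr in SECRET_ATTRS if attr in conn.attrib]


def is_readable_by_others(path):
    """True if group or world may read the file, i.e. the secret is exposed."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(path):
    """Combine both checks: secrets present AND file readable beyond its owner."""
    with open(path) as f:
        hits = find_cleartext_secrets(f.read())
    return {"secrets": hits, "exposed": bool(hits) and is_readable_by_others(path)}


def write_sample(mode):
    """Write the constructed server.xml to a temp file with the given mode."""
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as f:
        f.write(SAMPLE_SERVER_XML)
    os.chmod(f.name, mode)
    return f.name


if __name__ == "__main__":
    print(audit(write_sample(0o644)))  # secrets found, file world-readable
    print(audit(write_sample(0o600)))  # secrets found, owner-only
```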