Re: [jetty-users] Question regd jetty ssl configuration.

2021-07-16 Thread John English

On 16/07/2021 00:25, Greg Wilkins wrote:
> John,
>
> Not secure at all, nor is it intended to be.
>
> The issue is that if the server is to be started automatically without
> the need to enter a passphrase, then encryption cannot be used since the
> server needs to provide the keystore passwords at runtime. OBF is
> simply a way to put the pass phrases into a configuration file so that a
> casual observer looking over your shoulder cannot easily remember the
> configured passwords. MD5 cannot be used at all in this situation (it
> is provided for checking things like BASIC authentication where a
> credential is sent over "the wire" but we want to avoid storing such
> credentials on the server, so we check the MD5 of the provided
> credential with the stored MD5).

Ah, I misread -- I was thinking of password authentication when I read
it. Apols.


--
John English
___
jetty-users mailing list
jetty-users@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/jetty-users


Re: [jetty-users] Question regd jetty ssl configuration.

2021-07-15 Thread TSmitha
Hello Joakin, John and Greg,
Thanks a lot for your prompt reply, this has helped me a great deal. I will
go ahead with using the OBF format in my configurations.

Thanks,
Smita

On Fri, Jul 16, 2021 at 2:55 AM Greg Wilkins wrote:

>
> John,
>
> Not secure at all, nor is it intended to be.
>
> The issue is that if the server is to be started automatically without the
> need to enter a passphrase, then encryption cannot be used since the server
> needs to provide the keystore passwords at runtime. OBF is simply a way
> to put the pass phrases into a configuration file so that a casual observer
> looking over your shoulder cannot easily remember the configured
> passwords. MD5 cannot be used at all in this situation (it is provided
> for checking things like BASIC authentication where a credential is sent
> over "the wire" but we want to avoid storing such credentials on the
> server, so we check the MD5 of the provided credential with the stored MD5).
>
> BCrypt would not help, as it requires a passphrase. If we put that
> passphrase in a config file, then it's just the same problem... how to
> protect the passphrase needed to recover the password needed to recover the
> private key
>
> Ultimately if a server is to start automatically, without human
> intervention, then you need to rely on the OS security to keep a
> configuration file secure.
>
> cheers
>
> On Fri, 16 Jul 2021 at 01:52, John English wrote:
>
>> On 15/07/2021 18:27, Joakim Erdfelt wrote:
>> > The `MD5:` format Credential / Password is what's known as a 1-way hash
>> > (this is not encryption)
>> > You can take a password and generate an MD5.
>> > Then later, when a password is provided, you can run the hash again and
>> > compare the resulting MD5 to know if the password that was provided is a
>> > match.
>>
>> Ouch. MD5? Not terribly secure. I prefer BCrypt.
>>
>> --
>> John English
>>
>
>
> --
> Greg Wilkins  CTO http://webtide.com
>


Re: [jetty-users] Question regd jetty ssl configuration.

2021-07-15 Thread Greg Wilkins
John,

Not secure at all, nor is it intended to be.

The issue is that if the server is to be started automatically without the
need to enter a passphrase, then encryption cannot be used since the server
needs to provide the keystore passwords at runtime. OBF is simply a way
to put the pass phrases into a configuration file so that a casual observer
looking over your shoulder cannot easily remember the configured
passwords. MD5 cannot be used at all in this situation (it is provided
for checking things like BASIC authentication where a credential is sent
over "the wire" but we want to avoid storing such credentials on the
server, so we check the MD5 of the provided credential with the stored MD5).

BCrypt would not help, as it requires a passphrase. If we put that
passphrase in a config file, then it's just the same problem... how to
protect the passphrase needed to recover the password needed to recover the
private key

Ultimately if a server is to start automatically, without human
intervention, then you need to rely on the OS security to keep a
configuration file secure.

cheers

On Fri, 16 Jul 2021 at 01:52, John English wrote:

> On 15/07/2021 18:27, Joakim Erdfelt wrote:
> > The `MD5:` format Credential / Password is what's known as a 1-way hash
> > (this is not encryption)
> > You can take a password and generate an MD5.
> > Then later, when a password is provided, you can run the hash again and
> > compare the resulting MD5 to know if the password that was provided is a
> > match.
>
> Ouch. MD5? Not terribly secure. I prefer BCrypt.
>
> --
> John English
>


-- 
Greg Wilkins  CTO http://webtide.com


Re: [jetty-users] Question regd jetty ssl configuration.

2021-07-15 Thread John English

On 15/07/2021 18:27, Joakim Erdfelt wrote:
> The `MD5:` format Credential / Password is what's known as a 1-way hash
> (this is not encryption)
>
> You can take a password and generate an MD5.
> Then later, when a password is provided, you can run the hash again and
> compare the resulting MD5 to know if the password that was provided is a
> match.


Ouch. MD5? Not terribly secure. I prefer BCrypt.

--
John English


Re: [jetty-users] Question regd jetty ssl configuration.

2021-07-15 Thread Joakim Erdfelt
The `MD5:` format Credential / Password is what's known as a 1-way hash
(this is not encryption)
You can take a password and generate an MD5.
Then later, when a password is provided, you can run the hash again and
compare the resulting MD5 to know if the password that was provided is a
match.

There's no way for the Keystore to reverse out the password it needs to use
from the MD5 hash.
The `MD5:` format in the Credential / Password exists for tooling / specs /
libraries that use them.
Such as Digest authentication in the HTTP spec, which takes the user
password on the user-agent (browser), tacks other information into it,
hashes the resulting string, and only sends the MD5 hash over the network
to the server.
Then the server simply performs a hash comparison to know if the password
was correct (or not).

Your choices for Keystore passwords are OBF, CRYPT, or plaintext.

Joakim Erdfelt / joa...@webtide.com


On Thu, Jul 15, 2021 at 1:09 AM TSmitha wrote:

> Hi,
>
> I am using jetty version -- jetty-9.4.40.v20210413 - 13 April 2021 on
> java 1.8 platform.
>
> I am setting up ssl by referring to this documentation regarding putting
> obfuscated/encrypted password in jetty-ssl-context.xml --
> https://www.eclipse.org/jetty/documentation/jetty-9/index.html#configuring-security-secure-passwords
>
> If I provide OBF: format passwords for (keystore and truststore) then
> jetty server runs fine but if I put MD5: format password in this xml file,
> jetty server fails to run; I have found this log in jetty/logs:
>
> java.security.PrivilegedActionException: java.io.IOException: Keystore was tampered with, or password was incorrect
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1857)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.eclipse.jetty.start.Main.invokeMain(Main.java:218)
>     at org.eclipse.jetty.start.Main.start(Main.java:491)
>     at org.eclipse.jetty.start.Main.main(Main.java:77)
> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
>     at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
>
> Can you please provide your guidance about the right way to achieve this?
>
>
> Thanks,
>
> Smita
>
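An added illustration of the point made in Greg's and Joakim's replies above, written for this page rather than taken from Jetty or from either author: a Python re-implementation of the Jetty `OBF:` encoding shows that it is a reversible transform the server can undo at startup (and so can anyone who can read the configuration file, which is why OS file permissions are what actually protect it), while an `MD5:` credential is a one-way digest that can only be checked against a presented password. `keystore_password` is a hypothetical loader used to show the asymmetry, not a Jetty API, and `storepwd` is a sample value.

```python
import hashlib
import hmac
import re
_B36 = "0123456789abcdefghijklmnopqrstuvwxyz"

def _to_b36(n: int) -> str:
    s = ""
    while n:
        n, r = divmod(n, 36)
        s = _B36[r] + s
    return s

def obfuscate(password: str) -> str:
    """Jetty 'OBF:' scheme: pair each byte with its mirror byte, base36-encode the pair."""
    b, out = password.encode("utf-8"), ["OBF:"]
    for i, b1 in enumerate(b):
        b2 = b[len(b) - 1 - i]
        if b1 >= 0x80 or b2 >= 0x80:  # non-ASCII pair: 'U' marker + b1*256+b2
            out.append("U" + _to_b36((b1 << 8) | b2).rjust(4, "0"))
        else:
            i1, i2 = 127 + b1 + b2, 127 + b1 - b2
            out.append(_to_b36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(out)

def deobfuscate(obf: str) -> str:
    """Exact inverse: the server (or anyone who can read the file) gets the plaintext."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    out = bytearray()
    for tok in re.findall(r"U?[0-9a-z]{4}", s):
        if tok[0] == "U":
            out.append(int(tok[1:], 36) >> 8)
        else:
            i1, i2 = divmod(int(tok, 36), 256)
            out.append((i1 + i2 - 254) // 2)  # (2*b1) // 2 == b1
    return out.decode("utf-8")

def md5_credential(password: str) -> str:
    """Jetty-style 'MD5:' credential: a one-way digest, only good for *checking* a password."""
    return "MD5:" + hashlib.md5(password.encode("utf-8")).hexdigest()

def md5_check(stored: str, presented: str) -> bool:
    return hmac.compare_digest(stored, md5_credential(presented))  # re-hash and compare

def keystore_password(configured: str) -> "str | None":
    """Hypothetical loader (not Jetty's): OBF is undone, plaintext used as-is."""
    if configured.startswith("OBF:"):
        return deobfuscate(configured)
    if configured.startswith("MD5:"):
        return None  # one-way digest: nothing KeyStore.load() could use
    return configured
```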


[jetty-users] Question regd jetty ssl configuration.

2021-07-15 Thread TSmitha
Hi,

I am using jetty version -- jetty-9.4.40.v20210413 - 13 April 2021 on java
1.8 platform.

I am setting up ssl by referring to this documentation regarding putting
obfuscated/encrypted password in jetty-ssl-context.xml --
https://www.eclipse.org/jetty/documentation/jetty-9/index.html#configuring-security-secure-passwords

If I provide OBF: format passwords for (keystore and truststore) then jetty
server runs fine but if I put MD5: format password in this xml file, jetty
server fails to run; I have found this log in jetty/logs:

java.security.PrivilegedActionException: java.io.IOException: Keystore was tampered with, or password was incorrect
    at java.security.AccessController.doPrivileged(Native Method)
    at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1857)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.eclipse.jetty.start.Main.invokeMain(Main.java:218)
    at org.eclipse.jetty.start.Main.start(Main.java:491)
    at org.eclipse.jetty.start.Main.main(Main.java:77)
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)

Can you please provide your guidance about the right way to achieve this?


Thanks,

Smita