[
https://issues.apache.org/jira/browse/HTTPCLIENT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13606523#comment-13606523
]
Sebb commented on HTTPCLIENT-1329:
----------------------------------
Also, once the password has been used, the char array can (should) be
overwritten, e.g. with nulls.
> SSLSocketFactory keystorePassword constructor parameter should be char[]
> instead of java.lang.String
> ----------------------------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-1329
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1329
> Project: HttpComponents HttpClient
> Issue Type: Improvement
> Components: HttpClient
> Affects Versions: 4.2.2
> Reporter: David Graff
> Labels: ssl
>
> The constructor signatures for creating an SSLSocketFactory take a
> java.lang.String as a parameter. This can lead to potential attack vectors
> because the password will be stored within the string pool of the VM. As a
> suggestion, in a future version, deprecate this API and add a signature
> taking a char[] parameter. This way the value of the password will not be
> cached for an excessive duration and will be garbage collected when out of
> reference.
> This is based on recommendations from the GIAC Secure Software Programmer for
> Java course.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
