[ https://issues.apache.org/jira/browse/LOG4J2-1896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16131368#comment-16131368 ]

Gary Gregory commented on LOG4J2-1896:
--------------------------------------

I added the API clearSecrets() which could be used by advanced call-sites or 
this way generically since the location and password are not needed once the 
{{SSLContext}} is created in the ctor:

{noformat}
diff --git 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/SslConfiguration.java
 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/SslConfiguration.java
index b129184..a1162a5 100644
--- 
a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/SslConfiguration.java
+++ 
b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/SslConfiguration.java
@@ -53,6 +53,7 @@
         this.trustStoreConfig = trustStoreConfig;
         this.protocol = protocol == null ? SslConfigurationDefaults.PROTOCOL : 
protocol;
         this.sslContext = this.createSslContext();
+        this.clearSecrets();
     }
 
     /**
{noformat}
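
Review bot: the added `this.clearSecrets();` only runs when `this.createSslContext()` returns normally, so if context creation throws, the password and location are left in memory on exactly the path where the object is unusable anyway. Consider wrapping the two calls in try/finally so the clear happens either way. A second point on the same line: `trustStoreConfig` is handed in by the caller and stored as-is on the line `this.trustStoreConfig = trustStoreConfig;`, so if `clearSecrets()` wipes the password held by that object, a caller that reuses the same store configuration for another `SslConfiguration` will find it already cleared. Either document in the constructor Javadoc that the passed-in configurations are consumed, or clear a private copy. It would also help to state in the Javadoc that nothing after construction may depend on the cleared fields.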

Thoughts?

> Update classes in org.apache.logging.log4j.core.net.ssl in APIs from String 
> to char[] for passwords
> ---------------------------------------------------------------------------------------------------
>
>                 Key: LOG4J2-1896
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1896
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Configurators
>            Reporter: Gary Gregory
>            Assignee: Gary Gregory
>             Fix For: 2.9
>
>
> Update {{org.apache.logging.log4j.core.net.ssl.StoreConfiguration}} from a 
> {{String}} to {{char[]}} to represent its password.
> The goal is to reduce the security risk of using a String for a password. See 
> https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
