[
https://issues.apache.org/jira/browse/LOG4J2-1896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16180775#comment-16180775
]
Remko Popma edited comment on LOG4J2-1896 at 9/26/17 2:01 PM:
--------------------------------------------------------------
The most general interface for SSL seems to be
[ManagerFactoryParameters|http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/ManagerFactoryParameters.html].
If we ever want to support creating an SSL context with initialization
parameters that are not based on keystores, this is the interface to use.
If we want to make things more general we should look at using this interface
rather than creating a generic SecretProvider<T> interface.
Looking at refactoring to use ManagerFactoryParameters: with a bit of work we
can use a standard ManagerFactoryParameters implementation that uses keystores
([KeyStoreBuilderParameters|http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/KeyStoreBuilderParameters.html]).
I still need to investigate whether it is possible to avoid keeping the
password {{char[]}} array resident in memory during the life of the process. We
can [clear this password
array|http://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.PasswordProtection.html#destroy()],
once the SSL context is created, but I worry that if we do so we won't be able
to create another SSL session if we lose the connection and need to reconnect.
The nice thing about the current PasswordProvider interface is that it can load
the password on demand. The JDK built-in KeyStore.PasswordProtection class does
not have that ability.
was (Author: [email protected]):
The most general interface for SSL seems to be
[ManagerFactoryParameters|http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/ManagerFactoryParameters.html].
If we ever want to support creating an SSL context with initialization
parameters that are not based on keystores, this is the interface to use.
Our default configuration does use KeyStores. Java provides a
ManagerFactoryParameters implementation that uses keystores
([KeyStoreBuilderParameters|http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/KeyStoreBuilderParameters.html]).
I still need to investigate whether it is possible to avoid keeping the
password {{char[]}} array resident in memory during the life of the process. We
can [clear this password
array|http://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.PasswordProtection.html#destroy()],
once the SSL context is created, but I worry that then we cannot create
another SSL session if we lose the connection and need to reconnect.
> Update classes in org.apache.logging.log4j.core.net.ssl in APIs from String
> to char[] for passwords
> ---------------------------------------------------------------------------------------------------
>
> Key: LOG4J2-1896
> URL: https://issues.apache.org/jira/browse/LOG4J2-1896
> Project: Log4j 2
> Issue Type: Improvement
> Components: Configurators
> Reporter: Gary Gregory
> Assignee: Remko Popma
> Fix For: 2.10.0
>
>
> Update {{org.apache.logging.log4j.core.net.ssl.StoreConfiguration}} from a
> {{String}} to {{char[]}} to represent its password.
> The goal is to reduce the security risk of using a String for a password. See
> https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
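The trade-off raised in the comment above, as an added example that is not Log4j code and not part of the original message: a password fetched on demand can be wiped after each SSL context is built and fetched again on reconnect, while a destroyed KeyStore.PasswordProtection cannot be read again. The PasswordSource interface, the class name and the demo password are assumptions made for this sketch; the keystore is an empty one constructed in memory.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class OnDemandPasswordDemo {
    /** Hypothetical on-demand source: each call returns a fresh array that the caller wipes. */
    interface PasswordSource { char[] get(); }

    /** Builds an SSLContext, then zeroes the password array whether or not the build succeeded. */
    static SSLContext newContext(byte[] storeBytes, PasswordSource source) throws Exception {
        char[] pw = source.get();
        try {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(new ByteArrayInputStream(storeBytes), pw);
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, pw);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), null, null);
            return ctx;
        } finally {
            Arrays.fill(pw, '\0'); // password lives only for the duration of this call
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: an empty JKS keystore protected by a demo password.
        final char[] demo = "constructed-demo-password".toCharArray();
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        empty.store(out, demo);
        byte[] storeBytes = out.toByteArray();

        // A real source would read a file, environment variable or vault on every call;
        // cloning a held array here only stands in for that lookup.
        PasswordSource source = () -> demo.clone();
        newContext(storeBytes, source);
        newContext(storeBytes, source); // "reconnect": the password is simply fetched again
        System.out.println("on-demand source: SSL context built twice");

        // A PasswordProtection that has been destroyed cannot serve a later reconnect.
        KeyStore.PasswordProtection held = new KeyStore.PasswordProtection(demo.clone());
        held.destroy();
        try {
            held.getPassword();
        } catch (IllegalStateException e) {
            System.out.println("destroyed PasswordProtection: " + e.getMessage());
        }
    }
}
```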