`SslContextFactory` is hardcoded to use `Password`.

Open Tony-the-Tech opened this issue 1 year ago • 1 comments

Jetty version(s): Issue probably exists in all versions since the fix for "Bug 485625" 9 years ago. Specifically found in 12.0.10

Jetty Environment: core

Java version/vendor (use: java -version): openjdk version "17.0.10"

OS type/version: Linux 5.10.102.1-microsoft-standard-WSL2. Also Windows 11

Description: `SslContextFactory` uses `new Password(password)` to create its credential for obfuscated secrets for keystore, truststore and keymanager. There seems to be no reason not to use credential.

The issue is that if someone creates a module to have a custom CredentialProvider, it will not work in this case. Only OBF or plaintext will work.

The fix is somewhat trivial, and I can create a pull request if you like.

How to reproduce?

Create a custom credential provider and try to use it for secrets in your ssl.ini.

Tony-the-Tech avatar Aug 19 '24 20:08 Tony-the-Tech

Please create a pull request.

Follow: https://github.com/jetty/jetty.project/blob/jetty-12.0.x/CONTRIBUTING.md

sbordet avatar Aug 19 '24 21:08 sbordet