Posted to dev@hc.apache.org by "David Graff (JIRA)" <ji...@apache.org> on 2013/03/19 15:21:15 UTC

[jira] [Created] (HTTPCLIENT-1329) SSLSocketFactory keystorePassword constructor parameter should be char[] instead of java.lang.String

David Graff created HTTPCLIENT-1329:
---------------------------------------

             Summary: SSLSocketFactory keystorePassword constructor parameter should be char[] instead of java.lang.String
                 Key: HTTPCLIENT-1329
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1329
             Project: HttpComponents HttpClient
          Issue Type: Improvement
          Components: HttpClient
    Affects Versions: 4.2.2
            Reporter: David Graff


The constructor signatures for creating an SSLSocketFactory take a java.lang.String as a parameter.  This can lead to potential attack vectors because the password will be stored within the string pool of the VM. As a suggestion, in a future version, deprecate this API and add a signature taking a char[] parameter. This way the value of the password will not be cached for an excessive duration and will be garbage collected when out of reference.

This is based on recommendations from the GIAC Secure Software Programmer for Java course.

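A client-side way to stay off the String-password overload today, as an added example that is not part of this issue or of HttpClient's own code: the JDK's KeyStore.load and KeyManagerFactory.init already accept char[], so the password can be read, used and zeroed without ever becoming an immutable java.lang.String. Assumptions: the keystore file name client.p12, the PKCS12 type, and HttpClient 4.x's SSLSocketFactory(SSLContext) constructor as the way to hand the result to the library.

```java
import java.io.Console;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.conn.ssl.SSLSocketFactory;

public final class CharArrayKeystorePassword {

    // Builds an SSLContext from a keystore using only char[] for the password.
    // The caller's array is overwritten in finally, whether loading succeeds or not,
    // so the secret does not linger on the heap until some later garbage collection.
    static SSLContext contextFrom(String keystorePath, char[] password) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(keystorePath))) {
            KeyStore ks = KeyStore.getInstance("PKCS12");   // assumed keystore type
            ks.load(in, password);                           // JDK API takes char[]
            KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, password);                          // also char[]
            // Trust the JVM's default CA set; the keystore only supplies the client identity.
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            return ctx;
        } finally {
            Arrays.fill(password, '\0');                     // wipe the only copy we control
        }
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("run from a terminal so the password can be read as char[]");
        }
        char[] pw = console.readPassword("keystore password: ");   // char[], never a String
        SSLContext ctx = contextFrom("client.p12", pw);            // assumed file name
        // Assumption: HttpClient 4.x SSLContext-based constructor; the String overload is never called.
        SSLSocketFactory socketFactory = new SSLSocketFactory(ctx);
        boolean wiped = true;
        for (char c : pw) { wiped &= (c == '\0'); }
        System.out.println("factory ready: " + (socketFactory != null) + ", password wiped: " + wiped);
    }
}
```

The readPassword call matters as much as the constructor: once a password has passed through a String (a literal, a properties value, a command-line argument) there is no way to clear it, so the char[] has to start at the input boundary.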