Posted to dev@hc.apache.org by "David Graff (JIRA)" <ji...@apache.org> on 2013/03/19 15:21:15 UTC
[jira] [Created] (HTTPCLIENT-1329) SSLSocketFactory keystorePassword constructor parameter should be char[] instead of java.lang.String
David Graff created HTTPCLIENT-1329:
---------------------------------------
Summary: SSLSocketFactory keystorePassword constructor parameter should be char[] instead of java.lang.String
Key: HTTPCLIENT-1329
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1329
Project: HttpComponents HttpClient
Issue Type: Improvement
Components: HttpClient
Affects Versions: 4.2.2
Reporter: David Graff
The constructor signatures for creating an SSLSocketFactory take a java.lang.String as a parameter. This can lead to potential attack vectors because the password will be stored within the string pool of the VM. As a suggestion, in a future version, deprecate this API and add a signature taking a char[] parameter. This way the value of the password will not be cached for an excessive duration and will be garbage collected when out of reference.
This is based on recommendations from the GIAC Secure Software Programmer for Java course.
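The char[] handling the report asks for, as an added example that is not code from the issue or from the HttpClient project: the JSSE APIs underneath (KeyStore.load, KeyManagerFactory.init) already take char[], so the SSLContext can be built without a String password ever existing, and the array is wiped once it has been used. The keystore path argument, the fallback sample password and the hand-off to HttpClient's SSLSocketFactory(SSLContext) constructor are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public final class KeyStoreSslContext {

    /**
     * Builds an SSLContext from a JKS/PKCS12 keystore. The password is a char[]
     * so the caller can zero it afterwards; a String copy would sit in the heap
     * (and possibly the intern pool) until the collector gets to it and cannot
     * be cleared by the application.
     */
    public static SSLContext fromKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);                 // JSSE takes char[] here
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);                    // key-entry password, also char[]
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // default trust managers
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Read the password straight into a char[] (console), never via a String.
        // The literal fallback is a constructed sample for non-interactive runs only;
        // it creates exactly the String copy this example is meant to avoid.
        char[] password = System.console() != null
                ? System.console().readPassword("Keystore password: ")
                : "changeit".toCharArray();
        SSLContext ctx;
        try {
            ctx = fromKeyStore(args[0], password);   // args[0]: keystore path (assumed)
        } finally {
            Arrays.fill(password, '\0');           // wipe the only copy once loaded
        }
        // ctx can now be handed to HttpClient 4.x's SSLSocketFactory(SSLContext)
        // constructor (assumed available), so no String password reaches HttpClient.
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```

Zeroing the array only helps if every copy is zeroed, so keep the char[] on a single path from input to KeyStore.load and avoid converting it to a String anywhere in between.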