David Graff created HTTPCLIENT-1329:
---------------------------------------
Summary: SSLSocketFactory keystorePassword constructor parameter should be char[] instead of java.lang.String
Key: HTTPCLIENT-1329
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1329
Project: HttpComponents HttpClient
Issue Type: Improvement
Components: HttpClient
Affects Versions: 4.2.2
Reporter: David Graff
The constructor signatures for creating an SSLSocketFactory take a
java.lang.String as a parameter. This can lead to potential attack vectors
because the password will be stored within the string pool of the VM. As a
suggestion, in a future version, deprecate this API and add a signature taking
a char[] parameter. This way the value of the password will not be cached for
an excessive duration and will be garbage collected when out of reference.
This is based on recommendations from the GIAC Secure Software Programmer for
Java course.
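The pattern the report asks for, as an added illustration that is not part of the issue or of HttpClient's code: the caller passes the password as a char[] (for example from System.console().readPassword(), which already returns one), the array flows into the JSSE APIs that natively accept char[] (KeyStore.load, KeyManagerFactory.init), and it is overwritten in a finally block as soon as it is no longer needed. The class and method names here are invented for the example, and it assumes the key entry is protected by the same password as the store.

```java
import java.io.Console;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Example helper (hypothetical name): builds an SSLContext from a keystore without ever holding the password in a String. */
public final class CharArraySslContextBuilder {

    private CharArraySslContextBuilder() {}

    /**
     * Loads the keystore and initialises an SSLContext from it.
     * Takes ownership of {@code password}: the array is zeroed before this method returns,
     * whether it succeeds or throws, so the caller must not reuse it afterwards.
     */
    public static SSLContext build(Path keystorePath, char[] password) throws Exception {
        try (InputStream in = Files.newInputStream(keystorePath)) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, password);

            // Key password assumed equal to the store password (a common but not universal setup).
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, password);

            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);

            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            return ctx;
        } finally {
            // A String is immutable and cannot be cleared; a char[] can be overwritten in place
            // the moment the factories have consumed it.
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) {
            System.err.println("no interactive console available");
            return;
        }
        // readPassword() hands back a char[] directly, so no String copy is created on the way in.
        char[] password = console.readPassword("Keystore password: ");
        SSLContext ctx = build(Paths.get(args.length > 0 ? args[0] : "client.jks"), password);
        System.out.println("SSLContext protocol: " + ctx.getProtocol());
        System.out.println("password zeroed: " + allZero(password));
    }

    /** Returns true when every element of the array has been overwritten with '\0'. */
    static boolean allZero(char[] a) {
        for (char c : a) {
            if (c != '\0') {
                return false;
            }
        }
        return true;
    }
}
```

Zeroing only helps if no String copy was ever made along the way (configuration frameworks that return String values defeat it before the array is even created), and the JVM gives no guarantee that the garbage collector has not already copied the array elsewhere in the heap; the technique shortens the window in which the secret is recoverable rather than closing it. Adding a char[] overload while deprecating the String one, as the report proposes, lets callers who already hold a char[] avoid the conversion entirely.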