[
https://issues.apache.org/jira/browse/LOG4J2-3548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17564998#comment-17564998
]
Piotr Karwasz edited comment on LOG4J2-3548 at 7/11/22 2:40 PM:
----------------------------------------------------------------
[~kristofarkas],
I was rather thinking about aligning the Log4j2 defaults to those used by
Tomcat (see
[SSLUtilBase|https://github.com/apache/tomcat/blob/ec4002ea51492e2bd231db715eaf3a6325a41717/java/org/apache/tomcat/util/net/SSLUtilBase.java#L179],
[SSLHostConfigCertificate|https://github.com/apache/tomcat/blob/ec4002ea51492e2bd231db715eaf3a6325a41717/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java#L62]
and similar). Basically:
* the default keystore password is {{"changeit"}},
* the default keystore location is:
{noformat}
${user.home}/.keystore
{noformat}
* the "javax.net.ssl.*" variables are taken into account to change these
defaults,
* if the configuration provides an empty password, it is interpreted
heuristically as {{null}} if the keystore type is not JKS or PKCS12, as ""
otherwise,
* if the configuration provides an empty location, it is interpreted as
{{null}}.
Feel free to send a PR, I am not currently working on this.
> Password-less key stores fail to initialise StoreConfiguration
> --------------------------------------------------------------
>
> Key: LOG4J2-3548
> URL: https://issues.apache.org/jira/browse/LOG4J2-3548
> Project: Log4j 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.18.0
> Reporter: Kristof Farkas-Pall
> Priority: Major
>
> In LOG4J2-3439 there was a change in AbstractKeyStoreConfiguration that
> replaces null passwords with a default value. This means that when
> password-less key stores are initialized, the integrity is checked with the
> default password ("changeit"), which of course fails.
> I think the replacement should be reverted, to allow for password-less key
> stores to be initialized correctly.
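The resolution rules listed in the comment above, sketched in Java as an added example (not code from Log4j2, Tomcat or either participant in the thread). The class and method names are hypothetical, and treating a Java null as "not configured" is an assumption.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;

// Hypothetical helper illustrating the defaults described in the comment.
public class KeyStoreDefaults {

    // Assumption: null means "not configured", "" means "explicitly empty".
    static String resolveLocation(String configured) {
        if (configured == null) {
            // javax.net.ssl.keyStore overrides the ${user.home}/.keystore default.
            return System.getProperty("javax.net.ssl.keyStore",
                    System.getProperty("user.home") + "/.keystore");
        }
        return configured.isEmpty() ? null : configured; // empty location -> null
    }

    static char[] resolvePassword(String configured, String type) {
        if (configured == null) {
            // javax.net.ssl.keyStorePassword overrides the "changeit" default.
            return System.getProperty("javax.net.ssl.keyStorePassword", "changeit")
                    .toCharArray();
        }
        if (configured.isEmpty()) {
            // Empty password: "" for JKS and PKCS12, null for every other type.
            boolean jksOrP12 = "JKS".equalsIgnoreCase(type) || "PKCS12".equalsIgnoreCase(type);
            return jksOrP12 ? new char[0] : null;
        }
        return configured.toCharArray();
    }

    static KeyStore open(String location, String password, String type) throws Exception {
        String path = resolveLocation(location);
        char[] pass = resolvePassword(password, type);
        KeyStore ks = KeyStore.getInstance(type);
        if (path == null) {
            ks.load(null, pass); // no file: initialise an empty keystore
        } else {
            try (InputStream in = Files.newInputStream(Paths.get(path))) {
                // Per the KeyStore.load Javadoc, a null password means the
                // integrity of the keystore data is not checked.
                ks.load(in, pass);
            }
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default location: " + resolveLocation(null));
        System.out.println("empty pw, PKCS11 -> null: " + (resolvePassword("", "PKCS11") == null));
        System.out.println("empty pw, PKCS12 length: " + resolvePassword("", "PKCS12").length);
        System.out.println("empty location entries: " + open("", "", "PKCS12").size());
    }
}
```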