6 Replies Latest reply on Jul 24, 2012 9:49 AM by pathduck

javax.net.ssl.trustStore - only way to specify client trust?

pathduck Jul 24, 2012 6:31 AM

Hi,

at the moment we use the property javax.net.ssl.trustStore under <system-properties> to specify a truststore for outbound SSL. This works, but is not very elegant, and is a bit of a security hole, i.e. having to specify the password in plain text and having it exposed as a custom property.

Is there any other way to do outbound SSL trust than using java custom properties, or is this in the plans for coming versions?

- Stian

1. Re: javax.net.ssl.trustStore - only way to specify client trust?

dlofthouse Jul 24, 2012 6:37 AM (in response to pathduck)

and is a bit of a security hole

What is the exploit you are trying to prevent that having the password in the clear makes you worry about?
Actions
2. Re: javax.net.ssl.trustStore - only way to specify client trust?

pathduck Jul 24, 2012 6:49 AM (in response to dlofthouse)

Darran Lofthouse wrote:

and is a bit of a security hole

What is the exploit you are trying to prevent that having the password in the clear makes you worry about?

There are certain third-party applications that think it's a good idea to easily expose java properties (in the UI) as a way of 'debugging' - it forces us to enable authentication for these applications when it's not really needed, just to control who can see the trust-store password or not.

Apache Solr is an example.
Actions
3. Re: javax.net.ssl.trustStore - only way to specify client trust?

dlofthouse Jul 24, 2012 7:02 AM (in response to pathduck)

But in what way do you think this password is going to be used?
Actions
4. Re: javax.net.ssl.trustStore - only way to specify client trust?

pathduck Jul 24, 2012 7:13 AM (in response to dlofthouse)

We don't want to expose passwords in plain text in any way - so let's say it's more of a principle than a major route for exploits

You could argue that to be able to open the truststore you need access to the file system, and if you have access to the file system, then everything else is a moot point... however I would prefer to know that this password is not this easily accessible.

Would be great if it was possible to specify a general SSL config for all outbound connections.
Actions
5. Re: javax.net.ssl.trustStore - only way to specify client trust?

dlofthouse Jul 24, 2012 7:27 AM (in response to pathduck)

Have you also reset the password for your cacerts files?

Regarding the outbound communications what type of outbound connection is this - the underlying issue here is that each protocol manages this independently so having a single solution is not as simple as it sounds.
Actions
6. Re: javax.net.ssl.trustStore - only way to specify client trust?

pathduck Jul 24, 2012 9:49 AM (in response to dlofthouse)

No I've not changed the cacerts password, so I guess it's not really safe anyway if someone can get access to the files...

I was just checking to see if there is another way than using custom java properties, but I understand your point in that every protocol is different, and that it's non-trivial to do something about.

I am coming from a WAS standpoint where it is quite flexible in regards to what SSL Config to use for inbound and outbound connections, but everything's got it's drawbacks I guess
Actions

Go to original post