jetty-demo/etc/keystore should not be distributed #1673
This would apply to the |
Agreed. However, I'll fix #1615 first and create a testssl module, which we can then experiment with using a scripting approach rather than a distributed keystore. The major hurdle here is actually documentation/education. @WalkerWatch what do you think about these changes? Should we do them in 10.0.x? I'm thinking we could do them in 9.4.x but it has been like this for literally decades, so no huge hurry to fix. |
@gregw I think this is something we should tackle as part of Jetty 10.x. As you've said, it has been like this for many, many years. I think it might be worthwhile writing up a blog or page that goes into the contents of the distribution more specifically. I'd be remiss if I didn't say though that there is only so much we can do to protect users from themselves. I do think this would be a smart move, but it is worth noting that Jetty does spit out several warnings about using |
This issue has been automatically marked as stale because it has been a full year without activity. It will be closed if no further activity occurs. Thank you for your contributions. |
@gregw should I experiment with a scripting approach to generating the keystore, or are we happy now we have the |
I think before the certs next expire, we should look at a scripting approach. So let's do it... but low priority. |
The cert already expired |
This issue has been automatically marked as stale because it has been a full year without activity. It will be closed if no further activity occurs. Thank you for your contributions. |
@lachlan-roberts @gregw nudge. |
We've moved the keystores into demo only modules... but scripting would still be better. |
Signed-off-by: Lachlan Roberts <[email protected]>
…eystore Issue #1673 - generate test keystore instead of distributing one
Updated documentation: now the test-keystore is generated on-the-fly. Signed-off-by: Simone Bordet <[email protected]>
Jetty should not be distributing a static private and public key within their Jetty-distribution, which is currently distributed in the file `jetty-demo/etc/keystore`. You should move to a model of scripting the creation of a unique private and public key within a keystore, and instructing users of the `jetty-demo` folder to run that script beforehand.

If you leave these keys hanging around, somebody can, will and has managed to use these as part of their live Jetty configuration.

I've noted this related ticket #1615, but this relates only to the password in the default configuration. Ideally, you should also be scripting the insertion of the password into a relevant part of configuration [also in `jetty-demo`].

Observed in jetty-distribution-9.4.6.v20170531
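
One way to script the per-install keystore this issue asks for, as an added example that is not Jetty's own code or the script the project later adopted. The function names, the `demo` alias, the 30-day validity, the `DEMO_KEYSTORE` variable and the `.pass` file location are assumptions; `keytool` is the JDK tool and must be on the `PATH`.

```shell
#!/bin/sh
# Added example: generate a unique demo keystore at install time instead of
# shipping one. Alias, validity and file locations are assumptions.

# 48 hex characters (192 bits) read from the kernel CSPRNG.
random_password() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# generate_demo_keystore <keystore-path>
# Creates a fresh self-signed key pair in a PKCS12 keystore and writes the
# store password to <keystore-path>.pass; both files are owner-only.
# Returns 0 on success, 1 if the keystore exists, 2 without keytool,
# 3 if keytool fails.
generate_demo_keystore() {
    ks=$1
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 2; }
    # Refuse to overwrite: never silently replace a key that may be in use.
    [ -e "$ks" ] && { echo "$ks already exists" >&2; return 1; }
    (
        umask 077
        DEMO_KS_PASS=$(random_password)
        export DEMO_KS_PASS
        # -storepass:env keeps the password out of the process argument list.
        keytool -genkeypair -alias demo -keyalg RSA -keysize 2048 \
            -validity 30 -dname "CN=localhost" \
            -ext "SAN=dns:localhost,ip:127.0.0.1" \
            -storetype PKCS12 -keystore "$ks" \
            -storepass:env DEMO_KS_PASS </dev/null >/dev/null 2>&1 || exit 3
        printf '%s\n' "$DEMO_KS_PASS" > "$ks.pass"
    )
}

# Stand-alone use: DEMO_KEYSTORE=/path/to/keystore.p12 sh this-script.sh
if [ -n "${DEMO_KEYSTORE:-}" ]; then
    generate_demo_keystore "$DEMO_KEYSTORE"
fi
```

Because every run produces a different private key and password, a keystore copied from the demo into a live configuration is no longer one whose private key anyone can download.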