jetty-demo/etc/keystore should not be distributed #1673

Closed
jagland opened this issue Jul 17, 2017 · 10 comments · Fixed by #5862

Comments

@jagland

jagland commented Jul 17, 2017

Jetty should not be distributing a static private and public key within the Jetty distribution, which is currently shipped in the file jetty-demo/etc/keystore. You should move to a model of scripting the creation of a unique private and public key within a keystore, and instructing users of the jetty-demo folder to run that script beforehand.

If you leave these keys hanging around, somebody can, will and has managed to use these as part of their live Jetty configuration.

I've noted the related ticket #1615, but that relates only to the password in the default configuration. Ideally, you should also be scripting the insertion of the password into the relevant part of the configuration [also in jetty-demo].

Observed in jetty-distribution-9.4.6.v20170531
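The scripted approach requested above, as an added example that is not Jetty's own code: generate a unique self-signed key pair into a fresh keystore at install time and write the matching ssl properties, instead of shipping a static keystore. It assumes a JDK `keytool` on PATH; the property names are those of Jetty 9.4's ssl module, while the file locations (`etc/keystore.p12`, `start.d/ssl.ini`) and the `--generate` entry point are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Jetty project. Generates a per-installation
# test keystore and the start.d properties that point Jetty at it.
set -eu

# Random 24-hex-char password from /dev/urandom (a convention chosen here).
new_password() {
    od -An -N12 -tx1 /dev/urandom | tr -d ' \n'
}

# Create a PKCS12 keystore at $1 holding a new 2048-bit RSA key pair and a
# one-year self-signed cert for host $3 (default localhost), protected by $2.
# Refuses to overwrite an existing file so a unique key is never replaced
# silently, and so a copied-in static keystore is noticed rather than reused.
gen_test_keystore() {
    ks="$1"; pw="$2"; host="${3:-localhost}"
    if [ -e "$ks" ]; then
        echo "refusing to overwrite existing keystore: $ks" >&2
        return 1
    fi
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
        -alias jetty -dname "CN=$host, OU=Test, O=Example" \
        -ext "SAN=dns:$host" -storetype PKCS12 \
        -keystore "$ks" -storepass "$pw" -keypass "$pw" >/dev/null 2>&1
}

# Write the ssl module properties (keystore path $1, password $2) to ini file $3,
# so the password is inserted by the script rather than left as a fixed default.
write_ssl_ini() {
    ks="$1"; pw="$2"; out="$3"
    printf '%s\n' \
        "--module=ssl" \
        "jetty.sslContext.keyStorePath=$ks" \
        "jetty.sslContext.keyStorePassword=$pw" \
        "jetty.sslContext.keyManagerPassword=$pw" > "$out"
}

# Entry point for a jetty-base: ./gen-keystore.sh --generate [hostname]
main() {
    base="${JETTY_BASE:-.}"
    mkdir -p "$base/etc" "$base/start.d"
    pw=$(new_password)
    gen_test_keystore "$base/etc/keystore.p12" "$pw" "${1:-localhost}"
    write_ssl_ini "$base/etc/keystore.p12" "$pw" "$base/start.d/ssl.ini"
    echo "generated $base/etc/keystore.p12 and $base/start.d/ssl.ini"
}

if [ "${1:-}" = "--generate" ]; then shift; main "$@"; fi
```

Run it once per jetty-base before starting Jetty; the generated keystore is unique to that installation, so nothing shared ever ends up in a live configuration.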

@joakime
Contributor

joakime commented Jul 17, 2017

This would apply to the jetty-home-<version>.<archive> distribution.

@gregw
Contributor

gregw commented Jul 18, 2017

Agreed. However, I'll fix #1615 first and create a testssl module, which we can then experiment with using a scripting approach rather than a distributed keystore.

The major hurdle here is actually documentation/education. @WalkerWatch what do you think about these changes? Should we do them in 10.0.x? I'm thinking we could do them in 9.4.x but it has been like this for literally decades, so no huge hurry to fix.

@WalkerWatch
Contributor

@gregw I think this is something we should tackle as part of Jetty 10.x. As you've said, it has been like this for many, many years. I think it might be worthwhile writing up a blog or page that goes into the contents of the distribution more specifically.

I'd be remiss if I didn't say though that there is only so much we can do to protect users from themselves. I do think this would be a smart move, but it is worth noting that Jetty does spit out several warnings about using demo-base in production.

@stale

stale bot commented Nov 20, 2019

This issue has been automatically marked as stale because it has been a full year without activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale bot added the "Stale" label Nov 20, 2019
@lachlan-roberts
Contributor

@gregw should I experiment with a scripting approach to generating the keystore, or are we happy now we have the test-keystore module?

stale bot removed the "Stale" label Nov 21, 2019
@gregw
Contributor

gregw commented Nov 21, 2019

I think before the certs next expire, we should look at a scripting approach. So let's do it... but low priority.

@lachlan-roberts
Contributor

The cert already expired Tuesday, 18 August 2015 at 21:38:03 so I will look into this.

lachlan-roberts self-assigned this Nov 21, 2019
@stale

stale bot commented Nov 24, 2020

This issue has been automatically marked as stale because it has been a full year without activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale bot added the "Stale" label Nov 24, 2020
@sbordet
Contributor

sbordet commented Nov 24, 2020

@lachlan-roberts @gregw nudge.

stale bot removed the "Stale" label Nov 24, 2020
@gregw
Contributor

gregw commented Nov 25, 2020

We've moved the keystores into demo only modules... but scripting would still be better.
We probably need a feature for a module to be able to run a script... but then it needs to be portable...

lachlan-roberts added a commit that referenced this issue Jan 7, 2021
lachlan-roberts added a commit that referenced this issue Jan 7, 2021
lachlan-roberts added a commit that referenced this issue Jan 11, 2021
lachlan-roberts added a commit that referenced this issue Jan 12, 2021
…eystore

Issue #1673 - generate test keystore instead of distributing one
sbordet added a commit that referenced this issue Jan 12, 2021
Updated documentation: now the test-keystore is generated on-the-fly.

Signed-off-by: Simone Bordet <[email protected]>