Re: [jetty-dev] SslContextFactory bulletproofing

Hi,

I ended up no longer using the GitHub Desktop app and other GUI tools...
Switched back to the command line.

Best regards,

Guillaume Maillard

2016-03-29 13:53 GMT+02:00 Guillaume Maillard <guillaume.maillard@xxxxxxxxx>:
Damned, epic fail.
The PR seems to imply a merge from master to 9.3x :(

2016-03-29 13:47 GMT+02:00 Guillaume Maillard <guillaume.maillard@xxxxxxxxx>:
Hi,

Because I have 2 GitHub accounts, my commits were sent to outer space... without errors ;)

Using the GitHub app fixed the issue: see https://github.com/eclipse/jetty.project/pull/462
for the patch.

I explored other SSL-related issues, but due to the lack of control over the Oracle code from
 org.eclipse.jetty.io.ssl.SslConnection.fill()   ->  _sslEngine.getDelegatedTask().run();
the exercise is quite hard.

Best regards,

Guillaume Maillard


2016-03-25 23:13 GMT+01:00 Greg Wilkins <gregw@xxxxxxxxxxx>:
Just to chime in with a yes please!  SslContextFactory was invented kind of as an afterthought and then has had several different maintainers, plus lots of new requirements put onto it over the years.    It is a class that could do with a lot of luv'n, so I am really keen to see some pull requests to start tidying up that class.

Note that we cannot be too radical in the 9.3.x branch, so if there are big changes you want to make, then the master branch (will be 9.4 or 10.0) is perfectly timed to receive such refactors.

cheers



On 26 March 2016 at 07:44, Guillaume Maillard <guillaume.maillard@xxxxxxxxx> wrote:
Hi,

I would like to know if you would be interested in some patches to bulletproof SSL configuration.

Having spent hours on missing error checking, I would be happy to contribute to this subject.

As you know,
- sslContextFactory.setKeyStorePath accepts a missing or broken keystore...
- setKeyStorePassword and setKeyManagerPassword don't report any issue if they cannot unlock the keystore...
- certAlias does not report a not-found alias
- etc etc... the list is VERY long.

None of these kinds of errors prevent starting a Server, and there is no logging to help.


The only symptom is an https server that closes the connection after receiving some bytes.
Forums and StackOverflow are full of desperate users wanting to add security to their Jetty;
don't you think it's time to add some debug info?


Best regards,

Guillaume Maillard

_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-dev
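The four silent failures listed in the message above (a missing or broken keystore path, a keystore password that does not unlock the store, a key-manager password that does not unlock the key, and an alias that is not in the store) can all be caught before the server starts by opening the keystore with the JDK APIs and reporting each failure by the name of the setting that caused it. The class below is an added example written for this thread, not Jetty's code and not from the PR; it uses only java.security and java.nio, and its parameters correspond to the setters named in the message (setKeyStorePath, setKeyStorePassword, setCertAlias, setKeyManagerPassword). The main method builds a constructed PKCS12 fixture with a single AES secret-key entry (a real server would hold a private key and certificate chain) so the checks run offline; the alias "jetty" and the two passwords are assumptions for that fixture.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.crypto.KeyGenerator;

/** Fail-fast validation of the keystore settings that the thread reports as accepted silently. */
public final class KeyStorePreflight {

    /** Raised for any misconfiguration; the message names the setting that is wrong. */
    public static final class SslConfigException extends Exception {
        SslConfigException(String message) { super(message); }
        SslConfigException(String message, Throwable cause) { super(message, cause); }
    }

    /** Opens the keystore exactly as a KeyManager would at handshake time; returns it on success. */
    public static KeyStore check(Path keyStorePath, String keyStoreType, char[] keyStorePassword,
                                 String certAlias, char[] keyManagerPassword) throws SslConfigException {
        // 1. keyStorePath: the file must exist and be readable before anything else is attempted.
        if (!Files.isRegularFile(keyStorePath) || !Files.isReadable(keyStorePath)) {
            throw new SslConfigException("keyStorePath is missing or unreadable: " + keyStorePath);
        }
        // 2. keyStorePassword: KeyStore.load signals a wrong password as an IOException whose cause
        //    is UnrecoverableKeyException (both JKS and PKCS12); any other IOException is a broken file.
        KeyStore ks;
        try (InputStream in = Files.newInputStream(keyStorePath)) {
            ks = KeyStore.getInstance(keyStoreType);
            ks.load(in, keyStorePassword);
        } catch (IOException e) {
            if (e.getCause() instanceof UnrecoverableKeyException) {
                throw new SslConfigException("keyStorePassword does not unlock " + keyStorePath, e);
            }
            throw new SslConfigException("keystore is corrupt or not a " + keyStoreType + " file: " + keyStorePath, e);
        } catch (GeneralSecurityException e) {
            throw new SslConfigException("cannot open keystore " + keyStorePath, e);
        }
        String alias = certAlias;
        try {
            // 3. certAlias: must exist and must be a key entry; a trusted-certificate entry cannot serve TLS.
            if (certAlias != null) {
                if (!ks.containsAlias(certAlias) || !ks.isKeyEntry(certAlias)) {
                    throw new SslConfigException("certAlias '" + certAlias + "' is not a key entry in "
                            + keyStorePath + "; key aliases present: " + keyAliases(ks));
                }
            } else {
                alias = firstKeyAlias(ks);
            }
            // 4. keyManagerPassword: actually recover the key, which is what fails later inside the handshake.
            ks.getKey(alias, keyManagerPassword);
        } catch (UnrecoverableKeyException e) {
            throw new SslConfigException("keyManagerPassword does not unlock key entry '" + alias + "'", e);
        } catch (GeneralSecurityException e) {
            throw new SslConfigException("keystore inspection failed for " + keyStorePath, e);
        }
        return ks;
    }

    private static List<String> keyAliases(KeyStore ks) throws KeyStoreException {
        List<String> out = new ArrayList<>();
        for (String a : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(a)) out.add(a);
        }
        return out;
    }

    private static String firstKeyAlias(KeyStore ks) throws KeyStoreException, SslConfigException {
        List<String> keys = keyAliases(ks);
        if (keys.isEmpty()) throw new SslConfigException("keystore holds no key entry, only trusted certificates");
        return keys.get(0);
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture (assumption): a PKCS12 store with one secret-key entry so the checks run offline.
        Path store = Files.createTempFile("preflight", ".p12");
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setEntry("jetty", new KeyStore.SecretKeyEntry(KeyGenerator.getInstance("AES").generateKey()),
                new KeyStore.PasswordProtection("keypass".toCharArray()));
        try (OutputStream out = Files.newOutputStream(store)) { ks.store(out, "storepass".toCharArray()); }

        run("correct settings", store, "storepass", "jetty", "keypass");
        run("wrong keyStorePassword", store, "wrong", "jetty", "keypass");
        run("unknown certAlias", store, "storepass", "nope", "keypass");
        run("wrong keyManagerPassword", store, "storepass", "jetty", "wrong");
        run("missing keyStorePath", store.resolveSibling("does-not-exist.p12"), "storepass", "jetty", "keypass");
    }

    private static void run(String label, Path path, String storePw, String alias, String keyPw) {
        try {
            check(path, "PKCS12", storePw.toCharArray(), alias, keyPw.toCharArray());
            System.out.println(label + ": OK");
        } catch (SslConfigException e) {
            System.out.println(label + ": " + e.getMessage());
        }
    }
}
```

Run the check with the same values you are about to hand to SslContextFactory and let the exception abort startup; the point is that a bad path, store password, alias or key password each produce a distinct message at boot instead of a TLS connection that is closed after the first few bytes. If Jetty's keyManagerPassword is left unset the keystore password is what the key manager will use, so pass the same array for both in that case.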



--




Back to the top