  1. Dev - Nexus Repo
  2. NEXUS-10477

SSL key/trust store is not thread-safe

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 3.3.0
    • 3.0.1
    • SSL
    • 1
    • Sprint 91, Platform Team - Sprint 92

    Description

      1. Hook NX up for debugging and set a breakpoint at https://github.com/sonatype/nexus-internal/blob/738eb86c8013f524802cef87e2961975b1f5793a/components/nexus-ssl/src/main/java/org/sonatype/nexus/ssl/internal/geronimo/FileKeystoreInstance.java#L283
      2. Using two browser tabs, import an SSL certificate into the trust store
      3. Observe that the breakpoint is reached by both HTTP request threads concurrently

      FileKeystoreInstance uses several basic collections (ArrayList, HashMap) that are not thread-safe by themselves and concurrent operations on the key store can cause corruption/failure. We should synchronize all access to FileKeystoreInstance, potentially even at a higher level like the methods in KeyStoreManagerImpl.
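The failure mode described above, as an added example that is not part of the original issue or of the Nexus code base: a hypothetical `UnsafeStore` holding a plain `ArrayList` and `HashMap` is hit by concurrent importers, then compared with a `SynchronizedStore` that guards every access with one lock. All class and method names here are assumptions made for illustration.

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

public class TrustStoreRace {
    // Hypothetical stand-in for the reported pattern; not the real FileKeystoreInstance.
    static class UnsafeStore {
        private final List<String> aliases = new ArrayList<>();
        private final Map<String, byte[]> entries = new HashMap<>();
        void importCert(String alias, byte[] der) {
            entries.put(alias, der); // concurrent puts can lose entries during a resize
            aliases.add(alias);      // concurrent adds can overwrite a slot or throw
        }
        int aliasCount() { return aliases.size(); }
        int entryCount() { return entries.size(); }
    }

    // Coarse-grained fix: every access to the shared collections takes the same lock.
    static class SynchronizedStore extends UnsafeStore {
        @Override synchronized void importCert(String alias, byte[] der) { super.importCert(alias, der); }
        @Override synchronized int aliasCount() { return super.aliasCount(); }
        @Override synchronized int entryCount() { return super.entryCount(); }
    }

    // Runs `threads` concurrent importers, each adding `perThread` unique aliases.
    static String hammer(UnsafeStore store, int threads, int perThread) throws InterruptedException {
        // Daemon threads: a worker stuck in a corrupted map must not keep the JVM alive.
        ExecutorService pool = Executors.newFixedThreadPool(threads,
                r -> { Thread th = new Thread(r); th.setDaemon(true); return th; });
        CountDownLatch start = new CountDownLatch(1);
        AtomicInteger failed = new AtomicInteger();
        for (int t = 0; t < threads; t++) {
            final int id = t;
            pool.execute(() -> {
                try {
                    start.await(); // release all importers at once
                    for (int i = 0; i < perThread; i++) store.importCert("cert-" + id + "-" + i, new byte[] {0x30});
                } catch (Exception e) { failed.incrementAndGet(); }
            });
        }
        start.countDown();
        pool.shutdown();
        boolean done = pool.awaitTermination(30, TimeUnit.SECONDS);
        return String.format("expected=%d aliases=%d entries=%d failedThreads=%d finished=%b",
                threads * perThread, store.aliasCount(), store.entryCount(), failed.get(), done);
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("unsafe:       " + hammer(new UnsafeStore(), 8, 20_000));
        System.out.println("synchronized: " + hammer(new SynchronizedStore(), 8, 20_000));
    }
}
```

Because the race is timing-dependent, the unsafe run typically, but not on every execution, reports fewer aliases or entries than expected or a non-zero `failedThreads`; the synchronized run always matches `expected`.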

          People

            fmilens Frederick Milens [X] (Inactive)
            bentmann Benjamin Bentmann
            Peter Lynch Peter Lynch
            Nexus - Platform