  1. Dev - Nexus Repo
  2. NEXUS-10477

SSL key/trust store is not thread-safe

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.1
    • Fix Version/s: 3.3.0
    • Component/s: SSL
    • Labels:
    • Story Points:
      1
    • Sprint:
      Sprint 91, Platform Team - Sprint 92

      Description

      1. Hook NX up for debugging and set a breakpoint at https://github.com/sonatype/nexus-internal/blob/738eb86c8013f524802cef87e2961975b1f5793a/components/nexus-ssl/src/main/java/org/sonatype/nexus/ssl/internal/geronimo/FileKeystoreInstance.java#L283
      2. Using two browser tabs, import an SSL certificate into the trust store
      3. Observe that the breakpoint is reached by both HTTP request threads concurrently

      FileKeystoreInstance uses several basic collections (ArrayList, HashMap) that are not thread-safe by themselves and concurrent operations on the key store can cause corruption/failure. We should synchronize all access to FileKeystoreInstance, potentially even at a higher level like the methods in KeyStoreManagerImpl.

            People

            Assignee:
            fmilens Frederick Milens
            Reporter:
            bentmann Benjamin Bentmann
            Last Updated By:
            Peter Lynch
            Team:
            Nexus - Platform
            Votes:
            0
            Watchers:
            3

              Dates

              Created:
              Updated:
              Resolved:
              Date of First Response:
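
The race described in this issue, as an added example that is not part of the original report and not Nexus code: `PlainStore` is a hypothetical stand-in for a store backed by a plain `HashMap` and `ArrayList`, and `run` drives concurrent imports either unguarded or with every call made under one shared lock, the manager-level synchronization the description proposes. The aliases and certificate bytes are constructed placeholders.

```java
import java.util.*;
import java.util.concurrent.*;

public class KeystoreRaceDemo {
    // Hypothetical model of a store built on non-thread-safe collections.
    static class PlainStore {
        final Map<String, byte[]> certs = new HashMap<>();
        final List<String> aliases = new ArrayList<>();

        void importCertificate(String alias, byte[] der) {
            if (!certs.containsKey(alias)) {   // check-then-act: racy without a lock
                certs.put(alias, der);
                aliases.add(alias);            // second structure updated non-atomically
            }
        }
        boolean consistent(int n) { return certs.size() == n && aliases.size() == n; }
    }

    // Each worker imports `perThread` distinct aliases. With a non-null `lock`,
    // every store call is serialized; with null, the calls race.
    static boolean run(Object lock, int threads, int perThread) throws Exception {
        PlainStore store = new PlainStore();
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch start = new CountDownLatch(1);   // release all workers at once
        List<Future<?>> results = new ArrayList<>();
        for (int t = 0; t < threads; t++) {
            final int id = t;
            results.add(pool.submit(() -> {
                start.await();
                for (int i = 0; i < perThread; i++) {
                    String alias = "cert-" + id + "-" + i;   // constructed alias
                    if (lock == null) store.importCertificate(alias, new byte[]{1});
                    else synchronized (lock) { store.importCertificate(alias, new byte[]{1}); }
                }
                return null;
            }));
        }
        start.countDown();
        boolean failed = false;   // a worker died, e.g. ArrayIndexOutOfBoundsException
        for (Future<?> f : results) try { f.get(); } catch (ExecutionException e) { failed = true; }
        pool.shutdown();
        return !failed && store.consistent(threads * perThread);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unsynchronized consistent: " + run(null, 8, 20000));
        System.out.println("synchronized consistent:   " + run(new Object(), 8, 20000));
    }
}
```

The unguarded run usually loses entries or throws inside a worker, though a race is never guaranteed to show on a given run; the locked run keeps both collections at the expected size.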
