I host a Java project on GitHub offering classes that wrap all the complicated socket input/output looping, sending and receiving things; I call it "Simple Server Client".
Since the latest version, you'll have the option to enable SSL, which actually just creates the socket in the following way on the server side:
import javax.net.ssl.SSLServerSocketFactory;
// Key store shipped inside the library jar, opened with the hardcoded password
System.setProperty("javax.net.ssl.keyStore", "ssc.store");
System.setProperty("javax.net.ssl.keyStorePassword", "SimpleServerClient");
server = ((SSLServerSocketFactory) SSLServerSocketFactory.getDefault()).createServerSocket(port);
and on the client side:
import java.net.Socket;
import javax.net.ssl.SSLSocketFactory;
// Same file is reused as the trust store; the matching password property is trustStorePassword
System.setProperty("javax.net.ssl.trustStore", "ssc.store");
System.setProperty("javax.net.ssl.trustStorePassword", "SimpleServerClient");
Socket socket = ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket(address.getAddress(), address.getPort());
And there is the ssc.store keystore file in the library package. Both the server and client implementations use it with the hardcoded password SimpleServerClient. The keystore has been created using the JDK's keytool.
The question is: is it secure enough (SSL!) to use a static keystore/truststore in the library package with a hardcoded password ("SimpleServerClient") that everyone using this library can see, use and decrypt? Is the connection still encrypted and relatively safe against eavesdroppers?
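For contrast with the setup above, here is an added example (not code from the Simple Server Client project) that builds the SSL sockets from a key store and trust store the deployer supplies at runtime, so the private key and its password never ship inside the library jar. The class name, the environment variables SSC_KEYSTORE, SSC_KEYSTORE_PASSWORD, SSC_TRUSTSTORE and the port are assumptions for the example; it uses only standard JSSE classes.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.PrintWriter;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Added example: TLS sockets whose key material is chosen by the deployer, not baked into the library. */
public final class DeployerSuppliedTls {

    private DeployerSuppliedTls() {}

    /** Loads a JKS/PKCS12 store from disk; the password is a caller-supplied array, never a literal. */
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password); // password may be null for a trust store (no integrity check)
        }
        return ks;
    }

    /** Server side: the private key comes from the operator's own key store. */
    static SSLServerSocket serverSocket(int port, String keyStorePath, char[] keyStorePassword) throws Exception {
        KeyStore ks = loadStore(keyStorePath, keyStorePassword);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyStorePassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // no client authentication in this example
        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        server.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        return server;
    }

    /** Client side: trusts only the certificates in the operator-supplied trust store and checks the host name. */
    static SSLSocket clientSocket(String host, int port, String trustStorePath) throws Exception {
        KeyStore ts = loadStore(trustStorePath, null); // public certificates only, so no password is needed
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        // Raw SSLSocket does not verify the host name by default; turn it on explicitly.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    /** Round trip on localhost: the server echoes one line back to the client. */
    public static void main(String[] args) throws Exception {
        String keyStore = System.getenv("SSC_KEYSTORE");            // assumed: operator's key store path
        String keyPw = System.getenv("SSC_KEYSTORE_PASSWORD");      // assumed: its password
        String trustStore = System.getenv("SSC_TRUSTSTORE");        // assumed: store holding the server certificate
        if (keyStore == null || keyPw == null || trustStore == null) {
            System.err.println("set SSC_KEYSTORE, SSC_KEYSTORE_PASSWORD and SSC_TRUSTSTORE first");
            return;
        }
        int port = 8443;
        try (SSLServerSocket server = serverSocket(port, keyStore, keyPw.toCharArray())) {
            Thread echo = new Thread(() -> {
                try (SSLSocket s = (SSLSocket) server.accept();
                     BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
                     PrintWriter out = new PrintWriter(s.getOutputStream(), true)) {
                    out.println(in.readLine());
                } catch (Exception e) {
                    e.printStackTrace();
                }
            });
            echo.start();
            try (SSLSocket client = clientSocket("localhost", port, trustStore);
                 PrintWriter out = new PrintWriter(client.getOutputStream(), true);
                 BufferedReader in = new BufferedReader(new InputStreamReader(client.getInputStream()))) {
                out.println("hello over " + client.getSession().getProtocol());
                System.out.println("echo: " + in.readLine());
            }
            echo.join();
        }
    }
}
```

The design point: the trust store holds only public certificates, so distributing it (and even its password) costs nothing; what must stay out of the library is the server's private key and the password that unlocks it. Each deployment generates its own key pair with keytool, exports only the certificate into the clients' trust store, and hands the paths and password to the library through configuration. The host name check on the client side is what ties the certificate to the endpoint actually dialled.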