
Tolerate missing keystore password, for example for tests #417

Open

wants to merge 2 commits into base: master

Conversation

Vlatombe
Member

@Vlatombe Vlatombe commented Oct 10, 2024

Discovered while working on jenkinsci/jenkins-test-harness#858

Testing done

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or fixes the issue

@jglick
Member

jglick commented Oct 10, 2024

Does it work to just pass a new char[0] or is that considered distinct from “no password”?
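As an added example (not code from this PR or from Winstone itself), the following shows how `java.security.KeyStore` treats `null` versus `new char[0]` when loading a password-protected PKCS12 keystore. The in-memory keystore and the password `changeit` are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;

public class KeyStorePasswordDemo {

    // Builds an empty PKCS12 keystore in memory protected by the given password
    // (constructed sample; Winstone would read the file given by --httpsKeyStore).
    static byte[] buildKeyStore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);      // initialise an empty keystore
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);  // the integrity MAC is derived from this password
        return out.toByteArray();
    }

    // Tries to load the keystore bytes with the given password and reports success.
    // A null password skips the MAC integrity check (and leaves encrypted entries
    // unread), whereas an empty char[] is a real password and is checked against the MAC.
    static boolean tryLoad(byte[] bytes, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try {
            ks.load(new ByteArrayInputStream(bytes), password);
            return true;
        } catch (IOException e) {
            // Thrown when the MAC computed from the supplied password does not match
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] ks = buildKeyStore("changeit".toCharArray());
        System.out.println("null password:  " + tryLoad(ks, null));                      // true
        System.out.println("empty password: " + tryLoad(ks, new char[0]));               // false
        System.out.println("right password: " + tryLoad(ks, "changeit".toCharArray())); // true
    }
}
```

So `null` and `new char[0]` are distinct: only `null` means "no password", and accepting it also means the keystore's integrity is no longer verified on load.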

@jglick
Member

jglick commented Oct 10, 2024

> \ --httpsKeyStorePassword = the password for the SSL KeyStore file. Default is null\n\

so does this mean that not passing that parameter caused Winstone to crash with an NPE? Has this been broken forever? Seems like something that would get noticed quickly.

@Vlatombe
Member Author

> not passing that parameter caused Winstone to crash with an NPE?

yup

@jglick
Member

jglick commented Oct 10, 2024

If that is a regression, it sounds like an lts-candidate.

@Vlatombe
Member Author

#16 then fceac88.

@jglick
Member

jglick commented Oct 10, 2024

Huh. I guess everyone has been forced to set a password for the past decade?! Seems weird to me, because it adds little apparent security: you are making the password accessible to the machine running Jenkins (in fact part of the /proc command line, and the JVM’s reported args, and presumably in some service wrapper config), so it is not as if you are making it harder for someone who steals the keystore off the filesystem to use it.

@Vlatombe
Member Author

Doesn't even seem to be possible to create a keystore using keytool without setting a password. Programmatically this seems possible.
