> I understand Diwaker's comment [1] in the JIRA issue that configuring your own module is not exactly "trivial", but seeing as we seem to agree at this point that this issue does *not* pose an immediate security risk to jclouds users generally, I feel that we can get away with the above proposal.
In this case, the static method on HttpUrlConnection approach may be more appropriate. Basically we can point to documentation about it and it requires no special knowledge and can be plopped in at bootstrap code. > @Adrian: TL;DR: if "untrusted" here means "trust all certs", I'm not sure we should allow it to be insecure in all kinds of *other* ways, too. But since we are looking for a different fix in any case, we'll probably end up discussing this in more detail after 1.8.1 anyway ;-) Honestly, I get what you are saying. Untrusted was made so that folks using test proxies and self-signed certs can work. I hope it isn't used over the internet, as that is worse than poodle. If you wish to be thorough, I would make sure it is tested. There's a cost to that, and documentation and maintenance. > > [1] https://issues.apache.org/jira/browse/JCLOUDS-753?focusedCommentId=14174271&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14174271
