[jira] [Updated] (JCLOUDS-753) HttpCommandExecutorService(s) vulnerable to POODLE

Diwaker Gupta (JIRA) Thu, 16 Oct 2014 13:57:06 -0700

     [ 
https://issues.apache.org/jira/browse/JCLOUDS-753?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Diwaker Gupta updated JCLOUDS-753:
----------------------------------
             Priority: Critical  (was: Major)
    Affects Version/s: 1.7.3
        Fix Version/s: 1.8.1

> HttpCommandExecutorService(s) vulnerable to POODLE
> --------------------------------------------------
>
>                 Key: JCLOUDS-753
>                 URL: https://issues.apache.org/jira/browse/JCLOUDS-753
>             Project: jclouds
>          Issue Type: Bug
>          Components: jclouds-core
>    Affects Versions: 1.7.3, 1.8.0
>            Reporter: Diwaker Gupta
>            Priority: Critical
>             Fix For: 1.8.1
>
>         Attachments: disable-sslv3.patch
>
>
> SSLModule configures the SSLContext thus:
> {noformat}
>             sc = SSLContext.getInstance("SSL");
>             sc.init(null, new TrustManager[] { trustAllCerts }, new 
> SecureRandom());
> {noformat}
> This makes the client end of the SSL connection vulnerable to POODLE 
> (http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html)
> jclouds should enforce TLS on all client connections.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Updated] (JCLOUDS-753) HttpCommandExecutorService(s) vulnerable to POODLE

Reply via email to