> +If you are concerned about secure connections, it is almost never a good > idea to use this option in the first place. If you absolutely need to trust > all certificates _and_ disable SSLv3, you can: > + > + * create an SSLContext with the appropriate settings (see > [SSLModule](https://github.com/jclouds/jclouds/blob/master/core/src/main/java/org/jclouds/http/config/SSLModule.java) > for an example of how to create a trust manager that trusts all certs) > + * set it as the default socket factory for HttpsURLConnection as described > above > + * set `jclouds.trust-all-certs` to false, to prevent jclouds from using > its own SSLContext > + > +2) If you are using the [Azure > Compute](https://github.com/jclouds/jclouds-labs/tree/master/azurecompute) or > [FCGP](https://github.com/jclouds/jclouds-labs/tree/master/fgcp) labs > providers > + > +jclouds sets a specific SSL configuration for these providers to support the > key-based authentication they require. If you are using either of these > providers and need to disable SSLv3, follow the same steps as above > + > +* create an SSLContext with the appropriate settings (see > [here](https://github.com/jclouds/jclouds-labs/blob/master/azurecompute/src/main/java/org/jclouds/azurecompute/suppliers/SSLContextWithKeysSupplier.java) > for Azure Compute and > [here](https://github.com/jclouds/jclouds-labs/blob/master/fgcp/src/main/java/org/jclouds/fujitsu/fgcp/suppliers/SSLContextWithKeysSupplier.java) > for FCGP) > + * set it as the default socket factory for HttpsURLConnection as described > above > + > +#### Why does jclouds not simply disable SSLv3 for all secure connections? > + > +At this point in time, it is not possible to determine the impact that > disabling SSLv3 for secure connections to **all** providers (supported and > custom) would have on functionality. Many providers have already disabled > SSLv3 on the server side of the connection, protecting users automatically.
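
Review bot: "FCGP" in the case 2 heading and in the second link label does not match the provider the links actually point to (`jclouds-labs/tree/master/fgcp`, package `org.jclouds.fujitsu.fgcp`); it should read FGCP in both places. In the same section, "follow the same steps as above" has no closing colon and is followed by only two of the three steps listed for case 1, so state explicitly whether `jclouds.trust-all-certs` matters for these providers. The two bullets there are also indented differently (`* create` vs ` * set`), which may render as two separate lists.
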
> In other words, let's please not start picking up responsibility below our abstraction level!

Thanks for all the detailed comments! I'll try to put together an updated version later today.

Definitely agree that we want to keep the release notes as short as possible - hence putting this in a blog post, if that wasn't clear. Text from the release note itself is below:

```
jclouds 1.8.1 and older versions are vulnerable to POODLE since, in the majority of cases, jclouds uses the default JVM SSL settings. [Read more](/blog/2014/10/22/poodle-jclouds/) about the potential impact of POODLE on your jclouds applications and mitigation options.
```

Suggestions for alternatives here?

---
Reply to this email directly or view it on GitHub:
https://github.com/jclouds/jclouds-site/pull/138/files#r19294424
