[
https://issues.apache.org/jira/browse/JCLOUDS-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14182414#comment-14182414
]
Adrian Cole commented on JCLOUDS-753:
-------------------------------------
FYI: dropping fgcp in JCLOUD-757 leaves us with only one caller of non-default
SSLContext (azure).
> Investigate HttpCommandExecutorService(s) with regards to POODLE
> ----------------------------------------------------------------
>
> Key: JCLOUDS-753
> URL: https://issues.apache.org/jira/browse/JCLOUDS-753
> Project: jclouds
> Issue Type: Bug
> Components: jclouds-core, jclouds-drivers
> Affects Versions: 1.5.10, 1.6.3, 1.7.3, 1.8.0, 1.8.1
> Reporter: Diwaker Gupta
> Priority: Minor
> Fix For: 1.8.2
>
> Attachments: disable-sslv3.patch
>
>
> SSLModule configures the SSLContext when using "untrusted" configuration:
> {noformat}
> sc = SSLContext.getInstance("SSL");
> sc.init(null, new TrustManager[] { trustAllCerts }, new
> SecureRandom());
> {noformat}
> This makes the client end of the SSL connection vulnerable to POODLE
> (http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html)
> jclouds should consider enforcing TLS on all client connections, even on ones
> already susceptible to MITM attacks.
> We should also investigate other uses of SSLContext in jclouds.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
