[ https://issues.apache.org/jira/browse/JCLOUDS-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14339928#comment-14339928 ]
Ignasi Barrera commented on JCLOUDS-753:
----------------------------------------
Given all the discussion on this and the GitHub pull request, the issue can be
properly addressed by using the OkHttp driver. Actually the Docker provider is
currently using it to configure custom TLS connections, so I'd suggest we close
this issue as fixed.
> Investigate HttpCommandExecutorService(s) with regards to POODLE
> ----------------------------------------------------------------
>
> Key: JCLOUDS-753
> URL: https://issues.apache.org/jira/browse/JCLOUDS-753
> Project: jclouds
> Issue Type: Bug
> Components: jclouds-core, jclouds-drivers
> Affects Versions: 1.5.10, 1.6.3, 1.7.3, 1.8.0, 1.8.1
> Reporter: Diwaker Gupta
> Priority: Minor
> Fix For: 1.9.0
>
> Attachments: disable-sslv3.patch
>
>
> SSLModule configures the SSLContext when using "untrusted" configuration:
> {noformat}
> sc = SSLContext.getInstance("SSL");
> sc.init(null, new TrustManager[] { trustAllCerts }, new SecureRandom());
> {noformat}
> This makes the client end of the SSL connection vulnerable to POODLE
> (http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html).
> jclouds should consider enforcing TLS on all client connections, even on ones
> already susceptible to MITM attacks.
> We should also investigate other uses of SSLContext in jclouds.
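
One way to enforce TLS on client sockets, as the issue description asks, shown here as an added example (it is not jclouds code and not the attached disable-sslv3.patch). The class name `NoSslv3SocketFactory` and its helpers are hypothetical; the wrapper strips SSLv3 and SSLv2Hello from each socket produced by whatever `SSLSocketFactory` it is given.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Hypothetical wrapper (not jclouds code): removes SSLv3 from every socket it creates. */
public final class NoSslv3SocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;
    public NoSslv3SocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

    /** Keeps only TLS protocol versions; fails closed if none remain. */
    static String[] tlsOnly(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String p : enabled) {
            if (p.startsWith("TLS")) kept.add(p);   // drops SSLv3 and SSLv2Hello
        }
        if (kept.isEmpty()) throw new IllegalStateException("no TLS protocol enabled");
        return kept.toArray(new String[0]);
    }

    // The context name alone does not restrict a socket's protocols on every JRE,
    // so the enabled list is narrowed on each socket before it is handed out.
    private static Socket harden(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            ssl.setEnabledProtocols(tlsOnly(ssl.getEnabledProtocols()));
        }
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return harden(delegate.createSocket()); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean autoClose) throws IOException { return harden(delegate.createSocket(s, h, p, autoClose)); }
    @Override public Socket createSocket(String h, int p) throws IOException { return harden(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return harden(delegate.createSocket(h, p, l, lp)); }
    @Override public Socket createSocket(InetAddress a, int p) throws IOException { return harden(delegate.createSocket(a, p)); }
    @Override public Socket createSocket(InetAddress a, int p, InetAddress l, int lp) throws IOException { return harden(delegate.createSocket(a, p, l, lp)); }

    public static void main(String[] args) throws Exception {
        SSLContext sc = SSLContext.getInstance("TLS");   // instead of "SSL"
        sc.init(null, null, null);                       // JRE default trust managers, not trust-all
        try (SSLSocket s = (SSLSocket) new NoSslv3SocketFactory(sc.getSocketFactory()).createSocket()) {
            System.out.println(String.join(",", s.getEnabledProtocols()));   // TLS versions only
        }
    }
}
```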