[ https://issues.apache.org/jira/browse/JCLOUDS-1570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17395710#comment-17395710 ]
Andrew Gaul commented on JCLOUDS-1570:
--------------------------------------

I see conflicting information on the web about Java and TLS versions. For example, Oracle claims that Java 8 defaults to TLS 1.2 and will downgrade to 1.0:

[https://blogs.oracle.com/java-platform-group/jdk-8-will-use-tls-12-as-default]

Does "TLS" mean select any version? If we hard-code "TLSv1.3" or "TLSv1.2" do either prevent users from connecting to older services? Ideally we would allow overriding this value but does the following suffice?

{{System.setProperty("https.protocols", "SSLv3,TLSv1,TLSv1.1,TLSv1.2");}}

> Usage of TLS is insecure
> ------------------------
>
> Key: JCLOUDS-1570
> URL: https://issues.apache.org/jira/browse/JCLOUDS-1570
> Project: jclouds
> Issue Type: Improvement
> Reporter: Md Mahir Asef Kabir
> Priority: Major
>
> Description: In
> “apis/docker/src/main/java/org/jclouds/docker/suppliers/SSLContextBuilder.java”
> file the following code was written in line 107
> SSLContext sslContext = SSLContext.getInstance("TLS");
> The vulnerability is, using "TLS" as the argument to SSLContext.getInstance
> method.
> Security Impact: TLS 1.0 is vulnerable to man-in-the-middle attacks.
>
> Useful Resources:
> https://www.comodo.com/e-commerce/ssl-certificates/tls-1-deprecation.php
> Solution we suggest: Using SSLContext.getInstance("TLSv1.3").
> Please share with us your opinions/comments if there is any:
> Is the bug report helpful?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
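
An added example, not part of the Jira thread or the jclouds code base: a small Java program that prints which protocol versions the running JVM enables for each `SSLContext.getInstance` name discussed above, then restricts an engine created from a "TLS" context to an explicit allow-list through `SSLParameters.setProtocols`. The TLS 1.2 floor and the class name `TlsProtocolFloor` are assumptions made for the illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class TlsProtocolFloor {
    // Assumption for this example: anything below TLS 1.2 is unwanted.
    static final List<String> ALLOWED = Arrays.asList("TLSv1.3", "TLSv1.2");

    /** Protocols a context of the given name enables by default on this runtime. */
    static String[] defaultProtocols(String name) throws Exception {
        SSLContext ctx = SSLContext.getInstance(name);
        ctx.init(null, null, null); // default key managers, trust managers, RNG
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    /** Keep only the allowed versions that the runtime actually supports. */
    static String[] restrict(SSLContext ctx) {
        List<String> supported =
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        List<String> keep = new ArrayList<>(ALLOWED);
        keep.retainAll(supported); // e.g. drops TLSv1.3 on a JDK without it
        if (keep.isEmpty()) {
            throw new IllegalStateException("runtime supports none of " + ALLOWED);
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Step 1: observe what each context name enables instead of guessing.
        for (String name : new String[] {"TLS", "TLSv1.2", "TLSv1.3"}) {
            try {
                System.out.println(name + " -> " + Arrays.toString(defaultProtocols(name)));
            } catch (NoSuchAlgorithmException e) {
                System.out.println(name + " -> not available on this runtime");
            }
        }
        // Step 2: keep the generic context, but pin the versions per connection.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(restrict(ctx));
        engine.setSSLParameters(params);
        System.out.println("engine -> " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

The output of the first loop varies with the JDK version and the `jdk.tls.disabledAlgorithms` security property, which is why the example prints it rather than assuming it.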