[ https://issues.apache.org/jira/browse/JCLOUDS-1570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17395710#comment-17395710 ]

Andrew Gaul commented on JCLOUDS-1570:
--------------------------------------

I see conflicting information on the web about Java and TLS versions.  For 
example, Oracle claims that Java 8 defaults to TLS 1.2 and will downgrade to 
1.0:

[https://blogs.oracle.com/java-platform-group/jdk-8-will-use-tls-12-as-default]

Does "TLS" mean select any version?  If we hard-code "TLSv1.3" or "TLSv1.2", does 
either prevent users from connecting to older services?  Ideally we would allow 
overriding this value, but does the following suffice?

{{System.setProperty("https.protocols", "SSLv3,TLSv1,TLSv1.1,TLSv1.2");}}

> Usage of TLS is insecure
> ------------------------
>
>                 Key: JCLOUDS-1570
>                 URL: https://issues.apache.org/jira/browse/JCLOUDS-1570
>             Project: jclouds
>          Issue Type: Improvement
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>
> Description: In the file
> "apis/docker/src/main/java/org/jclouds/docker/suppliers/SSLContextBuilder.java"
> the following code was written in line 107:
> SSLContext sslContext = SSLContext.getInstance("TLS");
> The vulnerability is using "TLS" as the argument to the SSLContext.getInstance 
> method.
> Security Impact: TLS 1.0 is vulnerable to man-in-the-middle attacks.
>  
> Useful Resources: 
> https://www.comodo.com/e-commerce/ssl-certificates/tls-1-deprecation.php
> Solution we suggest: Using SSLContext.getInstance("TLSv1.3").
> Please share with us your opinions/comments if there are any:
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
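
Added example (not part of the Jira comment or of jclouds code): a check that prints which protocol versions a client engine actually enables for each SSLContext name discussed above, then restricts them explicitly with SSLParameters.setProtocols instead of relying on the context name. The class and method names are hypothetical; the printed lists depend on the JRE version and its jdk.tls.disabledAlgorithms security property.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class TlsProtocolCheck {  // hypothetical name, added example
    // Builds a client-mode engine from the named context with default managers.
    static SSLEngine clientEngine(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null);  // default key managers, trust managers, RNG
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        return engine;
    }

    // Restricts the engine to the allowed versions that this JRE supports.
    // Fails closed if none of them are available (e.g. TLSv1.3 on an old Java 8).
    static SSLEngine pinnedClientEngine(String... allowed) throws Exception {
        SSLEngine engine = clientEngine("TLS");
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        String[] usable = Arrays.stream(allowed)
                .filter(supported::contains)
                .toArray(String[]::new);
        if (usable.length == 0) {
            throw new IllegalStateException("no allowed TLS version is supported");
        }
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(usable);
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Show what each context name enables by default on this JRE.
        for (String name : new String[] {"TLS", "TLSv1.2", "TLSv1.3"}) {
            try {
                String[] enabled = clientEngine(name).getEnabledProtocols();
                System.out.println(name + " -> " + Arrays.toString(enabled));
            } catch (NoSuchAlgorithmException e) {
                System.out.println(name + " -> not available on this JRE");
            }
        }
        SSLEngine pinned = pinnedClientEngine("TLSv1.2", "TLSv1.3");
        System.out.println("pinned -> " + Arrays.toString(pinned.getEnabledProtocols()));
    }
}
```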
