jclouds-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ignasi Barrera (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JCLOUDS-753) Investigate HttpCommandExecutorService(s) with regards to POODLE
Date Fri, 27 Feb 2015 09:26:05 GMT

    [ https://issues.apache.org/jira/browse/JCLOUDS-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14339928#comment-14339928
] 

Ignasi Barrera commented on JCLOUDS-753:
----------------------------------------

Given all the discussion on this and the GitHub pull request, the issue can be properly addressed
by using the OkHttp driver. Actually the Docker provider is currently using it to configure
custom TLS connections, so I'd suggest we close this issue as fixed.

> Investigate HttpCommandExecutorService(s) with regards to POODLE
> ----------------------------------------------------------------
>
>                 Key: JCLOUDS-753
>                 URL: https://issues.apache.org/jira/browse/JCLOUDS-753
>             Project: jclouds
>          Issue Type: Bug
>          Components: jclouds-core, jclouds-drivers
>    Affects Versions: 1.5.10, 1.6.3, 1.7.3, 1.8.0, 1.8.1
>            Reporter: Diwaker Gupta
>            Priority: Minor
>             Fix For: 1.9.0
>
>         Attachments: disable-sslv3.patch
>
>
> SSLModule configures the SSLContext when using "untrusted" configuration:
> {noformat}
>             sc = SSLContext.getInstance("SSL");
>             sc.init(null, new TrustManager[] { trustAllCerts }, new SecureRandom());
> {noformat}
> This makes the client end of the SSL connection vulnerable to POODLE (http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html)
> jclouds should consider enforcing TLS on all client connections, even on ones already
susceptible to MITM attacks.
> We should also investigate other uses of SSLContext in jclouds.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message