[ https://issues.apache.org/jira/browse/JCLOUDS-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14172901#comment-14172901 ]

Diwaker Gupta commented on JCLOUDS-753:
---------------------------------------

I should note that `getInstance("TLS")` or even `getInstance("TLSv1.2")` is *not* sufficient. The set of supported protocols must be explicitly restricted to TLS+ (e.g. via SSLEngine.setEnabledProtocols).

> HttpCommandExecutorService(s) vulnerable to POODLE
> --------------------------------------------------
>
>                 Key: JCLOUDS-753
>                 URL: https://issues.apache.org/jira/browse/JCLOUDS-753
>             Project: jclouds
>          Issue Type: Bug
>          Components: jclouds-core
>    Affects Versions: 1.8.0
>            Reporter: Diwaker Gupta
>
> SSLModule configures the SSLContext thus:
> {noformat}
> sc = SSLContext.getInstance("SSL");
> sc.init(null, new TrustManager[] { trustAllCerts }, new SecureRandom());
> {noformat}
> This makes the client end of the SSL connection vulnerable to POODLE
> (http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html)
> jclouds should enforce TLS on all client connections.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
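
The restriction described in the comment above, as an added example that is not part of the original message and is not jclouds code: the context name passed to `SSLContext.getInstance` does not by itself fix the protocols an engine will negotiate, so the enabled set is filtered explicitly with `SSLEngine.setEnabledProtocols`. The class name `TlsOnlyEngine`, the helper `tlsOnly` and the sample protocol list are assumptions made for illustration; the default trust managers are used instead of a trust-all manager.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical illustration class; not part of jclouds.
public class TlsOnlyEngine {

    /** Keeps only protocol names that start with "TLS"; drops SSLv3 and SSLv2Hello. */
    static String[] tlsOnly(String[] protocols) {
        List<String> kept = new ArrayList<>();
        for (String p : protocols) {
            if (p.startsWith("TLS")) {
                kept.add(p);
            }
        }
        if (kept.isEmpty()) {
            // Fail closed rather than fall back to an SSL protocol.
            throw new IllegalStateException(
                "no TLS protocol in " + Arrays.toString(protocols));
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample list, to show the filter independent of the local JDK.
        String[] sample = { "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.2" };
        System.out.println("sample filtered: " + Arrays.toString(tlsOnly(sample)));

        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, null, null); // JDK default key managers, trust managers, SecureRandom

        SSLEngine engine = sc.createSSLEngine();
        engine.setUseClientMode(true);
        // Depending on the JDK version and its security properties, this
        // default set may still contain SSLv3 even though "TLS" was requested.
        System.out.println("enabled by default: "
            + Arrays.toString(engine.getEnabledProtocols()));

        // Filter the JDK's enabled set (not the supported set) so nothing
        // the platform has disabled is switched back on.
        engine.setEnabledProtocols(tlsOnly(engine.getEnabledProtocols()));
        System.out.println("enabled after restriction: "
            + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

The same filter applies to `SSLSocket.setEnabledProtocols` for socket-based clients.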