[ https://issues.apache.org/jira/browse/JCLOUDS-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14173828#comment-14173828 ]
Ignasi Barrera commented on JCLOUDS-753:
----------------------------------------

If I'm not wrong, the OkHttp driver is also vulnerable, as it [uses the SSLContext defined in the SSLModule|https://github.com/jclouds/jclouds/blob/master/drivers/okhttp/src/main/java/org/jclouds/http/okhttp/OkHttpCommandExecutorService.java#L75].

The ApacheHC driver [configures SSL differently (and using TLS)|https://github.com/jclouds/jclouds/blob/master/drivers/apachehc/src/main/java/org/jclouds/http/apachehc/config/ApacheHCHttpCommandExecutorServiceModule.java], but I've not seen any evidence that it restricts the list of supported protocols.

> HttpCommandExecutorService(s) vulnerable to POODLE
> --------------------------------------------------
>
> Key: JCLOUDS-753
> URL: https://issues.apache.org/jira/browse/JCLOUDS-753
> Project: jclouds
> Issue Type: Bug
> Components: jclouds-core
> Affects Versions: 1.8.0
> Reporter: Diwaker Gupta
>
> SSLModule configures the SSLContext thus:
> {noformat}
> sc = SSLContext.getInstance("SSL");
> sc.init(null, new TrustManager[] { trustAllCerts }, new SecureRandom());
> {noformat}
> This makes the client end of the SSL connection vulnerable to POODLE
> (http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html)
> jclouds should enforce TLS on all client connections.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)