[
https://issues.apache.org/jira/browse/JCLOUDS-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14173828#comment-14173828
]
Ignasi Barrera commented on JCLOUDS-753:
----------------------------------------
If I'm not wrong, the OkHttp driver is also vulnerable, as it [uses the
SSLContext defined in the
SSLModule|https://github.com/jclouds/jclouds/blob/master/drivers/okhttp/src/main/java/org/jclouds/http/okhttp/OkHttpCommandExecutorService.java#L75].
The ApacheHC driver [configures SSL differently (and using
TLS)|https://github.com/jclouds/jclouds/blob/master/drivers/apachehc/src/main/java/org/jclouds/http/apachehc/config/ApacheHCHttpCommandExecutorServiceModule.java],
but I've not seen an evidence that it restricts the list of supported
protocols.
> HttpCommandExecutorService(s) vulnerable to POODLE
> --------------------------------------------------
>
> Key: JCLOUDS-753
> URL: https://issues.apache.org/jira/browse/JCLOUDS-753
> Project: jclouds
> Issue Type: Bug
> Components: jclouds-core
> Affects Versions: 1.8.0
> Reporter: Diwaker Gupta
>
> SSLModule configures the SSLContext thus:
> {noformat}
> sc = SSLContext.getInstance("SSL");
> sc.init(null, new TrustManager[] { trustAllCerts }, new
> SecureRandom());
> {noformat}
> This makes the client end of the SSL connection vulnerable to POODLE
> (http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html)
> jclouds should enforce TLS on all client connections.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
