[ https://issues.apache.org/jira/browse/JCLOUDS-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14174512#comment-14174512 ]
Andrew Phillips commented on JCLOUDS-753:
-----------------------------------------

> see Ignasi's comment earlier and my follow up.

Sorry, I had missed those. Thanks for repeating that!

> HttpCommandExecutorService(s) vulnerable to POODLE
> --------------------------------------------------
>
>                 Key: JCLOUDS-753
>                 URL: https://issues.apache.org/jira/browse/JCLOUDS-753
>             Project: jclouds
>          Issue Type: Bug
>          Components: jclouds-core
>    Affects Versions: 1.7.3, 1.8.0
>            Reporter: Diwaker Gupta
>            Priority: Critical
>             Fix For: 1.8.1
>
>         Attachments: disable-sslv3.patch
>
>
> SSLModule configures the SSLContext thus:
> {noformat}
> sc = SSLContext.getInstance("SSL");
> sc.init(null, new TrustManager[] { trustAllCerts }, new SecureRandom());
> {noformat}
> This makes the client end of the SSL connection vulnerable to POODLE
> (http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html)
> jclouds should enforce TLS on all client connections.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
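
One way to enforce TLS on a client connection as the issue asks, shown as an added example: it is not part of this message, not the attached disable-sslv3.patch, and not jclouds code. The class name NoSslv3 and the helper withoutSslv3 are hypothetical, and the sample protocol list is constructed. It filters the enabled protocols explicitly because, on older JDKs, asking for a "TLS" context does not by itself remove SSLv3 from the enabled list.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example, not jclouds code; NoSslv3 and withoutSslv3 are hypothetical names.
public class NoSslv3 {

    // Return the protocol list with every "SSL*" entry removed
    // (SSLv3 and the SSLv2Hello hello format), keeping the TLS versions.
    static String[] withoutSslv3(String[] protocols) {
        List<String> kept = new ArrayList<>();
        for (String p : protocols) {
            if (!p.startsWith("SSL")) {
                kept.add(p);
            }
        }
        // Fail closed: never hand back an empty list that a caller
        // might treat as "use the defaults".
        if (kept.isEmpty()) {
            throw new IllegalStateException("no TLS protocol version available");
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // "TLS" instead of "SSL"; the null arguments select the JVM's default
        // key managers, trust managers and SecureRandom.
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, null, null);

        // Constructed input: what a JVM that still enables SSLv3 might report.
        String[] sample = { "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.2" };
        System.out.println("sample -> " + Arrays.toString(withoutSslv3(sample)));

        // Apply the same filter to a real engine created from the context.
        SSLEngine engine = sc.createSSLEngine();
        engine.setUseClientMode(true);
        engine.setEnabledProtocols(withoutSslv3(engine.getEnabledProtocols()));
        System.out.println("engine -> " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

The same filter applies to an SSLSocket through its own getEnabledProtocols() and setEnabledProtocols() methods.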