You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@jclouds.apache.org by "Adrian Cole (JIRA)" <ji...@apache.org> on 2014/11/26 19:24:12 UTC

[jira] [Commented] (JCLOUDS-753) Investigate HttpCommandExecutorService(s) with regards to POODLE

    [ https://issues.apache.org/jira/browse/JCLOUDS-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14226572#comment-14226572 ] 

Adrian Cole commented on JCLOUDS-753:
-------------------------------------

As mentioned on https://github.com/jclouds/jclouds/pull/615 to [~andreaturli]..

This is getting really nasty. Rather than continue to yak on this, I suggest we only support okhttp when providers have constraints, or otherwise muck with TLS.

OkHttp 2.1 has a safe means to express cipher and protocol constraints, and has a very low dependency footprint.

https://github.com/square/okhttp/blob/master/okhttp/src/main/java/com/squareup/okhttp/ConnectionSpec.java

> Investigate HttpCommandExecutorService(s) with regards to POODLE
> ----------------------------------------------------------------
>
>                 Key: JCLOUDS-753
>                 URL: https://issues.apache.org/jira/browse/JCLOUDS-753
>             Project: jclouds
>          Issue Type: Bug
>          Components: jclouds-core, jclouds-drivers
>    Affects Versions: 1.5.10, 1.6.3, 1.7.3, 1.8.0, 1.8.1
>            Reporter: Diwaker Gupta
>            Priority: Minor
>             Fix For: 1.8.2
>
>         Attachments: disable-sslv3.patch
>
>
> SSLModule configures the SSLContext when using "untrusted" configuration:
> {noformat}
>             sc = SSLContext.getInstance("SSL");
>             sc.init(null, new TrustManager[] { trustAllCerts }, new SecureRandom());
> {noformat}
> This makes the client end of the SSL connection vulnerable to POODLE (http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html)
> jclouds should consider enforcing TLS on all client connections, even on ones already susceptible to MITM attacks.
> We should also investigate other uses of SSLContext in jclouds.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)