You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@jclouds.apache.org by "Diwaker Gupta (JIRA)" <ji...@apache.org> on 2014/10/16 22:56:34 UTC
[jira] [Updated] (JCLOUDS-753) HttpCommandExecutorService(s)
vulnerable to POODLE
[ https://issues.apache.org/jira/browse/JCLOUDS-753?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Diwaker Gupta updated JCLOUDS-753:
----------------------------------
Attachment: disable-sslv3.patch
Attached patch seems to work, but should be independently tested by others!
> HttpCommandExecutorService(s) vulnerable to POODLE
> --------------------------------------------------
>
> Key: JCLOUDS-753
> URL: https://issues.apache.org/jira/browse/JCLOUDS-753
> Project: jclouds
> Issue Type: Bug
> Components: jclouds-core
> Affects Versions: 1.7.3, 1.8.0
> Reporter: Diwaker Gupta
> Fix For: 1.8.1
>
> Attachments: disable-sslv3.patch
>
>
> SSLModule configures the SSLContext thus:
> {noformat}
> sc = SSLContext.getInstance("SSL");
> sc.init(null, new TrustManager[] { trustAllCerts }, new SecureRandom());
> {noformat}
> This makes the client end of the SSL connection vulnerable to POODLE (http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html)
> jclouds should enforce TLS on all client connections.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)