Posted to notifications@jclouds.apache.org by "Andrew Gaul (Jira)" <ji...@apache.org> on 2021/08/09 02:56:00 UTC

[jira] [Commented] (JCLOUDS-1570) Usage of TLS is insecure

    [ https://issues.apache.org/jira/browse/JCLOUDS-1570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17395710#comment-17395710 ] 

Andrew Gaul commented on JCLOUDS-1570:
--------------------------------------

I see conflicting information on the web about Java and TLS versions.  For example, Oracle claims that Java 8 defaults to TLS 1.2 and will downgrade to 1.0:

[https://blogs.oracle.com/java-platform-group/jdk-8-will-use-tls-12-as-default]

Does "TLS" mean select any version?  If we hard-code "TLSv1.3" or "TLSv1.2", does either prevent users from connecting to older services?  Ideally we would allow overriding this value, but does the following suffice?

{{System.setProperty("https.protocols", "SSLv3,TLSv1,TLSv1.1,TLSv1.2");}}

> Usage of TLS is insecure
> ------------------------
>
>                 Key: JCLOUDS-1570
>                 URL: https://issues.apache.org/jira/browse/JCLOUDS-1570
>             Project: jclouds
>          Issue Type: Improvement
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>
> Description: In “apis/docker/src/main/java/org/jclouds/docker/suppliers/SSLContextBuilder.java” file the following code was written in line 107
> SSLContext sslContext = SSLContext.getInstance("TLS");
> The vulnerability is, using "TLS" as the argument to the SSLContext.getInstance method.
> Security Impact: TLS 1.0 is vulnerable to man-in-the-middle attacks.
>
> Useful Resources: https://www.comodo.com/e-commerce/ssl-certificates/tls-1-deprecation.php
> Solution we suggest: Using SSLContext.getInstance("TLSv1.3").
> Please share with us your opinions/comments if there are any:
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)