jclouds / JCLOUDS-753

Investigate HttpCommandExecutorService(s) with regards to POODLE


Details

    • Bug
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • 1.5.10, 1.6.3, 1.7.3, 1.8.0, 1.8.1
    • 1.9.0
    • None

    Description

      SSLModule configures the SSLContext when using "untrusted" configuration:

                  sc = SSLContext.getInstance("SSL");
                  sc.init(null, new TrustManager[] { trustAllCerts }, new SecureRandom());
      

      This makes the client end of the SSL connection vulnerable to POODLE (http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html).

      jclouds should consider enforcing TLS on all client connections, even on ones already susceptible to MITM attacks.

      We should also investigate other uses of SSLContext in jclouds.

      Attachments

        1. disable-sslv3.patch
          0.7 kB
          Diwaker Gupta

          People

            Unassigned Unassigned
            diwaker Diwaker Gupta