users Digest, Vol 20, Issue 90

Praveen Pinto praveen.pinto at peopleadmin.com
Thu Feb 28 14:58:02 EST 2013


Hi Scott,

Here is the part of log where it blacklists rsa 1.5 when it first comes up.
Ubuntu 10.04 LTS, Shibboleth version 2.5.1

Thanks!
Praveen

Shibd.log:
2013-02-28 11:32:00 INFO Shibboleth.Listener : registered remoted message
endpoint (touch::StorageService::SessionCache)
2013-02-28 11:32:00 WARN Shibboleth.Config : deprecated/legacy
SecurityPolicy configuration, consider externalizing with
<SecurityPolicyProvider>
2013-02-28 11:32:00 DEBUG Shibboleth.SecurityPolicyProvider.XML : no
resource uri/path/name supplied, will load inline configuration

2013-02-28 11:32:00 DEBUG Shibboleth.SecurityPolicyProvider.XML : loading
inline configuration...
2013-02-28 11:32:00 DEBUG Shibboleth.PropertySet : added property id
(default)
2013-02-28 11:32:00 DEBUG Shibboleth.PropertySet : added property validate
(false)
2013-02-28 11:32:00 WARN Shibboleth.SecurityPolicyProvider.XML : detected
deprecated Policy configuration, consider converting to new PolicyRule
syntax
2013-02-28 11:32:00 INFO Shibboleth.SecurityPolicyProvider.XML :
installing a default Conditions rule in policy (default) for compatibility
with legacy configuration
2013-02-28 11:32:00 INFO OpenSAML.SecurityPolicyRule.Conditions : building
SecurityPolicyRule of type Audience
2013-02-28 11:32:00 INFO OpenSAML.SecurityPolicyRule.Conditions : building
SecurityPolicyRule of type Ignore
2013-02-28 11:32:00 INFO OpenSAML.SecurityPolicyRule.Conditions : building
SecurityPolicyRule of type Ignore
2013-02-28 11:32:00 INFO OpenSAML.SecurityPolicyRule.Conditions : building
SecurityPolicyRule of type Ignore
2013-02-28 11:32:00 INFO Shibboleth.Config : automatically blacklisting
security algorithm (http://www.w3.org/2001/04/xmldsig-more#rsa-md5)
2013-02-28 11:32:00 INFO Shibboleth.Config : automatically blacklisting
security algorithm (http://www.w3.org/2001/04/xmldsig-more#md5)
2013-02-28 11:32:00 INFO Shibboleth.Config : automatically blacklisting
security algorithm (http://www.w3.org/2001/04/xmlenc#rsa-1_5)
2013-02-28 11:32:00 INFO Shibboleth.Config : building ProtocolProvider of
type XML...
2013-02-28 11:32:00 DEBUG Shibboleth.ProtocolProvider.XML : using local
resource (/usr/local/etc/shibboleth/protocols.xml), will not monitor for
changes
2013-02-28 11:32:00 DEBUG Shibboleth.ProtocolProvider.XML : loading
configuration from external resource...
2013-02-28 11:32:00 INFO Shibboleth.ProtocolProvider.XML : loaded XML
resource (/usr/local/etc/shibboleth/protocols.xml)
2013-02-28 11:32:00 DEBUG Shibboleth.PropertySet : added property id
(SAML2)
2013-02-28 11:32:00 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
2013-02-28 11:32:00 DEBUG Shibboleth.PropertySet : added property path
(/SAML2/POST)
2013-02-28 11:32:00 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign)
2013-02-28 11:32:00 DEBUG Shibboleth.PropertySet : added property path
(/SAML2/POST-SimpleSign)
2013-02-28 11:32:00 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact)
2013-02-28 11:32:00 DEBUG Shibboleth.PropertySet : added property path
(/SAML2/Artifact)
2013-02-28 11:32:00 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:PAOS)
2013-02-28 11:32:00 DEBUG Shibboleth.PropertySet : added property path
(/SAML2/ECP)
2013-02-28 11:32:00 DEBUG Shibboleth.PropertySet : added property id
(SAML2)
2013-02-28 11:32:00 DEBUG Shibboleth.PropertySet : added property id
(urn:oasis:names:tc:SAML:2.0:bindings:SOAP)
2013-02-28 11:32:00 DEBUG Shibboleth.PropertySet : added property path
(/SLO/SOAP)



----------------------------------------------------------------

Just to have it in the same message, here is what I get when they try to
log in.

Shibd.log:

2013-02-28 13:52:33 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [2]:
evaluating message flow policy (replay checking on, expiration 60)
2013-02-28 13:52:33 DEBUG XMLTooling.StorageService [2]: inserted record
(id-jxOWHURt79HrVPlvRGoghpw7ymc-) in context (MessageFlow) with expiration
(1362083013)
2013-02-28 13:52:33 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]:
validating signature profile
2013-02-28 13:52:33 DEBUG XMLTooling.KeyInfoResolver.Inline [2]: resolving
ds:X509Certificate
2013-02-28 13:52:33 DEBUG XMLTooling.KeyInfoResolver.Inline [2]: resolved
1 certificate(s)
2013-02-28 13:52:33 DEBUG XMLTooling.KeyInfoResolver.Inline [2]: resolved
0 CRL(s)
2013-02-28 13:52:33 DEBUG XMLTooling.KeyInfoResolver.Inline [2]: resolving
ds:X509Certificate
2013-02-28 13:52:33 DEBUG XMLTooling.KeyInfoResolver.Inline [2]: resolved
1 certificate(s)
2013-02-28 13:52:33 DEBUG XMLTooling.KeyInfoResolver.Inline [2]: resolved
0 CRL(s)
2013-02-28 13:52:33 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]:
attempting to validate signature with the peer's credentials
2013-02-28 13:52:33 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]:
signature validated with credential
2013-02-28 13:52:33 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]:
signature verified against message issuer
2013-02-28 13:52:33 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation
[2]: assertion satisfied bearer confirmation requirements
2013-02-28 13:52:33 DEBUG XMLTooling.KeyInfoResolver.Inline [2]: resolved
0 certificate(s)
2013-02-28 13:52:33 WARN XMLTooling.Decrypter [2]: XMLSecurity exception
while decrypting key: XSECAlgorithmMapper::mapURIToHandler - URI
http://www.w3.org/2001/04/xmlenc#rsa-1_5 disallowed by whitelist/blacklist
policy
2013-02-28 13:52:33 WARN XMLTooling.Decrypter [2]: unable to decrypt key,
generating random key for defensive purposes
2013-02-28 13:52:33 ERROR Shibboleth.SSO.SAML2 [2]: failed to decrypt
NameID: XMLSecurity exception while decrypting:
OpenSSL:SymmetricKey::decryptFinish - Out of range padding value in final
block
2013-02-28 13:52:33 DEBUG Shibboleth.SSO.SAML2 [2]: SSO profile processing
completed successfully
2013-02-28 13:52:33 DEBUG Shibboleth.SSO.SAML2 [2]: extracting pushed
attributes...
2013-02-28 13:52:33 DEBUG Shibboleth.AttributeExtractor.XML [2]: unable to
extract attributes, unknown XML object type: samlp:Response
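The two excerpts above show the whole chain: at startup the SP logs that it is blacklisting `http://www.w3.org/2001/04/xmlenc#rsa-1_5`, and at login the Decrypter refuses that key-transport URI, substitutes a random key "for defensive purposes" (the standard countermeasure against padding-oracle attacks on RSA PKCS#1 v1.5 key transport), and the symmetric decryption then fails with a padding error that looks like a corrupt message. The following Python script is an added example, not code from the thread or from Shibboleth; it reads a shibd.log excerpt in the posted format, re-joins lines that the mail client wrapped, and ties the per-request policy rejection to the later padding error, checking the rejected URI against the startup blacklist. The sample log embedded in it is constructed from the lines posted above.

```python
"""Correlate shibd.log lines for a rejected XML Encryption key-transport algorithm.

Added example (not code from the thread or from Shibboleth). It reads shibd.log
text in the format posted above, re-joins records wrapped by the mail client,
and ties the per-request "disallowed by whitelist/blacklist policy" warning to
the later padding error, checking whether the rejected URI is one the SP
reported blacklisting at startup.
"""
import re

# A shibd.log record starts with "YYYY-MM-DD HH:MM:SS"; anything else is a wrapped continuation.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

# ts level category [request]: message   ("[n]" is absent on startup lines)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) "
    r"(?P<category>\S+)(?: \[(?P<req>\d+)\])?\s*:\s*(?P<msg>.*)$"
)
BLACKLIST_RE = re.compile(r"automatically blacklisting security algorithm \((?P<uri>[^)]+)\)")
DISALLOWED_RE = re.compile(r"URI (?P<uri>\S+) disallowed by whitelist/blacklist policy")
RANDOM_KEY_MSG = "generating random key for defensive purposes"
PADDING_MSG = "Out of range padding value"

# Constructed sample: the relevant lines from the posted logs, kept in their mail-wrapped form.
SAMPLE_LOG = """\
2013-02-28 11:32:00 INFO Shibboleth.Config : automatically blacklisting
security algorithm (http://www.w3.org/2001/04/xmldsig-more#rsa-md5)
2013-02-28 11:32:00 INFO Shibboleth.Config : automatically blacklisting
security algorithm (http://www.w3.org/2001/04/xmldsig-more#md5)
2013-02-28 11:32:00 INFO Shibboleth.Config : automatically blacklisting
security algorithm (http://www.w3.org/2001/04/xmlenc#rsa-1_5)
2013-02-28 13:52:33 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]:
signature validated with credential
2013-02-28 13:52:33 WARN XMLTooling.Decrypter [2]: XMLSecurity exception
while decrypting key: XSECAlgorithmMapper::mapURIToHandler - URI
http://www.w3.org/2001/04/xmlenc#rsa-1_5 disallowed by whitelist/blacklist
policy
2013-02-28 13:52:33 WARN XMLTooling.Decrypter [2]: unable to decrypt key,
generating random key for defensive purposes
2013-02-28 13:52:33 ERROR Shibboleth.SSO.SAML2 [2]: failed to decrypt
NameID: XMLSecurity exception while decrypting:
OpenSSL:SymmetricKey::decryptFinish - Out of range padding value in final
block
"""


def unwrap(text):
    """Re-join records that a mail client wrapped onto several lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse(text):
    """Parse unwrapped records into dicts; lines that do not fit the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, unwrap(text)) if m]


def analyze(text):
    """Return the startup algorithm blacklist and per-request findings from a shibd.log excerpt."""
    blacklisted = set()
    pending = {}      # request id -> state of a failing key-transport step
    findings = []
    for e in parse(text):
        msg, req = e["msg"], e["req"]
        m = BLACKLIST_RE.search(msg)
        if m:
            blacklisted.add(m.group("uri"))
            continue
        m = DISALLOWED_RE.search(msg)
        if m:
            pending[req] = {"uri": m.group("uri"), "random_key": False, "ts": e["ts"]}
            continue
        if req in pending and RANDOM_KEY_MSG in msg:
            pending[req]["random_key"] = True
            continue
        if req in pending and PADDING_MSG in msg:
            state = pending.pop(req)
            findings.append({
                "ts": state["ts"],
                "request": req,
                "uri": state["uri"],
                "blacklisted_at_startup": state["uri"] in blacklisted,
                "random_key_fallback": state["random_key"],
                # The padding error is the expected result of decrypting with the
                # substituted random key, so the root cause is the algorithm policy,
                # not a corrupt assertion.
                "root_cause": "key-transport algorithm rejected by policy",
            })
    return {"blacklisted": sorted(blacklisted), "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run against a real shibd.log (`analyze(open("shibd.log").read())`), a finding with `blacklisted_at_startup` set to True is the signature of this thread's problem: the IdP is still encrypting the key with RSA 1.5 while the SP's policy rejects it, so the fix is on the algorithm-policy side rather than in certificates or metadata.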



------------------------------------------------------------------------

On 2/27/13 12:34 PM, "Praveen Pinto" <praveen.pinto at peopleadmin.com> wrote:

>I pulled the impacted customer to a new server, and set the logs to debug
>so that I could get a clear picture of what is happening, and excerpts
>from the logs are below.

You're not including the part that matters, which will log the
installation of the blacklist information at startup time.

>shibboleth version 2.5.1 and Ubuntu 10.04 LTS. We have tried to get the
>customer to move away from RSA 1.5, but for the short term are stuck with
>it.

If you're stuck with Ubuntu, you may have to reproduce the problem on a
supported platform. I've done what I can do to verify the behavior and
don't see anything wrong, but I'll look at the logs and see if anything
looks off.

-- Scott


