Shibboleth 2.5.1 blacklist of RSA 1.5

praveen praveen.pinto at peopleadmin.com
Tue Jan 29 12:10:10 EST 2013


Hi Scott

Thanks for replying to my post. The only response I get in my logs after
setting IncludeDefaultBlacklist to false is that it continues to blacklist RSA
1.5. Anywhere else I can look, or force it to bypass that? The
security-policy.xml IncludeDefaultBlacklist setting doesn't seem to take,
and I have verified both the /etc/shibboleth and /var/run/shibboleth copies
have that set to false. I even tried explicitly setting RSA 1.5 to
whitelist, but I guess blacklist trumps whitelist? Below are excerpts from
my logs.
Thanks for any and all help. I've spent a long time going through various
Shibboleth files, and read the user docs on this, and like you said, it
should be straightforward, but for some reason, it isn't in my
implementation.


shibd_warn.log:2013-01-15 15:55:25 WARN XMLTooling.Decrypter [52]: XMLSecurity exception while decrypting key: XSECAlgorithmMapper::mapURIToHandler - URI http://www.w3.org/2001/04/xmlenc#rsa-1_5 disallowed by whitelist/blacklist policy

shibd_warn.log:2013-01-15 15:55:25 WARN XMLTooling.Decrypter [52]: XMLSecurity exception while decrypting key: XSECAlgorithmMapper::mapURIToHandler - URI http://www.w3.org/2001/04/xmlenc#rsa-1_5 disallowed by whitelist/blacklist policy

shibd.log.1:2013-01-15 18:15:09 INFO Shibboleth.Config : automatically blacklisting security algorithm (http://www.w3.org/2001/04/xmldsig-more#rsa-md5)
shibd.log.1:2013-01-15 18:15:09 INFO Shibboleth.Config : automatically blacklisting security algorithm (http://www.w3.org/2001/04/xmldsig-more#md5)
shibd.log.1:2013-01-15 18:15:09 INFO Shibboleth.Config : automatically blacklisting security algorithm (http://www.w3.org/2001/04/xmlenc#rsa-1_5)

security-policy.xml content:

<SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">

    <Policy id="default" validate="false">
        <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
        <PolicyRule type="Conditions">
            <PolicyRule type="Audience"/>
        </PolicyRule>
        <PolicyRule type="ClientCertAuth" errorFatal="true"/>
        <PolicyRule type="XMLSigning" errorFatal="true"/>
        <PolicyRule type="SimpleSigning" errorFatal="true"/>
    </Policy>

    <Policy id="entity-attributes">
        <PolicyRule type="Conditions"/>
        <PolicyRule type="XMLSigning" errorFatal="true"/>
    </Policy>

    <AlgorithmBlacklist includeDefaultBlacklist="false"/>

</SecurityPolicies>

--
View this message in context: http://shibboleth.1660669.n2.nabble.com/Shibboleth-2-5-1-blacklist-of-RSA-1-5-tp7584187p7584334.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
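The mismatch the post describes, a security-policy.xml that turns off the default algorithm blacklist while shibd.log still reports "automatically blacklisting" the same URIs, is easy to spot by cross-checking the two sources. The script below is an added example, not code from the post or from the Shibboleth project. It parses the <AlgorithmBlacklist>/<AlgorithmWhitelist> elements of a security-policy.xml (the element content is assumed to be a whitespace-separated list of algorithm URIs) and the two log message shapes quoted above, then reports algorithms the SP is still enforcing against what the file asks for. The policy and log lines embedded here are constructed from the post's excerpts.

```python
import re
import xml.etree.ElementTree as ET

NS = "urn:mace:shibboleth:2.0:native:sp:config"

# Constructed sample input: a cut-down copy of the policy file from the post.
POLICY_XML = """<SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">
    <Policy id="default" validate="false">
        <PolicyRule type="XMLSigning" errorFatal="true"/>
    </Policy>
    <AlgorithmBlacklist includeDefaultBlacklist="false"/>
</SecurityPolicies>
"""

# Constructed sample input: the two kinds of log line quoted in the post.
LOG_LINES = [
    "2013-01-15 18:15:09 INFO Shibboleth.Config : automatically blacklisting "
    "security algorithm (http://www.w3.org/2001/04/xmldsig-more#rsa-md5)",
    "2013-01-15 18:15:09 INFO Shibboleth.Config : automatically blacklisting "
    "security algorithm (http://www.w3.org/2001/04/xmlenc#rsa-1_5)",
    "2013-01-15 15:55:25 WARN XMLTooling.Decrypter [52]: XMLSecurity exception "
    "while decrypting key: XSECAlgorithmMapper::mapURIToHandler - URI "
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5 disallowed by whitelist/blacklist policy",
]

AUTO_RE = re.compile(r"automatically blacklisting security algorithm \((\S+)\)")
DISALLOW_RE = re.compile(r"URI (\S+) disallowed by whitelist/blacklist policy")


def parse_policy(xml_text):
    """Return (include_default, explicit_blacklist, explicit_whitelist).

    include_default mirrors the includeDefaultBlacklist attribute (default true);
    the URI lists are read from element text (assumed whitespace-separated).
    """
    root = ET.fromstring(xml_text)
    include_default = True
    blacklist, whitelist = set(), set()
    bl = root.find(f"{{{NS}}}AlgorithmBlacklist")
    if bl is not None:
        include_default = bl.get("includeDefaultBlacklist", "true").lower() != "false"
        blacklist.update((bl.text or "").split())
    wl = root.find(f"{{{NS}}}AlgorithmWhitelist")
    if wl is not None:
        whitelist.update((wl.text or "").split())
    return include_default, blacklist, whitelist


def parse_log(lines):
    """Collect URIs the SP auto-blacklisted at startup and URIs it rejected at runtime."""
    auto, disallowed = set(), set()
    for line in lines:
        m = AUTO_RE.search(line)
        if m:
            auto.add(m.group(1))
        m = DISALLOW_RE.search(line)
        if m:
            disallowed.add(m.group(1))
    return auto, disallowed


def find_mismatches(xml_text, lines):
    """Return a list of (finding, [uris]) where the log disagrees with the policy file."""
    include_default, blacklist, whitelist = parse_policy(xml_text)
    auto, disallowed = parse_log(lines)
    findings = []
    # The post's symptom: default blacklist disabled on disk, still applied at runtime.
    if not include_default and auto:
        findings.append(("default-blacklist-still-applied", sorted(auto)))
    for uri in sorted(disallowed):
        if uri in whitelist:
            findings.append(("whitelisted-but-disallowed", [uri]))
        elif uri not in blacklist and uri not in auto:
            findings.append(("disallowed-by-unknown-rule", [uri]))
    return findings


if __name__ == "__main__":
    for name, uris in find_mismatches(POLICY_XML, LOG_LINES):
        print(name)
        for uri in uris:
            print("   ", uri)
```

Run against a real deployment by reading /etc/shibboleth/security-policy.xml and grepping the startup block of shibd.log; a "default-blacklist-still-applied" finding means the running shibd is not honouring the file you edited, which is the first thing to confirm before looking anywhere else (the post notes the /var/run/shibboleth copy as a second place the file can live).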