OpenSSL advisory
Cantor, Scott
cantor.2 at osu.edu
Thu Jul 9 12:27:35 EDT 2015
On 7/9/15, 12:25 PM, "users on behalf of Peter Schober" <users-bounces at shibboleth.net on behalf of peter.schober at univie.ac.at> wrote:
>* Cantor, Scott <cantor.2 at osu.edu> [2015-07-09 17:50]:
>> I would strongly suggest people consider turning PKIX off in the SP in shibboleth2.xml:
>>
>> ...metadata providers...
>>
>> <TrustEngine type="ExplicitKey" />
>>
>> ...attribute extractors, etc....
>
>The current default config ships with no TrustEngine elements defined,
>and the documentation doesn't state the default behaviour in case zero
>TrustEngine elements occur:
>https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplication#NativeSPApplication-ChildElements
>So how to turn it off then?
The above change. The default is what's currently in the example-shibboleth2.xml file, which I've added to the page.
-- Scott
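
A check for the change suggested in this thread, as an added example that is not part of the original message or of the Shibboleth project's code: it reads the text of a shibboleth2.xml and reports, per application, whether a TrustEngine is set and whether PKIX is among its types. The sample documents and result labels are constructed, and it assumes that an ApplicationOverride without its own TrustEngine inherits the setting of ApplicationDefaults.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip the XML namespace so the check does not depend on it."""
    return tag.rsplit("}", 1)[-1]

def _status(app):
    """Classify the TrustEngine set directly under one application element."""
    engines = [c for c in app if _local(c.tag) == "TrustEngine"]
    if not engines:
        return None  # nothing configured at this level
    # Collect the types of the engine and anything chained inside it.
    types = {e.get("type") for top in engines for e in top.iter()
             if _local(e.tag) == "TrustEngine"} - {"Chaining"}
    if "PKIX" in types:
        return "pkix-enabled"
    return "explicit-key-only" if types == {"ExplicitKey"} else "other"

def audit(xml_text):
    """Return {application id: status} for ApplicationDefaults and overrides."""
    report = {}
    for app in ET.fromstring(xml_text).iter():
        if _local(app.tag) != "ApplicationDefaults":
            continue
        # "default-engines": no TrustEngine element, so the SP default applies.
        base = _status(app) or "default-engines"
        report["default"] = base
        for ov in app:
            if _local(ov.tag) == "ApplicationOverride":
                # Assumption: an override with no TrustEngine inherits.
                report[ov.get("id")] = _status(ov) or base
    return report

# Constructed sample: the change suggested in the thread.
HARDENED = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <TrustEngine type="ExplicitKey"/>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample: nothing set at the top, PKIX chained in an override.
UNSET = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <ApplicationOverride id="admin">
      <TrustEngine type="Chaining">
        <TrustEngine type="ExplicitKey"/><TrustEngine type="PKIX"/>
      </TrustEngine>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""

if __name__ == "__main__":
    print(audit(HARDENED), audit(UNSET))
```

A "default-engines" result means the file relies on the default the thread refers to, so that application still needs the explicit element to follow the suggestion.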