Encryption Error
Brent Putman
putmanb at georgetown.edu
Wed Jul 6 19:03:59 EDT 2016
On 7/6/16 6:43 PM, Klingenstein, Nate wrote:
>> And the documented metadata for the TestShib SP does list the GCM
>> ones first also:
>>
>> http://www.testshib.org/metadata/testshib-providers.xml
>
> If there's a different ordering or set of algorithms that would be
> preferred by the developers, we could make that change pretty easily.
> I don't think we've encountered a problem with it prior to this,
> though, and if anything, it's probably good that it got caught.
>
No, it's not really in general a problem per se. We in general want
GCM mode to be used if it's supported, so it really ought to be listed
first.
The only problematic edge case deployment-wise is it you have
deliberately configured an *older* version of BC <= 1.50. I highly
suspect that is what the OP has. But maybe he can confirm at some point.
If you have Java 7 + BC >=1.51, it will work fine I think. And if you
haven't configured BC at all (the vast majority case for most people),
then it will either successfully do AES CBC (Java 7) or AES GCM (Java
8), given that metadata. In the former case AES GCM isn't supported by
the runtime, so it falls through to the later algorithms in the list in
metadata.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20160706/d2ce1b46/attachment.html>
More information about the users
mailing list