Shibboleth Identity Provider Security Advisory [4 October 2017]

Cantor, Scott cantor.2 at osu.edu
Wed Nov 15 13:56:14 EST 2017


On 11/15/17, 1:33 PM, "users on behalf of Baron Fujimoto" <users-bounces at shibboleth.net on behalf of baron at hawaii.edu> wrote:

> At the risk of beating a dead horse, this is what I think I understand the
> situation to be based on the thread so far.

No, you have a major part of it backwards.

> The trustfile can be the CA (bundle?). This is a better choice to use than
> the cert for the LDAP host itself because you don't need to coordinate
> changes to the LDAP cert (e.g. expiration);

No, that's a generally necessary choice, not a better choice, but I'm not going to keep contaminating this conversation with my opinions. Stipulate that you're trusting the CA and we'll move on.

> the CA cert bundle is typically kept updated with Java updates, so if you keep Java relatively
> updated, this aspect is probably handled for you.

No. You will be warned if you do this, and in 4.0 it will fail.

You MUST explicitly configure every single connection to a server with the trusted keys to be used for that connection. The JVM's trust store is, or will be, irrelevant. That is what the advisory says:

"Note that as of V3.3.2, the software will now warn in most cases if the
default JVM trust approach is used in the LDAP connector, and a future
version will no longer support this approach, as it continues to be a
source of security problems."

> At least, identifying the certificate in question (for the LDAP host)
> would have helped.

An advisory cannot be a tutorial in how to configure the software but if the LDAP page needs more explanation on how to configure trust, then that's the best place to fix it.

> perhaps mentioning it as
> a resource typically maintained with Java updates would have
> also been helpful – presumably this is not uncommon. (Assuming I'm not
> off in left field somewhere).

That's exactly what you can't do...

-- Scott
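As an added illustration of the explicit per-connection trust Scott describes (this is not part of the original post and not the Shibboleth project's own documentation), here are the weak JVM-trust setting and the explicit-trust setting side by side in the IdP v3 ldap.properties file. It assumes the v3 property names idp.authn.LDAP.sslConfig, idp.authn.LDAP.trustCertificates and idp.attribute.resolver.LDAP.trustCertificates; the certificate path is a placeholder.

```properties
# Weak setting: rely on the JVM default trust store (cacerts). Per the
# advisory, V3.3.2 warns about this in the LDAP connector and a future
# version will not support it. Left commented out here; do not use it.
#idp.authn.LDAP.sslConfig = jvmTrust

# Explicit setting: trust only the PEM certificate(s) in this file, for
# this connection. The file can hold the CA certificate (or chain) that
# issued the LDAP server's certificate, so the server certificate can be
# rotated without touching the IdP. Placeholder path; supply your own CA PEM.
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-ca.crt

# The attribute resolver's LDAP DataConnector is a separate connection and
# needs its own explicit trust. The stock v3 file points it at the authn
# value so both connections use the same CA file; set it separately if the
# resolver talks to a different directory.
idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined}
```

Before filling in the CA file, confirm which issuer actually signed the LDAP server's certificate: `openssl s_client -connect ldap.example.edu:636 -showcerts` (hostname is a placeholder) prints the presented chain, and the CA you trust should be the one that issued the leaf certificate, not whatever happens to be in the JVM's cacerts.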
