IdP v4.0.1 issues with CBC relying-party overrides and SPs with cipher-suite metadata

Cantor, Scott cantor.2 at
Thu Nov 12 14:57:38 UTC 2020

The security configuration you're talking about doesn't disallow GCM, it simply sets the default to CBC when there is no guidance. The metadata says GCM is favored, so the IdP uses it. Actually disallowing GCM would require building security configuration beans to explicitly enumerate only CBC algorithms or disallow GCM in that particular configuration.

Unless this is a federation supplying the metadata for the SP (in which case I'd contact the federation), a much simpler fix is to follow best practice and never trust remote metadata in the first place, so it can be fixed as required.

-- Scott

More information about the users mailing list