IdP v4.0.1 issues with CBC relying-party overrides and SPs with cipher-suite metadata

[Robert Bradley]

On 12/11/2020 14:57, Cantor, Scott wrote:
> The security configuration you're talking about doesn't disallow GCM,
> it simply sets the default to CBC when there is no guidance. The
> metadata says GCM is favored, so the IdP uses it. Actually
> disallowing GCM would require building security configuration beans
> to explicitly enumerate only CBC algorithms or disallow GCM in that
> particular configuration.
> 

That would definitely explain what I was seeing.  I can look into 
building such a bean later, but it'll be easier to fix the metadata at 
source.

> Unless this is a federation supplying the metadata for the SP (in
> which case I'd contact the federation), a much simpler fix is to
> follow best practice and never trust remote metadata in the first
> place, so it can be fixed as required.
> 

These particular SPs are federation-sourced rather than remote metadata, 
so I was expecting a bit of a delay for changes to propagate through. 
Our traditional position has always been to require third-party SPs to 
supply metadata via eduGAIN or the UK AMF, although today's SaaS 
providers have made that trickier to enforce...  For those, we have had 
to resort to local metadata copies for just that reason.

-- 
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x9461A7CA76AFE3BE.asc
Type: application/pgp-keys
Size: 16768 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20201112/68c2522b/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://shibboleth.net/pipermail/users/attachments/20201112/68c2522b/attachment.sig>