IdP v4.0.1 issues with CBC relying-party overrides and SPs with cipher-suite metadata
Cantor, Scott
cantor.2 at osu.edu
Thu Nov 12 18:27:52 UTC 2020
On 11/12/20, 1:11 PM, "users on behalf of Alan Buxey via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
> this is because IdP 4.x uses GCM by default whereas 3.x and earlier used CBC by default, yes? So whilst
> saying it can do GCM in metadata (probably the metadata generated from a previous Shib instance they ran)
> is bad....there are those SPs out there that can't/(won't?) do GCM that will require an exception list defining :/
If you choose to maintain the default, then one way or the other, you need an exception list or metadata signaling. The same is true if you don't maintain the default but do want to allow GCM when it's supported.
-- Scott