Shibboleth.DEPRECATION : MetadataGenerator handler
Peter Schober
peter.schober at univie.ac.at
Mon Dec 6 18:22:15 UTC 2021
* Cantor, Scott <cantor.2 at osu.edu> [2021-12-06 17:10]:
> > OK, so the Apache module (as the one initiating connections to
> > shibd) would handle the TLS client-side and stunnel would provide
> > the TLS server, itself connecting to a non-TLS TCP socket
> > listening on the Java side?
>
> That is a possibility, yes. It puts the hassle of managing TLS on
> the people who want to run it that way instead of the project. You
> have to bear in mind this isn't "just TLS". It has to be
> client-authenticated TLS to be worth doing.
Thinking about this a bit, if the Java side ("java-shibd") has no TLS
server and mod_shib side has no cert-wielding TLS client (maybe it
does via libcurl?), we're talking about two stunnel processes:
One (server mode) connecting to the Java TCP listener and exposing a
TLS server (and expecting client certs from a certain CA/chain). And
another one (client mode) for mod_shib to connect to (on a non-TLS TCP
port), itself connecting to the TLS server on the Java side with a
client cert.
That's still sounds very much doable if you need to connect both parts
over a possibly hostile network (and sharing a unix domain socket
isn't an option).
-peter
More information about the users
mailing list