Shibboleth.DEPRECATION : MetadataGenerator handler

Peter Schober peter.schober at
Mon Dec 6 18:22:15 UTC 2021

* Cantor, Scott <cantor.2 at> [2021-12-06 17:10]:
> > OK, so the Apache module (as the one initiating connections to
> > shibd) would handle the TLS client-side and stunnel would provide
> > the TLS server, itself connecting to a non-TLS TCP socket
> > listening on the Java side?
> That is a possibility, yes. It puts the hassle of  managing TLS on
> the people who want to run it that way instead of the project. You
> have to bear in mind this isn't "just TLS". It has to be
> client-authenticated TLS to be worth doing.

Thinking about this a bit, if the Java side ("java-shibd") has no TLS
server and mod_shib side has no cert-wielding TLS client (maybe it
does via libcurl?), we're talking about two stunnel processes:

One (server mode) connecting to the Java TCP listener and exposing a
TLS server (and expecting client certs from a certain CA/chain).  And
another one (client mode) for mod_shib to connect to (on a non-TLS TCP
port), itself connecting to the TLS server on the Java side with a
client cert.

That's still sounds very much doable if you need to connect both parts
over a possibly hostile network (and sharing a unix domain socket
isn't an option).


More information about the users mailing list