Shibboleth.DEPRECATION : MetadataGenerator handler

Cantor, Scott cantor.2 at
Mon Dec 6 18:35:14 UTC 2021

On 12/6/21, 1:22 PM, "users on behalf of Peter Schober" <users-bounces at on behalf of peter.schober at> wrote:

>    Thinking about this a bit, if the Java side ("java-shibd") has no TLS
>    server and mod_shib side has no cert-wielding TLS client (maybe it
>    does via libcurl?), we're talking about two stunnel processes:

If you're doing it, you're presumably separating them across a network, so yes, there's going to be two.

>    That still sounds very much doable if you need to connect both parts
>    over a possibly hostile network (and sharing a unix domain socket
>    isn't an option).

Yes, it's doable, but if we don't have to do it, we don't have to depend on TLS code, deal with library conflicts, rely on Windows APIs, provide a trust configuration, etc.

-- Scott
