How to find out if a Shib SP would be able to decrypt using AES128-GCM?
cantor.2 at osu.edu
Wed Jan 13 17:00:47 UTC 2021
On 1/13/21, 11:37 AM, "users on behalf of Thomas Lenggenhager" <users-bounces at shibboleth.net on behalf of lenggenhager at switch.ch> wrote:
> However, I haven't found any hint how I as SP administrator could easily
> find out whether my SP would be able to decrypt AES128-GCM encrypted
> assertions, if its metadata would publish support for this algorithm.
With few exceptions (I don't know of any, but it's theoretically possible), just hit /Shibboleth.sso/Metadata and if the supported algorithm extensions include it, it's going to work.
> I guess it depends on the SP version as well as the OpenSSL version in
> use. Any other dependencies?
The xml-security-c version also matters but normally is updated along with the SP anyway.
> Has someone hands on experience with AES128-GCM on Shib SPs?
I've tagged most of my campus SPs and most of the InCommon SPs we use that support it. I ran into a few so rotted that they don't, which of course means they also have gaping security bugs anyway.
More information about the users