InCommon Baseline TLS 1.2
cantor.2 at osu.edu
Wed Jun 30 21:50:22 UTC 2021
On 6/30/21, 5:41 PM, "users on behalf of Brent Goebel" <users-bounces at shibboleth.net on behalf of Brent.Goebel at du.edu> wrote:
> Which webserver are you running? I’m running Jetty so if you have any insight on how you modified it that
> would be helpful as well. I started looking around and some say to modify jetty-ssl.xml to ‘ExcludeProtocols’ for
> 1.0 and 1.1 while another site said to update jetty-https.xml.
Our Jetty examples include manipulating Jetty SSL settings in the proper way, but Java 11 as of a recent patch already blocks TLS < 1.2 by default so you have to turn it on deliberately.
My exposure is down-level SPs on old Linux needing my metadata that I happened to host on my IdP server, which was a bad idea. I'm working on getting those SPs to switch to InCommon's MDQ endpoint, so that should mostly take care of it.
As for clients...this is about help desk issues. If you have a bad help desk or a bad relationship with them, then you're in a bad situation in the end and if not, you're probably fine. Somebody is going to complain, and the issue is what the organization is willing to tell them. If you don't have backing, that's not a good situation.
From what I've been told, Med Centers are a particular hive of scum and villainy when it comes to claiming they "have to run IE 6" or some such nonsense. None of that is ever true, but it's a consequence of the bad management issue.
More information about the users