InCommon Baseline TLS 1.2
IAM David Bantz
dabantz at alaska.edu
Wed Jun 30 22:56:38 UTC 2021
Our UA IdP v4 on Tomcat 8 instances directly support TLS 1.2 connections
(SSLLabs “A”). However nearly all clients connect via a load balancer
supporting TLS 1.2 and 1.3 (SSLLabs “A+”). Our Shibboleth IdP is also our
institutional CAS server used for logins to ERP, and CAS services including
back-channel ticket validation requests also worked without a hitch. I am
aware of zero support calls or complaints related to turning off older TLS
versions about a year ago.
We previously ran IdP v3 on jetty 9; in that environment I edited
addExcludeCipherSuites.xml,
but follow Scott Cantor’s Jetty SSL settings advice.
David
On 30Jun, 2021 at 13:41:33, Brent Goebel <Brent.Goebel at du.edu> wrote:
> ...
>
> So have you updated your IdP to use TLS 1.2 and above? Did you see any
> issue with doing so for your IdP for your applications using your IdP for
> SSO?
>
> Which webserver are you running? I’m running Jetty so if you have any
> insight on how you modified it that would be helpful as well. I started
> looking around and some say to modify jetty-ssl.xml to ‘ExcludeProtocols’
> for 1.0 and 1.1 while another site said to update jetty-https.xml.
>
>
>
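An added illustration of the jetty-ssl.xml change Brent asks about; this is not configuration from either poster. It assumes Jetty 9.4's stock etc/jetty-ssl.xml layout (the `sslContextFactory` bean id and the `SslContextFactory$Server` class of 9.4.15 and later) and omits the keystore settings.

```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- Added example fragment of etc/jetty-ssl.xml (Jetty 9.4); not from the thread.
     Only the SslContextFactory bean is shown; KeyStorePath etc. are left out. -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">

    <!-- Weak (the stock file): nothing below is set, so only Jetty's built-in
         defaults apply. Those exclude SSL, SSLv2, SSLv2Hello and SSLv3, which
         means TLSv1 and TLSv1.1 remain negotiable. -->

    <!-- Hardened: add TLS 1.0 and 1.1 to the exclusion list. addExcludeProtocols
         appends to the defaults instead of replacing them, so SSLv3 stays excluded. -->
    <Call name="addExcludeProtocols">
      <Arg>
        <Array type="String">
          <Item>TLSv1</Item>
          <Item>TLSv1.1</Item>
        </Array>
      </Arg>
    </Call>

    <!-- Equivalent allow-list form. Exclusions win over inclusions in Jetty, and
         a protocol the JVM does not offer (TLSv1.3 on an old JDK) is simply ignored. -->
    <Set name="IncludeProtocols">
      <Array type="String">
        <Item>TLSv1.2</Item>
        <Item>TLSv1.3</Item>
      </Array>
    </Set>

    <!-- Cipher-suite exclusions are regular expressions; this drops the legacy
         suites in the same way as the addExcludeCipherSuites edit David mentions. -->
    <Call name="addExcludeCipherSuites">
      <Arg>
        <Array type="String">
          <Item>^.*_NULL_.*$</Item>
          <Item>^.*_RC4_.*$</Item>
          <Item>^.*_DES_.*$</Item>
          <Item>^.*_MD5$</Item>
        </Array>
      </Arg>
    </Call>

  </New>
</Configure>
```

After restarting Jetty, an SSL Labs scan (as both posters use) or a client forced to TLS 1.1 should show the older versions refused while TLS 1.2 and 1.3 remain available.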