[External] Re: jetty
Cantor, Scott
cantor.2 at osu.edu
Thu Mar 18 16:29:48 UTC 2021
On 3/18/21, 12:19 PM, "users on behalf of Donald Lohr" <users-bounces at shibboleth.net on behalf of lohrda at jmu.edu> wrote:
> I'd be interested in more information on why you say you "will be unable
> to meet it for a while". You can reply offline if you would like.
I have a strict "no secrets" policy when it comes to dirty laundry, one of many reasons I'm so "adored".
It's largely self-inflicted. I host our IdP's metadata for campus on the same server I run our IdP, and we have ancient RH5 and older systems around that can't fetch metadata with the SP using TLS 1.2. Simple as that.
I either try and get them to proxy the access themselves (i.e. they do work), I come up with a workaround (i.e. I do work) or I just assume nobody's going to report me to the IC advisory panel on compliance with baseline practices. I suspect I'll pick option #3. Supposedly most of our RH5 internally is going away in July, but I'll believe it when I see it.
I don't think we really have significant client exposure to TLS 1.1 and if we do I suspect breaking them would be welcomed by most of our security folks, even if I take the heat for it.
-- Scott