[External] Re: jetty

Cantor, Scott cantor.2 at osu.edu
Thu Mar 18 16:29:48 UTC 2021


On 3/18/21, 12:19 PM, "users on behalf of Donald Lohr" <users-bounces at shibboleth.net on behalf of lohrda at jmu.edu> wrote:

>    I'd be interested in more information on why you say you "will be unable 
>    to meet it for a while". You want reply offline if you would like.

I have a strict "no secrets" policy when it comes to dirty laundry, one of many reasons I'm so "adored".

It's largely self-inflicted. I host our IdP's metadata for campus on the same server I run our IdP, and we have ancient RH5 and older systems around that can't fetch metadata with the SP using TLS 1.2. Simple as that.

I either try and get them to proxy the access themselves (i.e. they do work), I come up with a workaround (i.e. I do work) or I just assume nobody's going to report me to the IC advisory panel on compliance with baseline practices. I suspect I'll pick option #3. Supposedly most of our RH5 internally is going away in July, but I'll believe it when I see it.

I don't think we really have significant client exposure to TLS 1.1 and if we do I suspect breaking them would be welcomed by most of our security folks, even if I take the heat for it.

-- Scott
