OpenSSL bug

Peter Schober peter.schober at
Wed Nov 2 18:31:45 UTC 2022

* Spencer Thomas via users <users at> [2022-11-02 19:16]:
> Ok, same question for the SP?

Well, the current issues are reported to be
specific to openssl 3.x for a start. Not sure the Shib SP even runs
with this, yet (or ever)?

Also, the current openssl issues affect certificate validation which
is not used in deployments based on SAMLMetadataIOP[1], though that
assumes knowledge of the code paths of the implementation (which I
don't claim to have).  More to the point, if the Shib SP were affected
by this we'd have seen an announcement via so that's what you'd look
out for wrt any official statements from the project.

Finally, according to the current openssl security advisory "[i]n a
TLS server, this can be triggered if the server requests client
authentication and a malicious client connects." -- but that's another
thing very few SAML SPs will do as they will likely be using SAML for
authentication -- not client certificates -- at the SP end.



