OpenSSL bug
Peter Schober
peter.schober at univie.ac.at
Wed Nov 2 18:31:45 UTC 2022
* Spencer Thomas via users <users at shibboleth.net> [2022-11-02 19:16]:
> Ok, same question for the SP?
Well, the current issues
https://www.openssl.org/news/secadv/20221101.txt are reported to be
specific to openssl 3.x for a start. Not sure the Shib SP even runs
with this, yet (or ever)?
Also, the current openssl issues affect certificate validation which
is not used in deployments based on SAMLMetadataIOP[1], though that
assumes knowledge of the code paths of the implementation (which I
don't claim to have). More to the point, if the Shib SP were affected
by this we'd have seen an announcement via
https://shibboleth.net/pipermail/announce/ so that's what you'd look
out for wrt any official statements from the project.
Finally, according to the current openssl security advisory "[i]n a
TLS server, this can be triggered if the server requests client
authentication and a malicious client connects." -- but that's another
thing very few SAML SPs will do as they will likely be using SAML for
authentication -- not client certificates -- at the SP end.
Best,
-peter
[1] https://wiki.oasis-open.org/security/SAML2MetadataIOP
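A triage check for the two conditions the reply names (OpenSSL 3.x in use, and the TLS server requesting client certificates), as an added shell example that is not from the post or from the Shibboleth project; the binary and config paths in the comments are assumptions and the sample inputs are constructed:

```shell
#!/bin/sh
# Classifies constructed inputs against the two conditions from the advisory
# as summarised in the post: the issues are reported for OpenSSL 3.x, and the
# server-side trigger needs the server to request client authentication.

# Return 0 if an "openssl version"-style string names a 3.x release.
# Example input: "OpenSSL 3.0.5 5 Jul 2022"
is_openssl_3x() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    case "$ver" in
        3.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 if an httpd config snippet requests client certificates
# (an uncommented SSLVerifyClient set to anything other than "none").
requests_client_auth() {
    printf '%s\n' "$1" \
      | grep -v '^[[:space:]]*#' \
      | grep -Eiq '^[[:space:]]*SSLVerifyClient[[:space:]]+(require|optional|optional_no_ca)([[:space:]]|$)'
}

# Combine both checks into a one-line verdict.
sp_exposure() {
    if is_openssl_3x "$1"; then
        if requests_client_auth "$2"; then
            echo "review: OpenSSL 3.x and server requests client certs"
        else
            echo "low: OpenSSL 3.x but no client-cert request in config"
        fi
    else
        echo "not-3.x: advisory reported for OpenSSL 3.x only"
    fi
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_VER_3="OpenSSL 3.0.5 5 Jul 2022"
SAMPLE_VER_1="OpenSSL 1.1.1q  5 Jul 2022"
SAMPLE_CONF_CLIENT="SSLEngine on
SSLVerifyClient require"
SAMPLE_CONF_NONE="SSLEngine on
# SSLVerifyClient require
SSLVerifyClient none"

# On a real SP host the inputs would come from commands such as these
# (paths are assumptions for a typical Linux install):
#   ldd /usr/sbin/shibd | grep libssl      # which libssl shibd links against
#   openssl version                        # version string to feed is_openssl_3x
#   cat /etc/httpd/conf.d/ssl.conf         # config text to feed requests_client_auth
```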