
List:       shibboleth-users
Subject:    Re: IdP v4.0.1 issues with CBC relying-party overrides and SPs with cipher-suite metadata
From:       "Cantor, Scott" <cantor.2 () osu ! edu>
Date:       2020-11-12 18:27:52
Message-ID: BB60F09F-FFAE-4AC2-B1C1-305A08C25A30 () osu ! edu

On 11/12/20, 1:11 PM, "users on behalf of Alan Buxey via users" <users-bounces@shibboleth.net on behalf of users@shibboleth.net> wrote:

> this is because IdP 4.x uses GCM by default whereas 3.x and earlier used CBC by
> default, yes? So whilst saying it can do GCM in metadata (probably the metadata
> generated from a previous Shib instance they ran) is bad....there are those SPs out
> there that can't/(won't?) do GCM that will require an exception list defining :/

If you choose to maintain the default, then one way or the other, you need an
exception list or metadata signaling. The same is true if you don't maintain the
default but do want to allow GCM when it's supported.

-- Scott

