Shibboleth Developers

[Chad La Joie <>]

Any effect on Shibboleth, we believe, is restricted to indirect issues 
visited upon us by the container itself.  That is, the Shib code itself 
does not seem to do anything that would allow it to be exploited but the 
containers in which the code runs may allow this.  Certainly Apache is 
vulnerable to client-cert auth vulnerabilities and so that, in turn, can 
compromise the attribute query and artifact resolution vulnerable.

Scott and I are currently discussing if there are things we can do 
within the Shib code itself to mitigate any transport layer issues.  In 
general we should be able to use message level security options that 
have been available in Shib 2 since its initial release in place of 
transport layer security.  A small bug, now fixed in SVN, showed in the 
SP during our testing but otherwise  the actual idea seemed to work 
fine.  As a happy side-effect this would, in theory, also mean that a 
separate back channel port wouldn't be needed to do things like 
attribute queries (but at the cost of extra compute cycles spent on 
doing XML crypto operations).

Lukas Haemmerle wrote:
> I just read about the OpenSSL Renegotiation issue and were wondering
> whether this affects the Shibboleth SP. In particular, if X.509
> clientAuth is enabled on a directory/location basis and not for the
> whole VirtualHost, renegotiation is used if I remember correctly.
> So, this could affect some installations if they upgrade their openssl
> version whose default then is set to not use renegotiation.
>
> Infos:
> http://openssl.org/news/secadv_20091111.txt
> http://isc.sans.org/diary.html?storyid=7543
>
> Cheers
> Lukas

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
 http://www.switch.ch