md-distro - Re: [md-distro] Thursday's call
Subject: Metadata Distribution Subcommittee of TAC
- From: Ian Young
- Subject: Re: [md-distro] Thursday's call
- Date: Fri, 25 Oct 2013 11:52:22 +0100
On 24 Oct 2013, at 15:03, "Cantor, Scott" wrote:
> I would certainly not call into question the project's own people, but at
> one time my understanding was their crypto support via PHP came from
> OpenSSL.
Judging from what the developers are saying on the SSP list, that hasn't
changed.
Jaime says this:
> SSP relies on xmlseclibs which in turn relies on OpenSSL for all the
> hashing functions. I don’t think that means we’re back to “it depends”. I
> don’t know how recently OpenSSL incorporated support for the SHA-2 family of
> algorithms, but I don’t expect any system running SSP 1.11 (which is needed
> for SHA-2 support) with PHP 5.3 (which is the minimum version required by
> SSP 1.11, I think), with an OpenSSL version old enough to not support
> SHA-2. It might be possible, yes, but I think it’s really unlikely.
So *if* you can upgrade to SSP 1.11, you will almost certainly get SHA-2
support. However, you may not be able to do so on some platforms, in
particular things like RHEL 4.
Scott again:
> I assume that's not the case from their response, but if it were,
> that clearly isn't complete since support would depend on the OpenSSL
> version.
The SSP developers are obviously looking at things from a rather different
perspective. They don't support systems like RHEL 4 with their current
release *AT ALL*, because of things like the PHP version requirement, so they
don't see an inability to use SHA-2 on such platforms as even being on the
radar.
The ultimate effect of this is that for people running on a platform like
RHEL 4, SSP ends up being in exactly the same position as Shibboleth: you
need to upgrade both the underlying OS as well as the SAML software in order
to get SHA-2 support.
Because the Shibboleth SP has had SHA-2 support for so much longer than SSP
(SSP 1.11 is only from June this year), you *also* need to upgrade to the
latest version of SSP in order to get SHA-2 support on later platforms.
-- Ian
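
The message above places SSP's SHA-2 support in the OpenSSL library underneath PHP, so the platform can be tested at that layer directly. The following is an added example, not part of the original message and not SSP or xmlseclibs code; `sha2_probe()` is a hypothetical name, and the probe says nothing about which SSP or xmlseclibs version is installed.

```php
<?php
// Added example, not SSP or xmlseclibs code. sha2_probe() is a hypothetical name.
// Exercises the PHP OpenSSL extension with SHA-2 digests on a throwaway key.
function sha2_probe(array $algos = array('sha256', 'sha384', 'sha512'))
{
    $report = array(
        'php'     => PHP_VERSION,
        'openssl' => extension_loaded('openssl') ? OPENSSL_VERSION_TEXT : null,
        'algos'   => array(),
    );
    if ($report['openssl'] === null) {
        return $report; // no OpenSSL extension, so nothing can be signed
    }
    $listed = array_map('strtolower', openssl_get_md_methods());
    // Throwaway RSA key generated only for this probe.
    $key = openssl_pkey_new(array(
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ));
    $pub = null;
    if ($key !== false) {
        $details = openssl_pkey_get_details($key);
        $pub = $details['key']; // PEM public key
    }
    $data = 'constructed sample data';
    foreach ($algos as $algo) {
        $sig = '';
        // A listed digest is not proof: sign and verify with it as well.
        $ok = $pub !== null
            && @openssl_sign($data, $sig, $key, $algo)
            && openssl_verify($data, $sig, $pub, $algo) === 1;
        $report['algos'][$algo] = array(
            'digest_listed' => in_array($algo, $listed, true),
            'sign_verify'   => $ok,
        );
    }
    return $report;
}

$report = sha2_probe();
printf("PHP %s, %s\n", $report['php'], $report['openssl'] ?: 'no OpenSSL extension');
foreach ($report['algos'] as $algo => $r) {
    printf("%-6s digest listed: %-3s RSA sign/verify: %s\n", $algo,
        $r['digest_listed'] ? 'yes' : 'no', $r['sign_verify'] ? 'ok' : 'FAILED');
}
```

Run it with the same PHP binary the web server uses, since the command-line PHP may be linked against a different OpenSSL.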