Skip to content
Snippets Groups Projects
Commit 6baf7814 authored by Jaime Perez's avatar Jaime Perez
Browse files

Blacklist 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' (RSA encryption with...

Blacklist 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' (RSA encryption with PKCS#1 v1.5 padding) by default.
parent 6b8b5b25
No related branches found
No related tags found
No related merge requests found
...@@ -172,6 +172,12 @@ The following SAML 2.0 options are available: ...@@ -172,6 +172,12 @@ The following SAML 2.0 options are available:
: Note that this option can be set for each SP in the [SP-remote metadata](./simplesamlphp-reference-sp-remote). : Note that this option can be set for each SP in the [SP-remote metadata](./simplesamlphp-reference-sp-remote).
: The RSA encryption algorithm with PKCS#1 v1.5 padding is blacklisted by default for security reasons. Any assertions
encrypted with this algorithm will therefore fail to decrypt. You can override this limitation by defining an empty
array in this option (or blacklisting any other algorithms not including that one). However, it is strongly
discouraged to do so. For your own safety, please include the string 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' if
you make use of this option.
`https.certificate` `https.certificate`
: The certificate used by the webserver when handling connections. : The certificate used by the webserver when handling connections.
This certificate will be added to the generated metadata of the IdP, This certificate will be added to the generated metadata of the IdP,
......
...@@ -105,6 +105,12 @@ The following SAML 2.0 options are available: ...@@ -105,6 +105,12 @@ The following SAML 2.0 options are available:
entry in the IdP-remote metadata overrides the option in the entry in the IdP-remote metadata overrides the option in the
[SP configuration](./saml:sp). [SP configuration](./saml:sp).
: The RSA encryption algorithm with PKCS#1 v1.5 padding is blacklisted by default for security reasons. Any assertions
encrypted with this algorithm will therefore fail to decrypt. You can override this limitation by defining an empty
array in this option (or blacklisting any other algorithms not including that one). However, it is strongly
discouraged to do so. For your own safety, please include the string 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' if
you make use of this option.
`nameid.encryption` `nameid.encryption`
: Whether NameIDs sent to this IdP should be encrypted. The default : Whether NameIDs sent to this IdP should be encrypted. The default
value is `FALSE`. value is `FALSE`.
......
...@@ -162,6 +162,12 @@ The following SAML 2.0 options are available: ...@@ -162,6 +162,12 @@ The following SAML 2.0 options are available:
entry in the SP-remote metadata overrides the option in the entry in the SP-remote metadata overrides the option in the
[IdP-hosted metadata](./simplesamlphp-reference-idp-hosted). [IdP-hosted metadata](./simplesamlphp-reference-idp-hosted).
: The RSA encryption algorithm with PKCS#1 v1.5 padding is blacklisted by default for security reasons. Any assertions
encrypted with this algorithm will therefore fail to decrypt. You can override this limitation by defining an empty
array in this option (or blacklisting any other algorithms not including that one). However, it is strongly
discouraged to do so. For your own safety, please include the string 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' if
you make use of this option.
`ForceAuthn` `ForceAuthn`
: Set this `TRUE` to force the user to reauthenticate when the IdP : Set this `TRUE` to force the user to reauthenticate when the IdP
receives authentication requests from this SP. The default is receives authentication requests from this SP. The default is
......
...@@ -316,7 +316,7 @@ class sspmod_saml_Message { ...@@ -316,7 +316,7 @@ class sspmod_saml_Message {
$blacklist = $srcMetadata->getArray('encryption.blacklisted-algorithms', NULL); $blacklist = $srcMetadata->getArray('encryption.blacklisted-algorithms', NULL);
if ($blacklist === NULL) { if ($blacklist === NULL) {
$blacklist = $dstMetadata->getArray('encryption.blacklisted-algorithms', array()); $blacklist = $dstMetadata->getArray('encryption.blacklisted-algorithms', array(XMLSecurityKey::RSA_1_5));
} }
return $blacklist; return $blacklist;
} }
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment