Document that SHA-1 must not be used #242
Conversation
settings_example.php
Outdated
| */ | ||
| // 'certFingerprint' => '', | ||
| // 'certFingerprintAlgorithm' => 'sha1', | ||
| // 'certFingerprintAlgorithm' => 'sha256', |
There was a problem hiding this comment.
the fingerprint is something public, so we don't need to enforce sha256 here
There was a problem hiding this comment.
ok, reverted this change.
| @@ -276,6 +276,25 @@ file, rename and edit it. | |||
| <?php | |||
|
|
|||
| $settings = array ( | |||
| // Security settings that must be set to avoid insecure SHA-1 usage. | |||
There was a problem hiding this comment.
that block where signatureAlgorithm digestAlgorithm are described already appears down...
There was a problem hiding this comment.
Right, but we need that block in the basic settings now. We need parts of the security options here, but the advanced options list all security options. So maybe that duplication is fine?
There was a problem hiding this comment.
Basic settings only contain IdP and SP info, security stuff is on advanced_settings
If you want you can add a new section about the sha1 deprecation info on the README after
https://github.com/onelogin/php-saml#idp-with-multiple-certificates
Something like SHA-1 Deprecation, and explain it why is important
There was a problem hiding this comment.
Good idea, there is already a security warning section about the strict parameter, added SHA1 info there.
Basic settings already contain baseurl and strict so I think it is fine to also include the signature and digest algorithm there?
| // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' | ||
| // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' | ||
| // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512' | ||
| 'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', | ||
| // Insecure options that must not be used (still available for backwards compatibility): |
There was a problem hiding this comment.
maybe add a reference why sha1 is deprecated and its use must be avoided?
There was a problem hiding this comment.
This is covered now in the security warnings section.
|
Can we apply the suggested changes (remove algorithm info from basic settings files (including readme section) so I can merge? |
|
The problem is that the SHA-256 security settings are basic settings now, since you always need to set them to have a secure setup. If we remove it then people will not set it? |
Follow-up to #237 . We cannot change SHA1 as default value in the 2.x version of this library, but we can at least warn new users to use the correct settings.