-
-
Notifications
You must be signed in to change notification settings - Fork 470
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document that SHA-1 must not be used #242
Conversation
settings_example.php
Outdated
*/ | ||
// 'certFingerprint' => '', | ||
// 'certFingerprintAlgorithm' => 'sha1', | ||
// 'certFingerprintAlgorithm' => 'sha256', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the fingerprint is something public, so we don't need to enforce sha256 here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, reverted this change.
@@ -276,6 +276,25 @@ file, rename and edit it. | |||
<?php | |||
|
|||
$settings = array ( | |||
// Security settings that must be set to avoid insecure SHA-1 usage. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that block where signatureAlgorithm digestAlgorithm are described already appears down...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, but we need that block in the basic settings now. We need parts of the security options here, but the advanced options list all security options. So maybe that duplication is fine?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Basic settings only contain IdP and SP info, security stuff is on advanced_settings
If you want you can add a new section about the sha1 deprecation info on the README after
https://github.com/onelogin/php-saml#idp-with-multiple-certificates
Something like SHA-1 Deprecation, and explain it why is important
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea, there is already a security warning section about the strict parameter, added SHA1 info there.
Basic settings already contain baseurl
and strict
so I think it is fine to also include the signature and digest algorithm there?
// 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' | ||
// 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' | ||
// 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512' | ||
'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', | ||
// Insecure options that must not be used (still available for backwards compatibility): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe add a reference why sha1 is deprecated and its use must be avoided?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is covered now in the security warnings section.
Can we apply the suggested changes (remove algorithm info from basic settings files (including readme section) so I can merge? |
The problem is that the SHA-256 security settings are basic settings now, since you always need to set them to have a secure setup. If we remove it then people will not set it? |
Follow-up to #237 . We cannot change SHA1 as default value in the 2.x version of this library, but we can at least warn new users to use the correct settings.