Turn warning about no signature verification into an error #866

Open
wants to merge 3 commits into
base: master

Commits on Aug 8, 2022

  1. Turn not verifying any signature into an error

    Not checking any signature is completely insecure and we'd want to
    go through great lengths to avoid this. Just logging a warning does
    not suffice, since will read logs when it doesn't work, but it does.
    thijskh committed Aug 8, 2022
    3ab4d4e
  2. Default want_assertions_or_response_signed to True

    Given that the other signature verification options want_assertions_signed
    and want_response_signed will overrule this setting, defaulting it to true
    does not impact any configuration that has one of those settings. It does
    however catch the situation where someone has disabled response signature
    checking. This prevents that user from landing on an error about an
    insecure config, and rather employs this reasonable fallback scenario.
    thijskh committed Aug 8, 2022
    8c2f880

Commits on Aug 12, 2022

  1. Reordering the phrases to put emphasis on insecure.Update src/saml2/c…

    …lient_base.py
    
    Co-authored-by: Ivan Kanakarakis <[email protected]>
    thijskh and c00kiemon5ter authored Aug 12, 2022
    2218697
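
The behaviour the first two commit messages describe, as an added example that is not pysaml2 code and not part of this pull request. The three option names come from the commit messages; the function names, the exception class, and the treatment of an unset `want_assertions_signed` or `want_response_signed` as off are assumptions of this sketch.

```python
# Added illustration, not pysaml2 code. Function and class names are hypothetical.

class InsecureConfigError(Exception):
    """Raised when a configuration would verify no signature at all."""


def effective_policy(sp_config):
    """Resolve the three signature options from a plain dict of settings."""
    policy = {
        # Assumption of this sketch: an unset option here counts as off.
        "want_assertions_signed": bool(sp_config.get("want_assertions_signed", False)),
        "want_response_signed": bool(sp_config.get("want_response_signed", False)),
        # Second commit: this option defaults to True.
        "want_assertions_or_response_signed": bool(
            sp_config.get("want_assertions_or_response_signed", True)
        ),
    }
    # First commit: verifying nothing is an error, not a logged warning.
    if not any(policy.values()):
        raise InsecureConfigError("insecure: no signature verification is configured")
    return policy


def accept(policy, response_signed, assertion_signed):
    """Return True if a message with these verified signatures meets the policy."""
    # The two specific options are stricter than the fallback, so a config
    # that sets either one behaves the same whatever the fallback's value is.
    if policy["want_response_signed"] and not response_signed:
        return False
    if policy["want_assertions_signed"] and not assertion_signed:
        return False
    if policy["want_assertions_or_response_signed"]:
        return response_signed or assertion_signed
    return True


if __name__ == "__main__":
    # Constructed config: response signature checking switched off, nothing else set.
    policy = effective_policy({"want_response_signed": False})
    print(policy)
    print("unsigned message accepted:", accept(policy, False, False))
    print("signed assertion accepted:", accept(policy, False, True))
```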