Skip to content

Commit 5e2dc90

Browse files
pitbulkpitbulk
committed
Document that SHA-1 must not be used
1 parent b121cbd commit 5e2dc90

2 files changed

Lines changed: 9 additions & 3 deletions

File tree

README.md

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -130,8 +130,10 @@ start, for example to use the static method getSelfURLNoQuery use:
130130
Security warning
131131
----------------
132132

133-
In production, the `strict` parameter **MUST** be set as `"true"`. Otherwise
134-
your environment is not secure and will be exposed to attacks.
133+
In production, the `strict` parameter **MUST** be set as `"true"` and the
134+
`signatureAlgorithm` and `digestAlgorithm` under `security` must be set to
135+
something other than SHA1 (see https://shattered.io/ ). Otherwise your
136+
environment is not secure and will be exposed to attacks.
135137

136138

137139
Getting started
@@ -462,13 +464,15 @@ $advancedSettings = array (
462464
// 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
463465
// 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
464466
// 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
467+
// Notice that rsa-sha1 is a deprecated algorithm and should not be used
465468
'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
466469

467470
// Algorithm that the toolkit will use on digest process. Options:
468471
// 'http://www.w3.org/2000/09/xmldsig#sha1'
469472
// 'http://www.w3.org/2001/04/xmlenc#sha256'
470473
// 'http://www.w3.org/2001/04/xmldsig-more#sha384'
471474
// 'http://www.w3.org/2001/04/xmlenc#sha512'
475+
// Notice that sha1 is a deprecated algorithm and should not be used
472476
'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256',
473477

474478
// ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses

advanced_settings_example.php

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
$advancedSettings = array (
44

5-
// Compression settings
5+
// Compression settings
66
// Handle if the getRequest/getResponse methods will return the Request/Response deflated.
77
// But if we provide a $deflate boolean parameter to the getRequest or getResponse
88
// method it will have priority over the compression settings.
@@ -87,13 +87,15 @@
8787
// 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
8888
// 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
8989
// 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
90+
// Notice that rsa-sha1 is a deprecated algorithm and should not be used
9091
'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
9192

9293
// Algorithm that the toolkit will use on digest process. Options:
9394
// 'http://www.w3.org/2000/09/xmldsig#sha1'
9495
// 'http://www.w3.org/2001/04/xmlenc#sha256'
9596
// 'http://www.w3.org/2001/04/xmldsig-more#sha384'
9697
// 'http://www.w3.org/2001/04/xmlenc#sha512'
98+
// Notice that sha1 is a deprecated algorithm and should not be used
9799
'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256',
98100

99101
// ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses

0 commit comments

Comments
 (0)