Question about service provider

Question about service provider

Yaroslav Nakonechnikov
Hello,

A few years ago it was asked about TLS support for memcached.

Now, memcached supports it: https://github.com/memcached/memcached/wiki/TLS
So, I would like to know - what client version library is used in new Shibboleth-sp? Does it support TLS connection to memcached?

--
Yaroslav

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: Question about service provider

Cantor, Scott E.
On 12/11/19, 8:26 AM, "users on behalf of Yaroslav Nakonechnikov" <[hidden email] on behalf of [hidden email]> wrote:

> so, I would like to know - what client version library is used in new Shibboleth-sp? Does it support TLS connection to
> memcached?

The libraries used are whatever people build it with, and the only one we have any exposure to as a project is whatever Red Hat has included, I think it was called libmemcache. And I believe they no longer include it on RH8.

I doubt it would allow TLS without additional configuration we don't expose (and if it did you shouldn't trust it), unless it has some way to control trust material based on environment or OS level configuration.

As a project, there's really de facto no support for this at this point, and I regretted ever including it due to the lack of ownership of that code by anybody working directly with the project. I should have moved it into the unsupported state for 3.0 officially as "provided as-is but not supported".

-- Scott


Re: Question about service provider

Yaroslav Nakonechnikov
OK, thanks!

So, for now - there is no information, and no one is interested.
Why I'm asking: because our SOC team members are forcing us to move to encrypted channels, even on a private AWS VPC.

--
Yaroslav

Re: Question about service provider

Cantor, Scott E.
On 12/12/19, 3:24 AM, "users on behalf of Yaroslav Nakonechnikov" <[hidden email] on behalf of [hidden email]> wrote:

> so, for now - there is no information, and no one is interested.

It's not a question of interest, I don't know memcache and don't have enough exposure to it to properly support or enhance the code. If somebody else does, they're welcome to volunteer. If members want and need it, then we would have to make an effort to locate resources to pay to address it.

The cookie session feature is generally a better solution for most cases, though it does have a bug fix we need to release.
 
-- Scott

