Hi Stephen
I don't think that will be a problem, in the UK federation at least. None of the algorithms that are flagged at INFO level are the default ones that the v3 Shibboleth IdP uses [1]. And none of the UK federation-registered SPs which contain algorithm agility metadata to override those defaults specify that they support any of the RIPEMD-160 algorithms.
However, it's typically only the later versions of the Shibboleth SP that advertise which security algorithms they support, but I reckon that we on the UK federation support team would have heard if a federated SP was built on older libraries and only supported the RIPEMD-160 algorithms.
Hope that helps,
Alex
[1] Default security algorithms listed on the Shibboleth v3 Security Configuration page
https://wiki.shibboleth.net/confluence/display/IDP30/SecurityConfiguration#SecurityConfiguration-Notes
> On 8 Jun 2017, at 15:38, Stephen Lovell <[log in to unmask]> wrote:
>
> Hello all.
>
> We're running up a v3 IdP with Oracle Java 8 and their unlimited policy
> JCE files. We see the following at IdP startup, and wonder if it's
> indicative of a problem?
>
> "idp-process.log":
>
> {someTimestamp} - INFO
> [org.opensaml.xmlsec.algorithm.AlgorithmRegistry:206] - Algorithm failed
> runtime support check, will not be usable:
> http://www.w3.org/2001/04/xmlenc#ripemd160
>
> {someTimestamp} - INFO
> [org.opensaml.xmlsec.algorithm.AlgorithmRegistry:206] - Algorithm failed
> runtime support check, will not be usable:
> http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160
>
> {someTimestamp} - INFO
> [org.opensaml.xmlsec.algorithm.AlgorithmRegistry:206] - Algorithm failed
> runtime support check, will not be usable:
> http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160
>
> I've searched wiki.shibboleth.net, used the 6-letter-search-engine *and*
> looked in the Shib source cloned from git for some Clue, but can't find
> out if we've hit a problem or not.
>
> Thanks in advance,
>
> Stephen
> --
> Stephen Lovell
> University of Cambridge
>
—
Alex Stuart
UK federation support team
[log in to unmask]
|