Comment: Corrected misspelling of "renogotiation" in first sentence.

Late last year a flaw was revealed in the TLS/SSL protocol that affects "renegotiation", which is a process for changing the details of a handshake after having connected to a server. One case in which renegotiation comes into play is when a client certificate is presented, or asked for, after initially connecting without one. Either the client or server can ask for this.

...

If no other work-around is available, an SP deployer may be able to re-establish connectivity by disabling TLS client authentication and enabling signing, if the IdP supports this option. This is achieved by creating a <RelyingParty> element for the IdP like so:

<RelyingParty Name="https://affected.idp.org/idp/shibboleth" authType="none" signing="back"/>
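As an added illustration (not configuration from the original page), the fragment below shows where that element sits in a Shibboleth SP 2.x shibboleth2.xml, so the override applies only to the one affected IdP while every other IdP keeps the default TLS client authentication; the entity IDs and key file names are placeholders.

```xml
<!-- Added example; entity IDs and file names are placeholders, not values from the page. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_USER="eppn"
                     signing="false" encryption="false">

  <!-- Sessions, Errors and MetadataProvider elements omitted for brevity. -->

  <!-- Override for the single IdP with which TLS client authentication no longer
       works: skip client authentication on the back channel (authType="none") and
       instead sign the back-channel SOAP messages (signing="back") so the IdP can
       still verify that the request came from this SP. All other IdPs continue to
       use the defaults set on ApplicationDefaults above. -->
  <RelyingParty Name="https://affected-idp.example.org/idp/shibboleth"
                authType="none" signing="back"/>

  <!-- The SP key pair used for signing (and, normally, for TLS client auth). -->
  <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

</ApplicationDefaults>
```

The IdP can only accept the signed requests if the certificate for this key is the one it holds for the SP in its metadata, so check that before relying on the override.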

...