LinuxRH6

Created by Rod Widdowson
Last updated: Nov 19, 2021 by Scott Cantor

The SP is compatible with Red Hat and CentOS 6 and 7, but if the OS-supplied version of libcurl is used then various features that may or may not be crucial to your deployment won't function correctly. Red Hat imprudently rebuilt many packages on top of the Netscape Security Services stack (NSS) instead of OpenSSL, including curl.

It's a bad idea for all kinds of reasons, but for the SP this is a breaking change because curl does not have the same feature set when used with NSS, and one of the features it loses is required by the SP for basic operation in some deployments, though this is becoming more rare. Specifically, if your SP requires the use of back-channel SOAP communication with IdP (this describes most scenarios involving legacy SAML 1.1 IdPs and attribute queries, or use of the artifact profile/binding), it won't function without the workaround noted below or other alterations such as enabling message signing.

The Service Provider package set includes a curl-openssl package that installs to /opt/shibboleth and does not overwrite or interfere with the OS-supplied version. It is also based on a more recent version of libcurl and is kept updated as relevant curl security updates are released.

On affected platforms (RH6/7, CentOS 6/7, etc.), the shibboleth packages now depend on this look-aside package and ensure its installation in the normal fashion. The /etc/sysconfig/shibd script in v6 and /etc/systemd/system/multi-user.target.wants/shibd.service in v7(due to the Linux distributions moving from init to systemd) installed for you will also include a LD_LIBRARY_PATH variable that directs the shibd process to load the alternative version of libcurl.so instead of the normal one.

The new package set should not require any special adjustments to your OS upgrade stream, and the lookaside package will not impact any other software unless you manually set the same LD_LIBRARY_PATH variable in the invoking shell.

Note also that some of the utilities accompanying the SP, such as the resolvertest program, may not function properly without the same variable being set, but there is no shell script provided for you to set this; you'll have to do this by hand.

Finally, RHEL/CentOS 8 have reverted this change, demonstrating that it was a mistake to begin with, so the workaround is not applied there.