SSPCPP-641 - add ability to set SOAP cipher suites
authorScott Cantor <cantor.2@osu.edu>
Thu, 12 May 2016 23:44:48 +0000 (19:44 -0400)
committerScott Cantor <cantor.2@osu.edu>
Thu, 12 May 2016 23:44:48 +0000 (19:44 -0400)
https://issues.shibboleth.net/jira/browse/SSPCPP-641

schemas/shibboleth-2.0-native-sp-config.xsd
shibboleth.spec.in
shibsp/binding/impl/SOAPClient.cpp

index 7095253..046dd66 100644 (file)
     <attribute name="chunkedEncoding" type="boolean"/>
     <attribute name="connectTimeout" type="unsignedShort"/>
     <attribute name="timeout" type="unsignedShort"/>
+    <attribute name="cipherSuites" type="string"/>
     <attribute name="requireConfidentiality" type="boolean"/>
     <attribute name="requireTransportAuth" type="boolean"/>
     <attribute name="requireSignedAssertions" type="boolean"/>
index fef3ece..29b8249 100644 (file)
@@ -11,9 +11,9 @@ BuildRoot:    %{_tmppath}/%{name}-sp-%{version}-root
 Obsoletes:     shibboleth-sp = 2.5.0
 Requires:      openssl
 %if 0%{?rhel} >= 6 || 0%{?centos_version} >= 600 || 0%{?amzn} >= 1
-PreReq:                xmltooling-schemas%{?_isa} >= 1.5.5, opensaml-schemas%{?_isa} >= 2.6.0
+PreReq:                xmltooling-schemas%{?_isa} >= 1.6.0, opensaml-schemas%{?_isa} >= 2.6.0
 %else
-PreReq:                xmltooling-schemas >= 1.5.5, opensaml-schemas >= 2.6.0
+PreReq:                xmltooling-schemas >= 1.6.0, opensaml-schemas >= 2.6.0
 %endif
 %if 0%{?suse_version} > 1030 && 0%{?suse_version} < 1130
 PreReq:                %{insserv_prereq} %{fillup_prereq}
@@ -27,7 +27,7 @@ BuildRequires:        libxerces-c-devel >= 3.1
 %endif
 %endif
 BuildRequires: libxml-security-c-devel >= 1.7.3
-BuildRequires: libxmltooling-devel >= 1.5.5
+BuildRequires: libxmltooling-devel >= 1.6.0
 BuildRequires: libsaml-devel >= 2.6.0
 %{?_with_log4cpp:BuildRequires: liblog4cpp-devel >= 1.0}
 %{!?_with_log4cpp:BuildRequires: liblog4shib-devel >= 1.0.4}
@@ -95,7 +95,7 @@ Requires:     xerces-c-devel >= 3.1
 Requires:      libxerces-c-devel >= 3.1
 %endif
 Requires:      libxml-security-c-devel >= 1.7.3
-Requires:      libxmltooling-devel >= 1.5.5
+Requires:      libxmltooling-devel >= 1.6.0
 Requires:      libsaml-devel >= 2.6.0
 %{?_with_log4cpp:Requires: liblog4cpp-devel >= 1.0}
 %{!?_with_log4cpp:Requires: liblog4shib-devel >= 1.0.4}
index 46d7fe6..bbc214a 100644 (file)
@@ -38,6 +38,7 @@
 #include <xmltooling/signature/Signature.h>
 #include <xmltooling/soap/SOAP.h>
 #include <xmltooling/soap/HTTPSOAPTransport.h>
+#include <xmltooling/soap/OpenSSLSOAPTransport.h>
 #include <xmltooling/util/NDC.h>
 
 using namespace shibsp;
@@ -219,6 +220,14 @@ void SOAPClient::prepareTransport(SOAPTransport& transport)
         http->useChunkedEncoding(flag.first && flag.second);
         http->setRequestHeader(PACKAGE_NAME, PACKAGE_VERSION);
     }
+
+    OpenSSLSOAPTransport* openssl = dynamic_cast<OpenSSLSOAPTransport*>(&transport);
+    if (openssl) {
+        pair<bool, const char*> ciphers = m_relyingParty->getString("cipherSuites");
+        if (ciphers.first) {
+            openssl->setCipherSuites(ciphers.second);
+        }
+    }
 }
 
 void SOAPClient::reset()
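Review bot: A configured `cipherSuites` value is dropped without any signal when the `dynamic_cast<OpenSSLSOAPTransport*>(&transport)` in the added block yields null, so a deployer who restricted the cipher list would get a connection negotiated with the transport's defaults and nothing in the log to say so. Reading the property before the cast and handling the `ciphers.first && !openssl` case with at least a warning, or by refusing to use the transport, would make the restriction fail closed rather than open. The result of `openssl->setCipherSuites(ciphers.second)` is also discarded; its declaration is not visible here, but if it reports a rejected or unparsable list through its return value, that should be checked and treated as an error rather than falling back to defaults. An empty attribute value appears to be passed straight through as well, and a comment stating that the string is handed to the TLS library unvalidated would help the next reader. `prepareTransport` begins above this hunk, so how its other settings handle failure cannot be compared from here.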