Add warning about the use of fingerprint on signature verification method

pitbulk · pitbulk · commit 2992d885d618 · 2018-03-05T13:08:39.000+01:00
diff --git a/README.md b/README.md
@@ -10,6 +10,8 @@ and supported by OneLogin Inc.
 Warning
 -------
 
+php-saml is not affected by [201803-01](https://simplesamlphp.org/security/201803-01) 
+
 Update php-saml to 2.10.4, this version includes a security patch related to
 [signature validations on LogoutRequests/LogoutResponses](https://github.com/onelogin/php-saml/commit/949359f5cad5e1d085c4e5447d9aa8f49a6e82a1)
 
@@ -157,6 +159,7 @@ In production, the `strict` parameter **MUST** be set as `"true"` and the
 something other than SHA1 (see https://shattered.io/ ). Otherwise your
 environment is not secure and will be exposed to attacks.
 
+In production also we highly recommended to register on the settings the IdP certificate instead of using the fingerprint method. The fingerprint, is a hash, so at the end is open to a collision attack that can end on a siganture validation bypass. Other SAML toolkits deprecated that mechanism, we maintain it for compatibility and also to be used on test environment.
 
 Getting started
 ---------------
@@ -379,7 +382,8 @@ $settings = array (
         'x509cert' => '',
         /*
          *  Instead of use the whole x509cert you can use a fingerprint in order to
-         *  validate a SAMLResponse.
+         *  validate a SAMLResponse, but we don't recommend to use that
+         *  method on production since is exploitable by a collision attack.
          *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
          *   or add for example the -sha256 , -sha384 or -sha512 parameter)
          *
diff --git a/settings_example.php b/settings_example.php
@@ -101,7 +101,10 @@
         // Public x509 certificate of the IdP
         'x509cert' => '',
         /*
-         *  Instead of use the whole x509cert you can use a fingerprint
+         *  Instead of use the whole x509cert you can use a fingerprint in
+         *  order to validate the SAMLResponse, but we don't recommend to use
+         *  that method on production since is exploitable by a collision
+         *  attack.
          *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
          *   or add for example the -sha256 , -sha384 or -sha512 parameter)
          *
