Add warning about the use of fingerprint on signature verification method

pitbulk · pitbulk · commit 6193f55d359f · 2018-03-07T14:54:59.000+01:00
diff --git a/README.md b/README.md
@@ -135,6 +135,7 @@ In production, the `strict` parameter **MUST** be set as `"true"` and the
 something other than SHA1 (see https://shattered.io/ ). Otherwise your
 environment is not secure and will be exposed to attacks.
 
+In production also we highly recommended to register on the settings the IdP certificate instead of using the fingerprint method. The fingerprint, is a hash, so at the end is open to a collision attack that can end on a siganture validation bypass. Other SAML toolkits deprecated that mechanism, we maintain it for compatibility and also to be used on test environment.
 
 Getting started
 ---------------
@@ -345,7 +346,8 @@ $settings = array (
         'x509cert' => '',
         /*
          *  Instead of use the whole x509cert you can use a fingerprint in order to
-         *  validate a SAMLResponse.
+         *  validate a SAMLResponse, but we don't recommend to use that
+         *  method on production since is exploitable by a collision attack.
          *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
          *   or add for example the -sha256 , -sha384 or -sha512 parameter)
          *
diff --git a/settings_example.php b/settings_example.php
@@ -101,7 +101,10 @@
         // Public x509 certificate of the IdP
         'x509cert' => '',
         /*
-         *  Instead of use the whole x509cert you can use a fingerprint
+         *  Instead of use the whole x509cert you can use a fingerprint in
+         *  order to validate the SAMLResponse, but we don't recommend to use
+         *  that method on production since is exploitable by a collision
+         *  attack.
          *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
          *   or add for example the -sha256 , -sha384 or -sha512 parameter)
          *
