https://bz.apache.org/bugzilla/show_bug.cgi?id=67628
--- Comment #11 from Michael Osipov <micha...@apache.org> ---
(In reply to Markus Schlegel from comment #10)
> We are also facing this strange log entry since we upgraded Tomcat recently.
> I have read through this issue's description and comments, but the changed
> text in 8.5.96 alone does not help in my opinion. I really was required to
> debug and read through the respective code sections in order to get an
> understanding of this log statement.
> Now I understand the reasoning behind it, but I still have a problem with
> that. Let me explain why.
> We have been configuring our (embedded) Tomcat's SSL for years with the
> following code:
>
> ...
> Connector sslConnector = new Connector("org.apache.coyote.http11.Http11Nio2Protocol");
> sslConnector.setPort(sslPort);
> sslConnector.setSecure(true);
> sslConnector.setScheme("https");
> sslConnector.setProperty("ciphers", "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:-DH:+ECDH");
> sslConnector.setProperty("sslEnabledProtocols", "TLSv1.2");
> sslConnector.setProperty("useServerCipherSuiteOrder", "true");
> ...
>
> We explicitly set the ciphers configuration since the default config which
> comes with Tomcat still includes the (normal) Diffie-Hellman ciphers which
> are considered to be insecure (but not the ECDH's!).
> There is still nothing wrong with that config as far as I could understand.
> Nevertheless, there is now a warning in the logfile which we CAN'T TURN OFF
> since we use our custom ciphers configuration, which leads to "warnOnSkip"
> being set to true.
> Those skipped ciphers are of no interest for us or our customers since they
> appear only because Tomcat - to my understanding - uses the ciphers-set
> from OpenSSL to build the complete list of theoretically available ciphers.
>
> It would help us with explaining this to the customers if the log statement
> would be logged on level "debug" rather than as a "warning" or if we had a
> way to turn off logging it.

I have raised more or less the same concern and how it can be solved...