https://bz.apache.org/bugzilla/show_bug.cgi?id=67628

--- Comment #11 from Michael Osipov <micha...@apache.org> ---
(In reply to Markus Schlegel from comment #10)
> We are also facing this strange log entry since we upgraded Tomcat recently.
> I have read through this issue's description and comments, but the changed
> text in 8.5.96 alone does not help in my opinion. I was really required to debug
> and read through the respective code sections in order to get an
> understanding of this log statement. 
> Now I understand the reasoning behind it, but I still have a problem with
> that. Let me explain why.
> We have been configuring our (embedded) Tomcat's SSL for years with the
> following code:
> 
> ...
> Connector sslConnector = new
> Connector("org.apache.coyote.http11.Http11Nio2Protocol");
> sslConnector.setPort(sslPort);
> sslConnector.setSecure(true);
> sslConnector.setScheme("https");
> sslConnector.setProperty("ciphers",
> "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:-DH:+ECDH");
> sslConnector.setProperty("sslEnabledProtocols", "TLSv1.2");
> sslConnector.setProperty("useServerCipherSuiteOrder", "true");
> ...
> 
> We explicitly set the ciphers configuration since the default config which
> comes with Tomcat still includes the (normal) Diffie-Hellman ciphers which
> are considered to be insecure (but not the ECDH's!). 
> There is still nothing wrong with that config as far as I could understand.
> Nevertheless, there is now a warning in the logfile which we CAN'T TURN OFF
> since we use our custom ciphers configuration, which leads to "warnOnSkip" being
> set to true.
> Those skipped ciphers are of no interest for us or our customers since they
> appear only because Tomcat - to my understanding - uses the ciphers-set
> from OpenSSL to build the complete list of theoretically available ciphers. 
> 
> It would help us with explaining this to the customers if the log statement
> would be logged on level "debug" rather than as a "warning" or if we had a
> way to turn off logging it.

I have raised more or less the same concern and how it can be solved...

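
To see which suites such a warning concerns on a given JVM, the following added example (not part of the thread and not Tomcat's own code) expands the ciphers expression quoted above with Tomcat's `OpenSSLCipherConfigurationParser` and compares the result with the suites the JVM implements. It assumes a Tomcat jar containing that class is on the classpath; the class name `SkippedCipherCheck` is made up for illustration, and the comparison approximates Tomcat's check rather than reproducing it.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;

// Hypothetical helper: lists configured suites the JVM can and cannot provide.
public class SkippedCipherCheck {

    // Values copied from the connector configuration quoted in the thread.
    static final String EXPRESSION =
            "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:-DH:+ECDH";
    static final String PROTOCOL = "TLSv1.2";

    public static void main(String[] args) throws Exception {
        // Expand the OpenSSL-style expression into JSSE cipher suite names.
        List<String> configured =
                OpenSSLCipherConfigurationParser.parseExpression(EXPRESSION);

        // Ask the JVM's default provider which suites it implements.
        SSLContext ctx = SSLContext.getInstance(PROTOCOL);
        ctx.init(null, null, null);
        Set<String> implemented = new HashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));

        List<String> enabled = new ArrayList<>();
        List<String> skipped = new ArrayList<>();
        for (String suite : configured) {
            (implemented.contains(suite) ? enabled : skipped).add(suite);
        }

        // Suites that can actually be negotiated, in configured order.
        System.out.println("Usable on this JVM (" + enabled.size() + "):");
        for (String suite : enabled) {
            // Flag key exchanges the configuration was meant to exclude.
            boolean unwanted = suite.startsWith("TLS_DHE_")
                    || suite.startsWith("TLS_RSA_");
            System.out.println("  " + suite + (unwanted ? "   <-- review" : ""));
        }

        // Suites the expression names but the JVM does not implement.
        System.out.println("Not implemented by this JVM (" + skipped.size() + "):");
        for (String suite : skipped) {
            System.out.println("  " + suite);
        }
    }
}
```

Run it on the same JVM and with the same security providers as the deployed Tomcat, since the implemented set depends on both.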