TC 8.5.14 and noticed in the logs the following warning:

"The truststoreProvider [AnyCert] does not support the 
certificateVerificationDepth configuration option"

In our case, we're using Shib's AnyCert trust manager to accept any client cert 
on a particular connector as described here [1]. I noticed that now one can 
inject the trust manager directly via "trustManagerClassName" so I am planning 
to go that route to eliminate the warning from the logs. But I looked at 
JSSEUtils.java#getTrustManagers() and it looks like the warning is emitted for 
any algorithm other than "PKIX". My question is, what if an algorithm 
implementation doesn't care about "certificateVerificationDepth"? By setting a 
different algorithm, the user should realize that they are deviating from PKIX 
and therefore configuration parameters that apply to PKIX (such as 
"trustMaxCertLength") would not be passed down to the trust manager. Doesn't it 
make sense for this to be logged at INFO level?

George


[1] https://wiki.shibboleth.net/confluence/display/SHIB/TomcatClientCertAuthN
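The following is an added illustration, not code from the original post or from Tomcat, of why the depth setting only has meaning for the PKIX algorithm: the limit travels inside PKIXBuilderParameters, and a non-PKIX TrustManagerFactory can only be initialised with a bare KeyStore. The class name, the warning text and the truststore path are assumptions for the demo.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathTrustManagerParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical demo class; it mirrors the rule discussed above, not Tomcat's JSSEUtils.
public class TrustManagerDepthDemo {

    // Builds trust managers for the given algorithm. Only PKIX has a parameter
    // object that can carry a maximum chain depth (what certificateVerificationDepth
    // / trustMaxCertLength configure); any other algorithm silently ignores it.
    static TrustManager[] build(KeyStore trustStore, String algorithm, int depth)
            throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
        if ("PKIX".equalsIgnoreCase(algorithm)) {
            PKIXBuilderParameters params =
                    new PKIXBuilderParameters(trustStore, new X509CertSelector());
            params.setMaxPathLength(depth);       // the depth limit is enforced here
            params.setRevocationEnabled(false);   // demo only: no CRL/OCSP lookups
            tmf.init(new CertPathTrustManagerParameters(params));
        } else {
            // SunX509 or a provider-specific algorithm: the factory accepts only a
            // KeyStore, so there is nowhere to hand over the depth value.
            System.out.println("WARN (demo): algorithm " + algorithm
                    + " ignores certificateVerificationDepth=" + depth);
            tmf.init(trustStore);
        }
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: path to a JKS truststore and its password.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        System.out.println("PKIX managers:    " + build(ks, "PKIX", 3).length);
        System.out.println("SunX509 managers: " + build(ks, "SunX509", 3).length);
    }
}
```

Run it once with each algorithm to see that only the non-PKIX branch prints the warning, which is the situation the post describes.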