TC 8.5.14 and noticed in the logs the following warning: "The truststoreProvider [AnyCert] does not support the certificateVerificationDepth configuration option"
In our case, we're using Shib's AnyCert trust manager to accept any client cert on a particular connector, as described here [1]. I noticed that now one can inject the trust manager directly via "trustManagerClassName", so I am planning to go that route to eliminate the warning from the logs.

But I looked at JSSEUtils.java#getTrustManagers() and it looks like the warning is emitted for any algorithm other than "PKIX". My question is, what if an algorithm implementation doesn't care about "certificateVerificationDepth"? By setting a different algorithm, the user should realize that they are deviating from PKIX and therefore configuration parameters that apply to PKIX (such as "trustMaxCertLength") would not be passed down to the trust manager. Doesn't it make sense for this to be logged at INFO level?

George

[1] https://wiki.shibboleth.net/confluence/display/SHIB/TomcatClientCertAuthN