On 30/04/17 12:02, Mark Thomas wrote:
> On 29/04/17 15:13, George Stanchev wrote:
>> TC 8.5.14 and noticed in the logs the following warning:
>>
>> "The truststoreProvider [AnyCert] does not support the
>> certificateVerificationDepth configuration option"
>>
>> In our case, we're using Shib's AnyCert trust manager to accept any
>> client cert on a particular connector as described here [1]. I
>> noticed that now one can inject the trust manager directly via
>> "trustManagerClassName" so I am planning to go that route to
>> eliminate the warning from the logs. But I looked at
>> JSSEUtils.java#getTrustManagers() and it looks like the warning is
>> emitted for any algorithm other than "PKIX". My question is, what if
>> an algorithm implementation doesn't care about
>> "certificateVerificationDepth"? By setting a different algorithm the
>> user should realize that they are deviating from PKIX and therefore
>> configuration parameters that apply to PKIX (such as
>> "trustMaxCertLength") would not be passed down to the trust manager.
>> Doesn't it make sense to be logged at INFO level?
> 
> I think not.
> 
> What would be better is if the warning was only logged if the attribute
> was explicitly set.

This has been fixed in 8.5.x for 8.5.15 onwards and 9.0.x for 9.0.0.M21
onwards.

Mark

