https://bz.apache.org/bugzilla/show_bug.cgi?id=67628

--- Comment #10 from Markus Schlegel <sch...@gmail.com> ---
We are also facing this strange log entry since we upgraded Tomcat recently.
I have read through this issue's description and comments, but the changed text
in 8.5.96 alone does not help in my opinion. I really had to debug and read
through the respective code sections in order to get an understanding of this
log statement.
Now I understand the reasoning behind it, but I still have a problem with that.
Let me explain why.
We have been configuring our (embedded) Tomcat's SSL for years with the
following code:

...
Connector sslConnector = new Connector("org.apache.coyote.http11.Http11Nio2Protocol");
sslConnector.setPort(sslPort);
sslConnector.setSecure(true);
sslConnector.setScheme("https");
sslConnector.setProperty("ciphers", "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:-DH:+ECDH");
sslConnector.setProperty("sslEnabledProtocols", "TLSv1.2");
sslConnector.setProperty("useServerCipherSuiteOrder", "true");
...

We explicitly set the ciphers configuration since the default config which
comes with Tomcat still includes the (normal) Diffie-Hellman ciphers which are
considered to be insecure (but not the ECDH ones!).
There is still nothing wrong with that config as far as I could understand.
Nevertheless, there is now a warning in the logfile which we CAN'T TURN OFF
since we use our custom ciphers configuration, which leads to "warnOnSkip" being
set to true.
Those skipped ciphers are of no interest to us or our customers since they
appear only because Tomcat - as of my understanding - uses the cipher set from
OpenSSL to build the complete list of theoretically available ciphers.

It would help us with explaining this to the customers if the log statement
were logged on level "debug" rather than as a "warning", or if we had a way
to turn off logging it.

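A small check, added here as an example and not part of the bug report or of Tomcat's own code, that uses Tomcat's cipher parser to list which suites of the expression above the running JVM cannot negotiate (the ones the skip warning reports), and then hands the connector only the usable suites as explicit JSSE names so the warning has nothing left to list. It assumes tomcat-embed-core on the classpath and that OpenSSLCipherConfigurationParser.parseExpression(String) returns the expanded JSSE names; port 8443 is a placeholder.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;

public class CipherSkipCheck {
    // The OpenSSL-style expression from the comment above.
    static final String CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:-DH:+ECDH";

    // Expand the expression to JSSE suite names with Tomcat's own parser
    // (assumed signature: parseExpression(String) -> List<String>).
    static List<String> expand(String expression) {
        return OpenSSLCipherConfigurationParser.parseExpression(expression);
    }

    // Suites the running JVM's default SSLContext can actually negotiate.
    static Set<String> jvmSupported() throws Exception {
        return new HashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
    }

    // Suites in the expansion that the JVM does not know: these are the
    // ones the "not supported by the SSL engine" warning lists.
    static List<String> skipped(List<String> expanded, Set<String> supported) {
        List<String> out = new ArrayList<>(expanded);
        out.removeAll(supported);
        return out;
    }

    public static void main(String[] args) throws Exception {
        List<String> expanded = expand(CIPHERS);
        Set<String> supported = jvmSupported();
        System.out.println("Would be skipped: " + skipped(expanded, supported));

        // Hand Tomcat only the suites this JVM supports, as explicit JSSE
        // names, so there is nothing left for the skip warning to report.
        List<String> usable = new ArrayList<>(expanded);
        usable.retainAll(supported);
        Connector sslConnector = new Connector("org.apache.coyote.http11.Http11Nio2Protocol");
        sslConnector.setPort(8443); // placeholder port
        sslConnector.setSecure(true);
        sslConnector.setScheme("https");
        sslConnector.setProperty("sslEnabledProtocols", "TLSv1.2");
        sslConnector.setProperty("useServerCipherSuiteOrder", "true");
        sslConnector.setProperty("ciphers", String.join(",", usable));
    }
}
```

Tomcat documents the ciphers attribute as accepting either an OpenSSL cipher string or a comma-separated list of JSSE names, which is what the last line relies on.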
