Thales e-Security - Programmers are strange..

This one can probably be filed under 'do they ever give up?' or 'Can I ever win?'

In my day-job I am working with this Thales cryptographic security module - the nCipher netHSM.

The application normally runs as a daemon on Linux so I didn't notice this message until I started it under the debugger.

Basically it constantly issues this message

2014-11-09 22:59:06 [16458] t00c71fc6ff7f0000: pkcs11-sam: 000008d2 Warning: key is considered weak; set CKNFAST_OVERRIDE_SECURITY_ASSURANCES=weak_des to allow

Now I completely agree with this warning in the sense that I wouldn't use DES for anything security critical either. The thing is we are just using the HSM as a fast asymmetric (RSA) key generator and the quickest way to get the private key off the device (and avoid the key policing woe) is to encrypt it and then decrypt it again. For whatever reason the guy who wrote this chose DES as the algorithm so I get this message.

So I set the environment variable and ran it again. It still keeps spitting out a message but this time it says:

t00c71fc6ff7f0000: pkcs11-sam: 000008d1 Warning: key considered adequate because CKNFAST_OVERRIDE_SECURITY_ASSURANCES=weak_des set

Is there any way to make it actually STFU?