Java: How to fix "ssl_error_no_cypher_overlap" on a Tomcat 7 server?

Note: this page is a Chinese-English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/29449966/

Date: 2020-08-11 08:01:25  Source: igfitidea

How to fix "ssl_error_no_cypher_overlap" on a Tomcat 7 server?

Tags: java, tomcat, ssl

Asked by user3120173

The latest versions of Chrome and Firefox have disabled SSLv3.0 by default, due to the POODLE vulnerability. This leads to the following error when I attempt to open a site I have set up (and which was working fine):


With Chrome:


A secure connection cannot be established because this site uses an unsupported protocol.
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

With Firefox:


Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) 

I have researched this issue with Chrome, Firefox, Tomcat and more Tomcat docs. I understand the problem, but I can't find the documentation to configure Tomcat 7 to use only the TLS ciphers and protocols that are now safe. I'm not sure if I need to create a new cert/keypair, change my server.xml, or install a new version of Tomcat, or what. I'm not even sure what versions of cipher/protocol are now considered "acceptable" by these browsers. Can anyone point me to the docs or an example setup for this?


I'm using OpenJDK 1.7 on Ubuntu 14.04 with Tomcat 7.


Here's my cert file (redacted):


Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: something
Creation date: May 4, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=something, OU=something, O=something, L=something, ST=something, C=something
Issuer: CN=something, OU=something, O=something, L=something, ST=something, C=something
Serial number: ...
Valid from: Sat May 04 17:28:21 MST 2013 until: Tue May 02 17:28:21 MST 2023
Certificate fingerprints:
     MD5:  ...
     SHA1: ...
     SHA256: ...
     Signature algorithm name: SHA1withDSA
     Version: 3

Here's my server.xml entry for HTTPS support:


<Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/path/mykeystore"  
           keystorePass="password"
           clientAuth="false" 
           sslProtocol="TLS"
           sslEnabledProtocols="TLS" />

Accepted answer by user207421

You need to widen sslEnabledProtocols to include TLSv1 & ff., depending on your Java version.


You specify ciphers with the ciphers element of the connector.


Nothing to do with the certificate.


Answer by MrZcxfph

I had the problem on a new installation using Tomcat 8.0.23 and Java 8 build 1.8.0_45. I finally discovered that I had failed to specify the -keyalg RSA option when I created my self-signed certificate with the Java keytool utility. I deleted the old keystore and made sure to include that option when I made a new keystore. That fixed the problem.


Answer by Weidian Huang

The complete Tomcat server.xml Connector element:


<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keystoreFile="conf/keystore.jks" keystorePass="changeit"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />

This works for me; I am using JRE 1.7 and a Tomcat 7 server as well. But setting sslEnabledProtocols did not work for me, so here I use sslProtocol="TLS" instead and specify the ciphering algorithm explicitly.

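The accepted answer says to widen sslEnabledProtocols and to name suites in the ciphers attribute, and this answer gives a concrete list. Tomcat 7's JSSE connector can only negotiate protocols and cipher suites that the JVM's own JSSE provider supports, so the practical check on an Ubuntu/OpenJDK 1.7 box is to print that inventory and compare it with the configured list. The program below is an added example, not code from the question or from any answer: the class name TlsOverlapCheck and the two helper methods are my own, and the TOMCAT_CIPHERS constant is constructed from the ciphers value in this answer.

```java
// Added example: inventory the protocols and cipher suites the running JVM's
// JSSE offers, then check a Tomcat "ciphers" attribute value against them.
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class TlsOverlapCheck {

    // Constructed sample: the ciphers attribute value from the answer above,
    // pasted into a Java string (a real check would read it from server.xml).
    static final String TOMCAT_CIPHERS =
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
      + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
      + "TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,"
      + "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,"
      + "TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA";

    /** Entries of the Tomcat list that the JVM can actually offer to a client. */
    static List<String> supportedByJvm(String csv, Set<String> jvmSuites) {
        List<String> out = new ArrayList<String>();
        for (String raw : csv.split(",")) {
            String name = raw.trim();
            if (!name.isEmpty() && jvmSuites.contains(name)) {
                out.add(name);
            }
        }
        return out;
    }

    /** Entries a defender should drop: RC4, NULL, anonymous, export and single-DES suites. */
    static List<String> weakEntries(String csv) {
        List<String> out = new ArrayList<String>();
        for (String raw : csv.split(",")) {
            String name = raw.trim();
            if (name.contains("_RC4_") || name.contains("_NULL_") || name.contains("_anon_")
                    || name.contains("_EXPORT") || name.contains("_DES_")) {
                out.add(name);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters defaults = ctx.getDefaultSSLParameters();

        // Protocol overlap: a browser that has disabled SSLv3 needs one of these
        // to also be enabled on the Tomcat side via sslEnabledProtocols.
        System.out.println("JVM supported protocols: " + Arrays.toString(supported.getProtocols()));
        System.out.println("JVM default protocols:   " + Arrays.toString(defaults.getProtocols()));

        // Cipher overlap: names absent from the supported set will never be negotiated.
        Set<String> jvmSuites = new HashSet<String>(Arrays.asList(supported.getCipherSuites()));
        System.out.println("Configured suites this JVM can offer: "
                + supportedByJvm(TOMCAT_CIPHERS, jvmSuites));
        System.out.println("Configured suites to remove as weak:  "
                + weakEntries(TOMCAT_CIPHERS));
    }
}
```

Run it with the same JRE that starts Tomcat (javac TlsOverlapCheck.java && java TlsOverlapCheck), since the answer lies in that JVM's provider, not in the certificate. The two RC4 entries in this answer's list are flagged by weakEntries; the remaining ECDHE and RSA AES-CBC suites are what a current browser can still overlap with on TLSv1 and later.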