Linux (Error code: ssl_error_rx_record_too_long) Tomcat+OpenSSL

Notice: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you use it you must follow the CC BY-SA licence, cite the original address and author information, and attribute it to the original author (not me): StackOverflow. Original address: http://stackoverflow.com/questions/4277560/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Time: 2020-08-05 00:08:17  Source: igfitidea

(Error code: ssl_error_rx_record_too_long) Tomcat+OpenSSL

Tags: linux, tomcat, openssl

Asked by Ivan Mushketyk

I am trying to enable SSL in my Tomcat. But when I start Tomcat and go to https://localhost:8443 I see

An error occurred during a connection to localhost:8443.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

To do that I used CA.sh to generate private key and signed certificate like this:

progerlaptop:/usr/share/ssl/misc # ./CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
................................++++++
.............................................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: pass
Verifying - Enter PEM pass phrase: pass
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Chernihiv
Locality Name (eg, city) []:Chernihiv
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University
Organizational Unit Name (eg, section) []:student
Common Name (eg, YOUR name) []:localhost
Email Address []:proger@localhost

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c6:55:7e:58:1b:4d:9c:7e
        Validity
            Not Before: Nov 25 13:17:31 2010 GMT
            Not After : Nov 24 13:17:31 2013 GMT
        Subject:
            countryName               = UK
            stateOrProvinceName       = Chernihiv
            organizationName          = University
            organizationalUnitName    = student
            commonName                = localhost
            emailAddress              = proger@localhost
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                C7:98:1E:68:A7:3A:C4:B2:46:C8:88:99:C8:D5:CA:66:D3:94:23:66
            X509v3 Authority Key Identifier: 
                keyid:C7:98:1E:68:A7:3A:C4:B2:46:C8:88:99:C8:D5:CA:66:D3:94:23:66

            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Nov 24 13:17:31 2013 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
progerlaptop:/usr/share/ssl/misc # ./CA.sh -newreq
Generating a 1024 bit RSA private key
............++++++
.........................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: pass
Verifying - Enter PEM pass phrase: pass
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Chernihiv
Locality Name (eg, city) []:Chernihiv
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University
Organizational Unit Name (eg, section) []:student
Common Name (eg, YOUR name) []:localhost
Email Address []:proger@localhost

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

progerlaptop:/usr/share/ssl/misc # CA.sh -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: pass
...
Sign the certificate? [y/n]:y
...
Signed certificate is in newcert.pem

Copied key and cert in to my Tomcat directory.

cp newcert.pem newkey.pem /path/to/tomcat-6.0.29/ssl/

Added Connector to my server.xml:

   <Connector port="8443" maxHttpHeaderSize="8192"
      maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100" scheme="https" secure="true"
      SSLEngine="on"
      SSLCertificateFile="${catalina.base}/ssl/newcert.pem"
      SSLCertificateKeyFile="${catalina.base}/ssl/newkey.pem"
      SSLPassword="pass"/>

Then I start catalina.sh run. And when I go to https://localhost:8443/ I see this nasty error. What do I do wrong?
Thank you in advance
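Why the browser reports "record too long" rather than a plain connection failure: it sends a TLS ClientHello, and a connector that is still speaking plain HTTP answers with text like "HTTP/1.1 400 ...", whose first five bytes parse as a TLS record header with an impossible length. The following Python script is an added example (not code from the question or any answer) that decodes a reply the way the TLS record layer does and can probe a port with a minimal hand-built ClientHello; the sample replies and the probe() host/port are constructed assumptions.

```python
import os
import socket
import struct

# RFC 5246: a TLS record carries at most 2^14 bytes of plaintext plus up to
# 2048 bytes of expansion. A header claiming more than that is exactly what
# Firefox reports as ssl_error_rx_record_too_long.
TLS_MAX_RECORD_LEN = 2 ** 14 + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

def classify_first_bytes(data: bytes) -> str:
    """Read the first 5 bytes a server sent as if they were a TLS record header."""
    if len(data) < 5:
        return "short/empty reply"
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    if content_type in TLS_CONTENT_TYPES and major == 3 and length <= TLS_MAX_RECORD_LEN:
        return "tls:" + TLS_CONTENT_TYPES[content_type]
    if data.startswith(b"HTTP/"):
        # "HTTP/" parses as type 0x48, version 0x5454, length 0x502F = 20527 bytes,
        # well over the limit, so the browser gives up with "record too long".
        return f"plaintext-http (claimed record length {length} > {TLS_MAX_RECORD_LEN})"
    return "not-tls"

def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello without extensions; enough to make a TLS server answer."""
    suites = b"".join(struct.pack("!H", s) for s in (0xC02F, 0xC030, 0x009C, 0x002F, 0x0035))
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"      # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites  # cipher_suites
            + b"\x01\x00")                             # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send the ClientHello to host:port and classify the reply (needs a reachable server)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(5)
        except socket.timeout:
            reply = b""
    return classify_first_bytes(reply)

if __name__ == "__main__":
    # Constructed sample replies: a TLS ServerHello header, and the plain-HTTP
    # answer a connector without SSLEnabled="true" sends back to a ClientHello.
    print(classify_first_bytes(b"\x16\x03\x03\x00\x4a\x02\x00\x00\x46\x03\x03"))
    print(classify_first_bytes(b"HTTP/1.1 400 Bad Request\r\n"))
    # print(probe("localhost", 8443))  # assumed target; run against your own Tomcat
```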

Accepted answer by Pavel

Tomcat 6 and above? You need to set the SSLEnabled="true", as already answered here or here.
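A quick way to catch this misconfiguration before restarting Tomcat is to lint server.xml for connectors that advertise HTTPS (scheme="https" or secure="true") but never switch TLS on with SSLEnabled="true". The script below is an added example, not part of the answer or of Tomcat; the embedded server.xml fragment is constructed from the connectors shown on this page (the asker's APR-style one and the working JSSE one from a later answer).

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment mirroring the page: the asker's APR-style
# connector (SSLEngine="on" but no SSLEnabled) and a working JSSE connector.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" scheme="https" secure="true" SSLEngine="on"
             SSLCertificateFile="${catalina.base}/ssl/newcert.pem"
             SSLCertificateKeyFile="${catalina.base}/ssl/newkey.pem" SSLPassword="pass"/>
  <Connector port="1443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" sslProtocol="TLS" keystoreFile="D:/path_to_ca.jks"
             keystorePass="somePass"/>
</Service></Server>"""


def check_connectors(xml_text: str) -> dict:
    """Return {port: [problems]} for every Connector that looks like it should serve TLS."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        attrs = conn.attrib
        port = int(attrs.get("port", "0"))
        problems = []
        looks_https = attrs.get("scheme") == "https" or attrs.get("secure", "").lower() == "true"
        ssl_enabled = attrs.get("SSLEnabled", "").lower() == "true"
        if looks_https and not ssl_enabled:
            # scheme/secure only affect what the webapp is told about the request;
            # without SSLEnabled the connector still speaks plain HTTP on that port.
            problems.append('scheme="https"/secure="true" but SSLEnabled="true" is missing')
        if ssl_enabled and "keystoreFile" not in attrs and "SSLCertificateFile" not in attrs:
            problems.append("SSLEnabled but no keystoreFile (JSSE) or SSLCertificateFile (APR)")
        if problems:
            findings[port] = problems
    return findings


if __name__ == "__main__":
    for port, problems in check_connectors(SAMPLE_SERVER_XML).items():
        print(f"port {port}:")
        for problem in problems:
            print("  -", problem)
```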

Answer by Thiago Figueiro

It looks like you're using APR/OpenSSL for https, in which case SSLEngine="on" is correct.

Did you install libtcnative?

Assuming tomcat 6: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

Quick steps:

tar zxf tomcat-native-1.1.20-src.tar.gz
cd tomcat-native-1.1.20-src/jni/native/
./configure --with-apr=/usr/bin/apr-1-config --with-ssl=yes
make && make install
cd /usr/java/default/jre/lib/amd64/
ln -s /usr/local/apr/lib/libtcnative-1.so

When you start tomcat you have to see this line in your catalina.out:

INFO: Loaded APR based Apache Tomcat Native library 1.1.20.

The alternative is to use JSSE and add your certificates/keys to a java keystore (.keystore file). I find the java keystore a pain in the arse to use so I usually go with APR.

Answer by damian

I was having the same issue. I fixed it by adding protocol="org.apache.coyote.http11.Http11NioProtocol" to the connector.

Answer by gks

I hope you have the keystore file on your machine.

Make sure it is in the server.xml file, and also refer to this link; it could be helpful for you to solve it.

     <Connector port="8443" maxHttpHeaderSize="8192"
      maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100" scheme="https" secure="true"
      keystoreFile="/../../../Tomcat/mycert.jks"
      clientAuth="false" sslProtocol="TLS"/>

Answer by akelec

I managed to solve this problem by changing a port value. The value 443 was reserved, so I put 1443, restarted Tomcat and it worked.

My Connector is:

<Connector port="1443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keystoreFile="D:/path_to_ca.jks"
           keystorePass="somePass" />

Now the URL is:

https://localhost:1443/index.jsp

Cheers!