Java: How to control the SSL ciphers available to Tomcat
Disclaimer: this page is a Chinese-English bilingual translation of a popular StackOverflow question and is licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA licence, cite the original address and author information, and attribute it to the original author (not me): StackOverFlow
原文地址: http://stackoverflow.com/questions/7417809/
Warning: this content is provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must attribute it to the original authors (not me):
StackOverFlow
How to control the SSL ciphers available to Tomcat
Asked by Mike
I'm unable to disable weak SSL ciphers in Tomcat as documented in many places e.g. http://www.techstacks.com/howto/secure-ssl-in-tomcat.html.
Currently, my connector looks as follows:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" SSLEnabled="true" maxThreads="150"
           scheme="https" secure="true"
           ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\Programs\apache-tomcat-6.0.33\keystore" keystorePass="nn"/>
When I attempt a connection (using IE or ssldigger) I get the following error in Tomcat:
java.lang.IllegalArgumentException: Unsupported ciphersuite SSL_RSA_WITH_RC4_128_SHA
at com.sun.net.ssl.internal.ssl.CipherSuite.valueOf(Unknown Source)
at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.setEnabledCipherSuites(Unknown Source)
at org.apache.tomcat.util.net.NioEndpoint.createSSLEngine(NioEndpoint.java:1141)
at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:1096)
at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:1315)
at java.lang.Thread.run(Unknown Source)
Incidentally, I removed the unsupported ciphers (almost one by one) and the only one I was left with that seems to be supported is SSL_RSA_WITH_RC4_128_MD5.
Also, I'm assuming that an unsupported cipher is not related to Tomcat's specific key pair but more generally to the broadly available ciphers.
What is wrong here?
Answered by Mike
I figured it out: the comma-separated list of ciphers is whitespace sensitive, i.e. the culprit is the space character after the comma.
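The following is an added example, not code from the question, the answer or Tomcat itself. It turns the accepted answer into a pre-flight check you can run with the same JVM that runs Tomcat: it splits the `ciphers` attribute on commas without trimming (the behaviour the answer describes, so `" SSL_RSA_WITH_RC4_128_SHA"` with a leading space is a different string from the real suite name), compares each piece against the suites the JVM's default JSSE provider reports via `SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()`, and tells apart names that fail only because of whitespace from names the JVM does not offer at all. The class name `CipherListCheck` and the helper names are assumptions for this example; the embedded cipher string is the one posted in the question.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

/**
 * Added example (not Tomcat code): checks a Tomcat "ciphers" attribute against the
 * cipher suites this JVM's default JSSE provider supports, and separates two causes of
 * "Unsupported ciphersuite": (1) surrounding whitespace, (2) a suite this JVM lacks.
 * Run it with the JVM that runs Tomcat, e.g.  java CipherListCheck "A, B,C"
 */
public class CipherListCheck {

    /** The ciphers attribute exactly as posted in the question: note the space after each comma. */
    static final String POSTED_CIPHERS =
        "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, "
        + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, "
        + "SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "
        + "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA";

    /** Split on ',' only and do NOT trim: this mirrors the whitespace sensitivity the
     *  accepted answer describes (assumption for this example, not a quote of Tomcat source). */
    static String[] splitAsConfigured(String attr) {
        return attr.split(",");
    }

    /** Cipher suites the default JSSE provider of this JVM reports as supported. */
    static Set<String> supportedSuites() throws NoSuchAlgorithmException {
        return new HashSet<String>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
    }

    /** Names rejected only because of whitespace: trimming makes them supported. */
    static List<String> whitespaceOnlyProblems(String[] names, Set<String> supported) {
        List<String> out = new ArrayList<String>();
        for (String n : names) {
            if (!supported.contains(n) && supported.contains(n.trim())) {
                out.add(n);
            }
        }
        return out;
    }

    /** Names this JVM does not offer even after trimming. */
    static List<String> reallyUnsupported(String[] names, Set<String> supported) {
        List<String> out = new ArrayList<String>();
        for (String n : names) {
            if (!supported.contains(n.trim())) {
                out.add(n.trim());
            }
        }
        return out;
    }

    /** The attribute with whitespace stripped around every name, ready to paste into server.xml. */
    static String normalise(String attr) {
        StringBuilder sb = new StringBuilder();
        for (String n : attr.split(",")) {
            if (sb.length() > 0) {
                sb.append(',');
            }
            sb.append(n.trim());
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String attr = args.length > 0 ? args[0] : POSTED_CIPHERS;
        Set<String> supported = supportedSuites();
        String[] names = splitAsConfigured(attr);

        System.out.println("JVM supports " + supported.size() + " suites; checking "
            + names.length + " configured names");
        for (String n : whitespaceOnlyProblems(names, supported)) {
            System.out.println("whitespace problem : '" + n + "'");
        }
        for (String n : reallyUnsupported(names, supported)) {
            System.out.println("not in this JVM    : " + n);
        }
        System.out.println("cleaned attribute  : ciphers=\"" + normalise(attr) + "\"");
    }
}
```

Two practical points. First, the list you must match is the one the JVM running Tomcat reports, not the one in a web tutorial, which is why this runs in-JVM rather than against a hard-coded table. Second, on a current JDK the RC4 and 3DES suites from the question will show up under "not in this JVM" even after trimming, because suites disabled through `jdk.tls.disabledAlgorithms` are no longer offered; that is the desired outcome from a security standpoint, and the cleaned attribute should then be pruned to the suites the JVM actually lists.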
Answered by ghoulfolk
It wouldn't hurt to have mentioned the Tomcat version, as it depends on which tags can be used in the Connection block. I have a similar issue with a web service running on Tomcat 6.0, and have read that, for example,
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,..."
might not work correctly, as the "ciphers" might need to be given as SSLCipherSuite, but I am not 100% sure on this. The document which led me to think this might be applicable is found here: https://tomcat.apache.org/tomcat-6.0-doc/apr.html. On that same page it is also said that the delimiter is not a comma (,) but a colon (:). So for Tomcat 6.0 I would suggest using either:
SSLCipherSuite="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:..."
or
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:..."
Hope this helps someone who has to struggle with Tomcat 6.0 (disregard this answer for Tomcat 6.0.XX or higher).