java SSL 不适用于 Tomcat 8
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/45129667/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
SSL not working for Tomcat 8
提问by JavaGeek
I'm trying to configure SSL(https) for tomcat 8 and have done below steps but still its not working
我正在尝试为 tomcat 8 配置 SSL(https) 并已完成以下步骤,但仍然无法正常工作
1) Create the keystore file using
1)使用创建密钥库文件
keytool -genkey -alias myservername -keyalg RSA
2) Generated CSR as below
2)生成的CSR如下
keytool -certreq -alias myservername -file C:\tomcat_ssl\local_machine\test.csr -keystore C:\tomcat_ssl\local_machine\test.keystore
3) Then we had Generated the Certificate and then imported the chain certificate and certificate as below
3)然后我们已经生成了证书,然后导入了链式证书和证书,如下所示
keytool -import -alias root -keystore C:\tomcat_ssl\local_machine\test.keystore -trustcacerts -file C:\tomcat_ssl\local_machine\srv_chain.cer
keytool -import -alias myservername -keystore C:\tomcat_ssl\local_machine\test.keystore -file C:\tomcat_ssl\local_machine\srv_main.cer
4) Finally Did the changes in tomcat server.xml as below
4) 最后在 tomcat server.xml 中做了如下改动
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\tomcat_ssl\local_machine\test.keystore" keystorePass="123" keystoreAlias="myservername"/>
Restarted the tomcat and its not working and showing below screen
重新启动了 tomcat 并且它不工作并显示在屏幕下方
In tomcat logs it's not showing any errors and also i have tried other options like keeping cipher
tag in connection, Enabled TLS 1,2,3
, changing https port etc no avail.
在 tomcat 日志中,它没有显示任何错误,我也尝试了其他选项,例如保持cipher
标签连接Enabled TLS 1,2,3
、更改 https 端口等,但无济于事。
Also i have tested the https port 443 and it's showing as listening when i netstat. Any idea why this is not working
我还测试了 https 端口 443,当我使用 netstat 时它显示为正在侦听。知道为什么这不起作用
Added Logs after enabling ssl debugging in tomcat
在tomcat中启用ssl调试后添加日志
http-nio-443-exec-5, fatal error: 10: General SSLEngine problem
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
http-nio-443-exec-5, SEND TLSv1.2 ALERT: fatal, description = unexpected_message
http-nio-443-exec-5, WRITE: TLSv1.2 Alert, length = 2
http-nio-443-exec-5, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
http-nio-443-exec-5, called closeOutbound()
http-nio-443-exec-5, closeOutboundInternal()
[Raw write]: length = 7
回答by Rishikesh Darandale
As you are using java 8, thus defaultwill TLS 1.2
.
由于您使用的是 java 8,因此默认将TLS 1.2
.
By looking at your screenshot, client TLS is not enabled in your IE 11. By default IE 11has SSL 3.0, TLS 1.0, 1.1, 1.2
enabled.
通过查看您的屏幕截图,您的 IE 11 中未启用客户端 TLS。默认情况下,IE 11已SSL 3.0, TLS 1.0, 1.1, 1.2
启用。
If you see the protocolsmatrix, you will come to why the connection is not successful.
如果你看到协议矩阵,你就会明白为什么连接不成功。
Thus, please update your IE 11 SSL TLS settings or try to use another browser to verify.
因此,请更新您的 IE 11 SSL TLS 设置或尝试使用其他浏览器进行验证。
回答by Daniel C.
I had the same issue long time ago.
很久以前我有同样的问题。
Mi solution was (the steps that I follow here depends on the CA instructions, the CA site ussually have the complete instruccions of how generate the certificate correctly):
Mi 解决方案是(我在此处遵循的步骤取决于 CA 说明,CA 站点通常具有如何正确生成证书的完整说明):
- Create the certificate again but with the following commands (keysize 2048) (make sure that name and lastname are the same as your site name example: yourhost.com:
- 再次创建证书,但使用以下命令(密钥大小 2048)(确保名称和姓氏与您的站点名称示例相同:yourhost.com:
keytool -genkey -alias yourhost.com -keyalg RSA -keysize 2048 -keystore servername.jks
keytool -genkey -alias yourhost.com -keyalg RSA -keysize 2048 -keystore servername.jks
- Genearate de csr
- 生成企业社会责任
keytool -certreq -alias yourhost.com -file mycsr.txt -keystore servername.jks
keytool -certreq -alias yourhost.com -file mycsr.txt -keystore servername.jks
- Install the certificate
- 安装证书
keytool -import -trustcacerts -alias yourhost.com -file file-from-your-ca.p7b -keystore servername.jks
keytool -import -trustcacerts -alias yourhost.com -file file-from-your-ca.p7b -keystore servername.jks
On the server.xml connector put the following configuration (note: the sslProtocol possible values depends on the jvm that your are using, please see the possible values for java 8 java 8 ssl values)
在 server.xml 连接器上放置以下配置(注意:sslProtocol 可能的值取决于您使用的 jvm,请参阅 java 8 java 8 ssl values的可能值)
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" keystoreFile="/home/myserver/ssl/servername.jks" keystorePass="yourpass" keystoreAlias="yourhost.com" sslProtocol="TLSv1.2" />
Restart tomcat
重启tomcat
There are more examples of how configure secure connector on this site: Secure Tomcat
在此站点上还有更多有关如何配置安全连接器的示例:Secure Tomcat
回答by Kambiz
Tomcat can use two different implementations of SSL:
Tomcat 可以使用两种不同的 SSL 实现:
the JSSE implementation provided as part of the Java runtime (since 1.4) the APR implementation, which uses the OpenSSL engine by default. The exact configuration details depend on which implementation is being used. If you configured Connector by specifying generic protocol="HTTP/1.1" then the implementation used by Tomcat is chosen automatically. If the installation uses APR - i.e. you have installed the Tomcat native library - then it will use the APR SSL implementation, otherwise it will use the Java JSSE implementation.
JSSE 实现作为 Java 运行时(自 1.4 起)的一部分提供,APR 实现默认使用 OpenSSL 引擎。确切的配置细节取决于所使用的实现。如果您通过指定 generic protocol="HTTP/1.1" 来配置连接器,那么 Tomcat 使用的实现将被自动选择。如果安装使用 APR - 即您已经安装了 Tomcat 本地库 - 那么它将使用 APR SSL 实现,否则它将使用 Java JSSE 实现。
Please refer to https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.htmlfor all details for configuration. I simply follow the steps and it works for me.
有关配置的所有详细信息,请参阅https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html。我只是按照步骤操作,它对我有用。
Most importantly,Are you sure you have got issue in your tomcat. Your error may comes from your browser.
最重要的是,你确定你的 tomcat 有问题吗?您的错误可能来自您的浏览器。
- Have you tried other browsers other than IE?
- Which version of IE are you using?
- Windows 7 or Windows 8?
- 您是否尝试过 IE 以外的其他浏览器?
- 你用的是哪个版本的IE?
- Windows 7 还是 Windows 8?
If you face the issue only in IE, check also SSL 2.0 and SSL 3.0 under the Advanced Setting along with the recommended fix of turning on TLS 1.0, TLS 1.1, and TLS 1.2.
如果您仅在 IE 中遇到此问题,请同时检查高级设置下的 SSL 2.0 和 SSL 3.0,以及打开 TLS 1.0、TLS 1.1 和 TLS 1.2 的推荐修复。
回答by B--rian
I am currently facing a similar problem, and I got the strong suspicion that our problem has something to do with the Tomcat configuration within server.xml. Me too, I see the service listening on the port, and not much helpful messages in any log files.
我目前面临类似的问题,我强烈怀疑我们的问题与server.xml 中的 Tomcat 配置有关。我也是,我看到服务正在监听端口,但在任何日志文件中都没有太多有用的消息。
I was told by a colleague who got (a secure Tomcat with SSL) running to enter
一位同事告诉我(一个带有 SSL 的安全 Tomcat)运行进入
<Connector port="443" scheme="https" server="Secure Web Server"
minSpareThreads="25" allowTrace="false" keystoreType="JKS"
keystoreFile="C:\tomcat\conf\aSecureTomcat.jks" keystorePass="yourPassword"
connectionTimeout="20000"
protocol="org.apache.coyote.http11.Http11NioProtocol"
secure="true" clientAuth="false" sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
useServerCipherSuitesOrder="true"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"/>
I have not figured out the minimal configuration yet, but the important part for you might be the last 5 lines of my code snippet. How does your Tomcat config look like?
我还没有弄清楚最低配置,但对您来说重要的部分可能是我的代码片段的最后 5 行。您的 Tomcat 配置如何?
回答by senadorbarrago
Just change your original server.xml: sslProtocol=TLSv1.2 Include the version no. Had the same error before.
只需更改您的原始 server.xml: sslProtocol=TLSv1.2 包括版本号。之前有同样的错误。
回答by vladimir83
Try forcing JSSE use by adding in your Connector:
尝试通过在连接器中添加来强制使用 JSSE:
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
For any reason it's detecting APR and trying to use OpenSSL which is not working. See this answer.
出于任何原因,它正在检测 APR 并尝试使用不起作用的 OpenSSL。看到这个答案。