Java Tomcat：使用强密码的 TLSv1.2 不起作用

Question

提问by DJViking

I installed Tomcat-7, configured support for TLSv1.2on port 8443.
My Connector configuration:
protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"

我安装了 Tomcat-7，在端口8443上配置了对 TLSv1.2 的支持。
我的连接器配置：
protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" sslProtocol= "TLSv1.2" sslEnabledProtocols="TLSv1.2"

I then configured a list of strong ciphers I wanted to use. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

然后我配置了一个我想要使用的强密码列表。TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_256C

As I have read, Tomcat can either use Java JSSE or OpenSSL
JSSE protocol="org.apache.coyote.http11.Http11NioProtocol"
OpenSSL protocol="org.apache.coyote.http11.Http11AprProtocol"
My tomcat connector is configured with JSSE protocol.

正如我所读到的，Tomcat 可以使用 Java JSSE 或 OpenSSL
JSSE protocol="org.apache.coyote.http11.Http11NioProtocol"
OpenSSL protocol="org.apache.coyote.http11.Http11AprProtocol"
我的 tomcat 连接器配置了 JSSE 协议。

It works if I add the following ciphers with SHA1. (No GCM with SHA1) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.

如果我使用 SHA1 添加以下密码，它会起作用。（无 SHA1 的 GCM）TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA。

I have downloaded the Java cryptographic extensions policy files. Tried with both Java 7 and Java 8.

我已经下载了 Java 加密扩展策略文件。尝试使用 Java 7 和 Java 8。

Before I installed the Cryptographic Extensions I got the following error while starting up Tomcat

在安装 Cryptographic Extensions 之前，我在启动 Tomcat 时遇到以下错误

INFO: Initializing ProtocolHandler ["http-nio-8443"]
mai 20, 2014 3:57:43 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory     getEnableableCiphers
WARNING: None of the ciphers specified are supported by the SSL engine :     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

According to Java 7 Documentation all these strong ciphers with GCM-SHA384 and CBC-SHA384 should be supported: http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites

根据 Java 7 文档，应该支持所有这些带有 GCM-SHA384 和 CBC-SHA384 的强密码：http: //docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites

If I change the ciphers just a little bit:

如果我稍微改变密码：

INFO: Initializing ProtocolHandler ["http-nio-8443"]
mai 20, 2014 4:21:11 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory getEnableableCiphers
WARNING: None of the ciphers specified are supported by the SSL engine : TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA584,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA584,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA584,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA584

That would indicate that that my list of ciphers are supported by my Tomcat/Java.

这表明我的 Tomcat/Java 支持我的密码列表。

Could the problem be with the Browser? I have tried the latest Chromium and Firefox. After checking some commits I found out that Chromium does support SHA256, SHA384 and AES-GCM.

问题可能出在浏览器上吗？我尝试了最新的 Chromium 和 Firefox。在检查了一些提交后，我发现 Chromium 确实支持 SHA256、SHA384 和 AES-GCM。

Answer 1

采纳答案by DJViking

Found out that neither Chromium nor Firefox support these higher ciphers.
The strongest/highest cipher available is TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
No support for SHA384 and no AES_256_GCM

发现 Chromium 和 Firefox 都不支持这些更高的密码。
可用的最强/最高密码是 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
不支持 SHA384 和 AES_256_GCM

https://www.ssllabs.com/ssltest/viewMyClient.html
Cipher Suites (in order of preference)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_RSA_WITH_RC4_128_SHA (0x5)
TLS_RSA_WITH_RC4_128_MD5 (0x4)

https://www.ssllabs.com/ssltest/viewMyClient.html
密码套件（以优选顺序）
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256（0xc02b）
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256（0xc02f）
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256（0x9e）
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA（0xc00a）
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA（0xc009）
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA（0xc013）
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA（0xc014 ）
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA（0xc007）
TLS_ECDHE_RSA_WITH_RC4_128_SHA（0xc011）
TLS_DHE_RSA_WITH_AES_128_CBC_SHA（0x33）
TLS_DHE_DSS_WITH_AES_128_CBC_SHA（0x32）
TLS_DHE_RSA_WITH_AES_256_CBC_SHA（0x39）
TLS_RSA_WITH_AES_128_GCM_SHA256（为0x9c）
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_RSA_WITH_RC4_128_SHA (0x5) (0x5)
_TLS_4_5RSA1MD

Answer 2

回答by Bruno

The standard algorithm name documentationyou're quoting is just the list of names, which are effectively reserved, but not necessarily implemented.

您引用的标准算法名称文档只是名称列表，它们被有效保留，但不一定实现。

The SunJSSE provider(the default JSSE provider in the Oracle JRE) doesn't implement any GCM cipher suite in Java 7. They are in the updated table for the Java 8 implementation.

该SunJSSE提供商（默认JSSE提供者在Oracle JRE）没有实现任何GCM密码套件在Java 7中他们在更新后的表为Java 8实现。

You might also need sslProtocol="TLSv1.2".

您可能还需要sslProtocol="TLSv1.2".

Answer 3

回答by Brad Knowles

For Firefox 37.0.2, the list of supported ciphers is:

对于 Firefox 37.0.2，支持的密码列表是：

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)

Answer 4

回答by SITARAMIREDDY SIMHADRI

I am a web developer and facing the similar issue running the application with Tomcat 7 and Java7 versions and found the fix.

我是一名 Web 开发人员，在使用 Tomcat 7 和 Java7 版本运行应用程序时遇到了类似的问题，并找到了修复程序。

by adding the below property in the server.xml file of tomcat in

通过在 tomcat 的 server.xml 文件中添加以下属性

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,     TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

Java Tomcat：使用强密码的 TLSv1.2 不起作用

提问by DJViking

采纳答案by DJViking

回答by Bruno

回答by Brad Knowles

回答by SITARAMIREDDY SIMHADRI

相关推荐

最近更新

标签

Java Tomcat：使用强密码的 TLSv1.2 不起作用

提问by DJViking

采纳答案by DJViking

回答by Bruno

回答by Brad Knowles

回答by SITARAMIREDDY SIMHADRI

相关推荐

Java 在 JTable 列中设置右对齐

Java 如何从 C# 代码中运行 jar 文件

Java Mockito 如何只模拟超类方法的调用

Java 此错误的原因：由于所需库的限制，无法访问类型测试？

相关推荐

最近更新

标签