Java Tomcat 7: enabling TLSv1.1 with the APR connector


This is my environment: Ubuntu 12.04, Sun JRE 1.7.0_60, Tomcat 7.0.26, OpenSSL 1.0.1-4ubuntu5.15, libssl1.0.0 1.0.1-4ubuntu5.15

Currently my Tomcat server accepts TLSv1 connections, and I am trying to update the configuration to support TLSv1.1 connections. Below is my current connector configuration in server.xml:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLSv1" acceptCount="100"
               disableUploadTimeout="true" enableLookups="false"
               SSLCertificateFile="/opt/certs/cert.pem"
               SSLCertificateKeyFile="/opt/certs/private-key.pem"
               SSLCACertificateFile="/opt/certs/cert.pem"
               server="Apache"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA" />

Even when I change sslProtocol to TLSv1.1, TLSv1 connections still work. I looked at the Tomcat documentation and it does not mention anything about TLSv1.1 for the APR connector. Is this possible, or do I have to use another connector?

According to the Tomcat APR docs, you may also need to set the sslEnabledProtocols value to TLSv1.1.

That is for the BIO/NIO connectors; I am using the APR connector.

It doesn't work. That configuration is linked from the APR page under https: What specifically doesn't work?

sslEnabledProtocols is for the BIO/NIO connectors, and I am using the APR/native connector. I also tried adding this parameter to server.xml with TLSv1.1 as the value, and when I run `openssl s_client -connect ip_address:443 -tls1_1 -msg` I get the same error message as the one I put in the original question.
openssl s_client -connect ip_address:443 -tls1_1 -msg

CONNECTED(00000003)
>>> TLS 1.1  [length 00dc]
    01 00 00 d8 03 02 53 aa 16 c1 84 4a 2d a1 8b 54
    e9 10 85 dd 30 66 c6 d8 41 0c 57 38 fa 59 95 6c
    82 e7 dc 6f ac bb 00 00 66 c0 14 c0 0a c0 22 c0
    21 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00
    84 c0 12 c0 08 c0 1c c0 1b 00 16 00 13 c0 0d c0
    03 00 0a c0 13 c0 09 c0 1f c0 1e 00 33 00 32 00
    9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00
    41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00
    12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 01
    00 00 49 00 0b 00 04 03 00 01 02 00 0a 00 34 00
    32 00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00
    0a 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00
    04 00 05 00 12 00 13 00 01 00 02 00 03 00 0f 00
    10 00 11 00 23 00 00 00 0f 00 01 01
>>> TLS 1.0 Alert [length 0002], fatal protocol_version
    02 46
139739825112736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1403655873
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
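As an added helper, not part of the question or of Tomcat: a small POSIX sh script that repeats the openssl s_client check above once per TLS version and classifies each transcript by the markers visible in the output (the fatal protocol_version alert, "wrong version number", and Cipher is (NONE)). The ip_address and port are placeholders, and the sample transcripts are constructed.

```shell
#!/bin/sh
# Added example: classify an `openssl s_client` transcript and probe a
# server for each TLS version. Not from the question or from Tomcat.

# Read one s_client transcript from stdin and print "accepted" if the
# handshake completed for the requested version, otherwise "rejected".
# Rejection markers are the ones seen in the question's output: the
# fatal protocol_version alert, "wrong version number", and a (NONE) cipher.
classify_s_client() {
  transcript=$(cat)
  case "$transcript" in
    *"Cipher is (NONE)"*|*protocol_version*|*"wrong version number"*)
      echo rejected ;;
    *"Cipher is "*)
      echo accepted ;;
    *)
      echo rejected ;;   # no session summary at all: connection failed
  esac
}

# Run s_client once per version flag against host:port (placeholders,
# assumed reachable) and print one "flag result" line per version.
probe_tls_versions() {
  host=$1; port=${2:-443}
  for flag in -tls1 -tls1_1 -tls1_2; do
    result=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1 \
      | classify_s_client)
    printf '%s %s\n' "$flag" "$result"
  done
}

# Constructed, abridged sample transcripts so the classifier can be
# exercised offline; the rejected one mirrors the question's -tls1_1 run.
SAMPLE_REJECTED='>>> TLS 1.0 Alert [length 0002], fatal protocol_version
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'
SAMPLE_ACCEPTED='New, TLSv1/SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA'

# Usage against a live server: probe_tls_versions ip_address 443
```

A version whose line reads "rejected" is one the server refused at the handshake, which is what the -tls1_1 transcript above shows.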