Ciphers/protocols accepted by Tomcat 8.5.34 when using OpenSSLImplementation


I'm using Tomcat version 8.5.34, placed behind NGINX. Because I want to reuse connections (avoiding repeated handshakes), I'm looking into using the OpenSSLImplementation. My server.xml looks like:

    <Connector SSLEnabled="true"
               port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https"
               secure="true"

                sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
               executor="tomcatThreadPool" >

      <SSLHostConfig>
        sslProtocols = "TLSv1.2"
        protocols = "TLSv1.2"
        sslEnabledProtocols="TLSv1.2"
        ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        SSLVerifyClient="optional"/>
      <Certificate
              certificateKeyFile="/Users/vdBerg/Developer/apache/<mydomain>.key"
              certificateFile="/Users/vdBerg/Developer/apache/<mydomain>.crt"
              type="RSA" />
      </SSLHostConfig>
    </Connector>

As you can see in the configuration, I tried several options to support only TLSv1.2. But somehow these settings are not accepted by Tomcat.

When I run sslscan against the host:port, I still see that it supports other protocols:

sslscan <mydomain>:8443

Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 2048 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 2048 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 2048 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.1  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.0  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits

Can anyone tell me how to solve this?

Thanks in advance.

OK, it's working now, I just had the structure wrong. Instead of

<SSLHostConfig>
        sslProtocols = "TLSv1.2"
        protocols = "TLSv1.2"
        sslEnabledProtocols="TLSv1.2"
        ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        SSLVerifyClient="optional"/>
      <Certificate
              certificateKeyFile="/Users/vdBerg/Developer/apache/<mydomain>.key"
              certificateFile="/Users/vdBerg/Developer/apache/<mydomain>.crt"
              type="RSA" />
      </SSLHostConfig>

I had to use:

      <SSLHostConfig
              protocols = "+SSLv2Hello+TLSv1.2-TLSv1-TLSv1.1"
      >
        <Certificate
                certificateKeyFile="/Users/vdBerg/Developer/apache/mydomain.key"
                certificateFile="/Users/vdBerg/Developer/apache/mydomain.crt"
                type="RSA" />
      </SSLHostConfig>
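To show why the original layout failed and what the corrected `protocols` expression actually enables, here is an added Python checker (not from the question, the answer, or Tomcat itself) that parses a server.xml fragment, flags attribute text that ended up between the `<SSLHostConfig>` tags, and resolves the `protocols` expression using Tomcat's documented +/- syntax. The set that "all" expands to, and the placeholder certificate paths, are assumptions; the protocol versions are taken from the sslscan output above.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: what Tomcat 8.5's default protocols="all" expands to, taken from
# the protocol versions that sslscan reported in the question.
ALL_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"}

def effective_protocols(expr):
    """Resolve a Tomcat protocols expression such as 'all', 'TLSv1.2,TLSv1.1'
    or '+SSLv2Hello+TLSv1.2-TLSv1-TLSv1.1' into the set of enabled versions."""
    enabled = set()
    for token in re.findall(r"[+\-,]?[^+\-,]+", expr):
        name = token.strip("+-, ")
        if not name:
            continue
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        if token.lstrip().startswith("-"):  # '-' removes; '+' or a bare name adds
            enabled -= names
        else:
            enabled |= names
    return enabled

def audit_server_xml(xml_text):
    """Return findings for every <SSLHostConfig> in a server.xml fragment."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter("SSLHostConfig"):
        # Attribute text between the tags (the question's mistake) is silently ignored by Tomcat.
        if cfg.text and cfg.text.strip():
            findings.append("ignored text inside <SSLHostConfig>: "
                            + cfg.text.strip().splitlines()[0])
        # A missing protocols attribute means Tomcat's default of "all".
        enabled = effective_protocols(cfg.get("protocols", "all"))
        legacy = sorted(enabled & {"TLSv1", "TLSv1.1"})
        if legacy:
            findings.append("legacy protocols enabled: " + ", ".join(legacy))
    return findings

# Constructed samples (placeholder cert paths): the question's broken layout and the answer's fix.
BROKEN = """<Connector SSLEnabled="true" port="8443"><SSLHostConfig>
    protocols = "TLSv1.2"
    SSLVerifyClient="optional"/>
    <Certificate certificateKeyFile="x.key" certificateFile="x.crt" type="RSA"/>
  </SSLHostConfig></Connector>"""
FIXED = """<Connector SSLEnabled="true" port="8443">
  <SSLHostConfig protocols="+SSLv2Hello+TLSv1.2-TLSv1-TLSv1.1">
    <Certificate certificateKeyFile="x.key" certificateFile="x.crt" type="RSA"/>
  </SSLHostConfig></Connector>"""

if __name__ == "__main__":
    print(audit_server_xml(BROKEN), audit_server_xml(FIXED))
```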


"...and placed behind NGINX" - are you sure you're not testing the NGINX configuration here? You could try explicitly excluding versions 1.0 and 1.1:

sslProtocols="TLSv1.2-TLSv1-TLSv1.1"
In my local environment I'm not using NGINX (that's the server setup). I also tried your suggestion Romeo, it doesn't seem to work.

Please don't mix APR and NIO connectors. (Read carefully.)

I can't see "honorCipherOrder" in your configuration, nor in the catalina.out log.