Ciphers/protocols accepted by Tomcat 8.5.34 when using the OpenSSLImplementation
I am using Tomcat version 8.5.34, which is placed behind NGINX. Because I want to reuse connections (to avoid repeated handshakes), I am looking into using the OpenSSLImplementation. My server.xml looks like:
<Connector SSLEnabled="true"
           port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           scheme="https"
           secure="true"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           executor="tomcatThreadPool" >
    <SSLHostConfig>
        sslProtocols = "TLSv1.2"
        protocols = "TLSv1.2"
        sslEnabledProtocols="TLSv1.2"
        ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        SSLVerifyClient="optional"/>
        <Certificate
            certificateKeyFile="/Users/vdBerg/Developer/apache/<mydomain>.key"
            certificateFile="/Users/vdBerg/Developer/apache/<mydomain>.crt"
            type="RSA" />
    </SSLHostConfig>
</Connector>
As you can see in the configuration, I tried several options to support only TLSv1.2.
But somehow these settings are not accepted by Tomcat.
When I run sslscan against host:port, I still see it supporting other protocols:
sslscan <mydomain>:8443
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 2048 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 2048 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits
Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
Accepted TLSv1.1 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits
Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
Accepted TLSv1.1 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
Accepted TLSv1.0 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
Accepted TLSv1.0 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits
Can anyone tell me how to solve this?
Thanks in advance.
OK, it is working now, I just had the structure wrong:
Instead of
<SSLHostConfig>
    sslProtocols = "TLSv1.2"
    protocols = "TLSv1.2"
    sslEnabledProtocols="TLSv1.2"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    SSLVerifyClient="optional"/>
    <Certificate
        certificateKeyFile="/Users/vdBerg/Developer/apache/<mydomain>.key"
        certificateFile="/Users/vdBerg/Developer/apache/<mydomain>.crt"
        type="RSA" />
</SSLHostConfig>
I had to use:
<SSLHostConfig
    protocols = "+SSLv2Hello+TLSv1.2-TLSv1-TLSv1.1"
    >
    <Certificate
        certificateKeyFile="/Users/vdBerg/Developer/apache/mydomain.key"
        certificateFile="/Users/vdBerg/Developer/apache/mydomain.crt"
        type="RSA" />
</SSLHostConfig>
"...and placed behind NGINX" - are you sure you are not testing the NGINX configuration here? You could try explicitly excluding versions 1.0 and 1.1: sslProtocols="TLSv1.2-TLSv1-TLSv1.1"
In my local environment I am not using NGINX (that is the server setup). I also tried your suggestion, Romeo, and it does not seem to work.
Please don't mix APR and NIO connectors. (Read carefully.) I can't see "honorCipherOrder" in your configuration, nor in the catalina.out log.
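As an added example (not code from the question, the answer or Tomcat itself), the following Python re-implements the token rules Tomcat documents for the SSLHostConfig protocols attribute, applies them to the value from the answer, and checks sslscan output of the kind shown above for any version the scanner still negotiated that the configured set should reject. The token semantics and the "all" alias follow Tomcat's documentation as I understand it, and the sslscan excerpt is constructed from the question's output.

```python
import re

# Tomcat's documented "all" alias (TLSv1.3 assumed absent on 8.5.34 itself)
ALL_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

def tomcat_protocols(attr: str) -> set:
    """Effective set for protocols="...": tokens split on '+', '-' or ',';
    '+' adds, '-' removes, a bare/comma token adds, left to right from an
    empty set; 'all' expands to ALL_PROTOCOLS."""
    result = set()
    for token in re.split(r"(?=[-+,])", attr):
        token = token.strip()
        if len(token) <= 1:          # lone separator, no protocol name
            continue
        op, name = token[0], token[1:].strip()
        if op not in "+-,":
            op, name = "+", token    # unprefixed token is an add
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        result = result - names if op == "-" else result | names
    return result

SSLSCAN_LINE = re.compile(r"^(Preferred|Accepted)\s+(\S+)\s+\d+ bits\s+(\S+)")

def accepted_protocols(sslscan_output: str) -> dict:
    """Map each version sslscan negotiated to its accepted cipher names.
    sslscan prints 'TLSv1.0' where Tomcat's token is 'TLSv1', so normalise."""
    found = {}
    for line in sslscan_output.splitlines():
        m = SSLSCAN_LINE.match(line.strip())
        if m:
            proto = "TLSv1" if m.group(2) == "TLSv1.0" else m.group(2)
            found.setdefault(proto, []).append(m.group(3))
    return found

def unexpected_protocols(attr: str, sslscan_output: str) -> set:
    """Versions the scanner negotiated that the configured set should reject.
    SSLv2Hello is a hello format, not a version sslscan reports, so drop it."""
    allowed = tomcat_protocols(attr) - {"SSLv2Hello"}
    return set(accepted_protocols(sslscan_output)) - allowed

# Constructed excerpt of the sslscan output shown in the question.
SAMPLE_SCAN = """\
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
"""

if __name__ == "__main__":
    print(unexpected_protocols("+SSLv2Hello+TLSv1.2-TLSv1-TLSv1.1", SAMPLE_SCAN))
```

Running the check against a fresh sslscan after a config change is the quickest way to tell whether the change was picked up by Tomcat or whether, as the comment above suggests, another layer such as NGINX is answering the scan.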