
Web services: Does Tomcat support TLSv1.2?


I would like to know whether Apache Tomcat supports the TLSv1.2 protocol. I have not found any documentation about this! Thanks.

In the JSSE implementation, Oracle JDK version 7 supports TLS version 1.2. Since Tomcat uses JSSE as its underlying SSL library, JDK 1.7 and later should support it. Also check the SSL cipher suites enabled in Tomcat.

If you are using Apache as a proxy, check the Apache and underlying OpenSSL documentation.

Some links:

(Java SE 7 security enhancements)


I also wanted to upgrade sslProtocol to TLSv1.1, as described in the links below about Java 6 and Java 7.

Java 6   Java 7

The SSLContext protocols supported in Java 6 are SSL and TLSv1, while Java 7 supports SSL, TLSv1, TLSv1.1 and TLSv1.2.


So, to enable TLSv1.1 or TLSv1.2 in Tomcat, just upgrade to Java 7 and change sslProtocol in the Connector in Tomcat's server.xml.

As others have mentioned, Tomcat supports TLSv1.2 via JSSE in JDK 7+.

When used with Tomcat Native (APR), Tomcat does not support TLSv1.1 or TLSv1.2. See


Update: It looks like TLSv1.2 will finally be supported in Tomcat Native 1.1.32 and Tomcat 8.0.15/7.0.57.

I had a similar use case: making Tomcat 7 strictly use only TLSv1.2, without falling back to earlier SSL protocols such as TLSv1.1 or SSLv3. The following steps answer how to make Tomcat support TLSv1.2.

I am using: C:\apache-tomcat-7.0.64-64bit and C:\Java64\jdk1.8.0_60

Follow the instructions here: . Setting up SSL support in Tomcat is relatively straightforward.

From many references I tested many combinations, and finally found one that forces Tomcat 7 to accept only TLSv1.2. Two places need to be touched:

1) In C:\apache-tomcat-7.0.64-64bit\conf\server.xml

<Connector port="8443" 
 protocol="org.apache.coyote.http11.Http11Protocol"
 maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
 keystoreFile="ssl/.keystore" keystorePass="changeit"
 clientAuth="false" sslProtocol="SSL" sslEnabledProtocols="TLSv1.2" />
The JAVA_OPTS restriction is required; otherwise Tomcat (running on Java 8) falls back to supporting earlier SSL protocols.

Start Tomcat: C:\apache-tomcat-7.0.64-64bit\bin\startup.bat

We can see the JAVA_OPTS appear in the Tomcat startup log:

Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djdk.tls.client.protocols=TLSv1.2
Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dsun.security.ssl.allowUnsafeRenegotiation=false
Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dhttps.protocols=TLSv1.2
Then we can use the openssl command to verify our setup. First, connect to localhost:8443 using the TLSv1.1 protocol. Tomcat refuses to reply with the server certificate:

C:\OpenSSL-Win32\bin>openssl s_client -connect localhost:8443 -tls1_1
Loading 'screen' into random state - done
CONNECTED(000001C0)
5372:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
Connect to localhost:8443 using the TLSv1.2 protocol, and Tomcat replies with a ServerHello carrying the certificate:

C:\OpenSSL-Win32\bin>openssl s_client -connect localhost:8443 -tls1_2
Loading 'screen' into random state - done
CONNECTED(000001C0)
depth=1 C = US, ST = Washington, L = Seattle, O = getaCert - www.getacert.com
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=SG/ST=SG/L=Singapore/O=Xxxx/OU=Development/CN=Myself
   i:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
1 s:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
   i:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
---
Server certificate
-----BEGIN CERTIFICATE-----
(ignored)
-----END CERTIFICATE-----
subject=/C=SG/ST=SG/L=Singapore/O=Xxxx/OU=Development/CN=Myself
issuer=/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2367 bytes and written 443 bytes

This proves that Tomcat now strictly responds only to TLSv1.2 requests.
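The two openssl s_client runs above can be turned into a repeatable check that speaks just enough of the TLS record layer to see whether the server answers a given protocol version with a ServerHello or with an alert. The following is an added example, not code from the answer above or from the Tomcat project: a small Python probe covering the TLSv1.0 to TLSv1.2 range discussed on this page (TLS 1.3 negotiates through an extension and is out of scope here). The function names, the cipher-suite list and the sample ServerHello bytes are my own assumptions; the sample bytes are constructed for offline testing only.

```python
"""Minimal TLS version probe: the check behind `openssl s_client -tls1_1` / `-tls1_2`.

Sends one ClientHello that offers exactly one protocol version and classifies
the first record the server returns. Added example; not Tomcat's code.
"""
import os
import socket
import struct

TLS_VERSIONS = {"TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}

HANDSHAKE, ALERT = 0x16, 0x15               # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02     # handshake message types
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}

# Assumed cipher-suite list: a few RSA/ECDHE suites that JSSE on Java 7/8
# and OpenSSL of that era both offer, so the server can always pick one.
CIPHER_SUITES = [0xC02F, 0xC030, 0xC013, 0xC014, 0x009C, 0x002F, 0x0035]


def build_client_hello(version, server_name=None):
    """Return one TLS record carrying a ClientHello that offers only `version`."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = struct.pack("!H", version) + os.urandom(32)   # client_version + random
    body += b"\x00"                                       # empty session id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                   # one compression method: null
    if server_name:                                       # optional SNI extension
        name = server_name.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name entry
        sni = struct.pack("!H", len(entry)) + entry                  # server_name_list
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni             # type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version stays TLS 1.0 for compatibility, as real clients do.
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record a server sent back.

    Returns ("accepted", negotiated_version) for a ServerHello,
    ("alert", alert_description) for an alert, or ("unknown", None).
    """
    if len(data) < 5:
        return ("unknown", None)
    ctype, _rec_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if ctype == ALERT and len(payload) >= 2:
        return ("alert", payload[1])
    if ctype == HANDSHAKE and len(payload) >= 6 and payload[0] == SERVER_HELLO:
        return ("accepted", struct.unpack("!H", payload[4:6])[0])
    return ("unknown", None)


def probe(host, port, version, timeout=5.0):
    """Offer one version to host:port and report how the server reacts."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, server_name=host))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""   # a server that just drops the connection is also a rejection
    return parse_server_response(data)


def scan(host, port):
    """Map each protocol name to True only if the server negotiated exactly that version."""
    results = {}
    for name, code in TLS_VERSIONS.items():
        status, detail = probe(host, port, code)
        results[name] = status == "accepted" and detail == code
    return results


def sample_server_hello(version, cipher_suite=0xC02F):
    """Constructed sample ServerHello record (all-zero random) for offline tests."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", cipher_suite) + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", version, len(handshake)) + handshake


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    for name, ok in scan(host, port).items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Run it as `python tlsprobe.py localhost 8443` against the Connector configured above; a correctly restricted Tomcat reports TLSv1.0 and TLSv1.1 as rejected and TLSv1.2 as accepted. The probe only inspects the first record, so a rejection shows up either as an alert (protocol_version or handshake_failure) or as a closed socket. One caveat on the JVM flags visible in the startup log: jdk.tls.client.protocols and https.protocols govern the JVM's own outbound client connections, while what the inbound Connector offers is determined by its sslEnabledProtocols attribute, which is the setting this probe exercises.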

Thanks a lot! I finally got TLS v1.2 on Tomcat using the JSSE configuration.

Could you tell me what changes you made for this? I tried specifying sslProtocol="TLSv1.1" in the connector, but it didn't work.

Don't forget that Tomcat can use OpenSSL via the OpenSSL JSSE provider, or by using the APR connector with OpenSSL. When using OpenSSL, you can use whatever protocols it supports. Alternatively, you can use another crypto provider, such as BouncyCastle.

@ashish Specifying sslProtocol=TLSv1.1 doesn't work because you need to use sslEnabledProtocols.

Tomcat doesn't support TLS at all. It is either Java (via JSSE) or OpenSSL that supports it. Which version of TLS they support depends on which version they are. Your question is ill-formed.