Tomcat 8.5 - Is Certificate/SSL required for HTTP2

Views: 540

Question

I found in the Http2Protocol doc that it doesn't support HTTPS?

Some protocols (e.g. HTTP/2) only support HTTP upgrade over non-secure connections.

Is it a typo, or must I use HTTP and not HTTPS when using Tomcat HTTP2, or am I missing something?

Because I added UpgradeProtocol in

<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />

For the HTTP connector:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"/>

and using -Xbootclasspath/p:/path/to/alpn-boot.jar

But it doesn't find a matching rule:

org.apache.tomcat.util.digester.Digester.endElement   No rules found matching 'Server/Service/UpgradeProtocol'.

I also tried to add the openssl implementation to the connector, but with the same results

sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"

Because Java 8's TLS implementation does not support ALPN (which is required for HTTP/2 over TLS), you must be using an OpenSSL based TLS implementation to enable HTTP/2 support. See the sslImplementationName attribute of the Connector

Must I use Certificate/SSL for HTTP2?

Answer

Encryption is de facto mandatory to use http/2:

Although the standard itself does not require usage of encryption, all major client implementations (Firefox, Chrome, Safari, Opera, IE, Edge) have stated that they will only support HTTP/2 over TLS ...

So you'll need a fully configured SSLHostConfig with Certificate in order to run HTTP/2 over TLS.

A connector like this may work for you:

<Connector SSLEnabled="true" maxThreads="150" port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
    secure="true"
    sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
    <SSLHostConfig certificateVerification="none"
        sslProtocol="TLS">
        <Certificate certificateKeyAlias="myKeyAlias"
            certificateKeystoreFile="/path/to/my/keystore.jks"
            certificateKeystorePassword="myPassword"
            certificateKeystoreType="JKS">
        </Certificate>
    </SSLHostConfig>
    <UpgradeProtocol
        className="org.apache.coyote.http2.Http2Protocol" />
</Connector>

If you want to use NIO2, change protocol to org.apache.coyote.http11.Http11Nio2Protocol.

If you want to use SSL without OpenSSL but use the Java implementation JSSE instead, change sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" (if provided by your JRE).

Despite the fact that browsers won't upgrade to http/2 on unencrypted connections, it's technically possible to configure an http/2 connector on Apache Tomcat without SSL and use it e.g. with CURL, manually enforcing the http/2 upgrade:

<Connector SSLEnabled="false" maxThreads="150" port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol" secure="false">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
</Connector>

CURL debug output:

$ curl http://localhost:8444 -v --http2
...
* Connected to localhost (::1) port 8444 (#0)
> GET / HTTP/1.1
> Host: localhost:8444
> User-Agent: curl/7.60.0
> Accept: */*
> Connection: Upgrade, HTTP2-Settings
> Upgrade: h2c
> HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA
>
< HTTP/1.1 101
< Connection: Upgrade
< Upgrade: h2c
< Date: Mon, 28 Oct 2019 12:06:18 GMT
* Received 101
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Connection state changed (MAX_CONCURRENT_STREAMS == 200)!
< HTTP/2 200
< content-type: text/html;charset=UTF-8
< date: Mon, 28 Oct 2019 12:06:18 GMT
<
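The two connector configurations in the answer (h2 over TLS with the OpenSSL implementation, and cleartext h2c on port 8444) and the curl h2c upgrade exchange above can both be checked mechanically. The following is an added example, not code from the question, the answer or the Tomcat project: it parses a server.xml, reports for each Connector whether HTTP/2 is enabled, whether it is h2 (TLS) or h2c (cleartext), and whether the TLS implementation is the OpenSSL one the answer says Java 8 needs for ALPN; it also decodes the HTTP2-Settings header that curl sent in the upgrade request. The sample server.xml is constructed for this example from the connectors shown on the page; the element and attribute names are Tomcat's as used on the page.

```python
"""Audit Tomcat connectors for HTTP/2 exposure and decode an h2c
HTTP2-Settings header. Added example; the server.xml below is constructed."""
import base64
import struct
import xml.etree.ElementTree as ET

HTTP2_PROTOCOL = "org.apache.coyote.http2.Http2Protocol"
OPENSSL_IMPL = "org.apache.tomcat.util.net.openssl.OpenSSLImplementation"

# Setting identifiers from RFC 7540 section 6.5.2.
SETTING_NAMES = {
    1: "SETTINGS_HEADER_TABLE_SIZE",
    2: "SETTINGS_ENABLE_PUSH",
    3: "SETTINGS_MAX_CONCURRENT_STREAMS",
    4: "SETTINGS_INITIAL_WINDOW_SIZE",
    5: "SETTINGS_MAX_FRAME_SIZE",
    6: "SETTINGS_MAX_HEADER_LIST_SIZE",
}

# Constructed sample: the two connectors from the answer plus a plain
# HTTP/1.1 connector with no UpgradeProtocol.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector SSLEnabled="true" port="8443"
      protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
      sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
    <SSLHostConfig certificateVerification="none" sslProtocol="TLS">
      <Certificate certificateKeyAlias="myKeyAlias"
          certificateKeystoreFile="/path/to/my/keystore.jks"
          certificateKeystorePassword="myPassword" certificateKeystoreType="JKS"/>
    </SSLHostConfig>
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  </Connector>
  <Connector SSLEnabled="false" port="8444"
      protocol="org.apache.coyote.http11.Http11NioProtocol" secure="false">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  </Connector>
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
</Service></Server>"""


def audit_connectors(server_xml: str):
    """One finding per Connector: port, whether HTTP/2 is enabled, whether it
    runs as h2 (over TLS) or h2c (cleartext), whether a certificate is
    configured, and whether ALPN can be negotiated via OpenSSL on Java 8."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        h2 = any(u.get("className") == HTTP2_PROTOCOL
                 for u in conn.findall("UpgradeProtocol"))
        ssl = conn.get("SSLEnabled", "false").lower() == "true"
        has_cert = conn.find("SSLHostConfig/Certificate") is not None
        impl = conn.get("sslImplementationName", "")
        findings.append({
            "port": conn.get("port"),
            "http2": h2,
            "mode": None if not h2 else ("h2" if ssl else "h2c"),
            "certificate_configured": has_cert,
            "alpn_via_openssl": ssl and impl == OPENSSL_IMPL,
        })
    return findings


def decode_http2_settings(header_value: str):
    """Decode the HTTP2-Settings header of an h2c upgrade request: a
    base64url-encoded SETTINGS frame payload made of 16-bit identifier /
    32-bit value pairs (RFC 7540 section 3.2.1)."""
    padded = header_value + "=" * (-len(header_value) % 4)  # header is unpadded
    payload = base64.urlsafe_b64decode(padded)
    if len(payload) % 6:
        raise ValueError("SETTINGS payload length must be a multiple of 6")
    settings = {}
    for off in range(0, len(payload), 6):
        ident, value = struct.unpack("!HI", payload[off:off + 6])
        settings[SETTING_NAMES.get(ident, f"UNKNOWN_{ident}")] = value
    return settings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
    # Value taken from the curl output above.
    print(decode_http2_settings("AAMAAABkAARAAAAAAAIAAAAA"))
```

Run against the constructed sample, port 8443 is reported as h2 with OpenSSL-backed ALPN, port 8444 as h2c, and port 8080 as having no HTTP/2 at all; the HTTP2-Settings value from the curl session decodes to MAX_CONCURRENT_STREAMS=100, INITIAL_WINDOW_SIZE=1073741824 and ENABLE_PUSH=0, which is what curl advertised before the server answered 101.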
