Tomcat:使用强密码的 TLSv1.2 不起作用 [英] Tomcat: TLSv1.2 with strong ciphers not working

问题描述

我安装了 Tomcat-7，在端口 8443 上配置了对 TLSv1.2 的支持.
我的连接器配置:
protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"

I installed Tomcat-7, configured support for TLSv1.2 on port 8443.
My Connector configuration:
protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"

然后我配置了一个我想使用的强密码列表.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

I then configured a list of strong ciphers I wanted to use. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

据我所知，Tomcat 可以使用 Java JSSE 或 OpenSSL
JSSE 协议="org.apache.coyote.http11.Http11NioProtocol"
OpenSSL 协议="org.apache.coyote.http11.Http11AprProtocol"
我的tomcat连接器配置了JSSE协议.

As I have read, Tomcat can either use Java JSSE or OpenSSL
JSSE protocol="org.apache.coyote.http11.Http11NioProtocol"
OpenSSL protocol="org.apache.coyote.http11.Http11AprProtocol"
My tomcat connector is configured with JSSE protocol.

如果我使用 SHA1 添加以下密码，它会起作用.(没有带有 SHA1 的 GCM)TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.

It works if I add the following ciphers with SHA1. (No GCM with SHA1) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.

我已经下载了 Java 加密扩展策略文件.Java 7 和 Java 8 都试过了.

I have downloaded the Java cryptographic extensions policy files. Tried with both Java 7 and Java 8.

在我安装 Cryptographic Extensions 之前，我在启动 Tomcat 时遇到以下错误

Before I installed the Cryptographic Extensions I got the following error while starting up Tomcat

INFO: Initializing ProtocolHandler ["http-nio-8443"]
mai 20, 2014 3:57:43 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory     getEnableableCiphers
WARNING: None of the ciphers specified are supported by the SSL engine :     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

根据 Java 7 文档，应该支持所有这些带有 GCM-SHA384 和 CBC-SHA384 的强密码:http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites

According to Java 7 Documentation all these strong ciphers with GCM-SHA384 and CBC-SHA384 should be supported: http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites

如果我稍微改变一下密码:

If I change the ciphers just a little bit:

INFO: Initializing ProtocolHandler ["http-nio-8443"]
mai 20, 2014 4:21:11 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory getEnableableCiphers
WARNING: None of the ciphers specified are supported by the SSL engine : TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA584,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA584,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA584,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA584

这表明我的 Tomcat/Java 支持我的密码列表.

That would indicate that that my list of ciphers are supported by my Tomcat/Java.

问题可能出在浏览器上吗?我尝试了最新的 Chromium 和 Firefox.在检查了一些提交后，我发现 Chromium 确实支持 SHA256、SHA384 和 AES-GCM.

Could the problem be with the Browser? I have tried the latest Chromium and Firefox. After checking some commits I found out that Chromium does support SHA256, SHA384 and AES-GCM.

推荐答案

发现 Chromium 和 Firefox 都不支持这些更高的密码.
可用的最强/最高密码是 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
不支持 SHA384 和 AES_256_GCM

Found out that neither Chromium nor Firefox support these higher ciphers.
The strongest/highest cipher available is TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
No support for SHA384 and no AES_256_GCM

https://www.ssllabs.com/ssltest/viewMyClient.html
密码套件(按优先顺序排列)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_RSA_WITH_RC4_128_SHA (0x5)
TLS_RSA_WITH_RC4_128_MD5 (0x4)

https://www.ssllabs.com/ssltest/viewMyClient.html
Cipher Suites (in order of preference)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_RSA_WITH_RC4_128_SHA (0x5)
TLS_RSA_WITH_RC4_128_MD5 (0x4)

这篇关于Tomcat:使用强密码的 TLSv1.2 不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！