tomcat 7 + ssl 不工作 - ERR_SSL_VERSION_OR_CIPHER_MISMATCH [英] tomcat 7 + ssl not working - ERR_SSL_VERSION_OR_CIPHER_MISMATCH
问题描述
Ubuntu 14、tomcat 7、Java 7
Ubuntu 14, tomcat 7, java 7
our.crt、our.key 和 gd_bundle-g2-g1.crt 由 Godaddy 提供.捆绑包中有 3 个证书(通过查看文件可以看到).
our.crt, our.key and gd_bundle-g2-g1.crt supplied by godaddy. The bundle has 3 certs in it (as seen by vi'ing the file).
注意,我们的 key 和 crt 在 node.js 上使用没有问题.
Note, our key and crt were used on node.js without issue.
我们因此从现有的 crt 创建了一个密钥库:
we created a keystore from the existing crt thusly:
cd /etc/ssl
openssl pkcs12 -export -in our.crt -inkey our.key -out our.p12 -name tomcat -CAfile gd_bundle-g2-g1.crt -caname root -chain
server.xml 是这样的:
The server.xml is this:
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
URIEncoding="UTF-8"
redirectPort="8443" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="200" scheme="https" secure="true"
keystoreType="PKCS12"
keystoreFile="/etc/ssl/our.p12" keystorePass=""
clientAuth="false" sslProtocol="TLS" />
- Tomcat 启动时没有任何错误.
- Web 应用程序在端口 80 上运行良好.
- 服务器没有运行固件.
我们设置了从 443 到 8443 的本地重定向:
We setup a local redirect from 443 to 8443:
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
然后尝试https://www.ourserver.com/ourapp
Chrome 提供:ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Chrome gives: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
在本地机器上运行的 curl 示例:
curl examples running on local machine:
curl -Iv https://www.ourserver.com:8443
* Rebuilt URL to: https://www.ourserver.com:8443/
* Hostname was NOT found in DNS cache
* Trying 1xxxxxxxx...
* Connected to www.ourserver.com (1xxxx) port 8443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
有什么想法吗?
更新 1
我尝试在新服务器上设置新的 tomcat 7,并安装了新的证书副本,但遇到了同样的错误.
I tried setting up a new tomcat 7 on a new server, and installed a fresh copy of the certs, and got the same error.
推荐答案
尝试将 ciphers
属性添加到连接器标签中,例如
Try adding ciphers
attribute into your connector tag like
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
如果这没有帮助,请尝试将您的协议属性从 protocol="HTTP/1.1"
更改为 protocol="org.apache.coyote.http11.Http11Protocol"
If this not help then try changing your protocol attribute from protocol="HTTP/1.1"
to protocol="org.apache.coyote.http11.Http11Protocol"
更多参考见
这篇关于tomcat 7 + ssl 不工作 - ERR_SSL_VERSION_OR_CIPHER_MISMATCH的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!