Tomcat 7 的 Diffie-Hellman 公钥错误 [英] Diffie-Hellman public key error with Tomcat 7
问题描述
我成功设置了两台带有 Tomcat 和 SSL 证书的 Ubuntu 机器.我对 Centos 6 执行了完全相同的程序,但是当我尝试连接到服务器时(使用 Opera),我得到了这个:
I successfully set up two Ubuntu machines with Tomcat and SSL certificates. I followed exactly the same procedure with Centos 6, but I'm getting this when I'm trying to connect to the Server (using Opera):
服务器有一个弱的、短暂的 Diffie-Hellman 公钥
Server has a weak, ephemeral Diffie-Hellman public key
连接器如下,catalina.log中没有错误:
The connector is the following, and there are no errors in catalina.log:
<Connector port="some port number"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="path to jks"
keystoreType="JKS"
keystorePass="mypass1"
keyPass="mypass2" />
使用 Firefox,我收到了不受信任的通信错误.
With Firefox, I get the untrusted communication error.
推荐答案
对我来说,在 conf/server.xml 中将允许的密码列表添加到 Tomcat 配置以禁用弱 Diffie-Hellman 密码后,它就起作用了:
For me it worked after adding a list of allowed ciphers to the Tomcat configuration in conf/server.xml to disable the weak Diffie-Hellman ciphers:
<Connector
...
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
...
这篇关于Tomcat 7 的 Diffie-Hellman 公钥错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!