Diffie-Hellman public key error with Tomcat 7

Question

I successfully set up two Ubuntu machines with Tomcat and SSL certificates. I followed exactly the same procedure with CentOS 6, but I'm getting this when I'm trying to connect to the server (using Opera):

Server has a weak, ephemeral Diffie-Hellman public key

The connector is the following, and there are no errors in catalina.log:

    <Connector port="some port number"
               protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="path to jks"
               keystoreType="JKS"
               keystorePass="mypass1"
               keyPass="mypass2" />

With Firefox, I get the untrusted communication error.

Accepted answer

For me it worked after adding a list of allowed ciphers to the Tomcat configuration in conf/server.xml to disable the weak Diffie-Hellman ciphers:

    <Connector
        ...
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
        ...
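The browser error in the question is raised when the server negotiates a finite-field DHE suite whose DH parameters are shorter than the browser accepts (under 1024 bits), which is what older JVM defaults produce; the answer's fix removes those suites from the Connector. As an added example (not code from the question, the answer or Tomcat itself), the following Python script parses a server.xml and flags SSL connectors that either leave `ciphers` unset, so the JVM's default suite list with its TLS_DHE_* entries applies, or explicitly list a finite-field DH or otherwise weak suite. The server.xml embedded in it is constructed, and it only understands the comma-separated JSSE suite names shown in the answer.

```python
import re
import xml.etree.ElementTree as ET

# Suite-name patterns that should not appear in a hardened Tomcat 7 ciphers list.
# Finite-field DHE suites (TLS_DHE_* / TLS_DH_*) are the ones behind the browser
# error: their DH parameters come from JVM defaults, which older JVMs set below 1024 bits.
WEAK_PATTERNS = [
    (re.compile(r"^(TLS|SSL)_DHE?_(RSA|DSS)_"), "finite-field DH key exchange"),
    (re.compile(r"_DH_anon_"), "anonymous DH, no server authentication"),
    (re.compile(r"_EXPORT"), "export-grade cipher"),
    (re.compile(r"_NULL_"), "NULL cipher, no confidentiality"),
    (re.compile(r"_RC4_"), "RC4 stream cipher"),
    (re.compile(r"_(DES|3DES)_"), "DES or 3DES"),
]


def audit_connector(connector):
    """Return a list of findings for one SSL-enabled <Connector> element."""
    findings = []
    ciphers_attr = connector.get("ciphers")
    if not ciphers_attr:
        # Without a ciphers attribute Tomcat 7 uses the JVM's default enabled suites.
        findings.append("no ciphers attribute: JVM default suite list (includes TLS_DHE_*) is used")
        return findings
    for suite in (s.strip() for s in ciphers_attr.split(",") if s.strip()):
        for pattern, reason in WEAK_PATTERNS:
            if pattern.search(suite):
                findings.append(f"{suite}: {reason}")
                break
    return findings


def audit_server_xml(xml_text):
    """Audit every SSLEnabled connector in a server.xml; returns {port: [findings]}."""
    root = ET.fromstring(xml_text)
    return {
        c.get("port"): audit_connector(c)
        for c in root.iter("Connector")
        if c.get("SSLEnabled", "false").lower() == "true"
    }


# Constructed sample server.xml: 8443 relies on JVM defaults, 9443 lists a DHE suite.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
             keystoreFile="path to jks" keystorePass="changeit"/>
  <Connector port="9443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
</Service></Server>"""
```

Running `audit_server_xml(open("conf/server.xml").read())` on a real installation returns an empty list for a connector whose cipher list matches the answer's ECDHE/RSA-only set.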
