Diffie-Hellman public key error with Tomcat 7
Question
I successfully set up two Ubuntu machines with Tomcat and SSL certificates. I followed exactly the same procedure with Centos 6, but I'm getting this when I'm trying to connect to the Server (using Opera):
Server has a weak, ephemeral Diffie-Hellman public key
The connector is the following, and there are no errors in catalina.log:
<Connector port="some port number"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="path to jks"
keystoreType="JKS"
keystorePass="mypass1"
keyPass="mypass2" />
With Firefox, I get the untrusted communication error.
Recommended answer
For me it worked after adding a list of allowed ciphers to the Tomcat configuration in conf/server.xml to disable the weak Diffie-Hellman ciphers:
<Connector
...
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
...
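The answer above works by pinning an explicit cipher list so that no finite-field Diffie-Hellman (TLS_DHE_*) suite is ever negotiated, while the asker's connector has no ciphers attribute at all and therefore falls back to the JVM's default list and default ephemeral DH key size, which current browsers reject when it is too short. The following script is an added example (not from the question, the answer, or Tomcat itself) that audits the SSL-enabled connectors in a server.xml and flags exactly that condition: a missing cipher list, or a list that still contains finite-field DH suites. The server.xml fragment inside it is constructed for illustration; the port numbers, keystore path and cipher lists are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (assumption: illustrative only, not the asker's real file).
# Connector 8443 mirrors the question: SSL enabled, no ciphers attribute.
# Connector 8444 has an explicit list that still includes a TLS_DHE_ suite.
# Connector 8080 is plain HTTP and must be ignored by the audit.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/keystore.jks" keystoreType="JKS" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

# Finite-field Diffie-Hellman suite families: static DH (TLS_DH_RSA_...),
# ephemeral DHE (TLS_DHE_...) and anonymous DH (TLS_DH_anon_...).
# ECDHE suites do not match because they start with TLS_ECDHE_.
FFDH_PREFIXES = ("TLS_DH_", "TLS_DHE_", "SSL_DH_", "SSL_DHE_")


def split_ciphers(value):
    """Split Tomcat's comma-separated ciphers attribute into a clean list."""
    return [c.strip() for c in value.split(",") if c.strip()]


def is_ffdh_suite(name):
    """True for any finite-field DH suite, False for ECDHE and plain RSA suites."""
    return name.startswith(FFDH_PREFIXES)


def without_ffdh(ciphers):
    """Return the list with every finite-field DH suite removed, order preserved."""
    return [c for c in ciphers if not is_ffdh_suite(c)]


def audit_connectors(xml_text):
    """Audit every SSLEnabled Connector and report its exposure to weak DH.

    Each finding carries: port, the parsed cipher list (None when the attribute
    is absent), the finite-field DH suites found, and a status string.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to audit
        port = conn.get("port")
        ciphers_attr = conn.get("ciphers")
        if ciphers_attr is None:
            # No explicit list: the JVM default suite list applies, which on
            # older JDKs includes finite-field DHE suites using default DH params.
            findings.append({
                "port": port,
                "ciphers": None,
                "ffdh_suites": [],
                "status": "review: no ciphers attribute, JVM defaults apply",
            })
            continue
        ciphers = split_ciphers(ciphers_attr)
        ffdh = [c for c in ciphers if is_ffdh_suite(c)]
        findings.append({
            "port": port,
            "ciphers": ciphers,
            "ffdh_suites": ffdh,
            "status": "weak-dh-exposed" if ffdh else "ok",
        })
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {f['port']}: {f['status']}")
        if f["ffdh_suites"]:
            print("  finite-field DH suites:", ", ".join(f["ffdh_suites"]))
            print("  suggested ciphers=", ",".join(without_ffdh(f["ciphers"])))
```

Running it against a real conf/server.xml (read the file and pass its contents to audit_connectors) gives a quick way to confirm, after applying the answer's change, that every SSL-enabled connector carries an explicit list and that none of the entries begin with TLS_DH; the "review" status is the condition the question's connector is in, and "weak-dh-exposed" is what an explicit list that still mixes in DHE suites would show.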