Tomcat: Unable to make HTTPS site
I am trying to make an intranet portal secure (https). I have added the certificate, the keystore and the port redirection. Here is the Tomcat server.xml configuration entry.
Tomcat server.xml entry
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
keystoreFile="conf/certificates.jks" keystorePass="testpassword"
clientAuth="false" sslProtocol="TLS" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" />
Problem faced:
Google Chrome browser
This site can’t provide a secure connection
XXXXXXXX.XXXXXX.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.
I don't know the root cause.
I suspect the problem is that you got your configuration from some old source and, because of the various attacks on SSL/TLS discovered over the years, it is no longer considered secure. See POODLE and WeakDH for some examples. (Particularly TLS_ECDHE_RSA_WITH_RC4_128_SHA in your list is not considered safe now, but there are probably many more.) Please try a stronger configuration from the OWASP wiki Tomcat page or from the WeakDH sysadmin reference page.
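A quick way to see concretely what the answer is pointing at, as an added example that is not part of the question or the answer: this Python script parses the Connector element posted in the question, flags every cipher suite and protocol version that is no longer considered safe, and then runs the same check over a hardened connector. The classification rules (RC4, DES/3DES, MD5, NULL, export and anonymous suites as broken; suites without ECDHE/DHE key exchange, in CBC mode or with a SHA-1 MAC as weak; SSLv2/SSLv3/TLSv1/TLSv1.1 as deprecated) and the hardened suite list are this example's own choices, not the OWASP or WeakDH recommendations the answer refers to. It assumes the JSSE-style suite names and the connector-attribute layout used in the question.

```python
"""Lint the TLS settings of a Tomcat <Connector> element.

Added example: classifies the cipher suites and protocol versions found in
the `ciphers` and `sslEnabledProtocols` attributes. The rules below are this
example's own assumptions, chosen to match the concerns in the answer above.
"""
import xml.etree.ElementTree as ET

# Connector copied from the question, used here as sample input.
SAMPLE_CONNECTOR = """<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
keystoreFile="conf/certificates.jks" keystorePass="testpassword"
clientAuth="false" sslProtocol="TLS" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" />"""

# Constructed hardened variant (this example's choice, not an official recommendation):
# TLS 1.2 only, ECDHE key exchange, AEAD (GCM) suites only.
HARDENED_CONNECTOR = """<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
keystoreFile="conf/certificates.jks" keystorePass="testpassword"
clientAuth="false" sslProtocol="TLS"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
sslEnabledProtocols="TLSv1.2" />"""

# Substrings that mark a suite as broken: the primitive itself is no longer trusted.
BROKEN_MARKERS = ("RC4", "_NULL_", "EXPORT", "_DES_", "3DES", "MD5", "_ANON_")
# SSL 2/3 and TLS 1.0/1.1 (the latter two deprecated by RFC 8996).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def classify_suite(name):
    """Return (severity, reasons) for one JSSE-style cipher suite name."""
    upper = name.upper()
    reasons = []
    if any(marker in upper for marker in BROKEN_MARKERS):
        reasons.append("broken primitive")
        return "broken", reasons
    if upper.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        # TLS 1.3 suites: AEAD ciphers with ephemeral key exchange built into the protocol.
        return "ok", reasons
    if not upper.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        reasons.append("no forward secrecy")   # static RSA/DH key exchange
    if "_CBC_" in upper:
        reasons.append("CBC mode")             # padding-oracle class of attacks
    if upper.endswith("_SHA"):
        reasons.append("SHA-1 MAC")
    return ("weak" if reasons else "ok"), reasons


def lint_connector(xml_text):
    """Parse a single <Connector ... /> element and report its TLS findings."""
    element = ET.fromstring(xml_text)
    suites = [s.strip() for s in element.get("ciphers", "").split(",") if s.strip()]
    protocols = [p.strip() for p in element.get("sslEnabledProtocols", "").split(",") if p.strip()]
    report = {"broken": {}, "weak": {}, "ok": [], "deprecated_protocols": []}
    for suite in suites:
        severity, reasons = classify_suite(suite)
        if severity == "ok":
            report["ok"].append(suite)
        else:
            report[severity][suite] = reasons
    report["deprecated_protocols"] = [p for p in protocols if p in DEPRECATED_PROTOCOLS]
    return report


def is_clean(report):
    """True when nothing broken, weak or deprecated was found."""
    return not (report["broken"] or report["weak"] or report["deprecated_protocols"])


if __name__ == "__main__":
    for label, xml_text in (("posted", SAMPLE_CONNECTOR), ("hardened", HARDENED_CONNECTOR)):
        r = lint_connector(xml_text)
        print(f"{label}: broken={sorted(r['broken'])} weak={len(r['weak'])} "
              f"ok={len(r['ok'])} deprecated protocols={r['deprecated_protocols']}")
        for suite, reasons in {**r["broken"], **r["weak"]}.items():
            print(f"  {suite}: {', '.join(reasons)}")
```

Run against the posted connector, every one of the ten suites is flagged (two RC4 suites as broken, the remaining eight as CBC and/or static-RSA) and both TLSv1.1 and TLSv1 are reported as deprecated, while the hardened connector comes back clean. The script only understands the JSSE suite names and connector-attribute form shown in the question; an OpenSSL-syntax `ciphers` string or the nested `<SSLHostConfig>` layout of newer Tomcat releases would need different parsing.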