ERR_SSL_VERSION_OR_CIPHER_MISMATCH

时间:2015-05-21 23:33:40

标签: tomcat encryption cryptography public-key-encryption

由于ERR_SSL_VERSION_OR_CIPHER_MISMATCH,对Java 1.6.0_21上运行Tomcat 6.0.32的内部网站的HTTPS访问最近停止了。这些网站使用自签名证书:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: aaa
Creation date: Oct 1, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=aa, OU=bb, O=cc, L=dd, ST=Ontario, C=CA
Issuer: CN=aa, OU=bb, O=cc, L=dd, ST=Ontario, C=CA
Serial number: 524b2c29
Valid from: Tue Oct 01 16:10:17 EDT 2013 until: Sun Jun 26 16:10:17 EDT 2016
Certificate fingerprints:
         MD5:  93:C4:69:A9:E2:0B:5A:3E:CE:08:E1:3C:1A:06:22:6A
         SHA1: 12:EA:64:29:F6:82:65:2C:0A:28:24:DA:35:B6:F1:29:1E:43:87:D9
         Signature algorithm name: SHA1withDSA
         Version: 3


*******************************************
*******************************************

我在这些服务器上进行了nmap扫描,发现Tomcat提供了以下密码套件:

    PORT     STATE SERVICE
    8443/tcp open  https-alt
    | ssl-cert: Subject: commonName=<some_CN>    
    | Issuer: commonName=<some_CN>
    | Public Key type: dsa
    | Public Key bits: 1024
    | Not valid before: 2013-10-01T19:10:17+00:00
    | Not valid after:  2016-06-26T19:10:17+00:00
    | MD5:   93c4 69a9 e20b 5a3e ce08 e13c 1a06 226a
    |_SHA-1: 12ea 6429 f682 652c 0a28 24da 35b6 f129 1e43 87d9
    | ssl-enum-ciphers: 
    |   SSLv3: 
    |     ciphers: 
    |       TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - weak
    |       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_DHE_DSS_WITH_AES_128_CBC_SHA - strong
    |       TLS_DHE_DSS_WITH_DES_CBC_SHA - weak
    |     compressors: 
    |       NULL
    |   TLSv1.0: 
    |     ciphers: 
    |       TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - weak
    |       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_DHE_DSS_WITH_AES_128_CBC_SHA - strong
    |       TLS_DHE_DSS_WITH_DES_CBC_SHA - weak
    |     compressors: 
    |       NULL
    |_  least strength: weak

Qualys SSL客户端测试显示我的IE11浏览器支持26个密码套件。其中之一是:

TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)   Forward Secrecy(see footnote)  128 

footnote: Cannot be used for Forward Secrecy because they require DSA keys, which are effectively limited to 1024 bits.

这个密码套件是否与Tomcat上的“TLS_DHE_DSS_WITH_AES_128_CBC_SHA - strong”匹配?我认为Forward Secrecy脚注无关紧要(这不是强制性的)。

对于协议,我的IE配置支持SSL3.0以及TLS1.0,1.1,1.2。

似乎没有理由要ERR_SSL_VERSION_OR_CIPHER_MISMATCH。 有什么想法吗?

1 个答案:

答案 0 :(得分:2)

是的,因为您当前正在使用DSA公钥,因此需要(生成新的密钥对/证书),该公钥由以下行显示:

| Public Key type: dsa

RSA密码套件不能使用它们,因为它使用RSA加密会话密钥。 RSA和DSA密钥不兼容。

相关问题
最新问题