I am trying to enable SSL in Tomcat. But when I start Tomcat and go to https://localhost:8443, I see
An error occurred during a connection to localhost:8443.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
For this I used CA.sh to generate a private key and a signed certificate, as follows:
progerlaptop:/usr/share/ssl/misc # ./CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
................................++++++
.............................................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: pass
Verifying - Enter PEM pass phrase: pass
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Chernihiv
Locality Name (eg, city) []:Chernihiv
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University
Organizational Unit Name (eg, section) []:student
Common Name (eg, YOUR name) []:localhost
Email Address []:proger@localhost
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c6:55:7e:58:1b:4d:9c:7e
Validity
Not Before: Nov 25 13:17:31 2010 GMT
Not After : Nov 24 13:17:31 2013 GMT
Subject:
countryName = UK
stateOrProvinceName = Chernihiv
organizationName = University
organizationalUnitName = student
commonName = localhost
emailAddress = proger@localhost
X509v3 extensions:
X509v3 Subject Key Identifier:
C7:98:1E:68:A7:3A:C4:B2:46:C8:88:99:C8:D5:CA:66:D3:94:23:66
X509v3 Authority Key Identifier:
keyid:C7:98:1E:68:A7:3A:C4:B2:46:C8:88:99:C8:D5:CA:66:D3:94:23:66
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Nov 24 13:17:31 2013 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
progerlaptop:/usr/share/ssl/misc # ./CA.sh -newreq
Generating a 1024 bit RSA private key
............++++++
.........................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: pass
Verifying - Enter PEM pass phrase: pass
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Chernihiv
Locality Name (eg, city) []:Chernihiv
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University
Organizational Unit Name (eg, section) []:student
Common Name (eg, YOUR name) []:localhost
Email Address []:proger@localhost
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
progerlaptop:/usr/share/ssl/misc # CA.sh -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: pass
...
Sign the certificate? [y/n]:y
...
Signed certificate is in newcert.pem
Copied the key and certificate into my Tomcat directory:
cp newcert.pem newkey.pem /path/to/tomcat-6.0.29/ssl/
Added the connector to my server.xml:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
SSLEngine="on"
SSLCertificateFile="${catalina.base}/ssl/newcert.pem"
SSLCertificateKeyFile="${catalina.base}/ssl/newkey.pem"
SSLPassword="pass"/>
Then I started it with catalina.sh run.
When I go to https://localhost:8443/ I see that nasty error.
Where did I go wrong?
Thanks in advance
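A note on what that Firefox message actually means, as an added illustration that is not part of the question or of any answer here. A TLS client reads a 5-byte record header from the server (content type, version, length). If the port it connected to is really a plain HTTP connector, the reply is ASCII text, and the first five bytes of "HTTP/..." decode as an unknown content type with a length far above the TLS record maximum, which NSS reports as ssl_error_rx_record_too_long. The code below (mine; the constructed replies and the hypothetical probe helper are not from the thread) shows that decoding and, for a reachable host, sends a minimal ClientHello and classifies what comes back.

```python
"""Why a TLS client reports "record too long" against a port that speaks plain HTTP.

Added example, not code from the question or any answer. A TLS client reads a
5-byte record header from the server: content type (1 byte), version (2 bytes),
record length (2 bytes, big-endian). A Tomcat connector on which TLS was never
enabled answers the ClientHello with text such as "HTTP/1.1 400 Bad Request";
parsed as a record header those ASCII bytes yield an unknown content type and a
length far above the TLS maximum.
"""
import os
import socket
import struct
from dataclasses import dataclass

# 2^14 plaintext bytes plus the expansion TLS 1.2 permits for compression/MAC (RFC 5246 s6.2.3).
TLS_MAX_RECORD = 2 ** 14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


@dataclass
class Verdict:
    kind: str    # "tls", "plaintext_http" or "unknown"
    detail: str


def classify_server_reply(first_bytes: bytes) -> Verdict:
    """Interpret the first bytes a server sent back after our ClientHello."""
    if len(first_bytes) < 5:
        return Verdict("unknown", "fewer than 5 bytes received (connection closed?)")
    ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    if ctype in CONTENT_TYPES and major == 3 and length <= TLS_MAX_RECORD:
        return Verdict("tls", f"{CONTENT_TYPES[ctype]} record, version 3.{minor}, length {length}")
    if first_bytes.startswith(b"HTTP/"):
        return Verdict(
            "plaintext_http",
            f"server spoke plaintext HTTP; read as a TLS header the bytes claim content type "
            f"{ctype:#x}, version {major}.{minor} and length {length} > {TLS_MAX_RECORD}, "
            f"which is the 'record too long' condition",
        )
    return Verdict("unknown", f"first bytes {first_bytes[:5].hex()} are neither TLS nor HTTP")


def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello inside a TLS 1.0 record layer (no extensions)."""
    body = (
        b"\x03\x03" + os.urandom(32) + b"\x00"        # client_version, random, empty session id
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x2f"  # two cipher suites: ECDHE-RSA-AES128-GCM-SHA256, RSA-AES128-SHA
        + b"\x01\x00"                                 # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def probe(host: str, port: int, timeout: float = 3.0) -> Verdict:
    """Hypothetical helper: connect, send the ClientHello, classify the reply. Needs a reachable host."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(5)
        except socket.timeout:
            reply = b""
    return classify_server_reply(reply)


if __name__ == "__main__":
    # Constructed inputs: a ServerHello record header and a plaintext HTTP reply.
    print(classify_server_reply(b"\x16\x03\x03\x00\x4a\x02\x00\x00\x46"))
    print(classify_server_reply(b"HTTP/1.1 400 Bad Request\r\n"))
```

Running `probe("localhost", 8443)` against a connector that was never switched to TLS gives the plaintext_http verdict (or "unknown" if the connector simply closes the socket); against a working connector it reports a handshake or alert record. The same check can be done by hand with `openssl s_client -connect localhost:8443`, which prints the stray HTTP text it received.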
Answer 0 (score: 4)
Answer 1 (score: 0)
It looks like you are using APR / OpenSSL for https, in which case SSLEngine="on" is correct.
Have you installed libtcnative?
Assuming Tomcat 6: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
Quick steps:
tar zxf tomcat-native-1.1.20-src.tar.gz
cd tomcat-native-1.1.20-src/jni/native/
./configure --with-apr=/usr/bin/apr-1-config --with-ssl=yes
make && make install
cd /usr/java/default/jre/lib/amd64/
ln -s /usr/local/apr/lib/libtcnative-1.so
When you start Tomcat you must see this line in your catalina.out:
INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
The alternative is to use JSSE and add the certificate/key to a Java keystore (a .keystore file). I find Java keystores painful to work with, so I usually go with APR.
Answer 2 (score: 0)
I ran into the same problem. I solved it by adding protocol="org.apache.coyote.http11.Http11NioProtocol" to the connector.
Answer 3 (score: 0)
I hope you have the keystore file on your machine.
Make sure it is in the server.xml file and refer to this link, it may help you:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
keystoreFile="/../../../Tomcat/mycert.jks"
clientAuth="false" sslProtocol="TLS" />
Answer 4 (score: 0)
I managed to solve this by changing the port value. 443 is reserved, so I used 1443, restarted Tomcat and it worked.
My Connector is:
<Connector port="1443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="D:/path_to_ca.jks"
keystorePass="somePass" />
The URL is now:
https://localhost:1443/index.jsp
Cheers!
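The connectors posted in this thread differ in one attribute that decides whether port 8443 speaks TLS at all. Below is an added example, my own code rather than anything from the question or the answers: a small lint over the Connector elements of a server.xml. Its checks rest on Tomcat 6's connector documentation (SSLEnabled="true" turns TLS on for a connector and defaults to false; an APR/OpenSSL connector takes SSLCertificateFile and SSLCertificateKeyFile; a JSSE connector takes keystoreFile, with keystorePass defaulting to "changeit"). The sample server.xml is constructed from the thread's connectors; answer 3's connector is given port 9443 here only so the ports stay unique.

```python
"""Lint the <Connector> elements of a Tomcat server.xml for the mistakes this thread turns on.

Added example, not code from the question or any answer. Checks (mine, based on
Tomcat 6's connector documentation):
  * a connector meant for TLS (scheme="https") must also set SSLEnabled="true";
    without it the connector serves plaintext HTTP on that port
  * an APR/OpenSSL connector needs SSLCertificateFile and SSLCertificateKeyFile
  * a JSSE connector needs keystoreFile, and keystorePass falls back to "changeit"
"""
import xml.etree.ElementTree as ET

# Constructed sample built from the connectors posted in the thread.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <!-- A: the question's connector, APR attributes but no SSLEnabled -->
    <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true" SSLEngine="on"
               SSLCertificateFile="${catalina.base}/ssl/newcert.pem"
               SSLCertificateKeyFile="${catalina.base}/ssl/newkey.pem"
               SSLPassword="pass"/>
    <!-- B: answer 4's connector, JSSE keystore with SSLEnabled set -->
    <Connector port="1443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreFile="D:/path_to_ca.jks"
               keystorePass="somePass"/>
    <!-- C: answer 3's connector (port changed to 9443 here), keystore but no SSLEnabled, no keystorePass -->
    <Connector port="9443" scheme="https" secure="true"
               keystoreFile="/../../../Tomcat/mycert.jks" clientAuth="false" sslProtocol="TLS"/>
    <!-- D: plain HTTP, nothing to check -->
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def is_true(value) -> bool:
    return value is not None and value.strip().lower() == "true"


def lint_connectors(server_xml: str) -> dict:
    """Return {port: [problem, ...]} for every connector that is meant to serve TLS but is misconfigured."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        a = conn.attrib
        port = int(a.get("port", "0"))
        # A connector is "meant for TLS" if it says so via scheme or SSLEnabled.
        if a.get("scheme") != "https" and not is_true(a.get("SSLEnabled")):
            continue
        problems = []
        if not is_true(a.get("SSLEnabled")):
            problems.append(f'SSLEnabled="true" missing: port {port} will answer in plaintext HTTP '
                            "(the browser then shows ssl_error_rx_record_too_long)")
        # SSLEngine belongs to the AprLifecycleListener in Tomcat 6; on a Connector it is taken
        # here only as a hint that the APR/OpenSSL form was intended.
        apr = any(k in a for k in ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLEngine"))
        jsse = "keystoreFile" in a
        if apr and not ("SSLCertificateFile" in a and "SSLCertificateKeyFile" in a):
            problems.append("APR connector needs both SSLCertificateFile and SSLCertificateKeyFile")
        if jsse and "keystorePass" not in a:
            problems.append('keystoreFile without keystorePass: Tomcat will try the default "changeit"')
        if not apr and not jsse:
            problems.append("no certificate material: neither SSLCertificateFile/KeyFile (APR) nor keystoreFile (JSSE)")
        if problems:
            findings[port] = problems
    return findings


if __name__ == "__main__":
    for port, problems in lint_connectors(SAMPLE_SERVER_XML).items():
        for problem in problems:
            print(f"port {port}: {problem}")
```

To run it against a real installation, read the file and pass its text in: `lint_connectors(open("/path/to/tomcat-6.0.29/conf/server.xml").read())`. Connector A (the question's) is reported only for the missing SSLEnabled; its certificate attributes are complete, which matches the symptom in the question: the connector starts fine and serves HTTP, not TLS, on 8443.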