I have created a certificate with OpenSSL:

```
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key
openssl req -new -key server.key -out server.csr
keytool -import -trustcacerts -alias server.key -file server.crt -keystore
```

and put keystore.jks in ${catalina.home}/lib/.
server.xml:

```
<Connector port="9002"
           maxHttpHeaderSize="8192"
           maxPostSize="4194304"
           maxThreads="150"
           protocol="org.apache.coyote.http11.Http11Protocol"
           executor="hybrisExecutor"
           enableLookups="false"
           acceptCount="100"
           connectionTimeout="20000"
           disableUploadTimeout="true"
           URIEncoding="UTF-8"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           keystoreFile="${catalina.home}/lib/keystore.jks"
           keystorePass="123456" />
```
In Chrome it shows the following error:

> This site can’t provide a secure connection 13.236.191.242 uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH Unsupported protocol The client and server don't support a common SSL protocol version or cipher suite.
```
curl -Iv https://11.231.191.212:9001/
Trying 11.231.191.212...
TCP_NODELAY set
Connected to 11.231.191.212 (11.231.191.212) port 9001 (#0)
schannel: SSL/TLS connection with 11.231.191.212 port 9001 (step 1/3)
schannel: checking server certificate revocation
schannel: using IP address, SNI is not supported by OS.
schannel: sending initial handshake data: sending 156 bytes...
schannel: sent initial handshake data: sent 156 bytes
schannel: SSL/TLS connection with 11.231.191.212 port 9001 (step 2/3)
schannel: failed to receive handshake, need more data
```
Answer 0 (score: 1)

The problem was that I was creating a self-signed certificate with OpenSSL, but when the certificate is generated from the Java keystore it works fine.

```
keytool.exe -genkey -alias tomcat -keyalg RSA -keystore c:\tomcatkeys
```

OpenSSL and the keystore produce certificates in different file formats; you can see the difference at the link below. https://security.stackexchange.com/questions/98282/difference-between-openssl-and-keytool
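Added example, not code from either post: the OpenSSL-only route carried through to a keystore Tomcat can use. The question's `keytool -import -trustcacerts` stores a trusted certificate with no private key, and a connector whose keystore has no key entry cannot finish negotiating any cipher suite, which is what ERR_SSL_VERSION_OR_CIPHER_MISMATCH reports; a PKCS12 bundle carries key and certificate together. It assumes only the openssl CLI; the file names, the alias `tomcat` and the password are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a Tomcat keystore with
# OpenSSL alone, in PKCS12 format, so key and certificate share one entry.
set -eu

# Usage: make_tomcat_keystore <out_dir> <common_name> <password>
# Produces <out_dir>/keystore.p12 holding alias "tomcat" (names are placeholders).
make_tomcat_keystore() {
  dir=$1; cn=$2; pass=$3
  mkdir -p "$dir"
  # Unencrypted 2048-bit RSA key (same result as the genrsa + rsa -in/-out pair).
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  # CSR, then the self-signing step that actually produces server.crt.
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=$cn" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
  # Bundle key + certificate into one PKCS12 entry; Tomcat reads it directly
  # with keystoreType="PKCS12", no keytool round-trip needed.
  openssl pkcs12 -export -name tomcat \
    -inkey "$dir/server.key" -in "$dir/server.crt" \
    -out "$dir/keystore.p12" -passout "pass:$pass"
}

# Returns 0 when the keystore holds a private key (what a TLS connector needs),
# 1 when it holds certificates only (what `keytool -import -trustcacerts` yields).
keystore_has_private_key() {
  file=$1; pass=$2
  openssl pkcs12 -in "$file" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# Prints the subject CN of the certificate in the keystore, e.g. "localhost".
keystore_cert_cn() {
  file=$1; pass=$2
  openssl pkcs12 -in "$file" -passin "pass:$pass" -nokeys 2>/dev/null \
    | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}
```

In server.xml, point keystoreFile at keystore.p12 and add keystoreType="PKCS12"; keystore_has_private_key is the check to run before restarting Tomcat.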