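I want to set up Tomcat 7.0.70 to support only TLS 1.2, with the ciphers "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" and "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384".
It works at first: clients can connect to the server with TLS 1.2 and the ciphers in the list. But at some point the server fails: it cannot find a cipher and throws the error "handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common". After that, all sessions to the server fail and it needs to be restarted.
What should I do?
Here is the server's Tomcat configuration: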
<Connector port="8743" maxHttpHeaderSize="8192"
maxThreads="300" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
clientAuth="false" sslEnabledProtocols="TLSv1.2" algorithm="ibmX509"
keystoreFile="test.kdb"
keystorePass="pass123" keyAlias="testserver" protocol="org.apache.coyote.http11.Http11Protocol"
/>
IBM Java version:
java version "1.7.0"
Java(TM) SE Runtime Environment (build pap6470_27sr3fp50-20160720_02(SR3fp50))
IBM J9 VM (build 2.7, JRE 1.7.0 AIX ppc64-64 Compressed References 20160630_309914 (JIT enabled, AOT enabled)
J9VM - R27_Java727_SR3_20160630_1516_B309914
JIT - tr.r13.java_20160629_120282
GC - R27_Java727_SR3_20160630_1516_B309914_CMPRSS
J9CL - 20160630_309914)
JCL - 20160719_01 based on Oracle jdk7u111-b13
catalina.out for a successful handshake:
Is initial handshake: true
http-bio-8643-Acceptor-0, setSoTimeout(60000) called
http-bio-8643-exec-4, READ: TLSv1.2 Handshake, length = 155
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1536702997 bytes = { 94, 89, 202, 236, 227, 183, 25, 109, 253, 230, 136, 11, 11, 207, 239, 167, 50, 71, 16, 79, 227, 157, 111, 0, 142, 123, 218, 192 }
Session ID: {}
Cipher Suites: [SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Unsupported extension status_request, data: 01:00:00:00:00
Extension elliptic_curves, curve names: {secp256r1, secp384r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA256withRSA, SHA384withRSA, SHA1withRSA, SHA256withECDSA, SHA384withECDSA, SHA1withECDSA, SHA1withDSA
Unsupported extension type_23, data:
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
***
%% Initialized: [Session-28, SSL_NULL_WITH_NULL_NULL]
ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseServerAlias tscocms
ssl: ServerHandshaker.setupPrivateKeyAndChain, return true
JsseJCE: Using KeyPairGenerator EC from provider TBD via init
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.7
JsseJCE: Using KeyPairGenerator EC from provider TBD via init
ECDHCrypt: ECDH KeyPairGenerator from provider from init IBMJCE version 1.7
%% Negotiating: [Session-28, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
JsseJCE: Using MessageDigest SHA-384 from provider IBMJCE version 1.7
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1536702997 bytes = { 112, 126, 136, 95, 1, 82, 16, 96, 193, 108, 96, 167, 223, 41, 77, 44, 174, 150, 183, 148, 138, 74, 4, 122, 147, 200, 248, 87 }
Session ID: {92, 152, 58, 21, 79, 152, 52, 1, 57, 15, 18, 124, 118, 31, 40, 56, 187, 69, 34, 10, 82, 137, 103, 223, 41, 16, 43, 103, 198, 89, 110, 1}
Cipher Suite: SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Compression Method: 0
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
Extension ec_point_formats, formats: [uncompressed]
***
Cipher suite: SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
*** Certificate chain
catalina.out for a failed handshake:
Is initial handshake: true
http-bio-8643-Acceptor-0, setSoTimeout(60000) called
http-bio-8643-exec-4, READ: TLSv1.2 Handshake, length = 157
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1536704686 bytes = { 146, 106, 126, 204, 231, 40, 0, 170, 158, 141, 60, 154, 6, 227, 214, 131, 0, 148, 49, 22, 56, 85, 197, 9, 239, 193, 154, 47 }
Session ID: {}
Cipher Suites: [SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Unsupported extension status_request, data: 01:00:00:00:00
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA256withRSA, SHA384withRSA, SHA1withRSA, SHA256withECDSA, SHA384withECDSA, SHA1withECDSA, SHA1withDSA
Unsupported extension type_23, data:
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
***
%% Initialized: [Session-37, SSL_NULL_WITH_NULL_NULL]
ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseServerAlias tscocms
ssl: ServerHandshaker.setupPrivateKeyAndChain, return true
JsseJCE: Using KeyPairGenerator EC from provider TBD via init
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.7
JsseJCE: Using KeyPairGenerator EC from provider TBD via init
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.7
JsseJCE: Using KeyPairGenerator EC from provider TBD via init
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.7
ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseServerAlias tscocms
ssl: ServerHandshaker.setupPrivateKeyAndChain, return true
JsseJCE: Using KeyPairGenerator EC from provider TBD via init
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.7
JsseJCE: Using KeyPairGenerator EC from provider TBD via init
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.7
JsseJCE: Using KeyPairGenerator EC from provider TBD via init
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.7
%% Invalidated: [Session-37, SSL_NULL_WITH_NULL_NULL]
http-bio-8643-exec-4, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
http-bio-8643-exec-4, WRITE: TLSv1.2 Alert, length = 2
http-bio-8643-exec-4, called closeSocket()
http-bio-8643-exec-4, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-bio-8643-exec-4, IOException in getSession(): javax.net.ssl.SSLHandshakeException: no cipher suites in common
http-bio-8643-exec-4, called close()
http-bio-8643-exec-4, called closeInternal(true)
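
A triage helper for the two traces above, added here as an example and not part of the original post: it parses javax.net.debug output, folds the SSL_/TLS_ prefix so the connector's names match the names in the log, and reports which configured suites each ClientHello offered, together with the curves and the outcome. The log excerpts are shortened, constructed copies of the traces, and the function names are hypothetical.

```python
import re

# Connector "ciphers" value exactly as posted (stray space before the comma).
CONFIGURED = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"

# Constructed excerpts: shortened copies of the two catalina.out traces.
PASS_LOG = """*** ClientHello, TLSv1.2
Cipher Suites: [SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA]
Extension elliptic_curves, curve names: {secp256r1, secp384r1}
%% Negotiating: [Session-28, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
"""
FAIL_LOG = """*** ClientHello, TLSv1.2
Cipher Suites: [SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA]
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
%% Invalidated: [Session-37, SSL_NULL_WITH_NULL_NULL]
http-bio-8643-exec-4, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
"""


def norm(name):
    """Trim whitespace and drop the SSL_/TLS_ prefix so names compare equal."""
    return re.sub(r"^(SSL|TLS)_", "", name.strip())


def field(log, pattern):
    """Return the comma-separated items captured by pattern, or []."""
    m = re.search(pattern, log)
    return [item.strip() for item in m.group(1).split(",")] if m else []


def summarize(log, configured=CONFIGURED):
    """Summarize one handshake trace against the configured cipher list."""
    wanted = {norm(c) for c in configured.split(",")}
    offered = field(log, r"Cipher Suites: \[([^\]]*)\]")
    chosen = re.search(r"%% Negotiating: \[[^,]+, ([^\]]+)\]", log)
    return {
        "common": sorted(s for s in offered if norm(s) in wanted),
        "curves": field(log, r"curve names: \{([^}]*)\}"),
        "negotiated": chosen.group(1) if chosen else None,
        "alert": "description = handshake_failure" in log,
    }


if __name__ == "__main__":
    for label, log in (("pass", PASS_LOG), ("fail", FAIL_LOG)):
        print(label, summarize(log))
```

On these traces both ClientHellos offer both configured suites, so the client's cipher list alone does not account for the alert; the visible difference on the client side is the additional secp521r1 curve in the failing handshake.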