我试图通过Tomacat(8.x)为HTTPS / TLS启用,而不是OpenSSL替代,因为cert / key配置更简单(与带有密钥库的普通JSSE相比)。
遵循offical documentation并启用连接器部分,如下所示:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
<SSLHostConfig protocols="TLSv1.2">
<Certificate
certificateKeyFile="conf/MyKey.key"
certificateFile="conf/MyCertificate.crt"
type="RSA" />
</SSLHostConfig>
</Connector>
注意,我仍在使用Http11NioProtocol而不是APR Http11AprProtocol连接器。
但是,此配置启动失败,因为这种配置组合似乎需要要构建和配置的Tomcat本机库:
14-Jun-2019 10:38:46.363 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:621)
at org.apache.catalina.startup.Catalina.load(Catalina.java:644)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.Pool.create(J)J
at org.apache.tomcat.jni.Pool.create(Native Method)
at org.apache.tomcat.util.net.openssl.OpenSSLEngine.<clinit>(OpenSSLEngine.java:70)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getImplementedProtocols(OpenSSLUtil.java:61)
at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:53)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.<init>(OpenSSLUtil.java:41)
at org.apache.tomcat.util.net.openssl.OpenSSLImplementation.getSSLUtil(OpenSSLImplementation.java:36)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:104)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1082)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:267)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
我确实构建并安装了Tomcat native + APR库,并在Tomcat env类路径中对其进行了配置,从而解决了该问题,但这并不重要。重点是,仅当我使用未使用的Http11AprProtocol时,是否才需要APR /本地库?我想念什么?任何指针/帮助将不胜感激。谢谢!
答案 0 :(得分:0)
我犯的错误是我在连接器配置中显式配置了sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"。这就是导致对本机库的依赖以及启动时错误的原因。
不指定sslImplementationName会将其保留为默认值org.apache.tomcat.util.net.jsse.JSSEImplementation,并且可以与OpenSSL样式证书和密钥配置一起正常使用。最终配置:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
<SSLHostConfig protocols="TLSv1.2">
<Certificate
certificateKeyFile="conf/MyKey.key"
certificateFile="conf/MyCertificate.crt"
type="RSA" />
</SSLHostConfig>
</Connector>
因此,主要问题的答案是:是的,可以将纯Java / JSSE样式配置与OpenSSL样式SSLHostConfig一起使用。
(但是,带有本机库的APR / OpenSSL隐式功能相对来说性能更高)。