My goal is to set up the SSL configuration for Tomcat 10. This is what my setup looks like.
<Connector
port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150"
minSpareThreads="25"
SSLEnabled="true"
sslEnabledProtocols="TLSv1.2"
scheme="https"
secure="true"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="400"
URIEncoding="UTF-8"
clientAuth="false"
defaultSSLHostConfigName="abx.io"
SSLCertificateFile="conf/cert_abx/cert.pem"
SSLCertificateKeyFile="conf/cert_abx/privkey.pem"
connectionTimeout="20000">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
<SSLHostConfig
hostName="abx.io"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE>
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA">
<Certificate
certificateFile="conf/cert_abx/cert.pem"
certificateKeyFile="conf/cert_abx/privkey.pem"
certificateChainFile="conf/cert_abx/chain.pem"/>
</SSLHostConfig>
</Connector>
However, I get the error
ERR_SSL_VERSION_OR_CIPHER_MISMATCH, The client and server don't support a common SSL protocol version or cipher suite.
I also tried changing the protocol to org.apache.coyote.http11.Http11AprProtocol, but that does not seem to work with the current Tomcat 10 server.
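Some attributes in the configuration are no longer used in Tomcat 10. For example, "sslEnabledProtocols" was deprecated in Tomcat 9 and removed in Tomcat 10; the "protocols" attribute should be used instead.
Try the following configuration and check again.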
<Connector
port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150"
minSpareThreads="25"
SSLEnabled="true"
scheme="https"
secure="true"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="400"
URIEncoding="UTF-8"
clientAuth="false"
defaultSSLHostConfigName="abx.io"
connectionTimeout="20000">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
<SSLHostConfig hostName="abx.io" protocols="TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA">
<Certificate
certificateFile="conf/cert_abx/cert.pem"
certificateKeyFile="conf/cert_abx/privkey.pem"
certificateChainFile="conf/cert_abx/chain.pem"/>
</SSLHostConfig>
</Connector>
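
An added example (not part of the original question or answer): a Python check that flags the Connector-level attributes the answer's configuration drops and reviews every entry of an SSLHostConfig ciphers list. The sample XML, its host name and paths, and the name-based heuristics in check_suite are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Connector-level attributes that the answer's configuration omits, mapped to
# the SSLHostConfig/Certificate attribute that carries the value instead.
MOVED = {
    "sslEnabledProtocols": "SSLHostConfig protocols",
    "SSLCertificateFile": "Certificate certificateFile",
    "SSLCertificateKeyFile": "Certificate certificateKeyFile",
}

# Constructed sample modelled on the question's Connector (not the real file).
SAMPLE = """
<Connector port="8443" SSLEnabled="true" sslEnabledProtocols="TLSv1.2"
           SSLCertificateFile="conf/example/cert.pem">
  <SSLHostConfig hostName="example.test" protocols="TLSv1.2"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE,
               TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA"/>
</Connector>
"""

def check_suite(name):
    """Return the reasons a JSSE-style cipher suite name deserves review."""
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return []  # TLS 1.3 suite names carry no _WITH_ part
    if "_WITH_" not in name:
        return ["not a complete suite name (possibly truncated)"]
    key_exchange, cipher = name.split("_WITH_", 1)
    reasons = []
    if "RC4" in cipher:
        reasons.append("RC4 is prohibited in TLS (RFC 7465)")
    if "_CBC_" in cipher:
        reasons.append("CBC mode, not an AEAD cipher")
    if "DHE" not in key_exchange:
        reasons.append("static RSA key exchange, no forward secrecy")
    return reasons

def lint_connector(xml_text):
    """Collect findings for one <Connector> element given as XML text."""
    connector = ET.fromstring(xml_text)
    findings = [f"Connector {attr}: set {target} instead"
                for attr, target in MOVED.items() if attr in connector.attrib]
    for host in connector.iter("SSLHostConfig"):
        for raw in host.get("ciphers", "").split(","):
            name = raw.strip()  # the list may contain spaces and line breaks
            findings += [f"{name}: {r}" for r in (check_suite(name) if name else [])]
    return findings

if __name__ == "__main__":
    print("\n".join(lint_connector(SAMPLE)))
```

Run it against the Connector element copied out of server.xml; an empty result means none of these specific patterns were found, not that the TLS setup is sound.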