How to fix "ssl_error_no_cypher_overlap" on a Tomcat 7 server?

Problem description

The latest versions of Chrome and Firefox have disabled SSLv3.0 by default, due to the POODLE vulnerability. This leads to the following error when I attempt to open a site I have set up (and which was working fine):

With Chrome:

A secure connection cannot be established because this site uses an unsupported protocol.
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

With Firefox:

Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

I have researched this issue with Chrome, Firefox, Tomcat and more Tomcat docs. I understand the problem, but I can't find the documentation to configure Tomcat 7 to use only the TLS ciphers and protocols that are now safe. I'm not sure if I need to create a new cert/keypair, change my server.xml, or install a new version of Tomcat, or what. I'm not even sure what versions of cipher/protocol are now considered "acceptable" by these browsers. Can anyone point me to the docs or an example setup for this?

I'm using OpenJDK 1.7 on Ubuntu 14.04 with Tomcat 7.

Here's my cert file (redacted):

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: something
Creation date: May 4, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=something, OU=something, O=something, L=something, ST=something, C=something
Issuer: CN=something, OU=something, O=something, L=something, ST=something, C=something
Serial number: ...
Valid from: Sat May 04 17:28:21 MST 2013 until: Tue May 02 17:28:21 MST 2023
Certificate fingerprints:
     MD5:  ...
     SHA1: ...
     SHA256: ...
     Signature algorithm name: SHA1withDSA
     Version: 3

Here's my server.xml entry for HTTPS support:

<Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/path/mykeystore"
           keystorePass="password"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLS" />


Recommended answer

You need to widen sslEnabledProtocols to include TLSv1 &ff, depending on your Java version.

You specify ciphers with the ciphers element of the connector.

It has nothing to do with the certificate.
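
An added example, not part of the original question or answer: a small Python check that reads a `<Connector>` element and reports whether `sslEnabledProtocols` and `ciphers` name things a Java 7 JSSE runtime recognizes. The function names, the weak-suite markers and the widened connector (including its cipher suite names) are constructed for illustration; the first sample is the connector from the question.

```python
import xml.etree.ElementTree as ET

# JSSE protocol names a Java 7 runtime accepts in sslEnabledProtocols.
# "TLS" is an SSLContext algorithm name (valid for sslProtocol), not one of these.
JAVA7_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3"}  # pre-TLS names
WEAK_CIPHER_MARKERS = ("_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_")

def split_list(value):
    """Split a comma-separated connector attribute into trimmed tokens."""
    return [t.strip() for t in (value or "").split(",") if t.strip()]

def audit_connector(xml_text, jvm_protocols=JAVA7_PROTOCOLS):
    """Return a list of findings for one <Connector> element."""
    conn = ET.fromstring(xml_text)
    if conn.get("SSLEnabled", "false").lower() != "true":
        return ["connector is not TLS-enabled"]
    findings = []
    protocols = split_list(conn.get("sslEnabledProtocols"))
    if not protocols:
        findings.append("sslEnabledProtocols not set: JVM defaults apply")
    for p in protocols:
        if p not in jvm_protocols:
            findings.append("unknown protocol name: " + p)
        elif p in LEGACY_PROTOCOLS:
            findings.append("legacy protocol enabled: " + p)
    modern = set(jvm_protocols) - LEGACY_PROTOCOLS
    if protocols and not any(p in modern for p in protocols):
        findings.append("no TLSv1 or later protocol enabled")
    ciphers = split_list(conn.get("ciphers"))
    if not ciphers:
        findings.append("ciphers not set: JVM default suites apply")
    for c in ciphers:
        if any(marker in c for marker in WEAK_CIPHER_MARKERS):
            findings.append("weak cipher suite: " + c)
    return findings

# Connector from the question.
QUESTION_CONNECTOR = """<Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" scheme="https" secure="true" keystoreFile="/path/mykeystore"
  keystorePass="password" clientAuth="false" sslProtocol="TLS"
  sslEnabledProtocols="TLS" />"""

# Constructed variant with explicit protocol names and a ciphers list.
WIDENED_CONNECTOR = QUESTION_CONNECTOR.replace(
    'sslEnabledProtocols="TLS"',
    'sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" '
    'ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"')

if __name__ == "__main__":
    for name, xml in (("question", QUESTION_CONNECTOR), ("widened", WIDENED_CONNECTOR)):
        print(name, audit_connector(xml) or "no findings")
```

Pass a different `jvm_protocols` set when auditing a connector that runs on another Java version.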