今天打算给tomcat 配置 ssl,发现直接将本站的 .crt 和 .key 直接配置在 tomcat 上浏览器会产生握手失败的问题,无论是那个 tls 版本都不能握手成功,找不到两端对应的的 cipher 算法,使用 openssl s_client -connect firegod.cn:8443 返回的错误如下:
140736929969088:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1362:SSL alert number 40
tomcat server.xml 配置如下,关闭了有漏洞的SSLv3版本:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
SSLCertificateFile="/opt/nginx/ssl/firegod.cer"
SSLCertificateKeyFile="/opt/nginx/ssl/firegod.key"
SSLCertificateChainFile="/opt/nginx/ssl/intermediate.cer" />
最后在stackoverflow上找到了正确的配置方法,是需要转换一下才行的:
Step one: Convert x509 Cert and Key to a pkcs12 file
openssl pkcs12 -export -in server.crt -inkey server.key \ -out server.p12 -name [some-alias] \ -CAfile ca.crt -caname root
Note: Make sure you put a password on the p12 file – otherwise you’ll get a null reference exception when you try to import it. (In case anyone else had this headache). (Thanks jocull!)
Note 2: You might want to add the -chainoption to preserve the full certificate chain. (Thanks Mafuba)
Step two: Convert the pkcs12 file to a java keystore
keytool -importkeystore \ -deststorepass [changeit] -destkeypass [changeit] -destkeystore server.keystore \ -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password \ -alias [some-alias]
Finished
OPTIONAL Step Zero, create self-signed certificate
openssl genrsa -out server.key 2048 openssl req -new -out server.csr -key server.key openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Cheers!