Tomcat8:SSL 会话 ID 不可用
Tomcat 8: SSL session ID not available
我在尝试从 Tomcat7 迁移到 Tomcat8 时遇到问题。事情似乎工作正常,但当我访问我的应用程序时,它记录了这个异常:
09-Nov-2016 13:23:09.192 WARNING [https-openssl-nio-9443-exec-3] org.apache.coyote.AbstractProcessor.populateSslRequestAttributes Exception getting SSL attributes
java.lang.IllegalStateException: SSL session ID not available
at org.apache.tomcat.util.net.openssl.OpenSSLEngine$OpenSSLSession.getId(OpenSSLEngine.java:1048)
at org.apache.tomcat.util.net.jsse.JSSESupport.getSessionId(JSSESupport.java:156)
at org.apache.coyote.AbstractProcessor.populateSslRequestAttributes(AbstractProcessor.java:619)
at org.apache.coyote.AbstractProcessor.action(AbstractProcessor.java:359)
at org.apache.coyote.Request.action(Request.java:392)
at org.apache.catalina.connector.Request.getAttribute(Request.java:900)
at org.apache.catalina.connector.RequestFacade.getAttribute(RequestFacade.java:282)
at org.apache.cxf.transport.http.AbstractHTTPDestination.propogateSecureSession(AbstractHTTPDestination.java:411)
at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:395)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:238)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:298)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:217)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:273)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:589)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:784)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:802)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1410)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)
我的连接器是这样定义的:
<Connector port="9443" URIEncoding="utf-8" protocol="HTTP/1.1"
scheme="https" secure="true" SSLEnabled="true"
maxPostSize="-1"
useAprConnector ="false"
sslProtocol="TLSv1.2" clientAuth="want"
disableSessionTickets="true"
keystoreFile="${catalina.home}/conf/keystore.jks"
keystorePass="..."
truststoreFile="${catalina.home}/conf/truststore.jks"
truststorePass="..."
/>
在 Tomcat7 上一切正常,在 tomcat8 上安全连接也很好。
你好像在打Bug 59811 - TLS Session ID not available if session tickets are used。
我怀疑这是因为切换到 Tomcat 8.5.x 如果可用,则将 OpenSSL 用于 TLS。
您有两个选择:
- 添加显式 SSLHostConfig 元素并包含
disableSessionTickets="true" 以禁用会话票证
- 在连接器上设置
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" 以将 JSSE 用于 TLS 而不是 OpenSSL
第二个选项最接近 Tomcat 7.
我在尝试从 Tomcat7 迁移到 Tomcat8 时遇到问题。事情似乎工作正常,但当我访问我的应用程序时,它记录了这个异常:
09-Nov-2016 13:23:09.192 WARNING [https-openssl-nio-9443-exec-3] org.apache.coyote.AbstractProcessor.populateSslRequestAttributes Exception getting SSL attributes
java.lang.IllegalStateException: SSL session ID not available
at org.apache.tomcat.util.net.openssl.OpenSSLEngine$OpenSSLSession.getId(OpenSSLEngine.java:1048)
at org.apache.tomcat.util.net.jsse.JSSESupport.getSessionId(JSSESupport.java:156)
at org.apache.coyote.AbstractProcessor.populateSslRequestAttributes(AbstractProcessor.java:619)
at org.apache.coyote.AbstractProcessor.action(AbstractProcessor.java:359)
at org.apache.coyote.Request.action(Request.java:392)
at org.apache.catalina.connector.Request.getAttribute(Request.java:900)
at org.apache.catalina.connector.RequestFacade.getAttribute(RequestFacade.java:282)
at org.apache.cxf.transport.http.AbstractHTTPDestination.propogateSecureSession(AbstractHTTPDestination.java:411)
at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:395)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:238)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:298)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:217)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:273)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:589)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:784)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:802)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1410)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)
我的连接器是这样定义的:
<Connector port="9443" URIEncoding="utf-8" protocol="HTTP/1.1"
scheme="https" secure="true" SSLEnabled="true"
maxPostSize="-1"
useAprConnector ="false"
sslProtocol="TLSv1.2" clientAuth="want"
disableSessionTickets="true"
keystoreFile="${catalina.home}/conf/keystore.jks"
keystorePass="..."
truststoreFile="${catalina.home}/conf/truststore.jks"
truststorePass="..."
/>
在 Tomcat7 上一切正常,在 tomcat8 上安全连接也很好。
你好像在打Bug 59811 - TLS Session ID not available if session tickets are used。
我怀疑这是因为切换到 Tomcat 8.5.x 如果可用,则将 OpenSSL 用于 TLS。
您有两个选择:
- 添加显式 SSLHostConfig 元素并包含
disableSessionTickets="true"以禁用会话票证 - 在连接器上设置
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"以将 JSSE 用于 TLS 而不是 OpenSSL
第二个选项最接近 Tomcat 7.