无法通过 HTTPS 连接到服务器上运行的 Spring 项目(SSL 错误)
Failure to connect to Spring project running on server with HTTPS (SSL error)
我已经搭建了一个 Spring Framework 5 项目,目前运行良好。由于某些功能需要启用 HTTPS,我按照一篇教程进行了配置。目前已使用以下命令在服务器上生成了证书和密钥:
# Generates a 2048-bit RSA key pair and a self-signed certificate under alias "tomcat" in keystore.p12.
# -validity is given in days: 365000 is roughly 1000 years, so the certificate effectively never expires;
# a shorter lifetime with planned renewal limits the exposure window if the private key ever leaks.
# No -storepass is passed, so keytool prompts for the keystore password interactively.
keytool -genkeypair -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 365000
然后我将这个密钥库导入到我的资源文件夹中并使用了以下属性:
# The keystore is resolved from the classpath, so the TLS private key is packaged inside the
# application jar; anyone who can read the jar and this file can recover the key.
server.ssl.key-store= classpath:keystore.p12
# Plaintext keystore password stored next to the keystore it protects. Consider supplying it
# from outside the artifact (environment variable or external configuration) and keeping it
# out of version control.
server.ssl.key-store-password= myPassword
# Matches the -storetype used when the keystore was generated with keytool.
server.ssl.key-store-type= PKCS12
# Matches the -alias used when the key pair was generated with keytool.
server.ssl.key-alias= tomcat
# HTTPS port. The redirect port set in redirectConnector() (8444) must stay equal to this value.
server.port= 8444
我还使用以下配置设置了从 HTTP 到 HTTPS 的重定向:
/**
 * Builds the embedded Tomcat factory used for the HTTP-to-HTTPS redirect.
 *
 * <p>Every context gets one security constraint with the user constraint
 * {@code CONFIDENTIAL} applied to the pattern {@code /*}, and the connector
 * returned by {@code redirectConnector()} is registered as an additional
 * connector. With that constraint in place Tomcat answers a request that
 * arrives on a non-secure connector with a redirect to that connector's
 * redirect port.
 *
 * <p>NOTE(review): the redirect only happens after the first plaintext request
 * has been received, so whatever the client sent in that request has already
 * crossed the network unencrypted. An HSTS response header and {@code Secure}
 * cookies are the usual complements to this setup.
 *
 * @return the customised Tomcat servlet web server factory
 */
@Bean
public ServletWebServerFactory servletContainer() {
    TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory() {
        @Override
        protected void postProcessContext(Context context) {
            // One web-resource collection that matches every URL of the context.
            SecurityCollection allPaths = new SecurityCollection();
            allPaths.addPattern("/*");

            // CONFIDENTIAL is the transport guarantee that demands an encrypted channel.
            SecurityConstraint requireTls = new SecurityConstraint();
            requireTls.setUserConstraint("CONFIDENTIAL");
            requireTls.addCollection(allPaths);

            context.addConstraint(requireTls);
        }
    };
    // Plain-HTTP listener whose requests are redirected to the HTTPS port.
    factory.addAdditionalTomcatConnectors(redirectConnector());
    return factory;
}
/**
 * Creates the additional plain-HTTP connector that listens on port 8182 and
 * names 8444 as its redirect port.
 *
 * <p>NOTE(review): 8444 repeats the {@code server.port} value from the
 * application properties; if the two drift apart, redirects will point at a
 * port where no HTTPS listener is running.
 *
 * @return a non-secure NIO HTTP/1.1 connector
 */
private Connector redirectConnector() {
    final Connector httpConnector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
    // This listener itself is unencrypted; it is marked as such explicitly.
    httpConnector.setSecure(false);
    httpConnector.setScheme("http");
    httpConnector.setPort(8182);
    // Target port for requests that require a confidential transport.
    httpConnector.setRedirectPort(8444);
    return httpConnector;
}
在本地从 IDE 运行,或者直接运行编译好的 .jar 时,一切正常。但是,当我在服务器上运行它时(服务器是一台位于本地网络中的 Synology NAS,此前一直工作正常),访问地址 https://192.168.10.10:8444 会报错。Firefox 显示:SSL_ERROR_NO_CYPHER_OVERLAP;Chrome 显示:ERR_SSL_VERSION_OR_CIPHER_MISMATCH。我一直在寻找答案,但没有找到任何能改变这一结果的解决方案。
服务器上 JDK 可用的密码套件:
Default Cipher
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
* SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA256
TLS_DH_anon_WITH_AES_128_GCM_SHA256
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA256
TLS_DH_anon_WITH_AES_256_GCM_SHA384
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA256
* TLS_RSA_WITH_AES_128_GCM_SHA256
* TLS_RSA_WITH_AES_256_CBC_SHA
* TLS_RSA_WITH_AES_256_CBC_SHA256
* TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_NULL_SHA256
我的 openSSL s_client 连接输出:
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1601 bytes and written 505 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: 5B9B776C430F2AEF917BAE78C14F78CDC6DB2F0ED7284E66EFAF9688319F46B2
Session-ID-ctx:
Master-Key: FBA675AEDE7EB03926991415E6760249DE82E4967EC7A724D04C1D8FEFC2C3CC37DFC84ACD29607CAF88775EBBD6E519
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1536915308
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
---
一个常见的原因可能是您的 *.p12 文件没有被打包进部署的构件中。
你检查过 jar 包里是否包含它吗?
这是个老问题了,但我遇到了同样的情况。Synology 上使用的是旧版 JDK(1.8.0_161)。更新到最新的 1.8 版本(1.8.0_202-b08)之后一切正常。从问题中的信息看,列出的密码套件里没有任何 ECDHE 套件,而且 s_client 输出显示临时 DH 密钥只有 1024 位,浏览器找不到共同的密码套件可能与此有关。
我已经搭建了一个 Spring Framework 5 项目,目前运行良好。由于某些功能需要启用 HTTPS,我按照一篇教程进行了配置。目前已使用以下命令在服务器上生成了证书和密钥:
# Generates a 2048-bit RSA key pair and a self-signed certificate under alias "tomcat" in keystore.p12.
# -validity is given in days: 365000 is roughly 1000 years, so the certificate effectively never expires;
# a shorter lifetime with planned renewal limits the exposure window if the private key ever leaks.
# No -storepass is passed, so keytool prompts for the keystore password interactively.
keytool -genkeypair -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 365000
然后我将这个密钥库导入到我的资源文件夹中并使用了以下属性:
# The keystore is resolved from the classpath, so the TLS private key is packaged inside the
# application jar; anyone who can read the jar and this file can recover the key.
server.ssl.key-store= classpath:keystore.p12
# Plaintext keystore password stored next to the keystore it protects. Consider supplying it
# from outside the artifact (environment variable or external configuration) and keeping it
# out of version control.
server.ssl.key-store-password= myPassword
# Matches the -storetype used when the keystore was generated with keytool.
server.ssl.key-store-type= PKCS12
# Matches the -alias used when the key pair was generated with keytool.
server.ssl.key-alias= tomcat
# HTTPS port. The redirect port set in redirectConnector() (8444) must stay equal to this value.
server.port= 8444
我还使用以下配置设置了从 HTTP 到 HTTPS 的重定向:
/**
 * Builds the embedded Tomcat factory used for the HTTP-to-HTTPS redirect.
 *
 * <p>Every context gets one security constraint with the user constraint
 * {@code CONFIDENTIAL} applied to the pattern {@code /*}, and the connector
 * returned by {@code redirectConnector()} is registered as an additional
 * connector. With that constraint in place Tomcat answers a request that
 * arrives on a non-secure connector with a redirect to that connector's
 * redirect port.
 *
 * <p>NOTE(review): the redirect only happens after the first plaintext request
 * has been received, so whatever the client sent in that request has already
 * crossed the network unencrypted. An HSTS response header and {@code Secure}
 * cookies are the usual complements to this setup.
 *
 * @return the customised Tomcat servlet web server factory
 */
@Bean
public ServletWebServerFactory servletContainer() {
    TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory() {
        @Override
        protected void postProcessContext(Context context) {
            // One web-resource collection that matches every URL of the context.
            SecurityCollection allPaths = new SecurityCollection();
            allPaths.addPattern("/*");

            // CONFIDENTIAL is the transport guarantee that demands an encrypted channel.
            SecurityConstraint requireTls = new SecurityConstraint();
            requireTls.setUserConstraint("CONFIDENTIAL");
            requireTls.addCollection(allPaths);

            context.addConstraint(requireTls);
        }
    };
    // Plain-HTTP listener whose requests are redirected to the HTTPS port.
    factory.addAdditionalTomcatConnectors(redirectConnector());
    return factory;
}
/**
 * Creates the additional plain-HTTP connector that listens on port 8182 and
 * names 8444 as its redirect port.
 *
 * <p>NOTE(review): 8444 repeats the {@code server.port} value from the
 * application properties; if the two drift apart, redirects will point at a
 * port where no HTTPS listener is running.
 *
 * @return a non-secure NIO HTTP/1.1 connector
 */
private Connector redirectConnector() {
    final Connector httpConnector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
    // This listener itself is unencrypted; it is marked as such explicitly.
    httpConnector.setSecure(false);
    httpConnector.setScheme("http");
    httpConnector.setPort(8182);
    // Target port for requests that require a confidential transport.
    httpConnector.setRedirectPort(8444);
    return httpConnector;
}
在本地从 IDE 运行,或者直接运行编译好的 .jar 时,一切正常。但是,当我在服务器上运行它时(服务器是一台位于本地网络中的 Synology NAS,此前一直工作正常),访问地址 https://192.168.10.10:8444 会报错。Firefox 显示:SSL_ERROR_NO_CYPHER_OVERLAP;Chrome 显示:ERR_SSL_VERSION_OR_CIPHER_MISMATCH。我一直在寻找答案,但没有找到任何能改变这一结果的解决方案。
服务器上 JDK 可用的密码套件:
Default Cipher
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
* SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA256
TLS_DH_anon_WITH_AES_128_GCM_SHA256
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA256
TLS_DH_anon_WITH_AES_256_GCM_SHA384
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA256
* TLS_RSA_WITH_AES_128_GCM_SHA256
* TLS_RSA_WITH_AES_256_CBC_SHA
* TLS_RSA_WITH_AES_256_CBC_SHA256
* TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_NULL_SHA256
我的 openSSL s_client 连接输出:
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1601 bytes and written 505 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: 5B9B776C430F2AEF917BAE78C14F78CDC6DB2F0ED7284E66EFAF9688319F46B2
Session-ID-ctx:
Master-Key: FBA675AEDE7EB03926991415E6760249DE82E4967EC7A724D04C1D8FEFC2C3CC37DFC84ACD29607CAF88775EBBD6E519
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1536915308
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
---
一个常见的原因可能是您的 *.p12 文件没有被打包进部署的构件中。
你检查过 jar 包里是否包含它吗?
这是个老问题了,但我遇到了同样的情况。Synology 上使用的是旧版 JDK(1.8.0_161)。更新到最新的 1.8 版本(1.8.0_202-b08)之后一切正常。从问题中的信息看,列出的密码套件里没有任何 ECDHE 套件,而且 s_client 输出显示临时 DH 密钥只有 1024 位,浏览器找不到共同的密码套件可能与此有关。