在 apache-tomcat 中禁用了 tls1 但仍然可以与 openssl s_client 连接,为什么?
disabled tls1 in apache-tomcat but can still connect with openssl s_client, why?
所以我在 tomcat 配置中禁用了 tls v1:
使用以下 jsse 连接器:
<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig protocols="TLSv1.2,TLSv1.3" sslProtocol="TLSv1.2">
<Certificate certificateKeystoreFile="/root/.keystore" certificateKeystorePassword="changeit"
type="RSA" />
</SSLHostConfig>
</Connector>
但是当我测试检查我的 tlsv1 连接是否被拒绝时,我仍然能够连接到下面,有人可以解释为什么客户端仍然能够连接 [CONNECTED(00000003)] 吗?
# openssl s_client -connect ip:8080 -tls1
CONNECTED(00000003)
140199874680720:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1600203654
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
如有任何反馈,我们将不胜感激!
这是一个失败的 s_client 连接:
140199874680720:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:
所以我在 tomcat 配置中禁用了 tls v1:
使用以下 jsse 连接器:
<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig protocols="TLSv1.2,TLSv1.3" sslProtocol="TLSv1.2">
<Certificate certificateKeystoreFile="/root/.keystore" certificateKeystorePassword="changeit"
type="RSA" />
</SSLHostConfig>
</Connector>
但是当我测试检查我的 tlsv1 连接是否被拒绝时,我仍然能够连接到下面,有人可以解释为什么客户端仍然能够连接 [CONNECTED(00000003)] 吗?
# openssl s_client -connect ip:8080 -tls1
CONNECTED(00000003)
140199874680720:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1600203654
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
如有任何反馈,我们将不胜感激!
这是一个失败的 s_client 连接:
140199874680720:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365: