Problem description
My co-workers and I are having a problem using Firefox 3.0.6 to access a Java 1.6.0___11 web application we're developing. Everything works fine anywhere from 1-30 minutes into the session...but eventually, the connection fails and the following error appears:
Secure Connection Failed
An error occurred during a connection to 10.x.x.x.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
IE works fine. Firefox throws the error in both Windows and Fedora, so the problem doesn't appear to be tied to an OS. The Java EE application runs on a Tomcat 6.0.16 server. All pages are encrypted using TLS 1.0 through an Apache 2.2.8 HTTP server with mod_nss.
Our Apache server is configured to reject SSL 3.0 connections. One hypothesis we have is that Firefox might be trying to establish an SSL 3.0 connection...but why?
Based on some Googling, we tried the following things, but without success:
- using Firefox 2.x (some people reported instances where 2.x worked but 3.x didn't):
- enabling SSL2
- disabling SSL3
- disabling OCSP (Tool > Options > Advanced > Encryption > Validation)
- ensuring that the anti-virus/firewall of the client computer isn't blocking or scanning port 443 (https port)
Any ideas?
Recommended answer
I had the same issue while renewing the certificate for our server at www.tpsynergy.com. After importing the new server certificate and restarting Tomcat, the error we were getting was ERR_SSL_VERSION_OR_CIPHER_MISMATCH. After a lot of research, I used this link https://www.sslshopper.com/certificate-key-matcher.html to compare the CSR (certificate signing request) to the actual certificate. They did not match. So I created a new CSR, obtained a new certificate, and installed it. It worked.
So the full steps for the process are:
1. Create the CSR from the same server where the certificate will be installed:
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tpsynergy.keystore
(change the domain name as needed)
While creating this, it will ask for first name and last name. Do not give your name, but use the domain name. For example, I gave it as www.tpsynergy.com.
2. keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tpsynergy.keystore
This will create a csr.csr file in the same folder. Copy the contents of this to the GoDaddy site and create the new certificate.
The downloaded certificate zip file will have three files:
gd_bundle-g2-g1.crt
gdig2.crt
youractualcert.crt
You will need to download the root cert gdroot-g2.crt from the GoDaddy repository.
Copy all these files to the same directory from where you created the CSR file and where the keystore file is located.
Now run the below commands one by one to import the certs into the keystore:
keytool -import -trustcacerts -alias root -file gd_bundle-g2-g1.crt -keystore tpsynergy.keystore
keytool -import -trustcacerts -alias root2 -file gdroot-g2.crt -keystore tpsynergy.keystore
keytool -import -trustcacerts -alias intermediate -file gdig2.crt -keystore tpsynergy.keystore
keytool -import -trustcacerts -alias tomcat -file yourdomainfile.crt -keystore tpsynergy.keystore
Ensure that server.xml file in conf folder has this entry
Restart the tomcat
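The CSR-to-certificate comparison that the answer performed with an online matcher can also be run locally with openssl before any certificate is imported. The script below is an added example, not part of the original answer; the function names, the script name and the sample CN are assumptions, and it expects PEM-encoded files and openssl on the PATH.

```shell
#!/bin/sh
# Added example (not from the original answer): check locally that a CSR and
# an issued certificate carry the same public key before importing the cert.

# pubkey_fp csr|cert FILE -> SHA-256 (hex) of the DER-encoded public key
pubkey_fp() {
    case "$1" in
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    echo "usage: pubkey_fp csr|cert FILE" >&2; return 2 ;;
    esac || { echo "cannot parse $2 as $1" >&2; return 1; }
    # Re-encode to DER so PEM line wrapping cannot affect the digest.
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# csr_matches_cert CSR CERT -> 0 match, 1 mismatch, 2 unreadable input.
# An unreadable file is an error, never a silent "match".
csr_matches_cert() {
    csr_fp=$(pubkey_fp csr "$1") || return 2
    crt_fp=$(pubkey_fp cert "$2") || return 2
    if [ "$csr_fp" = "$crt_fp" ]; then
        echo "MATCH    $csr_fp"
    else
        echo "MISMATCH csr=$csr_fp cert=$crt_fp"
        return 1
    fi
}

# make_samples DIR -> constructed throwaway test files (hypothetical CN):
# a.csr, good.crt (same key as a.csr) and bad.crt (unrelated key).
make_samples() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/a.key" -out "$1/a.csr" \
        -subj "/CN=www.example.test" 2>/dev/null &&
    openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 1 \
        -out "$1/good.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/b.key" \
        -out "$1/bad.crt" -subj "/CN=www.example.test" -days 1 2>/dev/null
}

# Usage (hypothetical script name): sh check_csr.sh csr.csr youractualcert.crt
if [ "$#" -eq 2 ]; then csr_matches_cert "$1" "$2"; fi
```

The key pair held in the keystore can be checked the same way: export its current certificate with `keytool -exportcert -rfc -alias tomcat -keystore tpsynergy.keystore -file keystore.crt` (the output file name is an assumption) and compare `pubkey_fp cert keystore.crt` with `pubkey_fp cert youractualcert.crt`.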