TLSv1

TLSv1

关注
发信
关注(28)粉丝(399)

java8+tomcate8仅支持TLSv1.2

1、编辑$tomcat_home/conf/server.xml

<Connector

           protocol="org.apache.coyote.http11.Http11NioProtocol"

           port="8443" maxThreads="200"

           scheme="https" secure="true" SSLEnabled="true" truststoreType="JKS"

           keystoreFile="/root/zuoys.keystore" keystorePass="123456"

           clientAuth="false"

           sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />

如果向下兼容1.0、1.1,则:sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

2、通过openssl测试

测试1.2:

D:\OpenSSL-Win64\bin>openssl s_client -connect 192.168.163.131:8443 -tls1_2

CONNECTED(000000D8)

depth=0 C = cn, ST = \E5\8C\97\E4\BA\AC, L = \E5\8C\97\E4\BA\AC, O = \E9\93\B6\E7

verify error:num=18:self signed certificate

verify return:1

depth=0 C = cn, ST = \E5\8C\97\E4\BA\AC, L = \E5\8C\97\E4\BA\AC, O = \E9\93\B6\E7

verify return:1

---

Certificate chain

 0 s:/C=cn/ST=\xE5\x8C\x97\xE4\xBA\xAC/L=\xE5\x8C\x97\xE4\xBA\xAC/O=\xE9\x93\xB6\

   i:/C=cn/ST=\xE5\x8C\x97\xE4\xBA\xAC/L=\xE5\x8C\x97\xE4\xBA\xAC/O=\xE9\x93\xB6\

---

Server certificate

-----BEGIN CERTIFICATE-----

MIIDeTCCAmGgAwIBAgIEXhol8zANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJj

bjEPMA0GA1UECAwG5YyX5LqsMQ8wDQYDVQQHDAbljJfkuqwxHjAcBgNVBAoMFemT

tuebiOmAmuaUr+S7mOWFrOWPuDEMMAoGA1UECxMDZWJjMQ4wDAYDVQQDEwV6dW95

czAeFw0xOTA4MDcxMDE5NTBaFw0xOTExMDUxMDE5NTBaMG0xCzAJBgNVBAYTAmNu

MQ8wDQYDVQQIDAbljJfkuqwxDzANBgNVBAcMBuWMl+S6rDEeMBwGA1UECgwV6ZO2

55uI6YCa5pSv5LuY5YWs5Y+4MQwwCgYDVQQLEwNlYmMxDjAMBgNVBAMTBXp1b3lz

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg1JSmQP/pbYZa8VH44Y+

mOl7Jhpnnhc1tySF8NXWMMkBkdmUOIPkKM5QpUMPS4MggQEc5OuV1gNZ0TVhIy1F

neABYto+PlcgUmKwTC65JEHbHWOElInhPxR/10Pec+Om39LnWnex/mw673p01Gnp

bGqTjEhm+ctWVvfEMhQEsBSqBednh63n6N41BS7AyMq3vm4LxOhjBaMf3dtpI6w8

i616o8mMTaIM4o1Frw5GILVm4vn6QZJB51kNthAyG8uoqrtzXZM02ha84m5U8AKI

8esIJIFDCK1nyQZ3/SI42hIm3714S4Ae3LApKfq6C9kP8at2ROKk+XkANZsjYHUr

1wIDAQABoyEwHzAdBgNVHQ4EFgQUGLXHe6DvI54spW7EmNCozFFRHnUwDQYJKoZI

hvcNAQELBQADggEBABa0pKmVcCao8J65lWai0zCdDLFM9yzcy+90Z+bbJLv21LSU

0vFYFJX/UyiwkwWNdavkDYCY/qXrJXwpbNCb9ZqgCEFO9t+0fjMltJfnHNNuQvsb

539Xi55fiuGYG1l2BKA+NHuKG99d8ZBKKGete6kJFknlfdk7dDfM1wJir6NDdu+X

TSA5fGXfZk0dF9WIbcZK7wVYJMOjaW+88fONgpQxShT9IUiGlrGT71gfjKDTL0R6

OvWbI9V8Qs0UxQIU8ayAi8dRsxAN4hNUyQ6523ZtJmFMm8pmiqFnQgcdK9p9+9Fc

a+fO/541JBRCKuaZ2a4ReBhSn7q7lOHCZE2zxQk=

-----END CERTIFICATE-----

subject=/C=cn/ST=\xE5\x8C\x97\xE4\xBA\xAC/L=\xE5\x8C\x97\xE4\xBA\xAC/O=\xE9\x93\x

issuer=/C=cn/ST=\xE5\x8C\x97\xE4\xBA\xAC/L=\xE5\x8C\x97\xE4\xBA\xAC/O=\xE9\x93\xB

---

No client certificate CA names sent

Peer signing digest: SHA512

Server Temp Key: ECDH, P-256, 256 bits

---

SSL handshake has read 1377 bytes and written 433 bytes

---

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : ECDHE-RSA-AES128-GCM-SHA256

    Session-ID: 5D4CCEDF2C45AF319A383F2C9077F995BC9BCBBD5F7375383319DE7BDE73EAF0

    Session-ID-ctx:

    Master-Key: CA26D76E01AAE4E3157546BE07610468B4E18D120A8B95DA5F9D91FE20AA6F5A1

    Key-Arg   : None

    PSK identity: None

    PSK identity hint: None

    SRP username: None

    Start Time: 1565314785

    Timeout   : 7200 (sec)

    Verify return code: 18 (self signed certificate)

---

测试1.1:

D:\OpenSSL-Win64\bin>openssl s_client -connect 192.168.163.131:8443 -tls1_1

CONNECTED(000000D8)

7540:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:

---

no peer certificate available

---

No client certificate CA names sent

---

SSL handshake has read 5 bytes and written 0 bytes

---

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.1

    Cipher    : 0000

    Session-ID:

    Session-ID-ctx:

    Master-Key:

    Key-Arg   : None

    PSK identity: None

    PSK identity hint: None

    SRP username: None

    Start Time: 1565314902

    Timeout   : 7200 (sec)

    Verify return code: 0 (ok)

---

D:\OpenSSL-Win64\bin>

测试1.0:

D:\OpenSSL-Win64\bin>openssl s_client -connect 192.168.163.131:8443 -tls1

CONNECTED(000000D8)

5424:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:

---

no peer certificate available

---

No client certificate CA names sent

---

SSL handshake has read 5 bytes and written 0 bytes

---

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1

    Cipher    : 0000

    Session-ID:

    Session-ID-ctx:

    Master-Key:

    Key-Arg   : None

    PSK identity: None

    PSK identity hint: None

    SRP username: None

    Start Time: 1565314976

    Timeout   : 7200 (sec)

    Verify return code: 0 (ok)

---

D:\OpenSSL-Win64\bin>

说明,tomcat仅支持TLSv1.2协议了。

05-21 10:30
Powered by LMLPHP ©2025 TLSv1 0.050305