4

我有一个 Tomcat 7 服务器,它运行一些我需要通过另一个 Tomcat 7 服务器的帖子访问的 servlet。

出于安全原因,该连接是 SSL 连接,我使用此代码进行连接:

/* Load the keyStore that includes self-signed cert as a "trusted" entry. */
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(new FileInputStream("myjks.jks"), "123456".toCharArray());
TrustManagerFactory tmf = 
    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
SSLContext ctx = SSLContext.getInstance("TLSv1");
ctx.init(null, tmf.getTrustManagers(), null);
SSLSocketFactory sslFactory = ctx.getSocketFactory();

HttpClientBuilder builder = HttpClientBuilder.create();
SSLConnectionSocketFactory sslConnectionFactory = 
    new SSLConnectionSocketFactory(ctx, 
        SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
builder.setSSLSocketFactory(sslConnectionFactory);

Registry<ConnectionSocketFactory> registry = 
    RegistryBuilder.<ConnectionSocketFactory>create()
        .register("https", sslConnectionFactory)
        .build();

HttpClientConnectionManager ccm = new BasicHttpClientConnectionManager(registry);

builder.setConnectionManager(ccm);
CloseableHttpClient client = builder.build();

HttpPost post = new HttpPost("https://myurl.com:9999/post");

/* post has parameters - omitted */

HttpResponse response = client.execute(post);
HttpEntity entity = response.getEntity();
String responseString = EntityUtils.toString(entity, "UTF-8");
int httpCode = response.getStatusLine().getStatusCode();
System.out.println(responseString);
System.out.println(httpCode);

有问题:每次我尝试连接时,我都会得到

收到致命警报:handshake_failure

现在,奇怪的是,通过普通 java 应用程序运行的完全相同的代码可以正常工作并输出

<response data>
200

服务器上的代码在带有 Java 6 的 Apache Tomcat 7.0.42 上运行,Java 应用程序在 Java 6 上运行。

这是 Tomcat-SSL 服务器连接器的配置方式:

<Connector port="${tomcat.ssl.port}" protocol="HTTP/1.1"
                    enableLookups="false"
                    SSLEnabled="true" scheme="https" sslProtocol="TLS" secure="true" clientAuth="false"
                    keystoreFile="${catalina.base}/conf/certstore/server.jks"
                    keystorePass="123456"
                    truststoreFile="${catalina.base}/conf/certstore/ca.jks"
                    truststorePass="123456"
                    URIEncoding="UTF-8"
                    ciphers="SSL_RSA_WITH_RC4_128_MD5,
                            SSL_RSA_WITH_RC4_128_SHA,
                            TLS_RSA_WITH_AES_128_CBC_SHA,
                            TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                            TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                            SSL_RSA_WITH_3DES_EDE_CBC_SHA,
                            SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                            SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
                            TLS_RSA_WITH_AES_256_CBC_SHA,
                            TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                            TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
                    />

这些是受支持的密码:

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

为什么tomcat-to-tomcat连接会出现这些问题?我应该怎么做才能使此代码正常工作?

4

1 回答 1

1

可能是因为 Tomcat 使用的 JVM 和你手动执行这个命令的 JVM 不同。较新的 Java 版本对 SSL 连接更加严格。在可能引发此错误的较新版本中不允许使用某些协议。

于 2016-10-14T13:17:22.103 回答