Tomcat HTTPS with PEM

A brief explanation of how HTTPS works on a web server

The core idea is the following:

  • The client encrypts with the public key (from the certificate); the server decrypts with its private key
  • The server encrypts with its private key; the client decrypts with the public key

Before the client browser connects to the server it has no public key, so it must download one from the server. That is the server certificate everyone has seen: the small padlock icon to the left or right of the browser address bar (it only appears for sites accessed over https). In other words, the server holds both the certificate containing the public key and the private key.


Enabling HTTPS in Tomcat

Usually you uncomment the following block in server.xml:
<!--
<Connector port="8443"
   protocol="org.apache.coyote.http11.Http11NioProtocol"
   maxThreads="150" SSLEnabled="true"
   scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"/>
-->

The following supplies the certificate and private key to Tomcat through a JKS keystore; the JKS file contains both the server's public key (certificate) and its private key. For example:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="D:/server.jks" keystorePass="123123" />
 

This variant is usually straightforward to configure.

Another option is to use PEM and CRT files generated with openssl, for example:

<Connector
          protocol="org.apache.coyote.http11.Http11AprProtocol"
          port="8443" maxThreads="200"
          scheme="https" secure="true" SSLEnabled="true"
          SSLCertificateFile="D:/server.crt"
          SSLCertificateKeyFile="D:/server.pem"
          SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" />

Note the protocol attribute here: it differs from the one used in the JKS configuration above. The Apache Portable Runtime (APR) is intended to improve Tomcat's scalability and its integration with native server functionality; the official description reads as follows:

Tomcat can use the Apache Portable Runtime to provide superior scalability, performance, and better integration with native server technologies. The Apache Portable Runtime is a highly portable library that is at the heart of Apache HTTP Server 2.x. APR has many uses, including access to advanced IO functionality (such as sendfile, epoll and OpenSSL), OS level functionality (random number generation, system status, etc), and native process handling (shared memory, NT pipes and Unix sockets).

These features allow making Tomcat a general purpose webserver, will enable much better integration with other native web technologies, and overall make Java much more viable as a full fledged webserver platform rather than simply a backend focused technology.




If you simply edit and save the configuration file, Tomcat reports an error on startup. The server appears to be running normally, but the HTTPS port 8443 serves nothing: HTTP works, HTTPS fails. (Read the logs! This fooled me for a long time.)

严重: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
	at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
Caused by: org.apache.catalina.LifecycleException: The configured protocol [org.apache.coyote.http11.Http11AprProtocol] requires the APR/native library which is not available
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:954)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
	... 12 more
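As an added example (not code from the original post), here is a small Python check that reads a server.xml and flags the pitfalls discussed above: an APR connector on a host where tcnative is not available, JSSE-style and APR-style SSL attributes applied to the wrong connector type, and legacy protocol versions such as the TLSv1/TLSv1.1 enabled in the sample configuration. The attribute split follows the Tomcat 8.0 documentation referenced on this page; the sample XML and the apr_available flag are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not from a real deployment): one JSSE/NIO
# connector backed by a JKS keystore and one APR connector backed by PEM/CRT files.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="D:/server.jks" keystorePass="123123"/>
<Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="D:/server.crt" SSLCertificateKeyFile="D:/server.pem"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
</Service></Server>"""

APR = "org.apache.coyote.http11.Http11AprProtocol"
APR_ATTRS = ("SSLCertificateFile", "SSLCertificateKeyFile")
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def lint_connectors(server_xml, apr_available):
    """Return (port, message) findings for every SSLEnabled connector.

    apr_available states whether tcnative is loadable on the host; it is passed
    in instead of probed so the check runs offline against a saved server.xml.
    """
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        port = c.get("port")
        if c.get("protocol") == APR:
            if not apr_available:
                findings.append((port, "APR protocol configured but tcnative is not available"))
            for attr in APR_ATTRS:  # APR needs the PEM/CRT pair, not a keystore
                if not c.get(attr):
                    findings.append((port, f"APR connector missing {attr}"))
            if c.get("keystoreFile"):
                findings.append((port, "keystoreFile is a JSSE attribute; APR uses " + "/".join(APR_ATTRS)))
        else:
            if not c.get("keystoreFile"):
                findings.append((port, "JSSE connector missing keystoreFile"))
            for attr in APR_ATTRS:  # PEM/CRT attributes do nothing on a JSSE connector
                if c.get(attr):
                    findings.append((port, f"{attr} is an APR attribute; JSSE uses keystoreFile"))
        # sslProtocol (JSSE) or SSLProtocol (APR) may join several versions with '+'
        enabled = (c.get("SSLProtocol") or c.get("sslProtocol") or "").split("+")
        weak = sorted(WEAK_VERSIONS.intersection(enabled))
        if weak:
            findings.append((port, "weak protocol versions enabled: " + ", ".join(weak)))
    return findings
```

Run against a real server.xml, the missing-tcnative finding corresponds exactly to the "requires the APR/native library which is not available" error in the log above.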


To use this protocol you have to install the APR runtime. Sounds complicated? No: download a zip archive and copy a single file, tcnative-1.dll, into place. Download page:

http://tomcat.apache.org/download-native.cgi . This uses 64-bit Windows as the example: Native 1.2.8 Windows Binaries zip.


Copy tcnative-1.dll into the directory C:\Program Files\Java\jre1.8.0_31\bin; Tomcat then starts normally and HTTPS works.


References: http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

http://tomcat.apache.org/tomcat-8.0-doc/apr.html
