How to open wenbuild in Java: how to enable TLSv1.1+ outbound communication from a web application on Win10 / Tomcat7 / Java7?...

Sorry if my question seems redundant. I found tons of Q&As on stackoverflow and a bunch of other resources about enabling TLSv1.1+ for Tomcat, for Java Clients, for OSes..., but still I can't enable it on my local env on Win10/Tomcat7/Java7. Probably, I'm just getting something wrong.

So, to be clear, I have a java web app deployed on tomcat. This web app makes requests to remote services via https. Previously these remote services supported TLSv1.0, and my app worked fine. Now these remote services support only TLSv1.1+, and I'm getting an error/actually a simple html page response saying:

To access this website, update your web browser or upgrade your operating system to support TLSv1.1 or TLSv1.2

I tried to enable TLSv1.1+ outbound communication support for my webapp in a number of ways, but still it doesn't work. So, I tried:

set CATALINA_OPTS=-Dhttps.protocols=TLSv1.1,TLSv1.2

set CATALINA_OPTS=-Ddeployment.security.TLSv1.1=true -Ddeployment.security.TLSv1.2=true

And the same stuff for JAVA_OPTS. I tried it both by adding to system environment variables and simply setting in cmd before starting tomcat.

Also, I set TLSv1.1 and TLSv1.2 support at Control Panel\Programs\Java Control Panel Advanced Tab.

Here are details about my env:

Windows version:

Microsoft Windows [Version 10.0.14393]

Tomcat startup log (first n lines):

    c:\Program Files\apache-tomcat-7.0.72\bin>catalina.bat run
    Using CATALINA_BASE: "C:\Program Files\apache-tomcat-7.0.72"
    Using CATALINA_HOME: "C:\Program Files\apache-tomcat-7.0.72"
    Using CATALINA_TMPDIR: "C:\Program Files\apache-tomcat-7.0.72\temp"
    Using CATALINA_OPTS: "-Dhttps.protocols=TLSv1.1,TLSv1.2 -Xms1024m -Xmx2048m -XX:MaxPermSize=256m"
    Using JRE_HOME: "C:\Program Files\Java\jdk1.7.0_80\jre"
    Using CLASSPATH: "C:\Program Files\apache-tomcat-7.0.72\bin\bootstrap.jar;C:\Program Files\apache-tomcat-7.0.72\bin\tomcat-juli.jar"
    Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
    INFO: Server version: Apache Tomcat/7.0.72
    Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
    INFO: Server built: Sep 14 2016 12:12:26 UTC
    Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
    INFO: Server number: 7.0.72.0
    Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
    INFO: OS Name: Windows 8.1
    Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
    INFO: OS Version: 6.3
    Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
    INFO: Architecture: amd64
    Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
    INFO: Java Home: C:\Program Files\Java\jdk1.7.0_80\jre
    Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
    INFO: JVM Version: 1.7.0_80-b15
    Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
    ...

I can't get what I'm doing wrong.

UPDATED:

If I'm switching JRE_HOME for tomcat to JAVA 8, it works fine.

For now I fixed it by adding this code to configure apache HttpClient:

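    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import javax.net.ssl.SSLContext;
    import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
    import org.apache.http.conn.ssl.SSLContexts;
    import org.apache.http.impl.client.HttpClients;

    SSLContext sslContext = null;
    try {
        sslContext = SSLContexts.custom().useTLS().build();
    } catch (KeyManagementException | NoSuchAlgorithmException e1) {
        // TODO Auto-generated catch block
        e1.printStackTrace();
    }
    // Enable only TLSv1.1 and TLSv1.2 (null = default cipher suites) and keep hostname
    // verification on; AllowAllHostnameVerifier would accept a certificate issued for any host.
    SSLConnectionSocketFactory f = new SSLConnectionSocketFactory(sslContext, new String[] { "TLSv1.1", "TLSv1.2" }, null,
            SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
    httpclient = HttpClients.custom().setSSLSocketFactory(f).build();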

But, still can't it be done without code modifications? By configuring tomcat java or system somehow? Cause with JAVA 8 everything works without code modifications.

Solution

To enable TLS in Tomcat, add the parameter sslEnabledProtocols="TLSv1.X" to the Connector section of Tomcat's server.xml file in the tomcat/conf/ folder. For example, to configure TLSv1.1, follow the configuration below.

    <Connector protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="ssl/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="SSL" sslEnabledProtocols="TLSv1.1" />

Restart the server.
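To see which protocol versions the JVM behind Tomcat offers on outbound connections, the check below can be run with the same JRE_HOME that Tomcat uses. It is an added example, not code from the question or the answer; the class name OutboundTlsCheck and the helper tls11Plus are made up for illustration. It uses only the JDK's javax.net.ssl API and opens no network connection.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

/** Added diagnostic (hypothetical class name): what this JVM offers for outbound TLS. */
public class OutboundTlsCheck {

    /** Protocols newer than TLSv1.0 that the JVM supports, whether or not they are on by default. */
    static String[] tls11Plus(String[] supported) {
        List<String> out = new ArrayList<String>();
        for (String p : supported) {
            if (p.startsWith("TLSv1.")) {   // matches TLSv1.1, TLSv1.2, ...; plain "TLSv1" is excluded
                out.add(p);
            }
        }
        return out.toArray(new String[out.size()]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] enabled = ctx.getDefaultSSLParameters().getProtocols();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        String[] wanted = tls11Plus(supported);

        System.out.println("java.version      = " + System.getProperty("java.version"));
        System.out.println("https.protocols   = " + System.getProperty("https.protocols"));
        System.out.println("enabled (default) = " + Arrays.toString(enabled));
        System.out.println("supported         = " + Arrays.toString(supported));
        if (wanted.length == 0) {
            System.out.println("This JVM supports nothing newer than TLSv1.0.");
            return;
        }
        // Unconnected socket: only local configuration is inspected, nothing is sent.
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket();
        try {
            System.out.println("socket as created = " + Arrays.toString(s.getEnabledProtocols()));
            // Same effect as the String[] handed to SSLConnectionSocketFactory in the question.
            s.setEnabledProtocols(wanted);
            System.out.println("socket after set  = " + Arrays.toString(s.getEnabledProtocols()));
        } finally {
            s.close();
        }
    }
}
```

On a Java 7 runtime the default-enabled client list stops at TLSv1 even though TLSv1.1 and TLSv1.2 are listed as supported, while Java 8 enables them by default. The https.protocols value is printed only for reference: it is read by the JDK's HttpsURLConnection and does not change the sockets created here.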
