Java 8 + Tomcat 8: supporting only TLSv1.2

1. Edit $tomcat_home/conf/server.xml

<Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true" truststoreType="JKS"
           keystoreFile="/root/zuoys.keystore" keystorePass="123456"
           clientAuth="false" 
           sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />

To remain backward compatible with TLS 1.0 and 1.1, use: sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

2. Test with openssl

Testing TLS 1.2:

D:\OpenSSL-Win64\bin>openssl s_client -connect 192.168.163.131:8443 -tls1_2
CONNECTED(000000D8)
depth=0 C = cn, ST = E58C97E4BAAC, L = E58C97E4BAAC, O = E993B6E7
verify error:num=18:self signed certificate
verify return:1
depth=0 C = cn, ST = E58C97E4BAAC, L = E58C97E4BAAC, O = E993B6E7
verify return:1
---
Certificate chain
 0 s:/C=cn/ST=\xE5\x8C\x97\xE4\xBA\xAC/L=\xE5\x8C\x97\xE4\xBA\xAC/O=\xE9\x93\xB6
   i:/C=cn/ST=\xE5\x8C\x97\xE4\xBA\xAC/L=\xE5\x8C\x97\xE4\xBA\xAC/O=\xE9\x93\xB6
---
Server certificate
subject=/C=cn/ST=\xE5\x8C\x97\xE4\xBA\xAC/L=\xE5\x8C\x97\xE4\xBA\xAC/O=\xE9\x93\x
issuer=/C=cn/ST=\xE5\x8C\x97\xE4\xBA\xAC/L=\xE5\x8C\x97\xE4\xBA\xAC/O=\xE9\x93\xB
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1377 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 5D4CCEDF2C45AF319A383F2C9077F995BC9BCBBD5F7375383319DE7BDE73EAF0
    Session-ID-ctx:
    Master-Key: CA26D76E01AAE4E3157546BE07610468B4E18D120A8B95DA5F9D91FE20AA6F5A1
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1565314785
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---

Testing TLS 1.1:

D:\OpenSSL-Win64\bin>openssl s_client -connect 192.168.163.131:8443 -tls1_1
CONNECTED(000000D8)
7540:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1565314902
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

D:\OpenSSL-Win64\bin>

Testing TLS 1.0:

D:\OpenSSL-Win64\bin>openssl s_client -connect 192.168.163.131:8443 -tls1
CONNECTED(000000D8)
5424:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1565314976
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

D:\OpenSSL-Win64\bin>

This shows that Tomcat now accepts only the TLSv1.2 protocol.
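
The three manual checks above can be scripted. This is an added example, not part of the original article: it classifies s_client output by the negotiated cipher, because the refused TLS 1.0 and 1.1 attempts above still print a "Protocol" line and "Verify return code: 0 (ok)". The function names and the abridged sample outputs are constructed for illustration.

```shell
# Added example. Reads `openssl s_client` output on stdin and prints
# "accepted <protocol> <cipher>" or "rejected".
# A refused attempt still prints "Protocol  : TLSv1.1" and
# "Verify return code: 0 (ok)", so only the negotiated cipher is trusted.
classify_handshake() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF from Windows captures
        /^New, / && /Cipher is/ { cipher = $NF }
        /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
        END {
            if (cipher == "" || cipher == "(NONE)") { print "rejected"; exit }
            print "accepted " proto " " cipher
        }'
}

# Try each protocol flag used on this page against host:port.
# "rejected" also results when the local openssl build cannot speak that version.
probe() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        result=$(openssl s_client -connect "$1" "$flag" </dev/null 2>&1 | classify_handshake)
        printf '%-8s %s\n' "$flag" "$result"
    done
}

# Constructed samples, abridged from the two kinds of output shown above.
sample_accepted() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 18 (self signed certificate)
EOF
}
sample_rejected() {
    cat <<'EOF'
no peer certificate available
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Verify return code: 0 (ok)
EOF
}

# With a host:port argument, probe it; otherwise classify the samples.
if [ $# -ge 1 ]; then probe "$1"; else
    sample_accepted | classify_handshake
    sample_rejected | classify_handshake
fi
```

Run with the connector address as the only argument (for the setup above, 192.168.163.131:8443) to get one accepted/rejected line per protocol flag.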

Original article: https://www.cnblogs.com/yaoyuan2/p/11325240.html