Question:

Tomcat with HTTP/2 and TLSv1.3

宋劲
2023-03-14

TL;DR: How do we configure Tomcat, running on Windows with Java 8, to support both TLSv1.3 and HTTP/2?

One of our applications runs on Tomcat 9.0 on Windows with Java 8. The setup works fine with HTTP/1.1 and TLSv1.2, but we now want to use HTTP/2 and TLSv1.3. We are able to get either HTTP/2 or TLSv1.3 working, but not both at the same time.

By configuring Tomcat to use Azul's Zulu build of Java 8, we can get TLSv1.3 working. With this configuration Tomcat uses TLS via JSSE. However, when we try to add support for HTTP/2 we run into problems. According to the Tomcat documentation,

Because Java 8's TLS implementation does not support ALPN (which is required for HTTP/2 over TLS), an OpenSSL-based TLS implementation must be used to support HTTP/2.

Note: we are not sure whether the Zulu build of Java 8 we use is actually missing ALPN.

When we switch to OpenSSL-based TLS we can get HTTP/2 working, but we cannot figure out how to get TLSv1.3 working. We installed the OpenSSL and APR binaries, but when we try to run with only TLSv1.3 configured (rather than TLSv1.2 TLSv1.3) we see the following error in the Tomcat log:

org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:935)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:656)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: None of the [protocols] specified are supported by the SSL engine : [[TLSv1.3]]
    at org.apache.tomcat.util.net.SSLUtilBase.getEnabled(SSLUtilBase.java:91)
    at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:55)
    at org.apache.tomcat.util.net.openssl.OpenSSLUtil.<init>(OpenSSLUtil.java:41)
    at org.apache.tomcat.util.net.openssl.OpenSSLImplementation.getSSLUtil(OpenSSLImplementation.java:36)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:102)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1043)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
    ... 13 more

Below are the different server.xml variants we tried.

Working HTTP/2 configuration (no TLSv1.3):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig truststoreFile="conf/truststore.jks"
        protocols="TLSv1.2+TLSv1.3"
        truststorePassword="changeit"
        truststoreType="JKS"
        certificateVerification="optional">
            <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
    </SSLHostConfig>
</Connector>

Working TLSv1.3 configuration (no HTTP/2):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true">
    <SSLHostConfig truststoreFile="conf/truststore.jks"
        protocols="TLSv1.3"
        truststorePassword="changeit"
        truststoreType="JKS"
        certificateVerification="optional">
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
    </SSLHostConfig>
</Connector>

Non-working HTTP/2 and TLSv1.3 configuration:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig truststoreFile="conf/truststore.jks"
        protocols="TLSv1.3"
        truststorePassword="changeit"
        truststoreType="JKS"
        certificateVerification="optional">
            <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
    </SSLHostConfig>
</Connector>

When we dug through the Tomcat code, we saw:

if (SSL.version() >= 0x1010100f) {
    SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2 |
                    SSL_PROTOCOL_TLSV1_3);
} else {
    SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2);
}

When we check our OpenSSL version (the only OpenSSL configured on the box), we see:

C:\>openssl version
OpenSSL 1.1.1g  21 Apr 2020

Based on this, we do not understand why our OpenSSL configuration does not support TLSv1.3.

Edit: we tried another configuration using APR (i.e. without JSSE), but that does not work either. Details below.

Non-working HTTP/2 and TLSv1.3 configuration via APR:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
    maxThreads="150" scheme="https" secure="true" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig protocols="TLSv1.3">
        <Certificate certificateKeyFile="conf/privkey"
            certificateFile="conf/ssl.cer"
            certificateChainFile="conf/certchain.pem"
            type="RSA" />
    </SSLHostConfig>
</Connector>

Resulting error log (slightly different stack trace than before):

org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:935)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:656)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: None of the [protocols] specified are supported by the SSL engine : [[TLSv1.3]]
    at org.apache.tomcat.util.net.SSLUtilBase.getEnabled(SSLUtilBase.java:91)
    at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:405)
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:376)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1043)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
    ... 13 more

Tomcat startup log with the APR configuration:

01-Aug-2020 04:34:59.459 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:        Apache Tomcat/9.0.7
01-Aug-2020 04:34:59.484 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Apr 3 2018 19:53:05 UTC
01-Aug-2020 04:34:59.484 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number:         9.0.7.0
01-Aug-2020 04:34:59.484 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Windows Server 2016
01-Aug-2020 04:34:59.487 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            10.0
01-Aug-2020 04:34:59.487 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
01-Aug-2020 04:34:59.487 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             C:\Program Files\Java\JDK_Zulu8_262\jre
01-Aug-2020 04:34:59.487 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           1.8.0_262-b19
01-Aug-2020 04:34:59.487 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Azul Systems, Inc.
01-Aug-2020 04:34:59.487 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         C:\Program Files\Apache Software Foundation\Tomcat 9.0
01-Aug-2020 04:34:59.487 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         C:\Program Files\Apache Software Foundation\Tomcat 9.0
01-Aug-2020 04:34:59.488 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=C:\Program Files\Apache Software Foundation\Tomcat 9.0
01-Aug-2020 04:34:59.488 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=C:\Program Files\Apache Software Foundation\Tomcat 9.0
01-Aug-2020 04:34:59.488 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=C:\Program Files\Apache Software Foundation\Tomcat 9.0\temp
01-Aug-2020 04:34:59.488 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
01-Aug-2020 04:34:59.488 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\logging.properties
01-Aug-2020 04:34:59.488 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: exit
01-Aug-2020 04:34:59.488 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: abort
01-Aug-2020 04:34:59.489 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms128m
01-Aug-2020 04:34:59.489 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx256m
01-Aug-2020 04:34:59.489 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.24] using APR version [1.7.0].
01-Aug-2020 04:34:59.489 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
01-Aug-2020 04:34:59.489 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
01-Aug-2020 04:34:59.517 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1g  21 Apr 2020]
01-Aug-2020 04:35:00.410 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
01-Aug-2020 04:35:00.523 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
01-Aug-2020 04:35:00.536 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-apr-8443"] connector has been configured to support negotiation to [h2] via ALPN
01-Aug-2020 04:35:00.536 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-apr-8443"]
01-Aug-2020 04:35:00.633 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11AprProtocol-8443]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:935)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:656)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: None of the [protocols] specified are supported by the SSL engine : [[TLSv1.3]]
    at org.apache.tomcat.util.net.SSLUtilBase.getEnabled(SSLUtilBase.java:91)
    at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:405)
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:376)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1043)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
    ... 13 more

01-Aug-2020 04:35:00.635 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-8009"]
01-Aug-2020 04:35:00.638 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
01-Aug-2020 04:35:00.638 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 3485 ms
01-Aug-2020 04:35:00.706 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
01-Aug-2020 04:35:00.706 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/9.0.7

1 Answer

子车凯泽
2023-03-14

Your Tomcat version (9.0.7) is very old; it was released more than two years before you posted this question. The current version is 9.0.37.

It looks like TLSv1.3 support was not added to Tomcat until 9.0.13, tracked under ASF Bugzilla issue 62748.

If your JVM supports TLSv1.3 (for JSSE), or your OpenSSL version supports TLSv1.3 (for the APR connector), or both, then upgrading Tomcat should let you use TLSv1.3.
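The question's three server.xml variants and the answer's version point can be checked statically before restarting Tomcat. The following is an added example, not Tomcat's own code: it models the protocol-string syntax of the `protocols` attribute (`+`, `-`, `,` and `all`, applied left to right), the `SSL.version() >= 0x1010100f` gate quoted from the Tomcat source above, and the answer's observation that this gate only exists from Tomcat 9.0.13 on, then intersects configured and implemented protocols the way connector initialisation does. Assumptions: the OpenSSL version-number layout is the 1.x one (`0xMNNFFPPS`), the `all` set is TLSv1 through TLSv1.3, and the Tomcat Native library in use already exposes TLSv1.3 (the log above shows 1.2.24); the function and variable names are this example's own.

```python
"""Static check of a Tomcat <SSLHostConfig protocols="..."> value against the
OpenSSL build and Tomcat version in use. Added example, not Tomcat code."""
import re

TLS13_MIN_OPENSSL = 0x1010100F          # OpenSSL 1.1.1 release: Tomcat's TLSv1.3 gate
TOMCAT_TLS13_MIN = (9, 0, 13)           # per the answer: BZ 62748 shipped in 9.0.13
ALL_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")  # assumed expansion of "all"


def openssl_version_number(version_line):
    """'OpenSSL 1.1.1g  21 Apr 2020' -> 0x1010107F.

    Assumes the OpenSSL 1.x OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS: major
    nibble, minor byte, fix byte, patch-letter byte (a=1, b=2, ...), status
    nibble (0xF = release). 3.x numbers differ in the low bytes but still
    compare >= 0x1010100F, so the gate behaves the same.
    """
    m = re.match(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", version_line)
    if not m:
        raise ValueError("unrecognised openssl version line: %r" % version_line)
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major) << 28) | (int(minor) << 20) | (int(fix) << 12) | (patch << 4) | 0xF


def tomcat_version(server_line):
    """'Apache Tomcat/9.0.7' -> (9, 0, 7), as printed by VersionLoggerListener."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", server_line)
    if not m:
        raise ValueError("unrecognised Tomcat version line: %r" % server_line)
    return tuple(int(x) for x in m.groups())


def parse_protocols(spec):
    """Expand a protocols attribute the way SSLHostConfig.setProtocols does.

    Tokens are applied left to right starting from an empty set: "+X" adds,
    "-X" removes, a bare or ","-prefixed token adds (legacy form), and "all"
    expands to ALL_PROTOCOLS. Order of first appearance is preserved.
    """
    enabled = []
    for token in re.split(r"(?=[-+,])", spec):   # keep the separator on its token
        token = token.strip()
        if len(token) <= 1:                       # empty piece or a lone separator
            continue
        op = token[0] if token[0] in "+-," else "+"
        name = token[1:].strip() if token[0] in "+-," else token
        names = list(ALL_PROTOCOLS) if name.lower() == "all" else [name]
        if op == "-":
            enabled = [p for p in enabled if p not in names]
        else:
            enabled.extend(n for n in names if n not in enabled)
    return enabled


def implemented_protocols(openssl_line, tomcat_line):
    """Protocols the OpenSSL-backed SSL engine will report as implemented:
    TLSv1.3 only when both the OpenSSL gate and the Tomcat version allow it."""
    impl = ["TLSv1", "TLSv1.1", "TLSv1.2"]
    if (openssl_version_number(openssl_line) >= TLS13_MIN_OPENSSL
            and tomcat_version(tomcat_line) >= TOMCAT_TLS13_MIN):
        impl.append("TLSv1.3")
    return impl


def check_protocols(spec, openssl_line, tomcat_line):
    """Return (enabled, skipped, error).

    Mirrors SSLUtilBase.getEnabled: configured is intersected with implemented.
    An empty intersection fails connector initialisation (error carries the
    message seen in the question's log); a partial one just drops the
    unsupported entries, which are returned in `skipped`.
    """
    configured = parse_protocols(spec)
    impl = implemented_protocols(openssl_line, tomcat_line)
    enabled = [p for p in configured if p in impl]
    skipped = [p for p in configured if p not in impl]
    if not enabled:
        return enabled, skipped, (
            "None of the [protocols] specified are supported by the SSL engine : [[%s]]"
            % ", ".join(configured))
    return enabled, skipped, None


if __name__ == "__main__":
    # Version strings copied from the question's logs; 9.0.37 is the answer's suggestion.
    openssl = "OpenSSL 1.1.1g  21 Apr 2020"
    for tomcat in ("Apache Tomcat/9.0.7", "Apache Tomcat/9.0.37"):
        for spec in ("TLSv1.2+TLSv1.3", "TLSv1.3", "all,-TLSv1,-TLSv1.1"):
            print(tomcat, spec, check_protocols(spec, openssl, tomcat))
```

Run against the question's own values, the model reproduces the observed behaviour: on 9.0.7 with OpenSSL 1.1.1g, `protocols="TLSv1.3"` yields an empty intersection and the exact `IllegalArgumentException` message, while `TLSv1.2+TLSv1.3` starts but with TLSv1.3 in the skipped list, so the "working HTTP/2" connector was in fact TLSv1.2-only. The same check on 9.0.37 enables TLSv1.3 for all three specs, which is the answer's upgrade path. Check the startup log for skipped-protocol warnings whenever a connector starts with fewer protocols than configured.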

 类似资料:
  • 在上一章节,我们讨论了怎么去解析连接和信息从HTML文档中。可是,网站内容越来越复杂通过使用某些技术,比如说:AJAX。你可能发现网页看起来不一样,当它在浏览器的时候。你想要的信息没有在HTML网页当中。 在这篇文章中,我们不会写过于复杂的爬虫脚本,但是,某些网页的片段使用了AJAX技术,或者需要URL之外更多的HTTP参数, AJAX AJAX是异步JavaScript和XML的缩写。AJAX是

  • 这与以下问题类似: 问题A 在中,我有: 然后,在类中,我有:

  • V2Ray 3.17 中加入了基于 HTTP/2 的传输方式。它完整按照 HTTP/2 标准实现,可以通过其它的 HTTP 服务器(如 Nginx)进行中转。 由 HTTP/2 的建议,客户端和服务器必须同时开启 TLS 才可以正常使用这个传输方式。 V2Ray 4.20 中对服务端的TLS配置的强制条件移除,为了在特殊用途的分流部署环境中,由外部网关组件完成TLS层对话,V2Ray作为后端应用,

  • API被设置为记录通过来的任何内容,这在运行来自任何地方的请求时都很好,但我的angular应用程序除外。到目前为止我所做的: 传递原始查询而不是. 在没有正文的情况下传递请求。 传递RequestOptions中的所有值。 将参数作为字符串传递。 将正文作为参数传递。 将正文传递为 有人知道为什么数据永远不会被发送吗?

  • An HTTP/2 connection is an application-layer protocol running on top of a TCP connection ([TCP]). The client is the TCP connection initiator. HTTP/2 是一个运行在 TCP 之上的应用层协议。客户端是 TCP 连接的发起者。 HTTP/2 uses th

  • 问题内容: 我正在尝试创建一个标准来从3个表(关联,更新和详细信息)中检索一些对象。详细信息引用了关联和更新,而更新引用了详细信息列表。我的目标是在给定关联ID的情况下,在指定字段中检索至少包含明细且值为空的更新列表。在JPQL中很容易做到,但是客户说必须用标准编码。 我的JPQL是: 我尝试了以下操作,但是它只是返回了数据库中的所有更新: 谁能帮我?我搜索了但找不到3个实体的任何示例。 问题答案