在对我的Tomcat servlet进行故障诊断时,我决定通过编辑/var/apache-tomcat-8.5.5/bin/setenv.sh来启用networkingdebugging,并更改了行export JAVA_OPTS="-Xms512m -Xmx1536m -XX:MaxPermSize=256m" export JAVA_OPTS="-Xms512m -Xmx1536m -XX:MaxPermSize=256m -Djavax.net.debug=all" 。 只要我保存文件,并重新启动Tomcat(通过catalina.sh启动/停止),我发现我不能再通过HTTPS连接到Tomcatpipe理器应用程序( https://10.9.9.236:8443/manager/html/ ) 。 Chrome说:
“无法到达此站点”(ERR_CONNECTION_CLOSED)
我完全停止和取消部署我的Web应用程序后,我再现了这种行为。 (现在只安装默认的Tomcatpipe理器应用程序。)所以我知道只有一个Java选项导致HTTPS失败。
为什么要启用debugging打破HTTPS?
以下是catalina.out日志文件中可能的线索:
https-jsse-nio-8443-exec-4, fatal error: 80: problem unwrapping net record java.lang.RuntimeException: java.security.NoSuchAlgorithmException: EC AlgorithmParameters not available https-jsse-nio-8443-exec-4, SEND TLSv1.2 ALERT: fatal, description = internal_error https-jsse-nio-8443-exec-4, WRITE: TLSv1.2 Alert, length = 2 28-Sep-2016 14:01:00.576 SEVERE [https-jsse-nio-8443-exec-4] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun java.lang.RuntimeException: java.security.NoSuchAlgorithmException: EC AlgorithmParameters not available at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429) at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:449) at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:227) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1387) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) Caused by: java.lang.RuntimeException: java.security.NoSuchAlgorithmException: EC AlgorithmParameters not available at sun.security.util.ECUtil.getECParameters(ECUtil.java:100) at sun.security.util.ECUtil.getECParameterSpec(ECUtil.java:149) at sun.security.ssl.JsseJce.getECParameterSpec(JsseJce.java:385) at sun.security.ssl.SupportedEllipticCurvesExtension.toString(SupportedEllipticCurvesExtension.java:127) at sun.security.ssl.HelloExtensions.print(HelloExtensions.java:150) at sun.security.ssl.HandshakeMessage$ClientHello.print(HandshakeMessage.java:323) at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:340) at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker$1.run(Handshaker.java:919) at sun.security.ssl.Handshaker$1.run(Handshaker.java:916) at java.security.AccessController.doPrivileged(Native Method) at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369) at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:397) at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:457) ... 7 more Caused by: java.security.NoSuchAlgorithmException: EC AlgorithmParameters not available at sun.security.jca.GetInstance.getInstance(GetInstance.java:159) at java.security.Security.getImpl(Security.java:695) at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:146) at sun.security.util.ECUtil.getECParameters(ECUtil.java:98) ... 21 more
当我擦除日志并恢复到默认的JAVA_OPTS时,不会发生exception。
环境:
CentOS Linux release 7.2.1511 (Core) uname -r: 3.10.0-327.10.1.el7.x86_64 Using CATALINA_BASE: /var/apache-tomcat-8.5.5 Using CATALINA_HOME: /var/apache-tomcat-8.5.5 Using CATALINA_TMPDIR: /var/apache-tomcat-8.5.5/temp Using JRE_HOME: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.101-3.b13.el7_2.x86_64/jre Using CLASSPATH: /var/apache-tomcat-8.5.5/bin/bootstrap.jar:/var/apache-tomcat-8.5.5/bin/tomcat-juli.jar Using CATALINA_PID: /var/apache-tomcat-8.5.5/tomcat.pid
我应该补充一点,即使HTTPS访问servlet失败了,我仍然可以通过HTTP访问它,例如http://10.9.9.236:8080/manager/html/ 。
问题是OpenJDK 8在尝试debuggingSSL连接时不支持椭圆曲线密码(例如javax.net.debug=all )。
尝试更新java-1.8.0-openjdk包来修复这个bug。
查看更多: java-1.8.0-openjdk错误修复更新