我有一个Tomcat8实例运行在Apache服务器后面,负责SSL卸载。 部署在Tomcat上的Java webapp需要连接到仅支持TLSv1.2的外部服务。
我添加了-Dhttps.protocols = TLSv1.2到Tomcat的setenv.sh。 但是我仍然看到Tomcat试图与TLSv1协商[2]作为支持最高的TLS版本,同时连接到外部服务。 所以,我最终得到错误[1],而连接。
我如何得到这个工作? 我需要更改Apache Web服务器上的任何configuration吗?
PS:在我只有Tomcat8的本地机器上添加上面的标志(TLS升级到v1.2)。
[1]
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421) at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294) at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:641) at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480) at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:1066) at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:1044) at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:1035) [2]
%% No cached client session *** ClientHello, TLSv1 .... .... ajp-nio-8009-exec-10, READ: TLSv1.2 Alert, length = 2 ajp-nio-8009-exec-10, RECV TLSv1 ALERT: fatal, protocol_version ajp-nio-8009-exec-10, called closeSocket() ajp-nio-8009-exec-10, handling exception: javax.net.ssl.SSLException: Received fatal alert: protocol_version ajp-nio-8009-exec-10, IOException in getSession(): javax.net.ssl.SSLException: Received fatal alert: protocol_version