团队,
在为 apache 2.2.4 配置 ssl.conf 时,我想使用如下所示的一些配置
SSLEngine on
SSLCertificateFile /opt/alfresco/deploy/ssl/crt/testdns.com.crt
SSLCertificateKeyFile /opt/alfresco/deploy/ssl/private/testdns.com.key
SSLCertificateChainFile /opt/alfresco/deploy/ssl/crt/intermediate.crt
SSLVerifyClient none
SSLVerifyDepth 1
SSLOptions +StdEnvVars +StrictRequire
SSLProtocol -ALL +TLSv1
SetEnv nokeepalive ssl-unclean-shutdown
SSLProtocol +TLSv1 +TLSV1.2
当我仅使用 +TLSv1 时,它会给我一些 API 调用的错误,如下所示
javax.net.ssl.SSLException: Received fatal alert: protocol_version
如果我同时使用 SSLProtocol +TLSv1 +TLSv2 两种协议,它会显示浏览器不安全图标,我该如何防止它?
Case is like below
If I use only +TLSv1 - My API calls are working fine
If I use only +TLSv2 - browser shows secure icon but API call fails and give above error.
有什么解决办法吗,请告诉我。
答案1
我使用与您的原始帖子相同的 SSL 选项配置了一个 Web 服务器。唯一的区别是我使用的是 CertBot 提供的免费 SSL 证书,该证书是受信任的。我在 Chrome 和 Edge 上得到了相同的结果。 这是 apache 信息和虚拟主机配置。
[root@ip-172-26-6-250 conf.d]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@ip-172-26-6-250 conf.d]# httpd -V
Server version: Apache/2.4.6 (CentOS)
Server built: Aug 8 2019 11:41:18
Server's Module Magic Number: 20120211:24
Server loaded: APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture: 64-bit
Server MPM: prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
这是虚拟主机配置。
[root@ip-172-26-6-250 conf.d]# cat /etc/httpd/conf.d/heysus_xyz.conf
<VirtualHost *:80>
DocumentRoot "/var/www/html/"
ServerName heysus.xyz
</VirtualHost>
##Test Config
<VirtualHost *:443>
DocumentRoot "/var/www/html/"
ServerName heysus.xyz
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/heysus.xyz/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/heysus.xyz/privkey.pem"
SSLVerifyClient none
SSLVerifyDepth 1
SSLOptions +StdEnvVars +StrictRequire
SSLProtocol -ALL +TLSv1
SetEnv nokeepalive ssl-unclean-shutdown
SSLProtocol +TLSv1 +TLSV1.2
</VirtualHost>
##Working config
#<VirtualHost *:443>
# DocumentRoot "/var/www/html/"
# ServerName heysus.xyz
# SSLEngine on
# SSLCertificateFile "/etc/letsencrypt/live/heysus.xyz/fullchain.pem"
# SSLCertificateKeyFile "/etc/letsencrypt/live/heysus.xyz/privkey.pem"
#</VirtualHost>
我认为问题可能出在你的证书上。确保证书安装正确。
我用于测试的服务器将上线几天,以便您查看。