Tomcat 不支持 ECDHE-ECDSA* 密码。配置和版本信息如下。
- 操作系统是 CentOS 6.5 x64
- Tomcat 版本为 7.0.56 Tomcat 本机版本为 1.1.30(使用 APR 版本 1.3.9 加载基于 APR 的 Apache Tomcat 本机库 1.1.30。)
- Java是Oracle jdk1.8.0_20
Tomcat server.conf 中的 SSL 配置:
SSLHonorCipherOrder="true" SSLDisableCompression="true"
SSLCipherSuite="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA38:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5"
但sslscan脚本显示 ECDHE-ECDSA* 密码为“失败”
Failed SSLv3 256 bits ECDHE-ECDSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDHE-ECDSA-AES256-SHA384
SSL实验室该网站也显示 ECDHE-ECDSA* 密码。
我知道这里提到的错误记录https://issues.apache.org/bugzilla/show_bug.cgi?id=55915它是封闭式修复的(并且已验证)
具有上面配置的 SSLCipherSuite 的 sslscan 脚本仅返回以下被接受的密码。
Accepted SSLv3 256 bits ECDHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits ECDHE-RSA-DES-CBC3-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits DES-CBC3-SHA
Accepted SSLv3 128 bits ECDHE-RSA-RC4-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits ECDHE-RSA-DES-CBC3-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits DES-CBC3-SHA
Accepted TLSv1 128 bits ECDHE-RSA-RC4-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
任何帮助都将受到赞赏。