我在 Apache 服务器后面运行一个 Tomcat8 实例,该服务器负责 SSL 卸载。部署在 Tomcat 上的 Java webapp 需要连接到仅支持 TLSv1.2 的外部服务。
我在 Tomcat 的 setenv.sh 中添加了 -Dhttps.protocols=TLSv1.2。但是我仍然看到 Tomcat 在连接到外部服务时尝试与 TLSv1 进行协商[2],因为这是支持的最高 TLS 版本。因此,我最终在连接时收到错误[1]。
我该如何让它工作?我需要更改 Apache Web 服务器上的任何配置吗?
PS:在我本地只有 Tomcat8 的机器上添加上述标志是有效的(TLS 升级到 v1.2)。
[1]
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:641)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:1066)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:1044)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:1035)
[2]
%% No cached client session
*** ClientHello, TLSv1
....
....
ajp-nio-8009-exec-10, READ: TLSv1.2 Alert, length = 2
ajp-nio-8009-exec-10, RECV TLSv1 ALERT: fatal, protocol_version
ajp-nio-8009-exec-10, called closeSocket()
ajp-nio-8009-exec-10, handling exception: javax.net.ssl.SSLException: Received fatal alert: protocol_version
ajp-nio-8009-exec-10, IOException in getSession(): javax.net.ssl.SSLException: Received fatal alert: protocol_version