Tomcat SSL configuration: Chrome shows ERR_SSL_VERSION_OR_CIPHER_MISMATCH

After configuring SSL for Tomcat today, I found that the page could not be accessed. Chrome showed the following:

[Image: access error.png]

The puzzling part is that the same configuration works perfectly on other servers.
Searching Baidu turned up no solution, and I did not know much about how Tomcat's SSL configuration works. Later I found a solution via Google: specify the set of cipher suites in the SSL connector configuration:

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
         TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
         TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,
         SSL_RSA_WITH_RC4_128_SHA"

The complete connector configuration is as follows:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" URIEncoding="UTF-8"
           keystoreFile="conf/chinanetcenter.tomcat" keystorePass="2013111"
           clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,
                    SSL_RSA_WITH_RC4_128_SHA"
           compression="on" compressionMinSize="50" noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/javascript,text/css,text/plain"/>

Once this is configured, the page can be accessed.
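As an added diagnostic that is not part of the original post, the Python script below parses the ciphers attribute of an SSL-enabled Connector (a constructed server.xml fragment based on the connector above) and compares it against a representative TLS 1.2 client offer; that client list is an assumption, not any particular browser's exact list. Chrome reports ERR_SSL_VERSION_OR_CIPHER_MISMATCH when it shares no protocol version or cipher suite with the server, which is the empty "negotiable" case the script flags; RC4 suites are classed as obsolete because current browsers no longer offer them.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's connector with keystore settings omitted.
SERVER_XML = """<Server><Service>
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="TLS"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
           TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
           TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,
           SSL_RSA_WITH_RC4_128_SHA"/>
</Service></Server>"""

# Representative TLS 1.2 client offer (an assumption, not any browser's exact
# list): AEAD ECDHE suites first, then the CBC fallbacks most clients keep.
CLIENT_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

def server_ciphers(server_xml):
    """Suites listed on every SSLEnabled Connector, in the order configured."""
    suites = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # Tomcat takes a comma-separated list; surrounding whitespace is noise.
        suites += [s.strip() for s in conn.get("ciphers", "").split(",") if s.strip()]
    return suites

def check_overlap(server, client):
    """Split server suites into negotiable (offered by this client), obsolete
    (RC4, no longer offered by current browsers) and not_offered. An empty
    'negotiable' list is the no-common-suite condition behind the Chrome error."""
    client_set = set(client)
    obsolete = [s for s in server if "RC4" in s]
    negotiable = [s for s in server if s in client_set and s not in obsolete]
    not_offered = [s for s in server if s not in client_set and s not in obsolete]
    return {"negotiable": negotiable, "obsolete": obsolete, "not_offered": not_offered}

if __name__ == "__main__":
    for key, suites in check_overlap(server_ciphers(SERVER_XML), CLIENT_OFFER).items():
        print(key, suites)
```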

I have not fully understood the specific cause; when I get the chance, I will study Tomcat's mechanism more deeply and write about it later.

Here is some information I found while searching for the problem:

Tomcat has two SSL implementations: one uses APR, the other uses JSSE. Tomcat chooses which implementation to use automatically: if APR is installed on the server, it seems to pick APR automatically (I speculate that the error above may be related to APR, because only that server has APR installed, and only there does it fail). You can make Tomcat choose the JSSE implementation by specifying the protocol attribute.

There are two SSL implementations in Tomcat, JSSE and APR:
(1) JSSE has been included in the JDK since version 1.4, while APR uses the OpenSSL engine, so to use APR you must configure the OpenSSL engine.
(2) JSSE comes in a BIO implementation and an NIO implementation. The protocol value for the BIO implementation is org.apache.coyote.http11.Http11Protocol, and the protocol value for the NIO implementation is org.apache.coyote.http11.Http11NioProtocol.
According to my experiments, the BIO implementation must be used with Tomcat 6; using the NIO implementation goes wrong.
To use the APR method, the Tomcat Native library must be installed.
(3) The default connector in most Tomcat versions is the BIO connector.
After testing, Tomcat 6 uses a BIO connector and does not support NIO, so the protocol value of the Connector should be written as org.apache.coyote.http11.Http11Protocol.
