Google Chrome reports that the client and server do not support a common SSL protocol version or cipher suite (verified in personal testing)

When visiting some websites recently, Chrome shows the error "This site can't provide a secure connection: the client and server don't support a common SSL protocol version or cipher suite".

1. Positioning problem

Click the lock icon next to the URL in the browser; a pop-up with the site information appears.
Then click the website security link, which opens the connection details.
Comparing the two, you can see that the domain is served over TLS 1.0, and that is the cause of the problem: mainstream browsers such as Chrome have already removed support for TLS 1.0 entirely. So we need to upgrade our server to support TLS 1.2 or above.
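To confirm from the command line what the lock icon showed, a practitioner would check which TLS versions the server actually accepts, and repeat the check after the change to verify that TLS 1.2 works and the legacy versions are off. The following Python script is an added example, not code from the original post: it opens one handshake per TLS version (1.0 to 1.3) using only the standard library and turns the results into a verdict from the browser's point of view. The host name www.test.cn and port 8443 come from the article; the function names are this example's own.

```python
import socket
import ssl

# TLS versions to try, oldest first (constants chosen for this example).
VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]


def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.

    Returns (True, "<negotiated version> <cipher>") on success, or
    (False, reason) when the server (or the local TLS stack) refuses it.
    Certificate verification is disabled on purpose: the question here is
    protocol support, not chain validity.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError) as exc:
        return False, f"local TLS stack cannot offer this version: {exc}"
    try:
        # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level;
        # lower it so the probe reflects the server's behaviour, not the client's.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and older OpenSSL do not know SECLEVEL; keep the defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cipher = tls.cipher()
                return True, f"{tls.version()} {cipher[0] if cipher else '?'}"
    except ssl.SSLError as exc:
        return False, exc.reason or str(exc)
    except OSError as exc:
        return False, str(exc)


def probe_all(host, port):
    """Map each version name to whether the server accepted a handshake with it."""
    return {name: probe_version(host, port, version)[0] for name, version in VERSIONS}


def verdict(results):
    """Summarise probe results the way a current browser would see them.

    Chrome only speaks TLS 1.2 and 1.3, so a server offering neither produces
    the error shown in the article; TLS 1.0/1.1 left enabled is a warning.
    """
    modern = bool(results.get("TLS 1.2") or results.get("TLS 1.3"))
    legacy = [name for name in ("TLS 1.0", "TLS 1.1") if results.get(name)]
    if not modern:
        return "FAIL: no TLS 1.2/1.3 offered; current browsers will refuse to connect"
    if legacy:
        return "WARN: TLS 1.2+ works, but legacy " + ", ".join(legacy) + " still enabled"
    return "OK: only TLS 1.2+ offered"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.test.cn"  # host and port from the article
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    for name, version in VERSIONS:
        ok, detail = probe_version(host, port, version)
        print(f"{name}: {'accepted' if ok else 'rejected'} ({detail})")
    print(verdict(probe_all(host, port)))
```

Run it as `python probe_tls.py www.test.cn 8443`; before the change it should report only TLS 1.0 accepted and a FAIL verdict, after the change TLS 1.2 accepted and an OK verdict.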

2. Upgrade TLS1.2

1. Principle


Previous architecture

Previously, Tomcat itself listened on HTTPS port 8443; the relevant configuration in tomcat/conf/server.xml was as follows:

<Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"
           connectionTimeout="20000"
           compression="on"
           compressionMinSize="512"
           compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/csv,application/javascript,application/json,application/xml"
           />
<Connector protocol="org.apache.coyote.http11.Http11Protocol" URIEncoding="UTF-8" port="8443"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS" disableUploadTimeout="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           keystoreFile="../ssl3/sggk.jks" keystorePass="sggk123"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
           />

Although the Tomcat configuration lists TLSv1.2 in sslEnabledProtocols, the setting does not take effect, because the older version in use (Tomcat 7 here) does not support it properly.

Adjusted architecture

So instead we let nginx listen on HTTPS port 8443 as a reverse proxy and forward requests to Tomcat's HTTP port 8080.

2. Configure nginx

The reference configuration is as follows:


worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    underscores_in_headers on;   # keep request headers whose names contain underscores instead of dropping them
    #access_log  logs/access.log  main;
    sendfile        on;
    keepalive_timeout  65;
    gzip  on;

    # backend server pool
    upstream  www_test {
        # the pool is named www_test
        #ip_hash;
        server    127.0.0.1:8080;   # backend server; weight=N sets its relative weight, a larger weight receives more requests
        #server    127.0.0.1:9092  weight=1;
    }

    server {
        listen       8443 ssl;   # the article's text and its final test URL use port 8443 (the original file had 443 here)
        server_name  www.test.cn;

        # the paths contain a space, so they must be quoted or nginx rejects the directive
        ssl_certificate      "D:/Tomcat 7.0/ssl/www.test.cn.pem";
        ssl_certificate_key  "D:/Tomcat 7.0/ssl/www.test.cn.key";

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        # added here to state the version range explicitly (not in the original config); without it,
        # nginx releases before 1.23.4 default to TLSv1 TLSv1.1 TLSv1.2. Drop TLSv1.3 on nginx older than 1.13.0.
        ssl_protocols        TLSv1.2 TLSv1.3;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        # static resources served directly by nginx
        location /pm/v4/ {
            alias   "D:/Tomcat 7.0/webapps/pm/v4/";
        }
        location /pm/jslib/ {
            alias   "D:/Tomcat 7.0/webapps/pm/jslib/";
        }
        location /pm/css/ {
            alias   "D:/Tomcat 7.0/webapps/pm/css/";
        }
        location /pm/images/ {
            alias   "D:/Tomcat 7.0/webapps/pm/images/";
        }
        location /pm/temp/ {
            alias   "D:/Tomcat 7.0/webapps/pm/temp/";
        }
        location /pm/main4.0/ {
            alias   "D:/Tomcat 7.0/webapps/pm/main4.0/";
        }

        # everything else under /pm is proxied to Tomcat over plain HTTP
        location /pm {
            add_header Cache-Control 'no-store';
            client_max_body_size 300m;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_redirect off;
            proxy_connect_timeout      1;
            proxy_send_timeout         240;
            proxy_read_timeout         240;
            proxy_pass http://www_test/pm;
        }
    }
}


Pay attention to the two SSL certificate file paths (quoted because the path contains a space):
ssl_certificate      "D:/Tomcat 7.0/ssl/www.test.cn.pem";
ssl_certificate_key  "D:/Tomcat 7.0/ssl/www.test.cn.key";
The certificate must be provided by the customer, or you apply for one yourself at Alibaba Cloud or Tencent Cloud. It has to be the nginx-format certificate (a PEM certificate file plus a separate private key file), which is different from the JKS keystore that Tomcat uses.
You can refer to: nginx configures the free SSL certificate applied for at Alibaba Cloud/Tencent Cloud (nginx configures https)
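Before reloading, it is worth checking both configuration files for the mistakes discussed in this section: an ssl listener with no ssl_protocols directive (so nginx falls back to its default range), legacy protocols still listed, and RC4/3DES suites like those in the old Tomcat connector shown earlier. The following Python script is an added example, not part of the original post: the two checkers are this example's own, and the sample inputs are constructed, shortened versions of the page's server block and connector (plus a fixed variant that states ssl_protocols explicitly).

```python
import re
import xml.etree.ElementTree as ET

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Substrings that mark a cipher suite as weak (RC4, 3DES/DES, NULL, export grade, MD5 MAC).
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES_", "NULL", "EXPORT", "MD5")


def nginx_tls_findings(conf_text):
    """Return a list of TLS problems found in an nginx configuration text.

    Checks: an `ssl` listener with no ssl_protocols directive, legacy protocols
    in ssl_protocols, and an ssl_protocols that offers no TLS 1.2/1.3 at all.
    Comments are stripped first so commented-out directives are ignored.
    """
    text = re.sub(r"#[^\n]*", "", conf_text)
    findings = []
    has_ssl_listener = re.search(r"\blisten\s+[^;]*\bssl\b[^;]*;", text) is not None
    protocol_values = re.findall(r"\bssl_protocols\s+([^;]+);", text)
    if has_ssl_listener and not protocol_values:
        findings.append("ssl_protocols not set: nginx before 1.23.4 defaults to 'TLSv1 TLSv1.1 TLSv1.2'")
    for value in protocol_values:
        enabled = set(value.split())
        legacy = sorted(enabled & LEGACY_PROTOCOLS)
        if legacy:
            findings.append("ssl_protocols enables legacy " + " ".join(legacy))
        if not enabled & MODERN_PROTOCOLS:
            findings.append("ssl_protocols offers no TLS 1.2/1.3; current browsers will refuse the connection")
    return findings


def tomcat_tls_findings(server_xml):
    """Return TLS problems on every <Connector SSLEnabled="true"> in a server.xml text."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        enabled_attr = conn.get("sslEnabledProtocols")
        if enabled_attr is None:
            findings.append(f"port {port}: sslEnabledProtocols not set, the JVM default applies")
        else:
            enabled = {p.strip() for p in enabled_attr.split(",")}
            legacy = sorted(enabled & LEGACY_PROTOCOLS)
            if legacy:
                findings.append(f"port {port}: enables legacy " + " ".join(legacy))
            if not enabled & MODERN_PROTOCOLS:
                findings.append(f"port {port}: no TLS 1.2/1.3 enabled")
        ciphers = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
        weak = [c for c in ciphers if any(marker in c for marker in WEAK_CIPHER_MARKERS)]
        if weak:
            findings.append(f"port {port}: {len(weak)} weak cipher suites, e.g. {weak[0]}")
    return findings


# Constructed sample inputs, cut down from the configurations shown in the article.
NGINX_AS_ON_PAGE = """
server {
    listen       8443 ssl;
    server_name  www.test.cn;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    # ssl_protocols TLSv1;   (commented out, must be ignored by the checker)
    location /pm { proxy_pass http://www_test/pm; }
}
"""
NGINX_FIXED = NGINX_AS_ON_PAGE.replace(
    "ssl_ciphers", "ssl_protocols TLSv1.2 TLSv1.3;\n    ssl_ciphers"
)
TOMCAT_AS_ON_PAGE = """<Service>
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"/>
</Service>"""


if __name__ == "__main__":
    for label, findings in (
        ("nginx as on the page", nginx_tls_findings(NGINX_AS_ON_PAGE)),
        ("nginx with ssl_protocols set", nginx_tls_findings(NGINX_FIXED)),
        ("old Tomcat connector", tomcat_tls_findings(TOMCAT_AS_ON_PAGE)),
    ):
        print(label + ":", findings or ["no findings"])
```

The nginx check is deliberately line-oriented rather than a full parser, so it also works on the Windows-style paths and stray indentation in the file above; feed it the real nginx.conf and server.xml with `open(path).read()`.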

3. Configure tomcat

Remove the HTTPS connector and keep only the HTTP one:

<Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"
           connectionTimeout="20000"
           compression="on"
           compressionMinSize="512"
           compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/csv,application/javascript,application/json,application/xml"
           />

3. Access the site through nginx

https://www.test.cn:8443/pm

Source: blog.csdn.net/Blueeyedboy521/article/details/124963562