那些遇到过的问题

Tomcat 8:SSL会话ID不可用

Ugh*_*ini 2 ssl-certificate tomcat8

我在尝试从Tomcat7迁移到Tomcat8时遇到问题。看起来一切正常,但是当我访问我的应用程序时,它会记录以下异常:

09-Nov-2016 13:23:09.192 WARNING [https-openssl-nio-9443-exec-3] org.apache.coyote.AbstractProcessor.populateSslRequestAttributes Exception getting SSL attributes
 java.lang.IllegalStateException: SSL session ID not available
    at org.apache.tomcat.util.net.openssl.OpenSSLEngine$OpenSSLSession.getId(OpenSSLEngine.java:1048)
    at org.apache.tomcat.util.net.jsse.JSSESupport.getSessionId(JSSESupport.java:156)
    at org.apache.coyote.AbstractProcessor.populateSslRequestAttributes(AbstractProcessor.java:619)
    at org.apache.coyote.AbstractProcessor.action(AbstractProcessor.java:359)
    at org.apache.coyote.Request.action(Request.java:392)
    at org.apache.catalina.connector.Request.getAttribute(Request.java:900)
    at org.apache.catalina.connector.RequestFacade.getAttribute(RequestFacade.java:282)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.propogateSecureSession(AbstractHTTPDestination.java:411)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:395)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:238)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:298)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:217)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:273)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:589)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:784)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:802)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1410)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Unknown Source)
Run Code Online (Sandbox Code Playgroud)

我的连接器是这样定义的:

<Connector port="9443"  URIEncoding="utf-8" protocol="HTTP/1.1"     
    scheme="https"  secure="true" SSLEnabled="true"     
    maxPostSize="-1"
    useAprConnector ="false"
    sslProtocol="TLSv1.2" clientAuth="want"         
    disableSessionTickets="true"
    keystoreFile="${catalina.home}/conf/keystore.jks" 
    keystorePass="..." 
    truststoreFile="${catalina.home}/conf/truststore.jks" 
    truststorePass="..." 
/>
Run Code Online (Sandbox Code Playgroud)

在Tomcat7上一切正常,在tomcat8中,安全连接也很好。

Mar*_*mas 5

看来您正在遇到Bug 59811-如果使用会话票证,则TLS会话ID不可用

我怀疑这是因为在切换到Tomcat 8.5.x时,OpenSSL用于TLS(如果可用)。

您有两种选择:

  • 添加一个显式SSLHostConfig元素,并包含disableSessionTickets="true"以禁用会话票证
  • sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"在连接器上进行设置,以将JSSE用于TLS而不是OpenSSL

第二个选项最接近于Tomcat 7。

归档时间:

查看次数:

3700 次

最近记录:

9 年 前
相关归档
使用自签名证书时是否可以防止中间人攻击? 7
IE9如何跟踪"Internet Explorer阻止此网站显示带有安全证书错误的内容". 6
更新WAMP/Apache以使用新的cacert.pem 6
NET::ERR_CERT_REVOKED 在 Chrome 中,当证书实际上没有被撤销时 6
56 CONNECT之后从代理接收到HTTP代码403吗? 6
为什么Tomcat 8.5重新加载上下文 5
java restAssured 等同于 cURL 证书选项 5
安装pod时SSL证书安装失败? 4
Go - ReverseProxy到Apache代理错误:x509:由未知权限签名的证书 3
Python Websocket安全[SSL:CERTIFICATE_VERIFY_FAILED](_ssl.c:777) 0
难疑归档
循环内的JavaScript闭包 - 简单实用的例子 2689
按字符串属性值对对象数组进行排序 2535
使用__init __()方法理解Python super() 2366
正确使用IDisposable接口 1586
我怎样才能存储特定文件? 1422
如何设置HTML <select>元素的默认值? 1343
是否有"以前的兄弟"CSS选择器? 1253
同步检查Node.js中是否存在文件/目录 1113
致命错误:Python.h:没有这样的文件或目录 1042
将标签重新定义为4个空格 1041