I checked the configuration that had originally been set up:
<Connector protocol="HTTP/1.1" port="8443"
           maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="{路徑}/ngss_cer/key.jks" keyAlias="xxx" keystorePass="xxxxxx"
           truststoreFile="{路徑}/key.jks" truststorePass="docsntnu"
           URIEncoding="UTF-8" />
Referring to ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY and SSL/TLS, ciphers, perfect forward secrecy and Tomcat, it looked like all I needed to do was add a ciphers setting. The corrected configuration is as follows:
<!-- Only the ciphers attribute is new; it restricts the connector to the listed
     ECDHE_RSA and RSA suites, so no DHE suite (and no server DH parameters) is offered. -->
<Connector protocol="HTTP/1.1" port="8443"
           maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
           keystoreFile="{路徑}/ngss_cer/key.jks" keyAlias="xxx" keystorePass="xxxxxx"
           truststoreFile="{路徑}/key.jks" truststorePass="docsntnu"
           URIEncoding="UTF-8" />
After restarting Tomcat it worked.
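As an added check (example code written for this page, not from the post or from Tomcat), a small Python audit that splits the ciphers attribute the way Tomcat reads it and reports which suites still depend on the server's finite-field Diffie-Hellman parameters, which have no forward secrecy, and which use RC4; the classification rules are this example's own.

```python
"""Audit a Tomcat <Connector ciphers="..."> value by key-exchange type.

Constructed example: the suite list is copied from the corrected Connector
above; the classification rules are this example's own, not Tomcat's or JSSE's.
"""
import re

# Cipher list copied verbatim (stray spaces included) from the Connector above.
TOMCAT_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, "
    "TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
)

# JSSE suite names look like TLS_<key exchange>_WITH_<cipher>_<mac>.
_SUITE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<cipher>.+)$")


def parse_ciphers(value):
    """Split the attribute value on commas, dropping surrounding whitespace."""
    return [s.strip() for s in value.split(",") if s.strip()]


def classify(suite):
    """Describe one suite: key exchange, forward secrecy, and whether it depends
    on the server's finite-field DH parameters (what the browser rejected)."""
    m = _SUITE.match(suite)
    if not m:
        raise ValueError(f"unrecognised suite name: {suite}")
    kx, cipher = m.group("kx"), m.group("cipher")
    ffdhe = kx.startswith("DHE")    # ephemeral finite-field DH: server params decide strength
    ecdhe = kx.startswith("ECDHE")  # ephemeral EC DH: no server DH params involved
    return {"suite": suite, "kx": kx, "pfs": ffdhe or ecdhe,
            "ffdhe": ffdhe, "rc4": "RC4" in cipher}


def audit(value):
    """Group the suites of a ciphers attribute by the properties that matter here."""
    info = [classify(s) for s in parse_ciphers(value)]
    return {
        "total": len(info),
        "ffdhe": [i["suite"] for i in info if i["ffdhe"]],    # none after the fix
        "no_pfs": [i["suite"] for i in info if not i["pfs"]],  # static RSA suites
        "rc4": [i["suite"] for i in info if i["rc4"]],         # RC4 is still listed
    }
```

Running `audit(TOMCAT_CIPHERS)` shows the DHE list is empty, which is why the browser error goes away, while the five static-RSA suites and two RC4 suites remain as the next things to review.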
Reference links:
Disabling SSLv3 and SSLv2 in Tomcat and JBoss Web
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
SSL/TLS, ciphers, perfect forward secrecy and Tomcat
Server has a weak ephemeral Diffie-Hellman public key