2010-11-25 4 views
8

I'm trying to enable SSL in my Tomcat (Tomcat + OpenSSL). But when I start Tomcat and go to https://localhost:8443 I see this (Error code: ssl_error_rx_record_too_long):

An error occurred during a connection to localhost:8443. 

SSL received a record that exceeded the maximum permissible length. 

(Error code: ssl_error_rx_record_too_long) 

To do that I ran CA.sh to generate the private key and the signed certificate, like this:

progerlaptop:/usr/share/ssl/misC# ./CA.sh -newca 
CA certificate filename (or enter to create) 

Making CA certificate ... 
Generating a 1024 bit RSA private key 
................................++++++ 
.............................................++++++ 
writing new private key to './demoCA/private/./cakey.pem' 
Enter PEM pass phrase: pass 
Verifying - Enter PEM pass phrase: pass 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [AU]:UK 
State or Province Name (full name) [Some-State]:Chernihiv 
Locality Name (eg, city) []:Chernihiv 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University 
Organizational Unit Name (eg, section) []:student 
Common Name (eg, YOUR name) []:localhost 
Email Address []:[email protected] 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: 
An optional company name []: 
Using configuration from /etc/ssl/openssl.cnf 
Enter pass phrase for ./demoCA/private/./cakey.pem: 
Check that the request matches the signature 
Signature ok 
Certificate Details: 
     Serial Number: 
      c6:55:7e:58:1b:4d:9c:7e 
     Validity 
      Not Before: Nov 25 13:17:31 2010 GMT 
      Not After : Nov 24 13:17:31 2013 GMT 
     Subject: 
      countryName    = UK 
      stateOrProvinceName  = Chernihiv 
      organizationName   = University 
      organizationalUnitName = student 
      commonName    = localhost 
      emailAddress    = [email protected] 
     X509v3 extensions: 
      X509v3 Subject Key Identifier: 
       C7:98:1E:68:A7:3A:C4:B2:46:C8:88:99:C8:D5:CA:66:D3:94:23:66 
      X509v3 Authority Key Identifier: 
       keyid:C7:98:1E:68:A7:3A:C4:B2:46:C8:88:99:C8:D5:CA:66:D3:94:23:66 

      X509v3 Basic Constraints: 
       CA:TRUE 
Certificate is to be certified until Nov 24 13:17:31 2013 GMT (1095 days) 

Write out database with 1 new entries 
Data Base Updated 
progerlaptop:/usr/share/ssl/misC# ./CA.sh -newreq 
Generating a 1024 bit RSA private key 
............++++++ 
.........................++++++ 
writing new private key to 'newkey.pem' 
Enter PEM pass phrase: pass 
Verifying - Enter PEM pass phrase: pass 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [AU]:UK 
State or Province Name (full name) [Some-State]:Chernihiv 
Locality Name (eg, city) []:Chernihiv 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University 
Organizational Unit Name (eg, section) []:student 
Common Name (eg, YOUR name) []:localhost 
Email Address []:[email protected] 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: 
An optional company name []: 
Request is in newreq.pem, private key is in newkey.pem 

progerlaptop:/usr/share/ssl/misC# CA.sh -sign 
Using configuration from /etc/ssl/openssl.cnf 
Enter pass phrase for ./demoCA/private/cakey.pem: pass 
... 
Sign the certificate? [y/n]:y 
... 
Signed certificate is in newcert.pem 

Copied the key and cert to my Tomcat directory:

cp newcert.pem newkey.pem /path/to/tomcat-6.0.29/ssl/ 

Added the connector to my server.xml:

<Connector port="8443" maxHttpHeaderSize="8192"
     maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
     enableLookups="false" disableUploadTimeout="true"
     acceptCount="100" scheme="https" secure="true"
     SSLEngine="on"
     SSLCertificateFile="${catalina.base}/ssl/newcert.pem"
     SSLCertificateKeyFile="${catalina.base}/ssl/newkey.pem"
     SSLPassword="pass"/>

Then I run catalina.sh. And when I go to https://localhost:8443/ I see this ugly error. What am I doing wrong?
Thanks in advance


4

Tomcat 6 and above? You need to set SSLEnabled="true", as already answered here or here.
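The error in the question is what a browser reports when the connector on 8443 answers a TLS ClientHello with plaintext HTTP: the client reads the first five bytes of "HTTP/1.1 400 ..." as a TLS record header and gets a length field of 0x502f (20527), more than the 18432-byte maximum a record may carry. The probe below, an added example that is not part of the original question or answers and not Tomcat code, sends a minimal ClientHello and classifies the reply so you can tell "no TLS at all" apart from a certificate or cipher problem; host, port and the sample byte strings are assumptions constructed for illustration.

```python
"""Probe host:port with a TLS ClientHello and report whether the server
answered with TLS or with plaintext HTTP, which is what a connector that
lacks SSLEnabled="true" does and what the browser reports as
ssl_error_rx_record_too_long.

Added example, not code from the original post or from Tomcat. Host and
port are assumptions; the byte strings used for testing are constructed."""
import os
import socket
import sys

# RFC 5246: a TLSCiphertext fragment may be at most 2^14 + 2048 bytes.
TLS_MAX_RECORD_LEN = 16384 + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def parse_record_header(data: bytes) -> dict:
    """Read the first 5 bytes as a TLS record header, exactly as a client does."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    return {"content_type": data[0],
            "version": (data[1], data[2]),
            "length": int.from_bytes(data[3:5], "big")}


def record_too_long(data: bytes) -> bool:
    """True when the 'record length' a client parses exceeds the TLS maximum.
    For b'HTTP/1.1 400 ...' the length field is b'P/' = 0x502f = 20527."""
    return parse_record_header(data)["length"] > TLS_MAX_RECORD_LEN


def classify_response(data: bytes) -> str:
    """Classify the first bytes a server sends back after a ClientHello."""
    if not data:
        return "no-response"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"       # an HTTP connector answering on the TLS port
    if len(data) < 5:
        return "unknown"
    hdr = parse_record_header(data)
    if hdr["content_type"] in TLS_CONTENT_TYPES and hdr["length"] <= TLS_MAX_RECORD_LEN:
        return "tls-" + TLS_CONTENT_TYPES[hdr["content_type"]]
    return "not-tls"


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello with four cipher suites and an SNI extension."""
    body = b"\x03\x03" + os.urandom(32) + b"\x00"   # version, random, empty session id
    # ECDHE-RSA-AES128-GCM, ECDHE-RSA-AES256-GCM, RSA-AES128-GCM, RSA-AES128-CBC-SHA
    suites = b"\xc0\x2f\xc0\x30\x00\x9c\x00\x2f"
    body += len(suites).to_bytes(2, "big") + suites
    body += b"\x01\x00"                             # one compression method: null
    name = server_name.encode()
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # type 0 = server_name
    body += len(ext).to_bytes(2, "big") + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            data = sock.recv(1024)
        except socket.timeout:
            return "no-response"
    return classify_response(data)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    print(f"{host}:{port} -> {probe(host, port)}")
```

Run it as `python probe.py localhost 8443`: "plaintext-http" means the connector is not doing TLS at all (the SSLEnabled case), "tls-handshake" means the server negotiated and any remaining trouble is in the certificate, and "tls-alert" means TLS is on but the handshake was rejected.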

0

It looks like you're using APR/OpenSSL for https, in which case SSLEngine="on" is correct.

Have you installed libtcnative?

Assuming tomcat 6: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

Quick steps:

tar zxf tomcat-native-1.1.20-src.tar.gz 
cd tomcat-native-1.1.20-src/jni/native/ 
./configure --with-apr=/usr/bin/apr-1-config --with-ssl=yes 
make && make install 
cd /usr/java/default/jre/lib/amd64/ 
ln -s /usr/local/apr/lib/libtcnative-1.so 

When you start tomcat you should see this line in your catalina.out:

INFO: Loaded APR based Apache Tomcat Native library 1.1.20. 

The alternative is to use JSSE and add your certificates/keys to a java keystore (.keystore file). I find the java keystore a pain in the ass to use, so I usually go with APR.

0

I had the same problem. I fixed it by adding protocol="org.apache.coyote.http11.Http11NioProtocol" to the connector.

0

I hope you have the keystore file on your machine.

Make sure of that in the server.xml file, and also refer to this link; it might be useful for you in resolving it.

<Connector port="8443" maxHttpHeaderSize="8192"
     maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
     enableLookups="false" disableUploadTimeout="true"
     acceptCount="100" scheme="https" secure="true"
     keystoreFile="/../../../Tomcat/mycert.jks"
     clientAuth="false" sslProtocol="TLS"/>
0

I managed to solve this problem by changing the port value. Port 443 was reserved, so I set 1443, restarted Tomcat and it worked.

My Connector is:

<Connector port="1443" protocol="HTTP/1.1" SSLEnabled="true" 
      maxThreads="150" scheme="https" secure="true" 
      clientAuth="false" sslProtocol="TLS" keystoreFile="D:/path_to_ca.jks" 
    keystorePass="somePass" /> 

Now the URL is:

https://localhost:1443/index.jsp

Cheers!
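The answers above name four separate things to get right in server.xml: SSLEnabled="true" on Tomcat 6+, the PEM files and native library for an APR connector, a keystore for a JSSE connector, and a port that is actually free to bind. The linter below, an added example that is not part of any answer here and not Tomcat project code, parses a server.xml and reports those conditions per Connector; SAMPLE_SERVER_XML is a constructed file that combines the question's connector, its fixed form, and the JSSE connectors from the later answers, and lint_connectors is my own name.

```python
"""Lint the <Connector> elements of a Tomcat server.xml for the
misconfigurations this thread turns on: a TLS connector without
SSLEnabled="true" (Tomcat 6+), an APR connector missing its PEM files, a JSSE
connector relying on keystore defaults, and a privileged port.

Added example, not code from the original post or from the Tomcat project.
SAMPLE_SERVER_XML is constructed for the test; lint_connectors is my name."""
import sys
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- the question's connector: APR/OpenSSL attributes but no SSLEnabled -->
    <Connector port="8443" scheme="https" secure="true" SSLEngine="on"
               SSLCertificateFile="${catalina.base}/ssl/newcert.pem"
               SSLCertificateKeyFile="${catalina.base}/ssl/newkey.pem"
               SSLPassword="pass"/>
    <!-- same connector with the fix from the top answer -->
    <Connector port="8444" scheme="https" secure="true" SSLEnabled="true" SSLEngine="on"
               SSLCertificateFile="${catalina.base}/ssl/newcert.pem"
               SSLCertificateKeyFile="${catalina.base}/ssl/newkey.pem"
               SSLPassword="pass"/>
    <!-- JSSE connector as in the last answer -->
    <Connector port="1443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreFile="D:/path_to_ca.jks"
               keystorePass="somePass"/>
    <!-- JSSE connector on 443 relying on keystore defaults -->
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
  </Service>
</Server>
"""


def lint_connector(attrs: dict) -> list:
    """Return (level, message) findings for one Connector's attributes."""
    findings = []
    port = attrs.get("port", "?")
    wants_tls = (attrs.get("scheme") == "https" or attrs.get("secure") == "true"
                 or "SSLEngine" in attrs or "SSLEnabled" in attrs)
    if not wants_tls:
        return findings                    # plain HTTP connector, nothing to check
    if attrs.get("SSLEnabled") != "true":
        findings.append(("WARN", f'port {port}: SSLEnabled="true" missing; the connector '
                                 'speaks plaintext HTTP, which browsers report as '
                                 'ssl_error_rx_record_too_long'))
    if "SSLEngine" in attrs or "SSLCertificateFile" in attrs:     # APR/OpenSSL mode
        for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if key not in attrs:
                findings.append(("WARN", f"port {port}: APR connector lacks {key}"))
        findings.append(("INFO", f"port {port}: APR/OpenSSL connector; catalina.out must show "
                                 "the 'Loaded APR based Apache Tomcat Native library' line"))
    else:                                                         # JSSE mode
        if "keystoreFile" not in attrs:
            findings.append(("WARN", f"port {port}: keystoreFile not set; Tomcat falls back "
                                     "to ~/.keystore"))
        if "keystorePass" not in attrs:
            findings.append(("WARN", f"port {port}: keystorePass not set; default 'changeit' "
                                     "is assumed"))
    if port.isdigit() and int(port) < 1024:
        findings.append(("INFO", f"port {port}: privileged port; needs root on Unix and may "
                                 "already be taken by another service"))
    return findings


def lint_connectors(xml_text: str) -> list:
    """Parse server.xml text and lint every Connector in it."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        findings.extend(lint_connector(conn.attrib))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for level, msg in lint_connectors(text):
        print(f"{level}: {msg}")
```

Run with `python lint_server_xml.py /path/to/tomcat/conf/server.xml`; with no argument it lints the embedded sample, where the 8443 connector from the question gets the SSLEnabled warning, 8444 only gets the reminder to check for the native-library line, and 1443 passes clean.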