Can't connect to Jetty 9 server via SSL with Firefox 50

I am configuring a Jetty 9.3.x server with Java 8 and with my SSL cert from GoDaddy. After working through the documentation, I have got SSL working on my server and can connect via SSL in Internet Explorer and Chrome. However, with Firefox, I can't connect to the server.

I get the error SSL_ERROR_NO_CYPHER_OVERLAP

I have tried tweaking various settings, but nothing has been working for me.

After reading https://www.eclipse.org/jetty/documentation/9.4.x/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites I decided to enable the debugging they talk about and got the following supported ciphers:

02:17:06,989 [main] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - Selected Protocols [TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
02:17:06,989 [main] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - Selected Ciphers   [TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256] of [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]

Additionally, when connecting with Chrome (works):

02:41:43,503 [qtp451111351-19] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - Customize 13196d35[SSLEngine[hostname=24.205.233.242 port=54796] SSL_NULL_WITH_NULL_NULL]
02:41:43,518 [qtp451111351-19] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - Customize 1e9077dd[SSLEngine[hostname=24.205.233.242 port=54797] SSL_NULL_WITH_NULL_NULL]
02:41:43,525 [qtp451111351-17] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - Customize 3924a409[SSLEngine[hostname=24.205.233.242 port=54793] SSL_NULL_WITH_NULL_NULL]
02:41:43,525 [qtp451111351-17] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - Customize 31f0632a[SSLEngine[hostname=24.205.233.242 port=54795] SSL_NULL_WITH_NULL_NULL]
02:41:43,526 [qtp451111351-17] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matching for type=host_name (0), value=megabeeqa.carriersoft.com
02:41:43,526 [qtp451111351-17] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matched megabeeqa.carriersoft.com->X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com])
02:41:43,527 [qtp451111351-16] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matching for type=host_name (0), value=megabeeqa.carriersoft.com
02:41:43,527 [qtp451111351-16] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matched megabeeqa.carriersoft.com->X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com])
02:41:43,519 [qtp451111351-18] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - Customize 2520f47c[SSLEngine[hostname=24.205.233.242 port=54794] SSL_NULL_WITH_NULL_NULL]
02:41:43,528 [qtp451111351-10] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matching for type=host_name (0), value=megabeeqa.carriersoft.com
02:41:43,528 [qtp451111351-10] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matched megabeeqa.carriersoft.com->X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com])
02:41:43,519 [qtp451111351-14] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matching for type=host_name (0), value=megabeeqa.carriersoft.com
02:41:43,528 [qtp451111351-14] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matched megabeeqa.carriersoft.com->X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com])
02:41:43,529 [qtp451111351-17] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Matched megabeeqa.carriersoft.com with X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com]) from [carriersoft]
02:41:43,530 [qtp451111351-17] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose alias carriersoft/RSA on 3924a409[SSLEngine[hostname=24.205.233.242 port=54793] SSL_NULL_WITH_NULL_NULL]
02:41:43,529 [qtp451111351-15] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matching for type=host_name (0), value=megabeeqa.carriersoft.com
02:41:43,531 [qtp451111351-15] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matched megabeeqa.carriersoft.com->X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com])
02:41:43,530 [qtp451111351-10] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Matched megabeeqa.carriersoft.com with X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com]) from [carriersoft]
02:41:43,531 [qtp451111351-10] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose alias carriersoft/RSA on 2520f47c[SSLEngine[hostname=24.205.233.242 port=54794] SSL_NULL_WITH_NULL_NULL]
02:41:43,531 [qtp451111351-15] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Matched megabeeqa.carriersoft.com with X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com]) from [carriersoft]
02:41:43,531 [qtp451111351-15] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose alias carriersoft/RSA on 1e9077dd[SSLEngine[hostname=24.205.233.242 port=54797] SSL_NULL_WITH_NULL_NULL]
02:41:43,530 [qtp451111351-14] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Matched megabeeqa.carriersoft.com with X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com]) from [carriersoft]
02:41:43,531 [qtp451111351-14] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose alias carriersoft/RSA on 13196d35[SSLEngine[hostname=24.205.233.242 port=54796] SSL_NULL_WITH_NULL_NULL]
02:41:43,530 [qtp451111351-16] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Matched megabeeqa.carriersoft.com with X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com]) from [carriersoft]
02:41:43,532 [qtp451111351-16] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose alias carriersoft/RSA on 31f0632a[SSLEngine[hostname=24.205.233.242 port=54795] SSL_NULL_WITH_NULL_NULL]

When connecting with Firefox I only get the following output in the logs:

02:40:55,459 [qtp451111351-17] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - Customize 2223aad3[SSLEngine[hostname=24.205.233.242 port=54783] SSL_NULL_WITH_NULL_NULL]
02:40:55,465 [qtp451111351-16] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matching for type=host_name (0), value=megabeeqa.carriersoft.com
02:40:55,465 [qtp451111351-16] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matched megabeeqa.carriersoft.com->X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com])

That seems like a good set of ciphers to me. Can anyone help identify my issue and help me enable a cipher that Firefox will accept?

The issue here turned out to be the version of Java I was using. While it was 1.8, it was update 91, and later versions had the correct combination of ciphers.
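Added example, not part of the original question or answers: a Python check over Jetty's "Selected Ciphers" debug line that sorts a client's offered suites into negotiable, known to the JVM but not enabled, and unknown to the JVM. The log line is shortened from the one in the question, and `CLIENT_OFFER` is a constructed ECDHE-first list, not a capture from Firefox 50.

```python
import re

# Debug line from the question, shortened: the "Selected" list is complete,
# the JVM-supported "of [...]" list is cut to four of its entries.
JETTY_LINE = (
    "02:17:06,989 [main] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - "
    "Selected Ciphers   [TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, "
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256] of [TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "
    "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA]"
)
# Constructed client offer (assumption, not a Firefox 50 capture), IANA names.
CLIENT_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

def norm(name):
    """JSSE keeps an SSL_ prefix on older suites that IANA names TLS_."""
    return re.sub(r"^(SSL|TLS)_", "", name.strip())

def parse_jetty_line(line):
    """Return (selected, supported) lists from a 'Selected Ciphers' line."""
    m = re.search(r"Selected Ciphers\s+\[(.*?)\] of \[(.*?)\]", line)
    if not m:
        raise ValueError("not a 'Selected Ciphers' debug line")
    return tuple([s.strip() for s in g.split(",") if s.strip()] for g in m.groups())

def diagnose(line, offer):
    selected, supported = parse_jetty_line(line)
    sel = {norm(s) for s in selected}
    sup = {norm(s) for s in supported} | sel   # enabled suites are supported
    return {
        # what a handshake can negotiate now, in client preference order
        "negotiable": [c for c in offer if norm(c) in sel],
        # offered and known to the JVM, but not enabled by Jetty
        "disabled_in_jetty": [c for c in offer if norm(c) in sup - sel],
        # offered but unknown to this JVM; only a JVM/provider change adds these
        "missing_from_jvm": [c for c in offer if norm(c) not in sup],
    }

if __name__ == "__main__":
    for bucket, suites in diagnose(JETTY_LINE, CLIENT_OFFER).items():
        print(f"{bucket}: {suites or 'none'}")
```

On the question's full log the supported list contains no ECDHE suite at all, so every ECDHE suite a client offers lands in the last bucket, which is consistent with the answer above that a later Java update resolved it. The middle bucket here holds only SHA-1 CBC and 3DES suites.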

I had the exact same error, but it was not the version of Java that caused the issue.

The issue was that the CA certificate was for abc.com and the server certificate was for xyz.com, so it looked like:

keytool -genkeypair -alias ca -keyalg RSA -validity 45 -keysize 2048 -keystore ca.jks -dname "CN=abc.com" -storepass password
...
keytool -genkeypair -keyalg RSA -keysize 2048 -validity 45 -alias server -dname "CN=xyz.com" -keystore server.jks -storepass password

I add this in case other people have the same error and changing the version of Java doesn't help.
