在对我的 Tomcat servlet 问题进行故障排除时,我决定通过/var/apache-tomcat-8.5.5/bin/setenv.sh将行编辑并更改export JAVA_OPTS="-Xms512m -Xmx1536m -XX:MaxPermSize=256m"为export JAVA_OPTS="-Xms512m -Xmx1536m -XX:MaxPermSize=256m -Djavax.net.debug=all". 保存文件并重新启动 Tomcat(通过 catalina.sh start/stop)后,我发现我无法再通过 HTTPS连接到 Tomcat 管理器应用程序( https://10.9.9.236:8443/manager/html/ ) . 铬 说:
“无法访问此站点”(ERR_CONNECTION_CLOSED)
在完全停止和取消部署我的 web 应用程序后,我重现了这种行为。(现在只安装了默认的 Tomcat 管理器应用程序。)所以我知道只有一个 Java 选项会导致 HTTPS 失败。
为什么启用调试会破坏 HTTPS?
这是来自 catalina.out 日志文件的可能线索:
https-jsse-nio-8443-exec-4, fatal error: 80: problem unwrapping net record
java.lang.RuntimeException: java.security.NoSuchAlgorithmException: EC AlgorithmParameters not available
https-jsse-nio-8443-exec-4, SEND TLSv1.2 ALERT: fatal, description = internal_error
https-jsse-nio-8443-exec-4, WRITE: TLSv1.2 Alert, length = 2
28-Sep-2016 14:01:00.576 SEVERE [https-jsse-nio-8443-exec-4] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
java.lang.RuntimeException: java.security.NoSuchAlgorithmException: EC AlgorithmParameters not available
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:449)
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:227)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1387)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: java.security.NoSuchAlgorithmException: EC AlgorithmParameters not available
at sun.security.util.ECUtil.getECParameters(ECUtil.java:100)
at sun.security.util.ECUtil.getECParameterSpec(ECUtil.java:149)
at sun.security.ssl.JsseJce.getECParameterSpec(JsseJce.java:385)
at sun.security.ssl.SupportedEllipticCurvesExtension.toString(SupportedEllipticCurvesExtension.java:127)
at sun.security.ssl.HelloExtensions.print(HelloExtensions.java:150)
at sun.security.ssl.HandshakeMessage$ClientHello.print(HandshakeMessage.java:323)
at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:340)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:397)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:457)
... 7 more
Caused by: java.security.NoSuchAlgorithmException: EC AlgorithmParameters not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at java.security.Security.getImpl(Security.java:695)
at java.security.AlgorithmParameters.getInstance(AlgorithmParameters.java:146)
at sun.security.util.ECUtil.getECParameters(ECUtil.java:98)
... 21 more
当我擦除日志并恢复为默认 JAVA_OPTS 时,不会发生异常。
环境:
CentOS Linux release 7.2.1511 (Core)
uname -r: 3.10.0-327.10.1.el7.x86_64
Using CATALINA_BASE: /var/apache-tomcat-8.5.5
Using CATALINA_HOME: /var/apache-tomcat-8.5.5
Using CATALINA_TMPDIR: /var/apache-tomcat-8.5.5/temp
Using JRE_HOME: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.101-3.b13.el7_2.x86_64/jre
Using CLASSPATH: /var/apache-tomcat-8.5.5/bin/bootstrap.jar:/var/apache-tomcat-8.5.5/bin/tomcat-juli.jar
Using CATALINA_PID: /var/apache-tomcat-8.5.5/tomcat.pid
我应该补充一点,即使对 servlet 的 HTTPS 访问被破坏,我仍然可以通过 HTTP 访问它,例如http://10.9.9.236:8080/manager/html/。
问题是 OpenJDK 8 在尝试调试 SSL 连接(例如
javax.net.debug=all)时不支持椭圆曲线密码。尝试更新java-1.8.0-openjdk包来修复这个错误。
查看更多:java-1.8.0-openjdk 错误修复更新