ssl - Diffie-Hellman public key error with Tomcat 7

Question

Welcome To Ask or Share your Answers For Others

ssl - Diffie-Hellman public key error with Tomcat 7

posted Oct 24, 2021 in Technique[技术] by 深蓝 (71.8m points)

ssl - Diffie-Hellman public key error with Tomcat 7

I successfully set up two Ubuntu machines with Tomcat and SSL certificates. I followed exactly the same procedure with Centos 6, but I'm getting this when I'm trying to connect to the Server (using Opera):

Server has a weak, ephemeral Diffie-Hellman public key

The connector is the following, and there are no errors in catalina.log:

<Connector port="some port number"  
           protocol="org.apache.coyote.http11.Http11Protocol" 
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="path to jks"
           keystoreType="JKS"
           keystorePass="mypass1"
           keyPass="mypass2"  />

With Firefox, I get the untrusted communication error.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Reply

深蓝 · Answer 1 · 2021-10-23T17:58:57+0000

For me it worked after adding a list of allowed ciphers to the Tomcat configuration in conf/server.xml to disable the weak Diffie-Hellman ciphers:

    <Connector
        ...
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
        ...

Categories

ssl - Diffie-Hellman public key error with Tomcat 7

ssl - Diffie-Hellman public key error with Tomcat 7

Please log in or register to add a comment.

Please log in or register to reply this article.

1 Reply

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags