Tomcat: tcnative-1.dll makes HTTPS inaccessible

dou020431 2007-01-26 04:57:26
When using Tomcat + SSL + tcnative-1.dll, tcnative-1.dll makes HTTPS inaccessible, while HTTP can still be accessed.
How can this be solved?
dou020431 2007-02-05
■ Generating the CA certificate
★ openssl genrsa -out ca/ca-key.pem 1024

★ openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
-------------------------------------------------------------++++--------
D:\OpenSSL\bin>openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:China
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CA Center China Co.LD

Organizational Unit Name (eg, section) []:CA Center
Common Name (eg, YOUR name) []:www.CA.org
Email Address []:CA@CA.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:cacenter
An optional company name []:CA
-------------------------------------------------------------++++--------

★ openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 365
-------------------------------------------------------------++++--------
D:\OpenSSL\bin>openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey
ca/ca-key.pem -days 365
Loading 'screen' into random state - done
Signature ok
subject=/C=CN/ST=China/L=Shanghai/O=CA Center China Co.LD/OU=CA Center/CN=www.CA
.org/emailAddress=CA@CA.org
Getting Private key
-------------------------------------------------------------++++--------

■ Generating the server key and certificate

★ openssl genrsa -out server/server.key 1024

★ openssl req -new -out server/server.csr -key server/server.key
D:\OpenSSL\bin>openssl req -new -out server/server.csr -key server/server.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:China
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:www.server.com
Organizational Unit Name (eg, section) []:Server
Common Name (eg, YOUR name) []:serverIp (this must match the server's address)
Email Address []:admin@server.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:changeit
An optional company name []:Server
★ openssl x509 -req -in server/server.csr -out server/server.crt -signkey server/server.key -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -days 365
D:\OpenSSL\bin>openssl x509 -req -in server/server.csr -out server/server.crt -s
ignkey server/server.key -days 365
Loading 'screen' into random state - done
Signature ok
subject=/C=CN/ST=China/L=Shanghai/O=www.server.com/OU=Server/CN
=serverIp/emailAddress=server@server.com
Getting Private key

■ Generating the client certificate

★ openssl genrsa -out client/client-key.pem 1024
-------------------------------------------------------------++++--------
D:\OpenSSL\bin>openssl genrsa -out client/client-key.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
........++++++
................................................................................
..........++++++
e is 65537 (0x10001)
-------------------------------------------------------------++++--------

★ openssl req -new -out client/client-req.csr -key client/client-key.pem
-------------------------------------------------------------++++--------
D:\OpenSSL\bin>openssl req -new -out client/client-req.csr -key client/client-ke
y.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:China
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Client Co.Ld
Organizational Unit Name (eg, section) []:Client
Common Name (eg, YOUR name) []:www.client.com
Email Address []:Client@client.com.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:Client
-------------------------------------------------------------++++--------

★ openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 365
-------------------------------------------------------------++++--------
D:\OpenSSL\bin>openssl x509 -req -in client/client-req.csr -out client/client-ce
rt.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -C
Acreateserial -days 365
Loading 'screen' into random state - done
Signature ok
subject=/C=CN/ST=China/L=Shanghai/O=client Co.Ld/OU=Client/CN=www.client.com/emailAddress=client@client.com
Getting Private key
Getting CA Private Key
-------------------------------------------------------------++++--------

★ openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
-------------------------------------------------------------++++--------
D:\OpenSSL\bin>openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey
client/client-key.pem -out client/client.p12
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:
-------------------------------------------------------------++++--------

Tomcat configuration:
server.xml
<Connector port="8443"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
debug="0"
scheme="https"
secure="true"
clientAuth="false"
SSLEngine="on"
SSLCertificateFile="C:/server.crt"
SSLCertificateKeyFile="C:/server.key">
</Connector>
web.xml
<security-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
After installing the ca-cert.cer certificate and the client.p12 certificate on the client, open https://serverIp:8443/ and it works.
--
Tomcat 6.0
OpenSSL 0.9.8
Basically sorted.
dou020431 2007-02-01
Here is another SSL setup I found online; I hope it is useful to whoever sees it. (I lost the URL and forgot where I found it... -_-!!)

Install OpenSSL and change to bin directory in commandline:

c:\usr\local\OpenSSL\bin>openssl req -new -out server.csr

c:\usr\local\OpenSSL\bin>openssl rsa -in privkey.pem -out server.key

Then create a self-signed certificate:

c:\usr\local\OpenSSL\bin>openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

Copy openssl.exe and tcnative-1.dll from http://tomcat.heanet.ie/native/ to TOMCAT_HOME\bin.

Finally edit the server.xml in Tomcat and make changes to SSL connector configuration:

<Connector port="8443"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25" maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
clientAuth="false"
SSLEngine="on"
SSLCertificateFile="/usr/local/Tomcat5.5/conf/server.crt"
SSLCertificateKeyFile="/usr/local/Tomcat5.5/conf/server.key"
/>

Connector

Uncomment the default SSL connector:

<Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"/>

Add the keystore password and file location to the connector configuration.

<Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystorePass="mypassword" keystoreFile="C:/java/tomcat/.keystore"/>

Make sure that all the redirectPort values point to the Connector's port value, in casu 8443.

<Connector port="80"
maxThreads="100" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="200"
debug="0" connectionTimeout="20000"
disableUploadTimeout="true" />

In web.xml you should add the security constraint confidential.

<security-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
dou020431 2007-01-31
Waited half a day with no solution, so I looked into it myself; after some fiddling I got something working.
1. Use asymmetric encryption to transfer information securely between the two parties of a session:
***** CA *****
1) Generate the CA key: openssl genrsa -out ca/ca-key.pem 1024
2) Generate the certificate request to be signed: openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
3) Self-sign with the CA private key: openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 365
***** SERVER *****
1) Generate the server key pair: keytool -genkey -alias tomcat_server -validity 365 -keyalg RSA -keysize 1024 -keypass changeit -storepass changeit -dname "cn=localhost, ou=III, o=III, l=Shanghai, st=China, c=CN" -keystore server/server_keystore (cn is the server name and must match what is configured in the web server.)
2) Generate the certificate request to be signed: keytool -certreq -alias tomcat_server -sigalg MD5withRSA -file server/server.csr -keypass changeit -keystore server/server_keystore -storepass changeit
3) Copy the ...\PEM\ca-cert.srl file into the ca directory
4) Sign with the CA private key: openssl x509 -req -in server/server.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -days 365
5) Import the CA root certificate: keytool -import -v -trustcacerts -storepass changeit -alias my_ca_root -file ca/ca-cert.pem -keystore server/cacerts
6) Copy the cacerts file into the ..\j2sdk1.*.*\jre\lib\security directory, overwriting cacerts
7) Import the server certificate: keytool -import -v -trustcacerts -storepass changeit -alias tomcat_server -file server/server-cert.pem -keystore server/server_keystore
***** CLIENT *****
1) Generate the client key pair: openssl genrsa -out client/client-key.pem 1024
2) Generate the certificate request to be signed: openssl req -new -out client/client-req.csr -key client/client-key.pem
3) Sign with the CA private key: openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 365
4) Generate a personal certificate the client can import: openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
----------------
2. My own procedure:
1) In the ca directory, rename ca-cert.pem to ca-cert.cer, and rename server_keystore to .server_keystore
2) Copy ca-cert.cer, ca-key.pem, .server_keystore and client.p12 to the root of the C: drive
3) Double-click ca-cert.cer to install the certificate (when prompted, choose the "Trusted Root" option);
4) Double-click client.p12 to add the certificate (when prompted, choose the "Trusted Users" option);
3. Configure Tomcat:
1) server.xml
<Connector port="8443"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
debug="0"
scheme="https"
secure="true"
clientAuth="false"
SSLEngine="on"
SSLCertificateFile="C:/ca-cert.cer"
SSLCertificateKeyFile="C:/ca-key.pem" >
<Factory className="org.apache.coyote.tomcat5.CoyoteConnector"
sslProtocol="TLS"
keystoreFile="C:/.server_keystore" keystorePass="changeit"/>
</Connector>
2) Add to web.xml:
<security-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
4. The browser should now be able to open https://localhost:8443/
It basically works for me now. Some details you will have to look into yourself.
-----
Tomcat version is 5.5
JDK 1.5.09
This way of configuring server.xml does not work on Tomcat 6.0; I have not worked out how to solve that yet. Hopefully someone has.
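The configurations posted in this thread fall into two families, and the symptom in the original question comes from mixing them up: once tcnative-1.dll is in TOMCAT_HOME\bin, Tomcat uses the APR connector, which takes its certificate from SSLCertificateFile/SSLCertificateKeyFile (PEM files) and ignores the JSSE keystoreFile/keystorePass attributes, so an HTTPS connector that worked without the DLL stops coming up. As an added example (not code from any post here), this small Python lint over a server.xml flags exactly that mismatch; the sample XML is constructed and modelled on the connectors above, and the tcnative_present flag is an assumption the caller supplies, since server.xml alone cannot show whether the DLL is present.

```python
import xml.etree.ElementTree as ET

APR_ATTRS = ("SSLCertificateFile", "SSLCertificateKeyFile")  # OpenSSL/APR style
JSSE_ATTRS = ("keystoreFile", "keystorePass")                 # Java keystore style


def lint_connectors(server_xml: str, tcnative_present: bool) -> list:
    """Return findings for SSL connectors; an empty list means nothing was flagged.
    tcnative_present is an assumption passed in by the caller: whether
    tcnative-1.dll sits in TOMCAT_HOME/bin, which the XML cannot tell us."""
    root = ET.fromstring(server_xml)
    findings, https_ports = [], set()
    for c in root.iter("Connector"):
        attrs = dict(c.attrib)
        for f in c.findall("Factory"):  # Tomcat 5.0 put SSL settings on <Factory>
            attrs.update(f.attrib)
        port = attrs.get("port", "?")
        if attrs.get("scheme") != "https" and attrs.get("secure") != "true":
            continue
        https_ports.add(port)
        has_apr = any(a in attrs for a in APR_ATTRS)
        has_jsse = any(a in attrs for a in JSSE_ATTRS)
        if has_apr and has_jsse:
            findings.append(f"port {port}: mixes APR and JSSE attributes; only one set is honoured")
        if tcnative_present and not has_apr:
            findings.append(f"port {port}: tcnative loaded but no SSLCertificateFile; HTTPS will not start")
        elif tcnative_present and not all(a in attrs for a in APR_ATTRS):
            findings.append(f"port {port}: APR connector needs SSLCertificateFile and SSLCertificateKeyFile")
        elif not tcnative_present and not has_jsse:
            findings.append(f"port {port}: JSSE connector without keystoreFile")
    for c in root.iter("Connector"):  # HTTP->HTTPS redirects must name a real SSL port
        rp = c.get("redirectPort")
        if rp and rp not in https_ports:
            findings.append(f"port {c.get('port')}: redirectPort {rp} is not an HTTPS connector")
    return findings


# Constructed samples modelled on the connectors posted in this thread.
JSSE_XML = """<Server><Service><Connector port="80" redirectPort="8443"/>
<Connector port="8443" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:/java/tomcat/.keystore" keystorePass="mypassword"/>
</Service></Server>"""
APR_XML = """<Server><Service>
<Connector port="8443" scheme="https" secure="true" clientAuth="false" SSLEngine="on"
           SSLCertificateFile="C:/server.crt" SSLCertificateKeyFile="C:/server.key"/>
</Service></Server>"""

if __name__ == "__main__":
    for name, xml, native in (("JSSE", JSSE_XML, False), ("JSSE+tcnative", JSSE_XML, True), ("APR", APR_XML, True)):
        print(name, lint_connectors(xml, native) or "OK")
```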
xiangbo520 2007-01-28
I have had this problem for a long time too: as soon as tcnative-1.dll is present, SSL cannot be accessed normally; remove it and everything is OK.
The official documentation is all in English and I cannot make sense of it:
http://tomcat.apache.org/tomcat-5.5-doc/apr.html
It seems you also have to deal with OpenSSL.