HTTPS - TLSv1.2

Requests (PUT/POST) carrying more than roughly 8k of data cannot communicate with the server.

[b]Chrome: Error (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.[/b]

public class ShortBufferException extends GeneralSecurityException
This exception is thrown when an output buffer provided by the user is too short to hold the operation result.

Tomcat 8.0 workaround: disable TLSv1.2 by removing it from sslEnabledProtocols.

Connector before the change:

<Connector SSLEnabled="true" 
clientAuth="false"
connectionLinger="0"
...
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https"
secure="true"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" />


Connector after the change (TLSv1.2 removed from sslEnabledProtocols):

<Connector SSLEnabled="true" 
clientAuth="false"
connectionLinger="0"
...
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https"
secure="true"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,SSLv2Hello" />



HTTPS connector parameter sslProtocol defines which SSL/TLS protocols
are enabled by default, e.g. for Oracle JDK 7:

1) setProtocol="TLS" will enable SSLv3 and TLSv1
2) setProtocol="TLSv1.2" will enable SSLv3, TLSv1, TLSv1.1 and TLS v1.2
3) setProtocol="TLSv1.1" will enable SSLv3, TLSv1, and TLSv1.1
4) setProtocol="TLSv1" will enable SSLv3 and TLSv1
5) setProtocol="SSL" will enable SSLv3 and TLSv1
6) setProtocol="SSLv3" will enable SSLv3 and TLSv1
7) setProtocol="SSLv2" won't work

So, in order to restrict available protocols only to TLSv1.1, you need
to add parameter sslEnabledProtocols="TLSv1.1" to your connector.

Note that even if some protocol is not enabled by default, you may
enable it by specifying sslEnabledProtocols parameter. E.g.

sslProtocol="SSL" sslEnabledProtocols="TLSv1.1"

is somewhat confusing, but perfectly legal.
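
An added example (not from the original post or from Tomcat): a small Python audit that reads the sslProtocol / sslEnabledProtocols attributes discussed above from a server.xml and reports what each HTTPS connector explicitly allows. The server.xml fragment, the port numbers and the name audit_connectors are constructed for illustration; the check assumes SSLv2Hello, SSLv3, TLSv1 and TLSv1.1 should be reported as legacy.

```python
import xml.etree.ElementTree as ET

# JSSE standard protocol names that may appear in sslEnabledProtocols
KNOWN = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}  # assumption: reported as legacy
MODERN = {"TLSv1.2", "TLSv1.3"}

# Constructed sample server.xml fragment (not taken from a real deployment)
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLS1.2,SSLv2Hello"/>
  <Connector port="8444" SSLEnabled="true" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1,TLSv1.1,SSLv2Hello"/>
  <Connector port="8445" SSLEnabled="true" sslProtocol="SSL"
             sslEnabledProtocols="TLSv1.2"/>
  <Connector port="8446" SSLEnabled="true" sslProtocol="TLS"/>
  <Connector port="8080"/>
</Service></Server>"""


def audit_connectors(xml_text):
    """Return {port: [findings]} for every Connector with SSLEnabled="true"."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        findings = []
        raw = conn.get("sslEnabledProtocols")
        if raw is None:
            # Without an explicit list, the JDK defaults for sslProtocol apply
            findings.append("no sslEnabledProtocols: protocol set depends on "
                            "JDK defaults for sslProtocol=%r" % conn.get("sslProtocol"))
        else:
            names = [n.strip() for n in raw.split(",") if n.strip()]
            for name in names:
                if name not in KNOWN:
                    findings.append("unknown protocol name: " + name)
                elif name in LEGACY:
                    findings.append("legacy protocol enabled: " + name)
            if not MODERN.intersection(names):
                findings.append("no TLSv1.2 or TLSv1.3 enabled")
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE).items():
        print(port, "OK" if not findings else "; ".join(findings))
```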


References:
[url]https://bugs.openjdk.java.net/browse/JDK-8036970[/url]

[url]https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/[/url]
[url]http://docs.oracle.com/javase/8/docs/api/javax/crypto/ShortBufferException.html[/url]
[url]http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext[/url]
[url]http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7031830[/url]
[url]http://mail-archives.apache.org/mod_mbox/tomcat-users/201303.mbox/%3C13A085B2E018374C813676301AED0EE412D87457C3@BLR0EXC00.us.sonicwall.com%3E[/url]
[url]https://technet.microsoft.com/en-us/library/cc783349(v=ws.10).aspx[/url]