Certificate downloaded from cloudexpress:11443 is invalid

时间:2022-03-12 02:47:55

问题描述:

CertificateManagement : Server is not trusted.Received fatal alert: handshake_failure. Now installing certificates
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

当升级BMC CLM至4.6后,调用部分webservice会出现这个问题,该问题的主要原因是:Tomcat 7 getting SSLv2Hello is disabled error when trying to make client server ssl authntication,Java 6 uses an SSLv2Hello pseudo message to encapsulate the Client Hello message. By default,
Java 7 rejects handshake requests that use the SSLv2Hello pseudo message. This is what is causing the SSL/TLS handshake to fail.

所以解决办法有两种:1修改tomcat7配置文件,允许SSLv2Hello,2修改tomcat6配置文件,禁用SSLv2Hello

解决方案1

1 修改tomcat7配置文件server.xml,修改为如下内容

<!-- 修改前 -->
 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

<!--修改后 -->
 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" />

如果这些配置都在catalina.properties文件配置的话,那就需要改这个文件,不用改上面的了。

下面只是修改完成后的示例

# Connector HTTPS (SSL) enabled protocols
# Default=TLSv1,TLSv1.,TLSv1.
#
bna.connector.sslEnabledProtocols=TLSv1,TLSv1.,TLSv1.,SSLv2Hello

解决方案2

1 禁用SSLv2Hello握手协议

修改java启动选项参数。打开tomcat,在java tab页下最后一行添加如下参数:

java -Dhttps.protocols="SSLv2Hello"

如果还是不行,建议升级到同一版本吧

注意:修改前请停掉tomcat服务,修改完再启动

参考

Tomcat 7 getting SSLv2Hello is disabled error when trying to make client server ssl authntication