Tomcat: disable TLS 1.0 and allow only TLS 1.2 or higher.
Tomcat 8.5 and later (connectors configured through an SSLHostConfig element): add the attribute protocols="TLSv1.2" to the SSLHostConfig element. The attribute belongs inside the SSLHostConfig opening tag, not as loose text between the tags; without it the attribute's default "all" stays in force. Use protocols="TLSv1.2,TLSv1.3" on a JDK that supports TLS 1.3. The keystore path and password below are placeholders:
<Connector executor="tomcatThreadPool" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="30000" keepAliveTimeout="60000" maxKeepAliveRequests="150"
           URIEncoding="UTF-8" disableUploadTimeout="true" enableLookups="false"
           maxHttpHeaderSize="102400" maxPostSize="4194304" acceptorThreadCount="16" acceptCount="500"
           compression="on" compressionMinSize="2048" useSendfile="false"
           noCompressionUserAgents="gozilla,traviata"
           compressibleMimeType="text/html,text/xml,text/javascript,text/css,text/plain"
           SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="ssl/123.jks" certificateKeystorePassword="123456" type="RSA" />
    </SSLHostConfig>
</Connector>
Older versions (connectors without an SSLHostConfig element, e.g. Tomcat 7 and 8.0):
Tomcat with TLS 1.2 only: add sslEnabledProtocols="TLSv1.2" to the Connector itself. sslProtocol="TLS" only selects the JSSE SSLContext and does not restrict versions on its own; sslEnabledProtocols is what limits the handshake. Keystore path and password are placeholders:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
           scheme="https" secure="true"
           keystoreFile="conf/domains.jks" keystorePass="xxxxxxxx"
           clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>
Disabling TLS 1.0 in Java (JVM level; this applies to every TLS endpoint running on that JDK, Tomcat included, and to outgoing client connections as well):
Edit jre/lib/security/java.security under the JDK installation directory (JDK 9 and later: conf/security/java.security) and add TLSv1 to the property below. The trailing backslash is the properties-file line continuation and must be the last character on its line. Tomcat can only negotiate versions that are both in its own protocols list and absent from this list, so this setting backs up the connector configuration. To meet the goal of TLS 1.2 or higher, add TLSv1.1 to the list as well; JDK 8u291, 11.0.11 and later already ship it there.
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC
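To check the outcome of both edits rather than trust them, the following added example (not code from the original note or from the Tomcat or JDK projects) audits a server.xml and a java.security file together and reports every version below TLS 1.2 that a connector could still negotiate. The token grammar for the protocols attribute and the expansion of its "all" alias are taken from the Tomcat SSLHostConfig documentation and are assumptions of this script; the server.xml and java.security fragments at the bottom are constructed sample inputs.

```python
"""Audit which TLS versions a Tomcat deployment can still negotiate.

Added example, not code from the original note.  Parses the SSLHostConfig
`protocols` attribute (Tomcat 8.5+) or the older `sslEnabledProtocols`
Connector attribute, plus jdk.tls.disabledAlgorithms from java.security,
and reports any version below TLS 1.2 a connector would still accept.
"""
import re
import xml.etree.ElementTree as ET

# Assumption from the Tomcat docs: "all" expands to these names (not SSLv3).
ALL_ALIAS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Versions the audit must not find enabled.  SSLv2Hello is only a hello
# message format, not a protocol version, so it is not counted as legacy.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}


def expand_protocols(value):
    """Expand a protocols / sslEnabledProtocols value into a set of names.

    Comma-separated tokens; "all" is an alias; a "+" prefix adds to and a
    "-" prefix removes from the running set, which starts empty.  The plain
    lists used by older connectors are a subset of this grammar.
    """
    enabled = set()
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        remove = token.startswith("-")
        name = token.lstrip("+-")
        names = ALL_ALIAS if name.lower() == "all" else {name}
        if remove:
            enabled -= names
        else:
            enabled |= names
    return enabled


def tomcat_protocols(server_xml):
    """Map each SSL-enabled Connector port to its enabled protocol set.

    None means the connector does not restrict versions itself, so whatever
    the JVM enables by default is negotiable.
    """
    result = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        hosts = conn.findall("SSLHostConfig")
        if hosts:  # Tomcat 8.5+: attribute lives on SSLHostConfig, default "all"
            enabled = set()
            for host in hosts:
                enabled |= expand_protocols(host.get("protocols", "all"))
        elif conn.get("sslEnabledProtocols") is not None:  # Tomcat 7 / 8.0 style
            enabled = expand_protocols(conn.get("sslEnabledProtocols"))
        else:
            enabled = None
        result[conn.get("port")] = enabled
    return result


def jdk_disabled_algorithms(java_security):
    """Return the tokens of jdk.tls.disabledAlgorithms from java.security text.

    A trailing backslash continues the property on the next line (the JDK
    ships the value that way), so continuations are folded first.
    """
    folded = re.sub(r"\\[ \t]*\n[ \t]*", "", java_security)
    for line in folded.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "jdk.tls.disabledAlgorithms":
            return {t.strip() for t in value.split(",") if t.strip()}
    return set()


def audit(server_xml, java_security):
    """Return {port: sorted legacy versions still negotiable}; [] means hardened."""
    disabled = jdk_disabled_algorithms(java_security)
    findings = {}
    for port, enabled in tomcat_protocols(server_xml).items():
        if enabled is None:
            # Unrestricted connector: only the JDK list keeps TLS 1.0 out.
            findings[port] = sorted(LEGACY - disabled)
        else:
            # Tomcat negotiates only what it lists and the JDK does not forbid.
            findings[port] = sorted((enabled - disabled) & LEGACY)
    return findings


# Constructed sample inputs, not a real deployment.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="ssl/123.jks" certificateKeystorePassword="123456" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="TLS"/>
  </Service>
</Server>
"""
SAMPLE_JAVA_SECURITY = """# value as given in the note, with its backslash continuation
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC
"""

if __name__ == "__main__":
    for port, legacy in audit(SAMPLE_SERVER_XML, SAMPLE_JAVA_SECURITY).items():
        print(port, "hardened" if not legacy else "still accepts " + ", ".join(legacy))
```

Run against the constructed inputs, port 443 comes back clean, while 8443 (old-style list that still names TLSv1 and TLSv1.1) and 9443 (no restriction at all) are reported as still accepting TLSv1.1: the java.security value from the note removes TLSv1 everywhere but says nothing about TLSv1.1, which is exactly why that version has to be added to jdk.tls.disabledAlgorithms or excluded in every connector.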