Tomcat日志中SSL握手失败的解决方法
确保<Connector>元素的SSL相关属性配置正确,重点核查:
certificateKeystoreFile:指向正确的密钥库文件路径(如conf/keystore.jks);certificateKeystorePassword:与创建密钥库时使用的密码一致;protocol:推荐使用org.apache.coyote.http11.Http11NioProtocol(支持NIO,性能更好);TLSv1.2、TLSv1.3)和强密码套件(如TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256),避免使用SSLv3、TLSv1.0等不安全协议。<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true" scheme="https" secure="true"
sslProtocol="TLS"
sslHostConfig>
<Certificate certificateKeystoreFile="conf/keystore.jks"
certificateKeystorePassword="your_password"
type="RSA"/>
<Cipher>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256</Cipher>
<Protocols>TLSv1.2,TLSv1.3</Protocols>
</Connector>
keytool确认密钥库是否存在及密码是否正确:keytool -list -v -keystore conf/keystore.jks
Not After日期),且域名与证书中的Common Name (CN)或Subject Alternative Name (SAN)一致(如example.com)。若为自签名证书,需将证书导入客户端信任库(如浏览器或Java的cacerts);若为CA证书,确保证书链完整(包含中间证书)。java -version和tomcat/bin/version.sh查看版本信息。通过命令行工具快速检查SSL配置是否正确:
openssl s_client -connect localhost:8443 -showcerts
观察输出中的“Verify return code”(应为0,表示证书有效);若出现“unable to get local issuer certificate”,说明证书链不完整,需补充中间证书。
查看logs/catalina.out或logs/localhost.log,根据错误信息针对性解决:
java.io.IOException: Keystore was tampered with or password was incorrect,说明密钥库密码错误;javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate),说明协议或密码套件不匹配;java.security.cert.CertificateExpiredException,说明证书过期。<Connector>中通过ciphers属性排除弱密码套件(如NULL、EXPORT、MD5);systemctl restart tomcat或bin/shutdown.sh && bin/startup.sh使配置生效;
