Tomcat-to-tomcat 连接产生 SSLHandshakeException，而 JavaApp-to-Tomcat 工作正常

Question

我有一个 Tomcat 7 服务器，它运行一些我需要通过另一个 Tomcat 7 服务器的 post 访问的 servlet。

出于安全考虑，连接是SSL连接，我使用这段代码进行连接：

/* Load the keyStore that includes self-signed cert as a "trusted" entry. */
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(new FileInputStream("myjks.jks"), "123456".toCharArray());
TrustManagerFactory tmf = 
    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
SSLContext ctx = SSLContext.getInstance("TLSv1");
ctx.init(null, tmf.getTrustManagers(), null);
SSLSocketFactory sslFactory = ctx.getSocketFactory();

HttpClientBuilder builder = HttpClientBuilder.create();
SSLConnectionSocketFactory sslConnectionFactory = 
    new SSLConnectionSocketFactory(ctx, 
        SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
builder.setSSLSocketFactory(sslConnectionFactory);

Registry<ConnectionSocketFactory> registry = 
    RegistryBuilder.<ConnectionSocketFactory>create()
        .register("https", sslConnectionFactory)
        .build();

HttpClientConnectionManager ccm = new BasicHttpClientConnectionManager(registry);

builder.setConnectionManager(ccm);
CloseableHttpClient client = builder.build();

HttpPost post = new HttpPost("https://myurl.com:9999/post");

/* post has parameters - omitted */

HttpResponse response = client.execute(post);
HttpEntity entity = response.getEntity();
String responseString = EntityUtils.toString(entity, "UTF-8");
int httpCode = response.getStatusLine().getStatusCode();
System.out.println(responseString);
System.out.println(httpCode);

有问题：每次我尝试连接我都会得到

收到致命警报：handshake_failure

现在，奇怪的是，完全相同的代码通过一个普通的 java 应用程序运行就可以正常工作并输出

<response data>
200

服务器上的代码在带有 Java 6 的 Apache Tomcat 7.0.42 上运行，Java 应用程序在 Java 6 上运行。

这是 Tomcat-SSL 服务器连接器的配置方式：

<Connector port="${tomcat.ssl.port}" protocol="HTTP/1.1"
                    enableLookups="false"
                    SSLEnabled="true" scheme="https" sslProtocol="TLS" secure="true" clientAuth="false"
                    keystoreFile="${catalina.base}/conf/certstore/server.jks"
                    keystorePass="123456"
                    truststoreFile="${catalina.base}/conf/certstore/ca.jks"
                    truststorePass="123456"
                    URIEncoding="UTF-8"
                    ciphers="SSL_RSA_WITH_RC4_128_MD5,
                            SSL_RSA_WITH_RC4_128_SHA,
                            TLS_RSA_WITH_AES_128_CBC_SHA,
                            TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                            TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                            SSL_RSA_WITH_3DES_EDE_CBC_SHA,
                            SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                            SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
                            TLS_RSA_WITH_AES_256_CBC_SHA,
                            TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                            TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
                    />

这些是受支持的密码：

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

为什么tomcat-to-tomcat 连接会出现这些问题？我应该怎么做才能使这段代码正常工作？

Answer 1

可能是因为Tomcat使用的JVM和你手动执行这个命令的JVM不同。较新的 Java 版本对 SSL 连接更加严格。可能引发此错误的较新版本中不允许使用某些协议。