商业错误SSL版本或密码错配

Question

我用OpenSSL创建了一个证书

openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key
openssl req -new -key server.key -out server.csr
keytool -import -trustcacerts -alias server.key -file server.crt -keystore 

并将keystore.jks放入${catalina.home}/lib/中

server.xml

<Connector port="9002"
                          maxHttpHeaderSize="8192"
                          maxPostSize="4194304"
              maxThreads="150"
              protocol="org.apache.coyote.http11.Http11Protocol"
              executor="hybrisExecutor"
              enableLookups="false"
              acceptCount="100"
              connectionTimeout="20000"
              disableUploadTimeout="true"
              URIEncoding="UTF-8"
              SSLEnabled="true"
                                       scheme="https"
                                       secure="true"
                                       clientAuth="false"
                               sslProtocol = "TLS"
                               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

                               keystoreFile="${catalina.home}/lib/keystore.jks"
                               keystorePass="123456"

在Chrome上，它给出了以下错误：

此站点无法提供安全连接13.236.191.242使用不支持的协议。ERR_SSL_VERSION_OR_CIPHER_MISMATCH不支持的协议客户端和服务器不支持通用的SSL协议版本或密码套件。

curl -Iv https://11.231.191.212:9001/

Trying 11.231.191.212...
TCP_NODELAY set
Connected to 11.231.191.212 (11.231.191.212) port 9001 (#0)
schannel: SSL/TLS connection with 11.231.191.212 port 9001 (step 1/3)
schannel: checking server certificate revocation
schannel: using IP address, SNI is not supported by OS.
schannel: sending initial handshake data: sending 156 bytes...
schannel: sent initial handshake data: sent 156 bytes
schannel: SSL/TLS connection with 11.231.191.212 port 9001 (step 2/3)
schannel: failed to receive handshake, need more data

Answer 1

问题是我用OpenSSL创建了一个自签名证书，但是当从java生成证书时，它就完美地工作了。

keytool.exe -genkey -alias tomcat -keyalg RSA -keystore c:\tomcatkeys

OpenSSL和keystore以不同的文件格式生成证书，您可以从下面的链接中看到区别。https://security.stackexchange.com/questions/98282/difference-between-openssl-and-keytool