<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>32.3. Spring boot with HTTP2 SSL</title><link rel="stylesheet" type="text/css" href="../docbook.css" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="home" href="../index.html" title="Netkiller Java 手札(版)" /><link rel="up" href="web.html" title="第 32 章 Springboot with Undertow / Jetty / http2" /><link rel="prev" href="jetty.html" title="32.2. Spring boot with Jetty" /><link rel="next" href="mongodb/index.html" title="第 33 章 Spring boot with MongoDB" /></head><body><a xmlns="" href="//www.netkiller.cn/">Home</a> | <a xmlns="" href="//netkiller.github.io/">简体中文</a> | <a xmlns="" href="http://netkiller.sourceforge.net/">繁体中文</a> | <a xmlns="" href="/journal/index.html">杂文</a>
| <a xmlns="" href="https://github.com/netkiller">Github</a> | <a xmlns="" href="https://zhuanlan.zhihu.com/netkiller">知乎专栏</a> | <a xmlns="" href="https://www.facebook.com/bg7nyt">Facebook</a> | <a xmlns="" href="http://cn.linkedin.com/in/netkiller/">Linkedin</a> | <a xmlns="" href="https://www.youtube.com/user/bg7nyt/videos">Youtube</a> | <a xmlns="" href="//www.netkiller.cn/home/donations.html">打赏(Donations)</a> | <a xmlns="" href="//www.netkiller.cn/home/about.html">About</a><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">32.3. Spring boot with HTTP2 SSL</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="jetty.html">上一页</a> </td><th width="60%" align="center">第 32 章 Springboot with Undertow / Jetty / http2</th><td width="20%" align="right"> <a accesskey="n" href="mongodb/index.html">下一页</a></td></tr></table><hr /></div><table xmlns=""><tr><td><iframe src="//ghbtns.com/github-btn.html?user=netkiller&repo=netkiller.github.io&type=watch&count=true&size=large" height="30" width="170" frameborder="0" scrolling="0" style="width:170px; height: 30px;" allowTransparency="true"></iframe></td><td><iframe src="//ghbtns.com/github-btn.html?user=netkiller&repo=netkiller.github.io&type=fork&count=true&size=large" height="30" width="170" frameborder="0" scrolling="0" style="width:170px; height: 30px;" allowTransparency="true"></iframe></td><td><iframe src="//ghbtns.com/github-btn.html?user=netkiller&type=follow&count=true&size=large" height="30" width="240" frameborder="0" scrolling="0" style="width:240px; height: 30px;" allowTransparency="true"></iframe></td><td></td><td><a href="https://zhuanlan.zhihu.com/netkiller"><img src="/images/logo/zhihu-card-default.svg" height="25" /></a></td><td valign="middle"><a href="https://zhuanlan.zhihu.com/netkiller">知乎专栏</a></td><td></td><td></td><td></td><td></td></tr></table><div class="section"><div class="titlepage"><div><div><h3 class="title"><a 
id="springboot.https"></a>32.3. Spring boot with HTTP2 SSL</h3></div></div></div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="id1067"></a>32.3.1. 生成自签名证书</h4></div></div></div>
<pre class="programlisting">
# Generate an RSA key pair plus its self-signed certificate into a new JKS
# keystore. No -keysize is given here, so the key length is whatever the
# installed keytool defaults to; the HTTP2 section further down passes
# -keysize 2048 explicitly. With -storepass omitted keytool prompts for the
# password, which keeps it out of shell history.
keytool -genkey -alias www.netkiller.cn -keyalg RSA -keystore /www/netkiller.cn/www.netkiller.cn.keystore
</pre>
<p>导入证书(Windows)</p>
<pre class="programlisting">
# Re-sign the alias's certificate, then export the certificate (public part
# only, PEM form via -rfc) so it can be imported into a trust store.
keytool -selfcert -alias www.netkiller.cn -keystore www.netkiller.cn.keystore
# -storepass on the command line lands in shell history and is readable by
# other local users through the process list; drop the flag to be prompted.
keytool -export -alias www.netkiller.cn -keystore www.netkiller.cn.keystore -storepass passw0rd -rfc -file www.netkiller.cn.cer
</pre>
<p>找到 Java 安装路径</p>
<pre class="screen">
[root@localhost ~]# alternatives --list
libnssckbi.so.x86_64 auto /usr/lib64/pkcs11/p11-kit-trust.so
python auto /usr/libexec/no-python
cifs-idmap-plugin auto /usr/lib64/cifs-utils/cifs_idmap_sss.so
ifup auto /usr/libexec/nm-ifup
ld auto /usr/bin/ld.bfd
python3 auto /usr/bin/python3.6
dockerd auto /usr/bin/dockerd-ce
java manual /usr/lib/jvm/java-14-openjdk-14.0.2.12-1.rolling.el8.x86_64/bin/java
jre_openjdk auto /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre
jre_14 auto /usr/lib/jvm/java-14-openjdk-14.0.2.12-1.rolling.el8.x86_64
jre_14_openjdk auto /usr/lib/jvm/jre-14-openjdk-14.0.2.12-1.rolling.el8.x86_64
javac auto /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/bin/javac
java_sdk_openjdk auto /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64
java_sdk_14 auto /usr/lib/jvm/java-14-openjdk-14.0.2.12-1.rolling.el8.x86_64
java_sdk_14_openjdk auto /usr/lib/jvm/java-14-openjdk-14.0.2.12-1.rolling.el8.x86_64
jre_1.8.0 auto /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre
jre_1.8.0_openjdk auto /usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64
java_sdk_1.8.0 auto /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64
java_sdk_1.8.0_openjdk auto /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64
mvn auto /usr/share/maven/bin/mvn
</pre>
<p>导入证书(JVM)</p>
<pre class="programlisting">
# Add the exported certificate to the JVM trust store so Java clients on this
# JRE accept the self-signed server certificate. cacerts is shared by the whole
# JRE: every application running on it will trust this certificate afterwards.
keytool -importcert -alias www.netkiller.cn -file www.netkiller.cn.cer -keystore /srv/java/jre/lib/security/cacerts
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="id1068"></a>32.3.2. application.properties 配置文件</h4></div></div></div>
<p>配置 Tomcat HTTPS 端口 8443(由于 JVM 不能 fork 和 setuid,所以无法像 nginx、apache
httpd 那样绑定 80 端口,除非你使用 root 用户运行,但这样做是不安全的。)</p>
<pre class="programlisting">
# Spring Boot HTTPS settings; 8443 because the JVM does not bind port 80
# without root (see above).
server.port=8443
server.ssl.enabled=true
server.ssl.key-store=/www/netkiller.cn/www.netkiller.cn.keystore
# Plain-text keystore password in the config file: anyone who can read this
# file can unlock the private key. Prefer supplying it out of band, e.g. via
# the SERVER_SSL_KEY_STORE_PASSWORD environment variable (Spring relaxed
# binding), and keep this file out of version control if it stays here.
server.ssl.key-store-password=passw0rd
server.ssl.key-store-type=JKS
server.ssl.key-alias=www.netkiller.cn
</pre>
<p>keystore 文件可以放到 classpath 中,首先将证书文件放到 src/main/resources
目录中,然后配置 application.properties 如下:</p>
<pre class="programlisting">
# Same settings with the keystore loaded from the classpath. A classpath
# keystore is packaged inside the jar/war, so the private key travels with
# every copy of the artifact.
server.port=8443
server.ssl.enabled=true
server.ssl.key-store=classpath:www.netkiller.cn.keystore
# Plain-text password again; prefer the SERVER_SSL_KEY_STORE_PASSWORD
# environment variable over committing it here.
server.ssl.key-store-password=passw0rd
server.ssl.key-store-type=JKS
server.ssl.key-alias=www.netkiller.cn
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="id1069"></a>32.3.3. 启动 Spring boot</h4></div></div></div>
<pre class="screen">
# Start the packaged application with explicit heap bounds. -Djava.security.egd
# points the JDK's SecureRandom seeding at /dev/urandom so startup does not
# stall waiting for /dev/random entropy (file:/dev/./urandom is the spelling the
# JDK honours). The keystore password is read from application.properties, not
# passed here, so it does not appear in the process list.
/srv/java/bin/java -server -Xms2048m -Xmx8192m -Djava.security.egd=file:/dev/./urandom -jar /www/netkiller.cn/www.netkiller.cn/www.netkiller.cn-0.0.1.war
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="id1070"></a>32.3.4. restTemplate 调用实例</h4></div></div></div>
<pre class="programlisting">
// Typed RestTemplate call against the HTTPS endpoint served on port 8443.
// NOTE(review): a RestTemplate accepts the self-signed certificate only when
// the client JVM's trust store contains it (the keytool -importcert step
// above) — confirm on the machine that actually runs this client.
String url = "https://www.netkiller.cn:8443/public/test/version.json";
ResponseEntity<RestResponse<String>> result = restTemplate.exchange(url, HttpMethod.GET, null, new ParameterizedTypeReference<RestResponse<String>>() {});
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="id1071"></a>32.3.5. HTTP2</h4></div></div></div>
<p>启用 HTTP2 必须使用 Tomcat 9 以上, Springboot 2.1</p>
<p>创建证书</p>
<pre class="screen">
# Self-signed localhost certificate for local HTTP/2 testing, in a PKCS12 store.
# -storepass on the command line is kept in shell history and visible to other
# local users via ps; keytool prompts for it when the flag is omitted.
keytool -genkey -alias localhost -storetype PKCS12 -keyalg RSA -keysize 2048 -storepass passw0rd -keystore localhost.p12 -dname "CN=localhost, OU=netkiller, O=netkiller.cn, L=Guangdong, ST=Shenzhen, C=CN"
# -genkey already wrote a self-signed certificate for the alias; -selfcert
# re-signs it (presumably kept for parity with the steps in 32.3.1).
keytool -selfcert -alias localhost -storepass passw0rd -keystore localhost.p12
# Export only the certificate (public part) in PEM form for import elsewhere.
keytool -export -alias localhost -keystore localhost.p12 -storepass passw0rd -rfc -file localhost.cer
# Add it to the system-wide JVM trust store so Java clients on this host trust it.
# NOTE(review): stock JVM cacerts stores ship with the password changeit (the
# MacOS step below prompts for it) — confirm passw0rd really is this store's
# password before relying on this line.
keytool -importcert -trustcacerts -alias localhost -file localhost.cer -storepass passw0rd -keystore /etc/pki/java/cacerts
</pre>
<p>如果你是自己安装的JDK,需要找到cacerts安装路径</p>
<pre class="screen">
# Same import for a manually installed JDK: point -keystore at that JDK's own
# lib/security/cacerts. As above, -storepass on the command line exposes the
# password in shell history and the process list; omit it to be prompted.
keytool -importcert -trustcacerts -alias localhost -file localhost.cer -storepass passw0rd -keystore /srv/java/jre/lib/security/cacerts
</pre>
<p>MacOS 添加方法,当提示你输入密码的时候,输入:changeit</p>
<pre class="screen">
iMac:resources neo$ sudo keytool -importcert -trustcacerts -alias localhost -file localhost.cer -cacerts
Password:
输入密钥库口令:
所有者: CN=localhost, OU=netkiller, O=netkiller.cn, L=Guangdong, ST=Shenzhen, C=CN
发布者: CN=localhost, OU=netkiller, O=netkiller.cn, L=Guangdong, ST=Shenzhen, C=CN
序列号: ffd28d78add2b56c
生效时间: Mon Sep 07 16:55:39 CST 2020, 失效时间: Sun Dec 06 16:55:39 CST 2020
证书指纹:
SHA1: A0:DB:69:34:66:EA:16:A3:AF:65:31:F9:5D:6E:C0:70:CA:5F:0E:22
SHA256: 2C:04:B7:BB:28:25:B5:E6:7C:0F:73:4B:02:38:6E:04:80:42:E2:F7:61:5C:91:4D:A8:EA:5E:20:2E:82:4F:0C
签名算法名称: SHA256withRSA
主体公共密钥算法: 2048 位 RSA 密钥
版本: 3
扩展:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4E 30 9A EC C1 9D FB C2 CC 55 B2 6D 0D F4 01 CE N0.......U.m....
0010: 13 C6 62 38 ..b8
]
]
是否信任此证书? [否]: Y
证书已添加到密钥库中
iMac:resources neo$ keytool -list -cacerts -alias localhost
输入密钥库口令:
localhost, 2020年9月8日, trustedCertEntry,
证书指纹 (SHA-256): 2C:04:B7:BB:28:25:B5:E6:7C:0F:73:4B:02:38:6E:04:80:42:E2:F7:61:5C:91:4D:A8:EA:5E:20:2E:82:4F:0C
</pre>
<p>配置启用 http2</p>
<pre class="screen">
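# Spring Boot YAML form of the HTTPS + HTTP/2 settings. Indentation is
# significant: port, servlet, ssl and http2 are all nested under server,
# otherwise nothing binds and "enabled" would appear twice at one level.
server:
  port: 8443
  servlet:
    context-path: /
  ssl:
    enabled: true
    key-store: classpath:ssl/localhost.p12
    key-store-type: PKCS12
    # Plain-text store password in a committed config file; prefer supplying
    # it out of band, e.g. via the SERVER_SSL_KEY_STORE_PASSWORD environment
    # variable (Spring relaxed binding).
    key-store-password: 123456
  http2:
    enabled: true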
</pre>
<p>我的配置</p>
<pre class="screen">
# Properties form of the HTTP/2 configuration used by the author.
spring.application.name=web
server.port=8443
#server.servlet.context-path=/
server.ssl.enabled=true
server.ssl.key-store=classpath:localhost.p12
server.ssl.key-store-type=PKCS12
# Plain-text keystore password; prefer the SERVER_SSL_KEY_STORE_PASSWORD
# environment variable over committing it with the source.
server.ssl.key-store-password=123456
server.http2.enabled=true
</pre>
<p>使用 curl 访问(自签名证书需要加 -k 跳过证书校验,仅限本地测试),响应中可以看到 HTTP/2 字样,表示成功</p>
<pre class="screen">
neo@MacBook-Pro ~ % curl -i -k https://localhost:8443/ping
HTTP/2 200
content-type: text/plain;charset=UTF-8
content-length: 4
date: Tue, 09 Apr 2019 08:41:29 GMT
Pong%
</pre>
</div>
</div><script xmlns="" type="text/javascript" id="clustrmaps" src="//cdn.clustrmaps.com/map_v2.js?u=r5HG&d=9mi5r_kkDC8uxG8HuY3p4-2qgeeVypAK9vMD-2P6BYM"></script><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="jetty.html">上一页</a> </td><td width="20%" align="center"><a accesskey="u" href="web.html">上一级</a></td><td width="40%" align="right"> <a accesskey="n" href="mongodb/index.html">下一页</a></td></tr><tr><td width="40%" align="left" valign="top">32.2. Spring boot with Jetty </td><td width="20%" align="center"><a accesskey="h" href="../index.html">起始页</a></td><td width="40%" align="right" valign="top"> 第 33 章 Spring boot with MongoDB</td></tr></table></div><script xmlns="">
// Google Analytics bootstrap: expose a global queue function under the name
// given as the last argument, then load analytics.js asynchronously.
(function (win, doc, tagName, scriptUrl, globalName) {
  win['GoogleAnalyticsObject'] = globalName;
  // Calls made before the library arrives are queued in .q and replayed later.
  win[globalName] = win[globalName] || function () {
    (win[globalName].q = win[globalName].q || []).push(arguments);
  };
  win[globalName].l = 1 * new Date();
  var loader = doc.createElement(tagName);
  var firstScript = doc.getElementsByTagName(tagName)[0];
  loader.async = 1;
  loader.src = scriptUrl;
  firstScript.parentNode.insertBefore(loader, firstScript);
})(window, document, 'script', '//www.google-analytics.com/analytics.js', 'ga');
ga('create', 'UA-11694057-1', 'auto');
ga('send', 'pageview');
</script><script xmlns="" async="async">
// Baidu Tongji (site statistics) loader; _hmt is the library's global queue.
var _hmt = _hmt || [];
(function () {
  var tracker = document.createElement("script");
  tracker.src = "https://hm.baidu.com/hm.js?93967759a51cda79e49bf4e34d0b0f2c";
  // Insert ahead of the first script element already in the document.
  var anchor = document.getElementsByTagName("script")[0];
  anchor.parentNode.insertBefore(tracker, anchor);
})();
</script><script xmlns="" async="async">
(function () {
  // Baidu link-submit beacon: pick the script origin matching the page's own
  // scheme. When the page itself is served over plain HTTP this loads a script
  // without transport protection, so it could be altered on the network path;
  // serving the site over HTTPS means that branch is never taken.
  var beacon = document.createElement('script');
  var scheme = window.location.protocol.split(':')[0];
  beacon.src = scheme === 'https'
    ? 'https://zz.bdstatic.com/linksubmit/push.js'
    : 'http://push.zhanzhang.baidu.com/push.js';
  var firstScript = document.getElementsByTagName("script")[0];
  firstScript.parentNode.insertBefore(beacon, firstScript);
})();
</script></body></html>