我有问题得到一个Windows Server 2012 R2 64位盒locking。 我使用了一个名为IISCrypto的工具来使FIPS 140兼容。
我已经手动检查registry项,所有弱密码看起来被禁用,但Retinanetworking扫描仪社区仍然报告IIS支持弱密码( Enabled=0 )。
当我运行SSLScan,我得到以下内容:
在port 443上testingSSL服务器127.0.0.1支持的服务器密码:
Failed SSLv2 168 bits DES-CBC3-MD5 Failed SSLv2 56 bits DES-CBC-MD5 Failed SSLv2 128 bits IDEA-CBC-MD5 Failed SSLv2 40 bits EXP-RC2-CBC-MD5 Failed SSLv2 128 bits RC2-CBC-MD5 Failed SSLv2 40 bits EXP-RC4-MD5 Failed SSLv2 128 bits RC4-MD5 Failed SSLv3 256 bits ADH-AES256-SHA Failed SSLv3 256 bits DHE-RSA-AES256-SHA Failed SSLv3 256 bits DHE-DSS-AES256-SHA Failed SSLv3 256 bits AES256-SHA Failed SSLv3 128 bits ADH-AES128-SHA Failed SSLv3 128 bits DHE-RSA-AES128-SHA Failed SSLv3 128 bits DHE-DSS-AES128-SHA Failed SSLv3 128 bits AES128-SHA Failed SSLv3 168 bits ADH-DES-CBC3-SHA Failed SSLv3 56 bits ADH-DES-CBC-SHA Failed SSLv3 40 bits EXP-ADH-DES-CBC-SHA Failed SSLv3 128 bits ADH-RC4-MD5 Failed SSLv3 40 bits EXP-ADH-RC4-MD5 Failed SSLv3 168 bits EDH-RSA-DES-CBC3-SHA Failed SSLv3 56 bits EDH-RSA-DES-CBC-SHA Failed SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA Failed SSLv3 168 bits EDH-DSS-DES-CBC3-SHA Failed SSLv3 56 bits EDH-DSS-DES-CBC-SHA Failed SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA Failed SSLv3 168 bits DES-CBC3-SHA Failed SSLv3 56 bits DES-CBC-SHA Failed SSLv3 40 bits EXP-DES-CBC-SHA Failed SSLv3 128 bits IDEA-CBC-SHA Failed SSLv3 40 bits EXP-RC2-CBC-MD5 Failed SSLv3 128 bits RC4-SHA Failed SSLv3 128 bits RC4-MD5 Failed SSLv3 40 bits EXP-RC4-MD5 Failed SSLv3 0 bits NULL-SHA Failed SSLv3 0 bits NULL-MD5 Failed TLSv1 256 bits ADH-AES256-SHA Failed TLSv1 256 bits DHE-RSA-AES256-SHA Failed TLSv1 256 bits DHE-DSS-AES256-SHA Accepted TLSv1 256 bits AES256-SHA Failed TLSv1 128 bits ADH-AES128-SHA Failed TLSv1 128 bits DHE-RSA-AES128-SHA Failed TLSv1 128 bits DHE-DSS-AES128-SHA Accepted TLSv1 128 bits AES128-SHA Failed TLSv1 168 bits ADH-DES-CBC3-SHA Failed TLSv1 56 bits ADH-DES-CBC-SHA Failed TLSv1 40 bits EXP-ADH-DES-CBC-SHA Failed TLSv1 128 bits ADH-RC4-MD5 Failed TLSv1 40 bits EXP-ADH-RC4-MD5 Failed TLSv1 168 bits EDH-RSA-DES-CBC3-SHA Failed TLSv1 56 bits EDH-RSA-DES-CBC-SHA Failed TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA Failed TLSv1 168 bits EDH-DSS-DES-CBC3-SHA Failed TLSv1 56 bits EDH-DSS-DES-CBC-SHA Failed TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA Accepted TLSv1 168 bits DES-CBC3-SHA Failed TLSv1 56 bits DES-CBC-SHA Failed TLSv1 40 bits EXP-DES-CBC-SHA Failed TLSv1 128 bits IDEA-CBC-SHA Failed TLSv1 40 bits EXP-RC2-CBC-MD5 Failed TLSv1 128 bits RC4-SHA Failed TLSv1 128 bits RC4-MD5 Failed TLSv1 40 bits EXP-RC4-MD5 Failed TLSv1 0 bits NULL-SHA Failed TLSv1 0 bits NULL-MD5 Prefered Server Cipher(s): TLSv1 256 bits AES256-SHA
我错过了什么? 谢谢
那么DES-CBC3-SHA 是不明确的,因为它没有列出密钥交换algorithm (很确定RSA暗示在那里),但这可能是Retina抱怨的。 即使它说的DES(这肯定不符合FIPS),我相对确定它实际上指的是3DES(三重DES),因为168位密钥,这是56×3。 这只是一个不好的标签。
如果视网膜是一个更好的工具,它会告诉你到底是什么抱怨。
使用像IISCrypto这样的工具的问题在于, 你不知道它在幕后做了些什么 。
另外,你确定你正在使用已经更新了TLS 1.1和1.2版本的SSLScan吗? 有些版本在TLS 1.0处停留。 在这种情况下,您可能需要使用SharpTLSScan等更新的工具: https ://www.myotherpcisacloud.com/post/sharptlsscan-v12
默认情况下,您应该至less在Server 2012 R2上启用一些TLS 1.1和1.2密码,这使我怀疑您的SSLScan版本是否过期,并且不会扫描较新的协议版本。
无论如何,你真的想启用TLS 1.1和1.2。 TLS 1.0正在很快接近其使用寿命的终点。