I have configured Schannel to disable insecure protocols and ciphers following the standard recommendations, but SSLScan only reports AES and 3DES as available cipher options. Although RC4 should be enabled and set as the preferred cipher, it does not appear as an option.
The Schannel registry settings are configured as follows:
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
      Ciphers
        AES 128/128:         Enabled (1)
        AES 256/256:         Enabled (1)
        DES 56/56:           Enabled (0)
        NULL:                Enabled (0)
        RC2 128/128:         Enabled (0)
        RC2 40/128:          Enabled (0)
        RC2 56/128:          Enabled (0)
        RC4 128/128:         Enabled (1)
        RC4 40/128:          Enabled (0)
        RC4 56/128:          Enabled (0)
        RC4 64/128:          Enabled (0)
        Triple DES 168/168:  Enabled (1)
      Protocols
        PCT 1.0 Server:      Enabled (0)
        SSL 2.0 Server:      Enabled (0)
        SSL 3.0 Server:      Enabled (1)
        TLS 1.0 Server:      Enabled (1)
        TLS 1.1 Server:      DisabledByDefault (0), Enabled (1)
        TLS 1.2 Server:      DisabledByDefault (0), Enabled (1)
    HKLM\SYSTEM\CurrentControlSet\Control\
The SSLScan output is:
    Supported Server Cipher(s):
      Rejected  SSLv2  168 bits  DES-CBC3-MD5
      Rejected  SSLv2  56 bits   DES-CBC-MD5
      Rejected  SSLv2  128 bits  IDEA-CBC-MD5
      Rejected  SSLv2  40 bits   EXP-RC2-CBC-MD5
      Rejected  SSLv2  128 bits  RC2-CBC-MD5
      Rejected  SSLv2  40 bits   EXP-RC4-MD5
      Rejected  SSLv2  128 bits  RC4-MD5
      Failed    SSLv3  256 bits  ADH-AES256-SHA
      Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA
      Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA
      Failed    SSLv3  256 bits  AES256-SHA
      Failed    SSLv3  128 bits  ADH-AES128-SHA
      Failed    SSLv3  128 bits  DHE-RSA-AES128-SHA
      Failed    SSLv3  128 bits  DHE-DSS-AES128-SHA
      Failed    SSLv3  128 bits  AES128-SHA
      Failed    SSLv3  168 bits  ADH-DES-CBC3-SHA
      Failed    SSLv3  56 bits   ADH-DES-CBC-SHA
      Failed    SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
      Failed    SSLv3  128 bits  ADH-RC4-MD5
      Failed    SSLv3  40 bits   EXP-ADH-RC4-MD5
      Failed    SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
      Failed    SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
      Failed    SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
      Failed    SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
      Failed    SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
      Failed    SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
      Accepted  SSLv3  168 bits  DES-CBC3-SHA
      Failed    SSLv3  56 bits   DES-CBC-SHA
      Failed    SSLv3  40 bits   EXP-DES-CBC-SHA
      Failed    SSLv3  128 bits  IDEA-CBC-SHA
      Failed    SSLv3  40 bits   EXP-RC2-CBC-MD5
      Failed    SSLv3  128 bits  RC4-SHA
      Failed    SSLv3  128 bits  RC4-MD5
      Failed    SSLv3  40 bits   EXP-RC4-MD5
      Failed    SSLv3  0 bits    NULL-SHA
      Failed    SSLv3  0 bits    NULL-MD5
      Failed    TLSv1  256 bits  ADH-AES256-SHA
      Failed    TLSv1  256 bits  DHE-RSA-AES256-SHA
      Failed    TLSv1  256 bits  DHE-DSS-AES256-SHA
      Accepted  TLSv1  256 bits  AES256-SHA
      Failed    TLSv1  128 bits  ADH-AES128-SHA
      Failed    TLSv1  128 bits  DHE-RSA-AES128-SHA
      Failed    TLSv1  128 bits  DHE-DSS-AES128-SHA
      Accepted  TLSv1  128 bits  AES128-SHA
      Failed    TLSv1  168 bits  ADH-DES-CBC3-SHA
      Failed    TLSv1  56 bits   ADH-DES-CBC-SHA
      Failed    TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
      Failed    TLSv1  128 bits  ADH-RC4-MD5
      Failed    TLSv1  40 bits   EXP-ADH-RC4-MD5
      Failed    TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
      Failed    TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
      Failed    TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
      Failed    TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
      Failed    TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
      Failed    TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
      Accepted  TLSv1  168 bits  DES-CBC3-SHA
      Failed    TLSv1  56 bits   DES-CBC-SHA
      Failed    TLSv1  40 bits   EXP-DES-CBC-SHA
      Failed    TLSv1  128 bits  IDEA-CBC-SHA
      Failed    TLSv1  40 bits   EXP-RC2-CBC-MD5
      Failed    TLSv1  128 bits  RC4-SHA
      Failed    TLSv1  128 bits  RC4-MD5
      Failed    TLSv1  40 bits   EXP-RC4-MD5
      Failed    TLSv1  0 bits    NULL-SHA
      Failed    TLSv1  0 bits    NULL-MD5
    Preferred Server Cipher(s):
      SSLv3  168 bits  DES-CBC3-SHA
      TLSv1  256 bits  AES256-SHA
As you can see, RC4 is not accepted as an option. On a Windows 2003 R2 / IIS 6 server I used the same configuration (except for TLS 1.1 and 1.2) and RC4 worked without problems.
Can anyone help me find out why RC4 128/128 is not working?
Thanks!
The reason RC4 is not working is that, to enable it, the registry value must be set to 0xffffffff (4294967295), not 1.
Below are some PowerShell functions we use to make our IIS installation PCI compliant:
This function enables/disables the required protocols:
    function Set-IISSecurityProtocols {
        $protopath = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

        # Server side: turn off PCT 1.0 and SSL 2.0, keep SSL 3.0 and TLS 1.0 on
        & reg.exe add "$protopath\PCT 1.0\Server" /v Enabled /t REG_DWORD /d 00000000 /f
        & reg.exe add "$protopath\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 00000000 /f
        & reg.exe add "$protopath\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 00000001 /f
        & reg.exe add "$protopath\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 00000001 /f

        # TLS 1.1 / 1.2 need both Enabled=1 and DisabledByDefault=0 to be offered
        & reg.exe add "$protopath\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 00000001 /f
        & reg.exe add "$protopath\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
        & reg.exe add "$protopath\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 00000001 /f
        & reg.exe add "$protopath\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 00000000 /f

        # Client side: same for outbound connections made by this host
        & reg.exe add "$protopath\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 00000001 /f
        & reg.exe add "$protopath\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
        & reg.exe add "$protopath\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 00000001 /f
        & reg.exe add "$protopath\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
    }
And this function is where you set which ciphers are allowed and which are not:
    function Set-IISSupportedCiphers {
        $cipherpath = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"

        # Disabled ciphers: Enabled = 0
        & reg.exe add "$cipherpath\NULL" /v Enabled /t REG_DWORD /d 00000000 /f
        & reg.exe add "$cipherpath\DES 56/56" /v Enabled /t REG_DWORD /d 00000000 /f
        & reg.exe add "$cipherpath\RC2 40/128" /v Enabled /t REG_DWORD /d 00000000 /f
        & reg.exe add "$cipherpath\RC2 56/128" /v Enabled /t REG_DWORD /d 00000000 /f
        & reg.exe add "$cipherpath\RC2 128/128" /v Enabled /t REG_DWORD /d 00000000 /f
        & reg.exe add "$cipherpath\RC4 40/128" /v Enabled /t REG_DWORD /d 00000000 /f
        & reg.exe add "$cipherpath\RC4 56/128" /v Enabled /t REG_DWORD /d 00000000 /f
        & reg.exe add "$cipherpath\RC4 64/128" /v Enabled /t REG_DWORD /d 00000000 /f

        # Enabled ciphers: Enabled = 0xffffffff (4294967295), NOT 1
        & reg.exe add "$cipherpath\RC4 128/128" /v Enabled /t REG_DWORD /d 4294967295 /f
        & reg.exe add "$cipherpath\Triple DES 168/168" /v Enabled /t REG_DWORD /d 4294967295 /f
        & reg.exe add "$cipherpath\AES 128/128" /v Enabled /t REG_DWORD /d 4294967295 /f
        & reg.exe add "$cipherpath\AES 256/256" /v Enabled /t REG_DWORD /d 4294967295 /f
    }
Once these changes are in place (a reboot is required, AFAIK), you can set the cipher usage priority.
To avoid the BEAST vulnerability it is recommended to put RC4 first, as described here: http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vulnerability.php
Until either one does so.
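An added read-only audit, not part of the question or the answer above, that reads the same Ciphers keys and flags any Enabled value, such as the 1 in the question, that is neither 0 nor 0xffffffff. The key path is the one from the question; the function name is my own, and the .NET registry API is used because key names like "RC4 128/128" contain a slash that the PowerShell registry provider treats as a path separator.

```powershell
# Added example: audit Schannel cipher "Enabled" values for the 1-vs-0xffffffff mistake.
function Test-SchannelCipherConfig {
    [CmdletBinding()]
    param(
        # Path taken from the question; HKLM is opened read-only.
        [string]$CiphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
    )

    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($CiphersPath, $false)
    if ($null -eq $root) {
        Write-Warning "HKLM\$CiphersPath does not exist; Schannel is running on OS defaults."
        return
    }

    foreach ($name in $root.GetSubKeyNames()) {
        $sub = $root.OpenSubKey($name, $false)
        # REG_DWORD is returned as Int32, so 0xffffffff (4294967295) reads back as -1.
        $raw = $sub.GetValue('Enabled')

        if ($null -eq $raw)  { $state = 'Unset (OS default)' }
        elseif ($raw -eq 0)  { $state = 'Disabled' }
        elseif ($raw -eq -1) { $state = 'Enabled' }
        else                 { $state = "MISCONFIGURED (value $raw; Schannel needs 0xffffffff)" }

        # Suggested correction, in the same reg.exe form the answer uses; not applied here.
        $fix = $null
        if ($state -like 'MISCONFIGURED*') {
            $fix = 'reg.exe add "HKLM\{0}\{1}" /v Enabled /t REG_DWORD /d 4294967295 /f' -f $CiphersPath, $name
        }

        [pscustomobject]@{
            Cipher  = $name
            Enabled = if ($null -eq $raw) { $null } else { '0x{0:x8}' -f $raw }
            State   = $state
            Fix     = $fix
        }
        $sub.Close()
    }
    $root.Close()
}

# Usage: list every cipher key and its state, then show only the ones needing attention.
Test-SchannelCipherConfig | Format-Table -AutoSize
Test-SchannelCipherConfig | Where-Object State -like 'MISCONFIGURED*' | Select-Object Cipher, Fix
```

Run it before and after a change; a reboot is still needed for Schannel to pick up corrected values, so a clean audit alone does not prove SSLScan will see RC4.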