我已将 schannel 配置为按照标准建议禁用不安全的协议和密码,但 Sslscan 仅将 AES 和 3DES 报告为可用的密码选项。虽然应该启用 RC4,并将其设置为首选密码,但它并没有作为选项出现。
schannel 注册表设置配置如下:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Ciphers
AES 128/128: Enabled (1)
AES 256/256: Enabled (1)
DES 56/56: Enabled (0)
NULL: Enabled (0)
RC2 128/128: Enabled (0)
RC2 40/128: Enabled (0)
RC2 56/128: Enabled (0)
RC4 128/128: Enabled (1)
RC4 40/128: Enabled (0)
RC4 56/128: Enabled (0)
RC4 64/128: Enabled (0)
Triple DES 168/168: Enabled (1)
Protocols
PCT 1.0
Server: Enabled (0)
SSL 2.0
Server: Enabled (0)
SSL 3.0
Server: Enabled (1)
TLS 1.0
Server: Enabled (1)
TLS 1.1
Server: DisabledByDefault (0), Enabled (1)
TLS 1.2
Server: DisabledByDefault (0), Enabled (1)
HKLM\SYSTEM\CurrentControlSet\Control\
SSLScan 的输出是:
Supported Server Cipher(s):
Rejected SSLv2 168 bits DES-CBC3-MD5
Rejected SSLv2 56 bits DES-CBC-MD5
Rejected SSLv2 128 bits IDEA-CBC-MD5
Rejected SSLv2 40 bits EXP-RC2-CBC-MD5
Rejected SSLv2 128 bits RC2-CBC-MD5
Rejected SSLv2 40 bits EXP-RC4-MD5
Rejected SSLv2 128 bits RC4-MD5
Failed SSLv3 256 bits ADH-AES256-SHA
Failed SSLv3 256 bits DHE-RSA-AES256-SHA
Failed SSLv3 256 bits DHE-DSS-AES256-SHA
Failed SSLv3 256 bits AES256-SHA
Failed SSLv3 128 bits ADH-AES128-SHA
Failed SSLv3 128 bits DHE-RSA-AES128-SHA
Failed SSLv3 128 bits DHE-DSS-AES128-SHA
Failed SSLv3 128 bits AES128-SHA
Failed SSLv3 168 bits ADH-DES-CBC3-SHA
Failed SSLv3 56 bits ADH-DES-CBC-SHA
Failed SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Failed SSLv3 128 bits ADH-RC4-MD5
Failed SSLv3 40 bits EXP-ADH-RC4-MD5
Failed SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Failed SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Failed SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Failed SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Failed SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Failed SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Failed SSLv3 56 bits DES-CBC-SHA
Failed SSLv3 40 bits EXP-DES-CBC-SHA
Failed SSLv3 128 bits IDEA-CBC-SHA
Failed SSLv3 40 bits EXP-RC2-CBC-MD5
Failed SSLv3 128 bits RC4-SHA
Failed SSLv3 128 bits RC4-MD5
Failed SSLv3 40 bits EXP-RC4-MD5
Failed SSLv3 0 bits NULL-SHA
Failed SSLv3 0 bits NULL-MD5
Failed TLSv1 256 bits ADH-AES256-SHA
Failed TLSv1 256 bits DHE-RSA-AES256-SHA
Failed TLSv1 256 bits DHE-DSS-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Failed TLSv1 128 bits ADH-AES128-SHA
Failed TLSv1 128 bits DHE-RSA-AES128-SHA
Failed TLSv1 128 bits DHE-DSS-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Failed TLSv1 168 bits ADH-DES-CBC3-SHA
Failed TLSv1 56 bits ADH-DES-CBC-SHA
Failed TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Failed TLSv1 128 bits ADH-RC4-MD5
Failed TLSv1 40 bits EXP-ADH-RC4-MD5
Failed TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Failed TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Failed TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Failed TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Failed TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Failed TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Failed TLSv1 56 bits DES-CBC-SHA
Failed TLSv1 40 bits EXP-DES-CBC-SHA
Failed TLSv1 128 bits IDEA-CBC-SHA
Failed TLSv1 40 bits EXP-RC2-CBC-MD5
Failed TLSv1 128 bits RC4-SHA
Failed TLSv1 128 bits RC4-MD5
Failed TLSv1 40 bits EXP-RC4-MD5
Failed TLSv1 0 bits NULL-SHA
Failed TLSv1 0 bits NULL-MD5
首选服务器密码:SSLv3 168 位 DES-CBC3-SHA TLSv1 256 位 AES256-SHA
如您所见,RC4 不被接受为选项。我之前在 Windows 2003R2/IIS6 服务器上使用过相同的配置(TLS 1.1-1.2 除外),RC4 没有任何问题。
有人能帮我找出为什么 RC4 128/128 不工作吗?
谢谢!
答案1
RC4 不起作用的问题是必须在注册表中将其设置为 0xfffffff 或 4294967295,而不是 1 才能启用它。
下面是一些用于设置我们的 IIS 安装以符合 PCI 标准的 PowerShell 函数:
该函数用于启用/禁用所需的协议
function Set-IISSecurityProtocols {
$protopath = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
& reg.exe add "$protopath\PCT 1.0\Server" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
}
您可以使用此功能设置允许使用或不允许使用的密码
function Set-IISSupportedCiphers {
$cipherpath = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
& reg.exe add "$cipherpath\NULL" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\DES 56/56" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC2 40/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC2 56/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC2 128/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC4 40/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC4 56/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC4 64/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC4 128/128" /v Enabled /t REG_DWORD /d 4294967295 /f
& reg.exe add "$cipherpath\Triple DES 168/168" /v Enabled /t REG_DWORD /d 4294967295 /f
& reg.exe add "$cipherpath\AES 128/128" /v Enabled /t REG_DWORD /d 4294967295 /f
& reg.exe add "$cipherpath\AES 256/256" /v Enabled /t REG_DWORD /d 4294967295 /f
}
一旦设置了这些更改(据我所知需要重新启动),您就可以设置使用密码的优先级。
为了免疫 BEAST 漏洞,建议您首先使用 RC4,如 @ 所述http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vulnerability.php
这种情况将持续到
- 所有浏览器均已修复 BEAST 漏洞
- 或者每个人都开始支持 TLS1.2