RC4 密码在 Windows 2008 R2 / IIS 7.5 上不起作用

tag-icon tag-icon windows-server-2008 iis ssl
RC4 密码在 Windows 2008 R2 / IIS 7.5 上不起作用

我已将 schannel 配置为按照标准建议禁用不安全的协议和密码,但 Sslscan 仅将 AES 和 3DES 报告为可用的密码选项。虽然应该启用 RC4,并将其设置为首选密码,但它并没有作为选项出现。

schannel 注册表设置配置如下:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  Ciphers
    AES 128/128: Enabled (1)
    AES 256/256: Enabled (1)
    DES 56/56: Enabled (0)
    NULL: Enabled (0)
    RC2 128/128: Enabled (0)
    RC2 40/128: Enabled (0)
    RC2 56/128: Enabled (0)
    RC4 128/128: Enabled (1)
    RC4 40/128: Enabled (0)
    RC4 56/128: Enabled (0)
    RC4 64/128: Enabled (0)
    Triple DES 168/168: Enabled (1)
  Protocols
    PCT 1.0
      Server: Enabled (0)
    SSL 2.0
      Server: Enabled (0)
    SSL 3.0
      Server: Enabled (1)
    TLS 1.0
      Server: Enabled (1)
    TLS 1.1
      Server: DisabledByDefault (0), Enabled (1)
    TLS 1.2
      Server: DisabledByDefault (0), Enabled (1)
HKLM\SYSTEM\CurrentControlSet\Control\

SSLScan 的输出是:

Supported Server Cipher(s):
Rejected  SSLv2  168 bits  DES-CBC3-MD5
Rejected  SSLv2   56 bits  DES-CBC-MD5
Rejected  SSLv2  128 bits  IDEA-CBC-MD5
Rejected  SSLv2   40 bits  EXP-RC2-CBC-MD5
Rejected  SSLv2  128 bits  RC2-CBC-MD5
Rejected  SSLv2   40 bits  EXP-RC4-MD5
Rejected  SSLv2  128 bits  RC4-MD5
Failed    SSLv3  256 bits  ADH-AES256-SHA
Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA
Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA
Failed    SSLv3  256 bits  AES256-SHA
Failed    SSLv3  128 bits  ADH-AES128-SHA
Failed    SSLv3  128 bits  DHE-RSA-AES128-SHA
Failed    SSLv3  128 bits  DHE-DSS-AES128-SHA
Failed    SSLv3  128 bits  AES128-SHA
Failed    SSLv3  168 bits  ADH-DES-CBC3-SHA
Failed    SSLv3   56 bits  ADH-DES-CBC-SHA
Failed    SSLv3   40 bits  EXP-ADH-DES-CBC-SHA
Failed    SSLv3  128 bits  ADH-RC4-MD5
Failed    SSLv3   40 bits  EXP-ADH-RC4-MD5
Failed    SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
Failed    SSLv3   56 bits  EDH-RSA-DES-CBC-SHA
Failed    SSLv3   40 bits  EXP-EDH-RSA-DES-CBC-SHA
Failed    SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
Failed    SSLv3   56 bits  EDH-DSS-DES-CBC-SHA
Failed    SSLv3   40 bits  EXP-EDH-DSS-DES-CBC-SHA
Accepted  SSLv3  168 bits  DES-CBC3-SHA
Failed    SSLv3   56 bits  DES-CBC-SHA
Failed    SSLv3   40 bits  EXP-DES-CBC-SHA
Failed    SSLv3  128 bits  IDEA-CBC-SHA
Failed    SSLv3   40 bits  EXP-RC2-CBC-MD5
Failed    SSLv3  128 bits  RC4-SHA
Failed    SSLv3  128 bits  RC4-MD5
Failed    SSLv3   40 bits  EXP-RC4-MD5
Failed    SSLv3    0 bits  NULL-SHA
Failed    SSLv3    0 bits  NULL-MD5
Failed    TLSv1  256 bits  ADH-AES256-SHA
Failed    TLSv1  256 bits  DHE-RSA-AES256-SHA
Failed    TLSv1  256 bits  DHE-DSS-AES256-SHA
Accepted  TLSv1  256 bits  AES256-SHA
Failed    TLSv1  128 bits  ADH-AES128-SHA
Failed    TLSv1  128 bits  DHE-RSA-AES128-SHA
Failed    TLSv1  128 bits  DHE-DSS-AES128-SHA
Accepted  TLSv1  128 bits  AES128-SHA
Failed    TLSv1  168 bits  ADH-DES-CBC3-SHA
Failed    TLSv1   56 bits  ADH-DES-CBC-SHA
Failed    TLSv1   40 bits  EXP-ADH-DES-CBC-SHA
Failed    TLSv1  128 bits  ADH-RC4-MD5
Failed    TLSv1   40 bits  EXP-ADH-RC4-MD5
Failed    TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
Failed    TLSv1   56 bits  EDH-RSA-DES-CBC-SHA
Failed    TLSv1   40 bits  EXP-EDH-RSA-DES-CBC-SHA
Failed    TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
Failed    TLSv1   56 bits  EDH-DSS-DES-CBC-SHA
Failed    TLSv1   40 bits  EXP-EDH-DSS-DES-CBC-SHA
Accepted  TLSv1  168 bits  DES-CBC3-SHA
Failed    TLSv1   56 bits  DES-CBC-SHA
Failed    TLSv1   40 bits  EXP-DES-CBC-SHA
Failed    TLSv1  128 bits  IDEA-CBC-SHA
Failed    TLSv1   40 bits  EXP-RC2-CBC-MD5
Failed    TLSv1  128 bits  RC4-SHA
Failed    TLSv1  128 bits  RC4-MD5
Failed    TLSv1   40 bits  EXP-RC4-MD5
Failed    TLSv1    0 bits  NULL-SHA
Failed    TLSv1    0 bits  NULL-MD5

首选服务器密码:SSLv3 168 位 DES-CBC3-SHA TLSv1 256 位 AES256-SHA

如您所见,RC4 不被接受为选项。我之前在 Windows 2003R2/IIS6 服务器上使用过相同的配置(TLS 1.1-1.2 除外),RC4 没有任何问题。

有人能帮我找出为什么 RC4 128/128 不工作吗?

谢谢!

答案1

RC4 不起作用的问题是必须在注册表中将其设置为 0xfffffff 或 4294967295,而不是 1 才能启用它。

下面是一些用于设置我们的 IIS 安装以符合 PCI 标准的 PowerShell 函数:

该函数用于启用/禁用所需的协议

function Set-IISSecurityProtocols {
$protopath = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
& reg.exe add "$protopath\PCT 1.0\Server" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f

}

您可以使用此功能设置允许使用或不允许使用的密码

function Set-IISSupportedCiphers {
$cipherpath = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
& reg.exe add "$cipherpath\NULL" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\DES 56/56" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC2 40/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC2 56/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC2 128/128" /v Enabled /t REG_DWORD /d 00000000 /f 
& reg.exe add "$cipherpath\RC4 40/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC4 56/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC4 64/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC4 128/128" /v Enabled /t REG_DWORD /d 4294967295 /f
& reg.exe add "$cipherpath\Triple DES 168/168" /v Enabled /t REG_DWORD /d 4294967295 /f
& reg.exe add "$cipherpath\AES 128/128" /v Enabled /t REG_DWORD /d 4294967295 /f 
& reg.exe add "$cipherpath\AES 256/256" /v Enabled /t REG_DWORD /d 4294967295 /f

}

一旦设置了这些更改(据我所知需要重新启动),您就可以设置使用密码的优先级。

为了免疫 BEAST 漏洞,建议您首先使用 RC4,如 @ 所述http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vulnerability.php

这种情况将持续到

  • 所有浏览器均已修复 BEAST 漏洞
  • 或者每个人都开始支持 TLS1.2

相关内容