IIS/SMTP - Disable SSLv2


I am trying to disable SSL 2 on an IIS/SMTP server. We are running Windows Server 2008 R2 Enterprise (64-bit). We use IIS 6 Manager to manage the SMTP virtual server. I have tried several methods, none of which has worked. I do a full restart after every change.

I am testing from another server with the following command, and it still shows as connecting over SSL 2:

$ openssl s_client -debug -connect servername:25 -ssl2
CONNECTED(00000003)
write to 0x600078840 [0x600181951] (45 bytes => 45 (0x2D))
0000 - 80 2b 01 00 02 00 12 00-00 00 10 03 00 80 01 00   .+..............
0010 - 80 07 00 c0 06 00 40 04-00 80 02 00 80 ba 66 21   ......@.......f!
0020 - fe 2d 4c 49 44 b9 23 e5-f9 10 a5 21 7f            .-LID.#....!.
read from 0x600078840 [0x600070790] (2 bytes => 2 (0x2))
0000 - 32 32                                             22
read from 0x600078840 [0x600070792] (12851 bytes => 123 (0x7B))
0000 - 30 20 6d 61 69 6c 2e 65-67 32 2e 66 69 65 6c 64   0 mail.ourdomain
0010 - 67 6c 61 73 73 2e 6e 65-74 20 4d 69 63 72 6f 73   name.net Micros
0020 - 6f 66 74 20 45 53 4d 54-50 20 4d 41 49 4c 20 53   oft ESMTP MAIL S
0030 - 65 72 76 69 63 65 2c 20-56 65 72 73 69 6f 6e 3a   ervice, Version:
0040 - 20 37 2e 35 2e 37 36 30-31 2e 31 37 35 31 34 20    7.5.7601.17514
0050 - 72 65 61 64 79 20 61 74-20 20 57 65 64 2c 20 38   ready at  Wed, 8
0060 - 20 4a 75 6c 20 32 30 31-35 20 31 34 3a 32 36 3a    Jul 2015 14:26:
0070 - 31 35 20 2b 30 30 30 30-20 0d 0a                  15 +0000 ..

I first followed Microsoft's recommendation: https://support.microsoft.com/en-us/kb/187498

I used SSL 2.0 instead of PCT 1.0:

To disable the PCT 1.0 protocol so that IIS does not attempt to negotiate using the PCT 1.0 protocol, follow these steps:

Click Start, click Run, type regedt32 or type regedit, and then click OK. In Registry Editor, locate the following registry key: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server

On the Edit menu, click Add Value. In the Data Type list, click DWORD. In the Value Name box, type Enabled, and then click OK.

Note: if this value already exists, double-click the value to edit its current data. Type 00000000 in the Binary Editor to set the value of the new key to "0". Click OK. Restart the computer.

I also tried this method: http://forums.iis.net/t/1151822.aspx?Disable+SSL+v2+in+IIS7+

I even tried using IIS Crypto, but it still shows as connecting over SSL 2.
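One detail worth checking in the captured output above: the bytes the server sent back (32 32 30 20 6d 61 69 6c ...) are the plaintext SMTP greeting "220 mail... Microsoft ESMTP MAIL Service ... ready". Port 25 starts in the clear, so openssl's CONNECTED line only reports the TCP connect, and the SSLv2 ClientHello it wrote was answered by the SMTP banner, not by an SSL handshake. The registry setting can only be judged after STARTTLS, which `openssl s_client` does with `-starttls smtp`. The PowerShell below is an added example, not part of the original question or answer: it performs the plaintext EHLO/STARTTLS exchange itself and then tries each protocol version through .NET's SslStream, so it can be run from the same "other server". `servername`, the port and the EHLO hostname are placeholders; the Tls11/Tls12 enum values exist only on .NET 4.5 and later, and SSL 2 is also refused by the client side on current Windows builds, so a failure message that mentions the client means the probing machine, not the SMTP server, dropped the protocol.

```powershell
# Added example (not from the original post): probe which SSL/TLS versions an
# SMTP server accepts after STARTTLS. Host, port and EHLO name are placeholders.
param(
    [string]$Server = 'servername',
    [int]$Port = 25
)

function Read-SmtpReply {
    # Returns the final line of a (possibly multi-line) SMTP reply, e.g. "220 ..." or "250 ...".
    param([System.IO.StreamReader]$Reader)
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'connection closed by server' }
    } while ($line.Length -ge 4 -and $line[3] -eq '-')   # "250-" continues, "250 " ends the reply
    return $line
}

function Test-SmtpTlsProtocol {
    param(
        [string]$ComputerName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        # Plaintext part of the session: this 220 greeting is what the question's hex dump shows.
        $banner = Read-SmtpReply $reader
        if (-not $banner.StartsWith('220')) { throw "unexpected greeting: $banner" }
        $writer.WriteLine('EHLO probe.example')          # placeholder client name
        $null = Read-SmtpReply $reader
        $writer.WriteLine('STARTTLS')
        $reply = Read-SmtpReply $reader
        if (-not $reply.StartsWith('220')) {
            return New-Object PSObject -Property @{ Protocol = $Protocol; Result = 'STARTTLS refused'; Detail = $reply }
        }

        # Only now does the TLS handshake happen. Any certificate is accepted on purpose:
        # this tests protocol support, not the server's identity.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
            $detail = '{0}, {1} {2}-bit' -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.CipherStrength
            return New-Object PSObject -Property @{ Protocol = $Protocol; Result = 'NEGOTIATED'; Detail = $detail }
        } catch {
            $msg = $_.Exception.GetBaseException().Message
            return New-Object PSObject -Property @{ Protocol = $Protocol; Result = 'not negotiated'; Detail = $msg }
        }
    } finally {
        $client.Close()
    }
}

# Ssl2 is the one the question is about; the others give the full picture of the server.
$results = foreach ($name in 'Ssl2', 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    try {
        $proto = [System.Security.Authentication.SslProtocols]$name
    } catch {
        Write-Warning "$name is not known to this .NET runtime; skipped"
        continue
    }
    Test-SmtpTlsProtocol -ComputerName $Server -Port $Port -Protocol $proto
}
$results | Select-Object Protocol, Result, Detail | Format-Table -AutoSize
```

A fresh TCP connection is opened per protocol because an SMTP session cannot issue STARTTLS twice. The equivalent one-liner with OpenSSL is `openssl s_client -connect servername:25 -starttls smtp -ssl2`; a server with SSL 2.0 disabled in SCHANNEL answers that with a handshake failure rather than a Protocol/Cipher summary.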

Answer 1

This is an excerpt from a PowerShell script I wrote a few months ago that does a lot of protocol-support and cipher related things. I wrote it specifically for Server 2008 R2.

# Disable SSL 2.0 (PCI Compliance)
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -name Enabled -value 0 -PropertyType "DWord"

This just creates and sets a registry key, which means the server will no longer support incoming SSL 2.0 connections. You can run this on the relevant server to disable SSL 2.0.

In case you are interested, here is the full script. Please review its relevance to your scenario before using it, because it drops support for clients running older operating systems and browsers. Also, these settings are tailored to a web server.

# Enables TLS 1.1 & 1.2 and disables SSL 2.0 and SSL 3.0 (both as client and server) on Windows Server 2008 R2 and Windows 7. Additionally it reorders a few cipher suites to prefer stronger ciphers and disables RC4 ciphers.

# These keys do not exist so they need to be created prior to setting values.
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client"

# These keys do not exist so they need to be created prior to setting values.
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"

# Enable TLS 1.1 for client and server SCHANNEL communications
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -name "Enabled" -value 1 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -name "Enabled" -value 1 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -name "DisabledByDefault" -value 0 -PropertyType "DWord"

# Enable TLS 1.2 for client and server SCHANNEL communications
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "Enabled" -value 1 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "Enabled" -value 1 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "DisabledByDefault" -value 0 -PropertyType "DWord"

# Disable SSL 2.0 (PCI Compliance)
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -name Enabled -value 0 -PropertyType "DWord"

# Disable SSL 3.0 (POODLE)
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" -name Enabled -value 0 -PropertyType "DWord"

# Set preferred cipher suites
new-itemproperty -path "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" -name Functions -value "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" -PropertyType "String"

# These keys do not exist so they need to be created prior to setting values.
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128"

# Disable RC4 ciphers
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" -name "Enabled" -value 0 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" -name "Enabled" -value 0 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" -name "Enabled" -value 0 -PropertyType "DWord"
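The script above is written for a first run on a clean server: `md` stops with "already exists" when the key is present, and `new-itemproperty` does the same when the value is present, which is exactly the state a machine is in after IIS Crypto or an earlier attempt has touched these keys. The following is an added example, not the answer's own script, that applies the same SCHANNEL protocol settings in a re-runnable way (`New-Item -Force` and `Set-ItemProperty` create or overwrite as needed) and reads the effective registry state back so the result can be checked before the reboot. The protocol list and the choice to disable both Server and Client sides are assumptions for a 2008 R2 host; the IIS 6 SMTP service uses SCHANNEL for STARTTLS, so the same keys govern port 25 and port 443.

```powershell
# Added example (not the answer's script): idempotent SCHANNEL protocol settings
# plus a read-back of what the registry actually contains.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory = $true)][string]$Protocol,            # 'SSL 2.0', 'TLS 1.2', ...
        [ValidateSet('Server', 'Client')][string[]]$Side = @('Server', 'Client'),
        [Parameter(Mandatory = $true)][bool]$Enabled
    )
    foreach ($s in $Side) {
        $key = Join-Path $SchannelProtocols "$Protocol\$s"
        # -Force creates missing parent keys and is a no-op when the key already exists
        $null = New-Item -Path $key -Force
        # Set-ItemProperty creates the value if it is absent and overwrites it if it is present
        Set-ItemProperty -Path $key -Name 'Enabled' -Value ([int]$Enabled) -Type DWord
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) -Type DWord
    }
}

function Get-SchannelProtocolState {
    # Report what is in the registry; '(default)' means no value is set and the OS default applies.
    foreach ($proto in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($s in 'Server', 'Client') {
            $key = Join-Path $SchannelProtocols "$proto\$s"
            $enabled = '(default)'
            $disabledByDefault = '(default)'
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                if ($null -ne $props.Enabled)           { $enabled = $props.Enabled }
                if ($null -ne $props.DisabledByDefault) { $disabledByDefault = $props.DisabledByDefault }
            }
            New-Object PSObject -Property @{
                Protocol = $proto; Side = $s; Enabled = $enabled; DisabledByDefault = $disabledByDefault
            }
        }
    }
}

# SSL 2.0 and 3.0 off in both directions: the SMTP service is also a TLS client
# when it relays outbound mail over STARTTLS.
Set-SchannelProtocol -Protocol 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enabled $false
# TLS 1.1 and 1.2 are present but not enabled by default on 2008 R2; turn them on
# so that a modern protocol remains after the old ones are removed.
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $true
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

Get-SchannelProtocolState | Select-Object Protocol, Side, Enabled, DisabledByDefault | Format-Table -AutoSize
Write-Host 'SCHANNEL reads these values at boot: restart the server before re-testing.'
```

Run it in an elevated PowerShell session. The read-back table is the thing to compare against IIS Crypto's view; if `SSL 2.0\Server` shows `Enabled = 0` and the probe from the other server still negotiates SSL 2 after STARTTLS, the server has not been rebooted since the value was written.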
