SSL/TLS 握手失败

SSL/TLS 握手失败

配置

  • Windows 2008R2 RDS 服务器RDS01
  • Windows 2008R2 RDS 服务器RDS02
  • Windows 2012R2 RemoteApp 服务器APP01

问题

呼叫网址https://APP01.domain.local/rdweb

致命错误握手

  • 来自RDS02:响应代码 200,证书链正常

成功握手


诊断

使用安全诊断工具来自RDS01(握手失败已删除):

-= SUMMARY =-
Weak:         0
Intermediate: 0
Strong:       0

APP01接受 0 SSL 握手配置

使用安全诊断工具来自RDS02(握手失败已删除):

[+] Testing STRONG: TLS 1, ECDHE-RSA-AES256-SHA (256 bits) ... CONNECT_OK SEND_OK RECEIVE_OK CERT_OK
[+] Testing STRONG: TLS 1, DHE-RSA-AES256-SHA (256 bits) ... CONNECT_OK SEND_OK RECEIVE_OK CERT_OK
[+] Testing STRONG: TLS 1, ECDHE-RSA-AES128-SHA (128 bits) ... CONNECT_OK SEND_OK RECEIVE_OK CERT_OK
[+] Testing STRONG: TLS 1, DHE-RSA-AES128-SHA (128 bits) ... CONNECT_OK SEND_OK RECEIVE_OK CERT_OK
[+] Testing STRONG: TLS 1.1, ECDHE-RSA-AES256-SHA (256 bits) ... CONNECT_OK SEND_OK RECEIVE_OK CERT_OK
[+] Testing STRONG: TLS 1.1, DHE-RSA-AES256-SHA (256 bits) ... CONNECT_OK SEND_OK RECEIVE_OK CERT_OK
[+] Testing STRONG: TLS 1.1, ECDHE-RSA-AES128-SHA (128 bits) ... CONNECT_OK SEND_OK RECEIVE_OK CERT_OK
[+] Testing STRONG: TLS 1.2, ECDHE-RSA-AES256-SHA384 (256 bits) ... CONNECT_OK SEND_OK RECEIVE_OK CERT_OK
[+] Testing STRONG: TLS 1.2, ECDHE-RSA-AES256-SHA (256 bits) ... CONNECT_OK SEND_OK RECEIVE_OK CERT_OK
[+] Testing STRONG: TLS 1.2, DHE-RSA-AES256-GCM-SHA384 (256 bits) ... CONNECT_OK SEND_OK RECEIVE_OK CERT_OK
[+] Testing STRONG: TLS 1.2, DHE-RSA-AES256-SHA (256 bits) ... CONNECT_OK SEND_OK RECEIVE_OK CERT_OK
[+] Testing STRONG: TLS 1.2, ECDHE-RSA-AES128-SHA256 (128 bits) ... CONNECT_OK SEND_OK RECEIVE_OK CERT_OK
[+] Testing STRONG: TLS 1.2, ECDHE-RSA-AES128-SHA (128 bits) ... CONNECT_OK SEND_OK RECEIVE_OK CERT_OK
[+] Testing STRONG: TLS 1.2, DHE-RSA-AES128-GCM-SHA256 (128 bits) ... CONNECT_OK SEND_OK RECEIVE_OK CERT_OK
[+] Testing STRONG: TLS 1.2, DHE-RSA-AES128-SHA (128 bits) ... CONNECT_OK SEND_OK RECEIVE_OK CERT_OK

-= SUMMARY =-
Weak:         0
Intermediate: 0
Strong:       15

APP01接受 15 次 SSL 握手配置


频道

  • RDS01SSL 选项激活 SSL 选项激活

  • RDS02SSL 选项激活 SSL 选项激活


帮助

欢迎任何帮助解决此问题的帮助


编辑1

此处,RDS01使用 IIS Crypto 手动启用所有(SSL 2.0 除外)后,SCHANNEL 注册表配置单元导出,以明确声明它们已启用

{schannel}=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

[{schannel}]
"EventLogging"=dword:00000001

[{schannel}\Ciphers]

[{schannel}\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff

[{schannel}\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff

[{schannel}\Ciphers\DES 56/56]
"Enabled"=dword:ffffffff

[{schannel}\Ciphers\NULL]
"Enabled"=dword:ffffffff

[{schannel}\Ciphers\RC2 128/128]
"Enabled"=dword:ffffffff

[{schannel}\Ciphers\RC2 40/128]
"Enabled"=dword:ffffffff

[{schannel}\Ciphers\RC2 56/128]
"Enabled"=dword:ffffffff

[{schannel}\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff

[{schannel}\Ciphers\RC4 40/128]
"Enabled"=dword:ffffffff

[{schannel}\Ciphers\RC4 56/128]
"Enabled"=dword:ffffffff

[{schannel}\Ciphers\RC4 64/128]
"Enabled"=dword:ffffffff

[{schannel}\Ciphers\Triple DES 168]
"Enabled"=dword:ffffffff

[{schannel}\CipherSuites]

[{schannel}\Hashes]

[{schannel}\Hashes\MD5]
"Enabled"=dword:ffffffff

[{schannel}\Hashes\SHA]
"Enabled"=dword:ffffffff

[{schannel}\Hashes\SHA256]
"Enabled"=dword:ffffffff

[{schannel}\Hashes\SHA384]
"Enabled"=dword:ffffffff

[{schannel}\Hashes\SHA512]
"Enabled"=dword:ffffffff

[{schannel}\KeyExchangeAlgorithms]

[{schannel}\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:ffffffff

[{schannel}\KeyExchangeAlgorithms\ECDH]
"Enabled"=dword:ffffffff

[{schannel}\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff

[{schannel}\Protocols]

[{schannel}\Protocols\Multi-Protocol Unified Hello]

[{schannel}\Protocols\Multi-Protocol Unified Hello\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[{schannel}\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[{schannel}\Protocols\PCT 1.0]

[{schannel}\Protocols\PCT 1.0\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[{schannel}\Protocols\PCT 1.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[{schannel}\Protocols\SSL 2.0]

[{schannel}\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[{schannel}\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[{schannel}\Protocols\SSL 3.0]

[{schannel}\Protocols\SSL 3.0\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[{schannel}\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[{schannel}\Protocols\TLS 1.0]

[{schannel}\Protocols\TLS 1.0\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[{schannel}\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[{schannel}\Protocols\TLS 1.1]

[{schannel}\Protocols\TLS 1.1\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[{schannel}\Protocols\TLS 1.1\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[{schannel}\Protocols\TLS 1.2]

[{schannel}\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[{schannel}\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

答案1

过去,我曾因以不向后兼容的方式设置客户端通道而感到困扰。您可能应该查看 RDS01 上的客户端协议。

在你的情况下,我会使用 IIS Crypto 来启用全部通过选中所有框并使用“设置客户端协议”设置来(临时)在 RDS01 上设置客户端协议,然后在没有“设置客户端协议”的情况下应用最佳实践。

这应该可以排除任何客户端配置问题。

编辑:

如果这不起作用,我建议使用 Wireshark 来捕获和分析握手,并准确查看 RDS01 呈现的加密套件。我个人会在 APP01 上运行它,这样我就可以轻松地比较好的握手和坏的握手。

答案2

使用 WireShark 进行调试时,我发现了大量 TCP 碎片和重传。调整路由器后卫星发射系统设置,SSL 握手已正确建立。

抱歉,问题不完整,RDS01和服务器位于通过 IPSec VPN 网关RDS02连接到网络的同一网络上。由于正在运行,我没有考虑这种可能性。APP01RDS02

为了解决我的问题,我使用了这个表格并发现 MMS = 1384

  1500   Standard MTU
-   20   IP Header
-   24   GRE Encaps.
-   52   IPSec Encaps.
-  (8)   PPPoE (optional)
-   20   TCP Header
-------
= 1384   MMS

打开路由器管理页面并设置新的 MTU 或 MSS

相关内容