A while back a string of SSL vulnerabilities was disclosed. After a long search I found, via Google, a way to disable SSL 2.0 and enable TLS 1.1 and TLS 1.2 on Windows Server 2008.
First confirm whether your server is actually affected by an SSL vulnerability. Open https://sslcheck.globalsign.com/cn , enter your domain name, confirm, and wait for the result. If no SSL vulnerability is reported, congratulations. If one is, it can be fixed with the following PowerShell commands:
```powershell
# Enables TLS 1.2 on Windows Server 2008 R2 and Windows 7
# These keys do not exist so they need to be created prior to setting values.
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"

# Enable TLS 1.2 for client and server SCHANNEL communications
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "Enabled" -value 1 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "Enabled" -value 1 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "DisabledByDefault" -value 0 -PropertyType "DWord"

# Disable SSL 2.0 (PCI Compliance)
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -name Enabled -value 0 -PropertyType "DWord"

# SCHANNEL reads these keys at boot: reboot the server for the change to take effect.
```
After the commands finish, open the Registry Editor and check that the keys look like the screenshot below:
Then go back to https://sslcheck.globalsign.com/cn and run the check again.
Reference link
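As an added example (not from the original post or the referenced article), the following script does the same registry change in a re-runnable way and adds a read-back function that reports the state of each SCHANNEL protocol key, which is the check the Registry Editor step above is meant to cover. The function names and the protocol list are my own choices; it must be run from an elevated PowerShell session.

```powershell
# Added helper, not part of the original post. Audits and sets the SCHANNEL protocol keys.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')

function Get-SchannelProtocolState {
    param([string[]]$Names = $Protocols)
    foreach ($name in $Names) {
        foreach ($side in 'Server', 'Client') {
            $path = Join-Path $SchannelRoot "$name\$side"
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $path) {
                $props             = Get-ItemProperty -Path $path
                $enabled           = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            # Missing key or missing Enabled value: SCHANNEL uses the OS default for that protocol.
            $state = 'OS default'
            if ($null -ne $enabled) {
                if ($enabled -eq 0) { $state = 'Disabled' }
                elseif ($disabledByDefault -eq 1) { $state = 'Enabled (not by default)' }
                else { $state = 'Enabled' }
            }
            [pscustomobject]@{
                Protocol = $name; Side = $side; Enabled = $enabled
                DisabledByDefault = $disabledByDefault; State = $state
            }
        }
    }
}

function Set-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][bool]$Enable)
    foreach ($side in 'Server', 'Client') {
        $path = Join-Path $SchannelRoot "$Name\$side"
        # New-Item -Force creates missing parent keys and succeeds if the key already exists,
        # so unlike the md / new-itemproperty sequence this can be run more than once.
        New-Item -Path $path -Force | Out-Null
        Set-ItemProperty -Path $path -Name 'Enabled' -Value ([int]$Enable) -Type DWord
        Set-ItemProperty -Path $path -Name 'DisabledByDefault' -Value ([int](-not $Enable)) -Type DWord
    }
}

# Example run: enable TLS 1.2, disable SSL 2.0, then print the resulting configuration.
# A reboot is still needed before SCHANNEL picks up the new values.
Set-SchannelProtocol -Name 'TLS 1.2' -Enable $true
Set-SchannelProtocol -Name 'SSL 2.0' -Enable $false
Get-SchannelProtocolState | Format-Table -AutoSize
```

Compare the table against the online check: a protocol shown as "OS default" here is whatever the Windows version ships with, so it is worth setting explicitly rather than relying on it.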
http://www.derekseaman.com/2010/06/enable-tls-12-aes-256-and-sha-256-in.html
--- Update 2017-10-18
Today I ran into the same requirement again and found a better tool that lets you enable the cipher configuration through settings