简单几步让网站支持https,windows iis下https配置方式
1.https证书的分类
SSL证书没有所谓的"品质"和"等级"之分,只有三种不同的类型。
SSL证书需要向国际公认的证书证书认证机构(简称CA,Certificate Authority)申请。
CA机构颁发的证书有3种类型:
域名型SSL证书(DV SSL):信任等级普通,只需验证网站的真实性便可颁发证书保护网站;
企业型SSL证书(OV SSL):信任等级强,须要验证企业的身份,审核严格,安全性更高;
增强型SSL证书(EV SSL):信任等级最高,一般用于银行证券等金融机构,审核严格,安全性最高,同时可以激活绿色网址栏。
我们只要使用DV证书就可以了,一般来说我们申请到的免费ssl证书都是dv证书。
2.申请免费的证书
2.1 自签名惹的祸
Ca证书必须要可信任的机构颁发才可以信任,自签名证书就是自己给自己签名,没有通过第三方CA机构颁发。浏览器默认添加了一些可信任的CA机构,都是通过国际Web Trust认证的。
如果你的CA证书不是这些浏览器里默认添加的可信任的CA机构签发的话,那么就会出现像12306这样的笑话。
2.2申请免费的DV证书
Let's Encrypt是国外一个公共的免费SSL项目,由 Linux 基金会托管,由Mozilla、思科、Akamai、IdenTrust和EFF等组织发起,靠谱!
申请免费的证书可以参考这篇文章,工具和步骤都非常的完整,这里就不累述了
http://www.cnblogs.com/teamblog/p/6219204.html
最后申请完之后iis的配置就是新建一个网站,其他都不用配置,就可以了,老的网站不要删除,如果要强制https访问的话可以再搜索其他的文章,这里不再展开
3.https网站安全验证
https已经可以访问了,但是https就一定是安全的吗,我们可以通过下面这个网站进一步检查你的网站的安全性,主要是从https的安全性去测试
https://www.ssllabs.com/ssltest/analyze.html
可能一开始测试是个F,像我一开始测试就是个F,这是因为操作系统的默认设置里有很多不安全的设置,需要我们手动来配置修改。
可以仔细看下面的说明,没有开启TLS1.2 ,RC4已经过时了,Forward Secrecy支持的不好等等。
4.为了A+不断修改
这里大段的删除线是我一下午的心血,哪怕最后发现了powerShell脚本可以一次性完成上面所有的工作,你可以不看,但请尊重我的劳动
4.1 关闭SLL2和SSL3
找到HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols右键->新建->项->新建SSL 2.0,SSL 3.0
SSL 2.0和SSL 3.0 中间是有空格的!!!
在SSL 2.0 和 SSL 3.0上分别右键->新建->项->新建Server, Client
在新建的Server和Client中都新建如下的项(DWORD 32位值),
DisabledByDefault 值1
Enabled 值0
总共8个
、
4.2 开启TLS1.0 1.1 1.2
还是在刚才的目录下面,新建3个TLS 1.0 ,TLS 1.1,TLS 1.2
然后分别在下面建立Client,Server
然后跟一样在每个里面建立下面的项(DWORD 32位值)
DisabledByDefault 值 0
Enabled 值1
图都一样,就不重复截图了
完成上面的步骤后重启服务器就可以看到效果了
4.3 关闭RC4
这里的步骤更复杂,但和上面大同小异 ,无非就是在注册表里创建项,设置键值。
但是做到这里,我发现最后一步的powerShell脚本把所有的事都做了。所以后面的步骤我们都省略吧!!!!!!!!
4.5 修改ssl配置设置
别的我就说,在这个ssl配置的时候我尝试了很多种Cipher Suites的配置方式,包括参考别人A+的网站上报告里的配置,一个一个复制出来,每次都要重启服务器,重新测试,花了好多时间,最后终于评价成为A-,剩下一个Forward Secrecy的问题,结果搜索到一份powershell的脚本,问题是一步一步处理的,没毛病,但最后找到一个脚本一次性解决了前面所有的问题,所以分享出来给大家,减少大家走弯路的时间
4.6 最后配置 Forward Secrecy
4.7 一键配置的powershell脚本
Powershell脚本原文:
https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
使用方法是,开始-》运行-》输入powershell,打开类似cmd窗口的命令行工具,然后直接复制脚本进去执行就ok了。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 | # Copyright 2016, Alexander Hass# http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12## Version 1.7# - Windows Version compare failed. Get-CimInstance requires Windows 2012 or later.# Version 1.6# - OS version detection for cipher suites order.# Version 1.5# - Enabled ECDH and more secure hash functions and reorderd cipher list.# - Added Client setting for all ciphers.# Version 1.4# - RC4 has been disabled.# Version 1.3# - MD5 has been disabled.# Version 1.2# - Re-factored code style and output# Version 1.1# - SSLv3 has been disabled. (Poodle attack protection) Write-Host 'Configuring IIS with SSL/TLS Deployment Best Practices...'Write-Host '--------------------------------------------------------------------------------' # Disable Multi-Protocol Unified HelloNew-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-NullNew-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-NullWrite-Host 'Multi-Protocol Unified Hello has been disabled.' # Disable PCT 1.0New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-NullNew-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-NullWrite-Host 'PCT 1.0 has been disabled.' # Disable SSL 2.0 (PCI Compliance)New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-NullNew-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-NullWrite-Host 'SSL 2.0 has been disabled.' # NOTE: If you disable SSL 3.0 the you may lock out some people still using# Windows XP with IE6/7. Without SSL 3.0 enabled, there is no protocol available# for these people to fall back. Safer shopping certifications may require that# you disable SSLv3.## Disable SSL 3.0 (PCI Compliance) and enable "Poodle" protectionNew-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-NullNew-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-NullWrite-Host 'SSL 3.0 has been disabled.' # Add and Enable TLS 1.0 for client and server SCHANNEL communicationsNew-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-NullNew-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-NullWrite-Host 'TLS 1.0 has been enabled.' # Add and Enable TLS 1.1 for client and server SCHANNEL communicationsNew-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-NullNew-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-NullWrite-Host 'TLS 1.1 has been enabled.' # Add and Enable TLS 1.2 for client and server SCHANNEL communicationsNew-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-NullNew-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-NullWrite-Host 'TLS 1.2 has been enabled.' # Re-create the ciphers key.New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null # Disable insecure/weak ciphers.$insecureCiphers = @( 'DES 56/56', 'NULL', 'RC2 128/128', 'RC2 40/128', 'RC2 56/128', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128')Foreach ($insecureCipher in $insecureCiphers) { $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($insecureCipher) $key.SetValue('Enabled', 0, 'DWord') $key.close() Write-Host "Weak cipher $insecureCipher has been disabled."} # Enable new secure ciphers.# - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2.# - 3DES: It is recommended to disable these in near future. This is the last cipher supported by Windows XP.# - Windows Vista and before 'Triple DES 168' was named 'Triple DES 168/168' per https://support.microsoft.com/en-us/kb/245030$secureCiphers = @( 'AES 128/128', 'AES 256/256', 'Triple DES 168')Foreach ($secureCipher in $secureCiphers) { $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($secureCipher) New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$secureCipher" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null $key.close() Write-Host "Strong cipher $secureCipher has been enabled."} # Set hashes configuration.New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes' -Force | Out-NullNew-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Force | Out-NullNew-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null $secureHashes = @( 'SHA', 'SHA256', 'SHA384', 'SHA512')Foreach ($secureHash in $secureHashes) { $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes', $true).CreateSubKey($secureHash) New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$secureHash" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null $key.close() Write-Host "Hash $secureHash has been enabled."} # Set KeyExchangeAlgorithms configuration.New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms' -Force | Out-Null$secureKeyExchangeAlgorithms = @( 'Diffie-Hellman', 'ECDH', 'PKCS')Foreach ($secureKeyExchangeAlgorithm in $secureKeyExchangeAlgorithms) { $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms', $true).CreateSubKey($secureKeyExchangeAlgorithm) New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$secureKeyExchangeAlgorithm" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null $key.close() Write-Host "KeyExchangeAlgorithm $secureKeyExchangeAlgorithm has been enabled."} # Set cipher suites order as secure as possible (Enables Perfect Forward Secrecy).$os = Get-WmiObject -class Win32_OperatingSystemif ([System.Version]$os.Version -lt [System.Version]'10.0') { Write-Host 'Use cipher suites order for Windows 2008R2/2012/2012R2.' $cipherSuitesOrder = @( 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' )}else { Write-Host 'Use cipher suites order for Windows 10/2016 and later.' $cipherSuitesOrder = @( 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA' )}$cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder)# One user reported this key does not exists on Windows 2012R2. Cannot repro myself on a brand new Windows 2012R2 core machine. Adding this just to be save.New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -ErrorAction SilentlyContinueNew-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null Write-Host '--------------------------------------------------------------------------------'Write-Host 'NOTE: After the system has been rebooted you can verify your server'Write-Host ' configuration at https://www.ssllabs.com/ssltest/'Write-Host "--------------------------------------------------------------------------------`n" Write-Host -ForegroundColor Red 'A computer restart is required to apply settings. Restart computer now?'Restart-Computer -Force -Confirm |
4.8 最后成功评价到A
至于A+还应该怎么做,我也不知道该怎么做下去了,一下午的劳动最后一个脚本就全部搞定了,为了防止大家再走弯路分享给大家,希望大家都能评价到A+。
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· Linux系列:如何用 C#调用 C方法造成内存泄露
· AI与.NET技术实操系列(二):开始使用ML.NET
· 记一次.NET内存居高不下排查解决与启示
· 探究高空视频全景AR技术的实现原理
· 理解Rust引用及其生命周期标识(上)
· 阿里最新开源QwQ-32B,效果媲美deepseek-r1满血版,部署成本又又又降低了!
· 单线程的Redis速度为什么快?
· SQL Server 2025 AI相关能力初探
· AI编程工具终极对决:字节Trae VS Cursor,谁才是开发者新宠?
· 展开说说关于C#中ORM框架的用法!