Appendix 3: Remediation for the corresponding Windows vulnerability:

1) Open Windows Internet Properties and go to Advanced - Security: uncheck TLS 1.0 and 1.1 and keep only 1.2; leave 1.3 unchecked as well.

2) Open Group Policy (gpedit.msc) and disable the weak cipher algorithms. Configure as follows:

The default cipher suites once the setting is enabled are:

TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_128_GCM_SHA256,TLS_PSK_WITH_AES_256_CBC_SHA384,TLS_PSK_WITH_AES_128_CBC_SHA256,TLS_PSK_WITH_NULL_SHA384,TLS_PSK_WITH_NULL_SHA256

However, the list above is subject to a limit: it cannot exceed 1,023 characters. The cipher list above is the one compiled by Steve Gibson on GRC.com and is recommended. The list must be one unbroken string, with each cipher separated by a comma. Copy the formatted text, paste it into the "SSL Cipher Suites" field, and click OK. Finally, the OS must be restarted for the change to take effect.

Note: remove the cipher suites identified as weak from the cipher suite list; see http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx for reference. For Apache Tomcat servers, follow these instructions: see the example;

Verification: after the reboot, run this command in PowerShell: Get-TlsCipherSuite
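
An added example (not part of the original page) that builds the single-line "SSL Cipher Suites" value from the default list above and, after the reboot, compares it with the Get-TlsCipherSuite output. The `$weakPattern` definition of "weak" is an assumption; adjust it to your own policy.

```powershell
# Added example, not from the original page. Default list as quoted above.
$defaultList = (@'
TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,
TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_128_GCM_SHA256,
TLS_PSK_WITH_AES_256_CBC_SHA384,TLS_PSK_WITH_AES_128_CBC_SHA256,
TLS_PSK_WITH_NULL_SHA384,TLS_PSK_WITH_NULL_SHA256
'@ -replace '\s', '') -split ','

# Assumption: what counts as a weak suite. The page does not enumerate them.
$weakPattern = 'NULL|3DES|RC4|_DES_|EXPORT|MD5'

# Drop the weak suites and join the rest into one unbroken comma-separated string.
$keep   = $defaultList | Where-Object { $_ -and $_ -notmatch $weakPattern }
$policy = $keep -join ','

# The policy field rejects anything longer than 1,023 characters.
if ($policy.Length -gt 1023) {
    throw "Policy string is $($policy.Length) characters; the limit is 1,023."
}
"Value for 'SSL Cipher Suites' ($($keep.Count) suites, $($policy.Length) characters):"
$policy

# After the reboot: compare what Schannel reports with the policy string.
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    $active = (Get-TlsCipherSuite).Name
    $active | Where-Object { $_ -match $weakPattern } |
        ForEach-Object { Write-Warning "Weak suite still enabled: $_" }
    $active | Where-Object { $_ -notin $keep } |
        ForEach-Object { Write-Warning "Enabled but not in the policy list: $_" }
    $keep | Where-Object { $_ -notin $active } |
        ForEach-Object { "In the policy list but not reported by this OS: $_" }
}
```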

3) Registry method (choose with caution; not verified):

1> Open a text file, paste the following content, save it as a *.reg file, import it into the registry, and reboot (back up the registry before importing)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:0000ffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

If the above does not pass verification, try the following:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:0000ffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

4) Edit the registry manually

1>: Locate Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

After the backup is complete, make the changes:
1> To disable a protocol, create a new key under the Protocols key with the same name as the protocol to be disabled:

Under the target protocol's key, create two keys, Client and Server, and create two DWORD (32-bit) values, DisabledByDefault and Enabled:

"Enabled"=dword:00000000

"DisabledByDefault"=dword:00000001 (disables the protocol)