前言
2017年1月1日起app store上的所有app应用将强制开启ats功能。
苹果的ats(app transport security)对服务器硬性3点要求:
① ats要求tls1.2或者更高,tls 是 ssl 新的别称。
② 通讯中的加密套件配置要求支持列出的正向保密。
③ 数字证书必须使用sha256或者更高级的签名哈希算法,并且保证密钥是2048位及以上的rsa密钥或者256位及以上的ecc密钥。
由于领导舍不得花钱,只能辛苦我们自己搞个不花钱的证书。在网上找了一大堆各种配置证书服务的文章,在ios端运行的时候总是直接报错,很是费解,后来注意到必须是tls1.2或者更高的版本,而按照网上的配置弄好后都是ssl1.0,根本原因没有解决。所以必须先升级服务器ssl的版本,这个升级的文章很多,有用的不多。在这里整理下找到的资料,供大家参考。注意:证书服务可以不用安装,升级ssl后即可正常访问。
1.首先打开服务器组策略,命令行输入gpedit.msc,找到ssl配置设置,双击ssl密码套件顺序,选择已启用,并保存。准备工作完成!
2.在下面选择您需要的配置并复制,打开powershell直接粘贴。最后会提示是否重启服务器,输入y会直接重启,根据自己的情况而定吧,重启后生效哦~
2.1. configure your iis server with perfect forward secrecy and tls 1.2:
我要评论
# copyright 2016, alexander hass
# http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
#
# version 1.7
# - windows version compare failed. get-ciminstance requires windows 2012 or later.
# version 1.6
# - os version detection for cipher suites order.
# version 1.5
# - enabled ecdh and more secure hash functions and reorderd cipher list.
# - added client setting for all ciphers.
# version 1.4
# - rc4 has been disabled.
# version 1.3
# - md5 has been disabled.
# version 1.2
# - re-factored code style and output
# version 1.1
# - sslv3 has been disabled. (poodle attack protection)
write-host 'configuring iis with ssl/tls deployment best practices...'
write-host '--------------------------------------------------------------------------------'
# disable multi-protocol unified hello
new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\multi-protocol unified hello\server' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\multi-protocol unified hello\server' -name enabled -value 0 -propertytype 'dword' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\multi-protocol unified hello\server' -name 'disabledbydefault' -value 1 -propertytype 'dword' -force | out-null
new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\multi-protocol unified hello\client' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\multi-protocol unified hello\client' -name enabled -value 0 -propertytype 'dword' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\multi-protocol unified hello\client' -name 'disabledbydefault' -value 1 -propertytype 'dword' -force | out-null
write-host 'multi-protocol unified hello has been disabled.'
# disable pct 1.0
new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\pct 1.0\server' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\pct 1.0\server' -name enabled -value 0 -propertytype 'dword' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\pct 1.0\server' -name 'disabledbydefault' -value 1 -propertytype 'dword' -force | out-null
new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\pct 1.0\client' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\pct 1.0\client' -name enabled -value 0 -propertytype 'dword' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\pct 1.0\client' -name 'disabledbydefault' -value 1 -propertytype 'dword' -force | out-null
write-host 'pct 1.0 has been disabled.'
# disable ssl 2.0 (pci compliance)
new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\server' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\server' -name enabled -value 0 -propertytype 'dword' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\server' -name 'disabledbydefault' -value 1 -propertytype 'dword' -force | out-null
new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\client' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\client' -name enabled -value 0 -propertytype 'dword' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\client' -name 'disabledbydefault' -value 1 -propertytype 'dword' -force | out-null
write-host 'ssl 2.0 has been disabled.'
# note: if you disable ssl 3.0 the you may lock out some people still using
# windows xp with ie6/7. without ssl 3.0 enabled, there is no protocol available
# for these people to fall back. safer shopping certifications may require that
# you disable sslv3.
#
# disable ssl 3.0 (pci compliance) and enable "poodle" protection
new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 3.0\server' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 3.0\server' -name enabled -value 0 -propertytype 'dword' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 3.0\server' -name 'disabledbydefault' -value 1 -propertytype 'dword' -force | out-null
new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 3.0\client' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 3.0\client' -name enabled -value 0 -propertytype 'dword' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 3.0\client' -name 'disabledbydefault' -value 1 -propertytype 'dword' -force | out-null
write-host 'ssl 3.0 has been disabled.'
# add and enable tls 1.0 for client and server schannel communications
new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.0\server' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.0\server' -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.0\server' -name 'disabledbydefault' -value 0 -propertytype 'dword' -force | out-null
new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.0\client' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.0\client' -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.0\client' -name 'disabledbydefault' -value 0 -propertytype 'dword' -force | out-null
write-host 'tls 1.0 has been enabled.'
# add and enable tls 1.1 for client and server schannel communications
new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.1\server' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.1\server' -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.1\server' -name 'disabledbydefault' -value 0 -propertytype 'dword' -force | out-null
new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.1\client' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.1\client' -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.1\client' -name 'disabledbydefault' -value 0 -propertytype 'dword' -force | out-null
write-host 'tls 1.1 has been enabled.'
# add and enable tls 1.2 for client and server schannel communications
new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.2\server' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.2\server' -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.2\server' -name 'disabledbydefault' -value 0 -propertytype 'dword' -force | out-null
new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.2\client' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.2\client' -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.2\client' -name 'disabledbydefault' -value 0 -propertytype 'dword' -force | out-null
write-host 'tls 1.2 has been enabled.'
# re-create the ciphers key.
new-item 'hklm:system\currentcontrolset\control\securityproviders\schannel\ciphers' -force | out-null
# disable insecure/weak ciphers.
$insecureciphers = @(
'des 56/56',
'null',
'rc2 128/128',
'rc2 40/128',
'rc2 56/128',
'rc4 40/128',
'rc4 56/128',
'rc4 64/128',
'rc4 128/128'
)
foreach ($insecurecipher in $insecureciphers) {
$key = (get-item hklm:\).opensubkey('system\currentcontrolset\control\securityproviders\schannel\ciphers', $true).createsubkey($insecurecipher)
$key.setvalue('enabled', 0, 'dword')
$key.close()
write-host "weak cipher $insecurecipher has been disabled."
}
# enable new secure ciphers.
# - rc4: it is recommended to disable rc4, but you may lock out winxp/ie8 if you enforce this. this is a requirement for fips 140-2.
# - 3des: it is recommended to disable these in near future. this is the last cipher supported by windows xp.
# - windows vista and before 'triple des 168' was named 'triple des 168/168' per https://support.microsoft.com/en-us/kb/245030
$secureciphers = @(
'aes 128/128',
'aes 256/256',
'triple des 168'
)
foreach ($securecipher in $secureciphers) {
$key = (get-item hklm:\).opensubkey('system\currentcontrolset\control\securityproviders\schannel\ciphers', $true).createsubkey($securecipher)
new-itemproperty -path "hklm:\system\currentcontrolset\control\securityproviders\schannel\ciphers\$securecipher" -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null
$key.close()
write-host "strong cipher $securecipher has been enabled."
}
# set hashes configuration.
new-item 'hklm:system\currentcontrolset\control\securityproviders\schannel\hashes' -force | out-null
new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\hashes\md5' -force | out-null
new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\hashes\md5' -name enabled -value 0 -propertytype 'dword' -force | out-null
$securehashes = @(
'sha',
'sha256',
'sha384',
'sha512'
)
foreach ($securehash in $securehashes) {
$key = (get-item hklm:\).opensubkey('system\currentcontrolset\control\securityproviders\schannel\hashes', $true).createsubkey($securehash)
new-itemproperty -path "hklm:\system\currentcontrolset\control\securityproviders\schannel\hashes\$securehash" -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null
$key.close()
write-host "hash $securehash has been enabled."
}
# set keyexchangealgorithms configuration.
new-item 'hklm:system\currentcontrolset\control\securityproviders\schannel\keyexchangealgorithms' -force | out-null
$securekeyexchangealgorithms = @(
'diffie-hellman',
'ecdh',
'pkcs'
)
foreach ($securekeyexchangealgorithm in $securekeyexchangealgorithms) {
$key = (get-item hklm:\).opensubkey('system\currentcontrolset\control\securityproviders\schannel\keyexchangealgorithms', $true).createsubkey($securekeyexchangealgorithm)
new-itemproperty -path "hklm:\system\currentcontrolset\control\securityproviders\schannel\keyexchangealgorithms\$securekeyexchangealgorithm" -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null
$key.close()
write-host "keyexchangealgorithm $securekeyexchangealgorithm has been enabled."
}
# set cipher suites order as secure as possible (enables perfect forward secrecy).
$os = get-wmiobject -class win32_operatingsystem
if ([system.version]$os.version -lt [system.version]'10.0') {
write-host 'use cipher suites order for windows 2008r2/2012/2012r2.'
$ciphersuitesorder = @(
'tls_ecdhe_rsa_with_aes_256_cbc_sha384_p521',
'tls_ecdhe_rsa_with_aes_256_cbc_sha384_p384',
'tls_ecdhe_rsa_with_aes_256_cbc_sha384_p256',
'tls_ecdhe_rsa_with_aes_128_cbc_sha256_p521',
'tls_ecdhe_rsa_with_aes_128_cbc_sha256_p384',
'tls_ecdhe_rsa_with_aes_128_cbc_sha256_p256',
'tls_ecdhe_rsa_with_aes_256_cbc_sha_p521',
'tls_ecdhe_rsa_with_aes_256_cbc_sha_p384',
'tls_ecdhe_rsa_with_aes_256_cbc_sha_p256',
'tls_ecdhe_rsa_with_aes_128_cbc_sha_p521',
'tls_ecdhe_rsa_with_aes_128_cbc_sha_p384',
'tls_ecdhe_rsa_with_aes_128_cbc_sha_p256',
'tls_ecdhe_ecdsa_with_aes_256_gcm_sha384_p521',
'tls_ecdhe_ecdsa_with_aes_256_gcm_sha384_p384',
'tls_ecdhe_ecdsa_with_aes_128_gcm_sha256_p521',
'tls_ecdhe_ecdsa_with_aes_128_gcm_sha256_p384',
'tls_ecdhe_ecdsa_with_aes_128_gcm_sha256_p256',
'tls_ecdhe_ecdsa_with_aes_256_cbc_sha384_p521',
'tls_ecdhe_ecdsa_with_aes_256_cbc_sha384_p384',
'tls_ecdhe_ecdsa_with_aes_128_cbc_sha256_p521',
'tls_ecdhe_ecdsa_with_aes_128_cbc_sha256_p384',
'tls_ecdhe_ecdsa_with_aes_128_cbc_sha256_p256',
'tls_ecdhe_ecdsa_with_aes_256_cbc_sha_p521',
'tls_ecdhe_ecdsa_with_aes_256_cbc_sha_p384',
'tls_ecdhe_ecdsa_with_aes_256_cbc_sha_p256',
'tls_ecdhe_ecdsa_with_aes_128_cbc_sha_p521',
'tls_ecdhe_ecdsa_with_aes_128_cbc_sha_p384',
'tls_ecdhe_ecdsa_with_aes_128_cbc_sha_p256',
'tls_rsa_with_aes_256_gcm_sha384',
'tls_rsa_with_aes_128_gcm_sha256',
'tls_rsa_with_aes_256_cbc_sha256',
'tls_rsa_with_aes_128_cbc_sha256',
'tls_rsa_with_aes_256_cbc_sha',
'tls_rsa_with_aes_128_cbc_sha',
'tls_rsa_with_3des_ede_cbc_sha'
)
}
else {
write-host 'use cipher suites order for windows 10/2016 and later.'
$ciphersuitesorder = @(
'tls_ecdhe_rsa_with_aes_256_gcm_sha384',
'tls_ecdhe_rsa_with_aes_128_gcm_sha256',
'tls_ecdhe_rsa_with_aes_256_cbc_sha384',
'tls_ecdhe_rsa_with_aes_128_cbc_sha256',
'tls_ecdhe_rsa_with_aes_256_cbc_sha',
'tls_ecdhe_rsa_with_aes_128_cbc_sha',
'tls_ecdhe_ecdsa_with_aes_256_gcm_sha384',
'tls_ecdhe_ecdsa_with_aes_128_gcm_sha256',
'tls_ecdhe_ecdsa_with_aes_256_cbc_sha384',
'tls_ecdhe_ecdsa_with_aes_128_cbc_sha256',
'tls_ecdhe_ecdsa_with_aes_256_cbc_sha',
'tls_ecdhe_ecdsa_with_aes_128_cbc_sha',
'tls_rsa_with_aes_256_gcm_sha384',
'tls_rsa_with_aes_128_gcm_sha256',
'tls_rsa_with_aes_256_cbc_sha256',
'tls_rsa_with_aes_128_cbc_sha256',
'tls_rsa_with_aes_256_cbc_sha',
'tls_rsa_with_aes_128_cbc_sha',
'tls_rsa_with_3des_ede_cbc_sha'
)
}
$ciphersuitesasstring = [string]::join(',', $ciphersuitesorder)
# one user reported this key does not exists on windows 2012r2. cannot repro myself on a brand new windows 2012r2 core machine. adding this just to be save.
new-item 'hklm:\software\policies\microsoft\cryptography\configuration\ssl\00010002' -erroraction silentlycontinue
new-itemproperty -path 'hklm:\software\policies\microsoft\cryptography\configuration\ssl\00010002' -name 'functions' -value $ciphersuitesasstring -propertytype 'string' -force | out-null
write-host '--------------------------------------------------------------------------------'
write-host 'note: after the system has been rebooted you can verify your server'
write-host ' configuration at https://www.ssllabs.com/ssltest/'
write-host "--------------------------------------------------------------------------------`n"
write-host -foregroundcolor red 'a computer restart is required to apply settings. restart computer now?'
restart-computer -force -confirm
2.2 iisresetssltoweakdefaults
# copyright 2016, alexander hass # http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12 # # version 1.0 # - rollback script created. write-host 'reset iis to weak and insecure ssl defaults...' write-host '--------------------------------------------------------------------------------' new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\ciphers' -force new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\ciphersuites' -force new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\hashes' -force new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\keyexchangealgorithms' -force new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols' -force new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\client' -force new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\client' -name disabledbydefault -value 1 -propertytype 'dword' new-item 'hklm:\software\policies\microsoft\cryptography\configuration\ssl\00010002' -force restart-computer -force
3.最后配置iis站点,添加ssl自签名证书,站点绑定https,并选择刚添加的自签名证书即可。
4.全称无需给服务器安装证书服务,ios客户端证书校验时默认全部通过即可,如果对安全要求严格的客户端可导入证书做校验。
如对本文有疑问, 点击进行留言回复!!
Windows Server 2008 r2服务器无故自动重启故障的解决方法
Windows CVE-2019-0708 远程桌面代码执行漏洞复现问题
网友评论