  • 检查windows系统支持的密码套件

    Windows 10客户端及Windows server 2016 服务器可以使用powershell 命令获得系统支持的密码套件列表,禁用启用相应的密码套件。

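    # Cmdlet reference: https://technet.microsoft.com/zh-cn/library/dn931990.aspx
    # Windows 10 / Server 2016: list the names of the cipher suites available to TLS on this computer
    Get-TlsCipherSuite |ft name
    # Windows 10 / Server 2016: enable a cipher suite (put the suite name between the quotes)
    Enable-TlsCipherSuite -name ""
    # Windows 10 / Server 2016: disable a cipher suite (put the suite name between the quotes)
    Disable-TlsCipherSuite -name ""
    # Enable/Disable change the machine-wide TLS configuration; re-run Get-TlsCipherSuite
    # afterwards to confirm the list is what you intended.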

    Windows server 2016之前版本微软并没有给出相应的powershell 命令来获取密码套件列表,但在msdn上给出了c++代码

    msdn链接:https://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx

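     #include <stdio.h>
     #include <windows.h>
     #include <bcrypt.h>

     // Build note: link with Bcrypt.lib.

     // Prints every function name (cipher suite) registered for the "SSL" context
     // of the Schannel interface in the local-machine configuration table.
     // Read-only: the configuration is enumerated, never changed.
     // Returns 0 when the list was printed, 1 when the enumeration failed or
     // returned no buffer.
     int main(void)
     {
         NTSTATUS Status = 0;
         DWORD    cbBuffer = 0;
         PCRYPT_CONTEXT_FUNCTIONS pBuffer = NULL;
         int      exitCode = 1;

         // pBuffer is NULL on entry, so the API allocates the result buffer itself;
         // it must be released with BCryptFreeBuffer (done under Cleanup).
         Status = BCryptEnumContextFunctions(
             CRYPT_LOCAL,
             L"SSL",
             NCRYPT_SCHANNEL_INTERFACE,
             &cbBuffer,
             &pBuffer);
         if (!BCRYPT_SUCCESS(Status))
         {
             printf_s("\n**** Error 0x%x returned by BCryptEnumContextFunctions\n", (unsigned int)Status);
             goto Cleanup;
         }

         if (pBuffer == NULL)
         {
             printf_s("\n**** Error pBuffer returned from BCryptEnumContextFunctions is null");
             goto Cleanup;
         }

         printf_s("\n\n Listing Cipher Suites ");
         for (UINT index = 0; index < pBuffer->cFunctions; ++index)
         {
             // %S prints a wide string from the narrow printf family (Microsoft CRT).
             printf_s("\n%S", pBuffer->rgpszFunctions[index]);
         }
         exitCode = 0;

     Cleanup:
         if (pBuffer != NULL)
         {
             BCryptFreeBuffer(pBuffer);
         }
         return exitCode;
     }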
    获得密码套件列表
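     #include <stdio.h>
     #include <windows.h>
     #include <bcrypt.h>

     // Build note: link with Bcrypt.lib.

     // Adds one cipher suite at the top of the priority list of the "SSL" context
     // (Schannel interface, local-machine configuration table).
     // This changes machine-wide TLS configuration, so the result is checked and
     // reported instead of being discarded.
     // Returns 0 on success, 1 when BCryptAddContextFunction fails.
     int main(void)
     {
         // NOTE(review): RSA_EXPORT1024_DES_CBC_SHA is an export-grade suite built
         // on single DES. It is kept only because it is the sample value of this
         // listing; at CRYPT_PRIORITY_TOP it becomes the first suite in the list.
         // Substitute a suite that your TLS policy actually allows.
         LPCWSTR wszCipher = L"RSA_EXPORT1024_DES_CBC_SHA";

         NTSTATUS Status = BCryptAddContextFunction(
                     CRYPT_LOCAL,
                     L"SSL",
                     NCRYPT_SCHANNEL_INTERFACE,
                     wszCipher,
                     CRYPT_PRIORITY_TOP);
         if (!BCRYPT_SUCCESS(Status))
         {
             printf_s("\n**** Error 0x%x returned by BCryptAddContextFunction\n", (unsigned int)Status);
             return 1;
         }
         return 0;
     }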
    添加某个密码套件到优先顶部(示例中的 RSA_EXPORT1024_DES_CBC_SHA 是出口级的弱套件,仅用于演示调用方式,实际环境中不应启用或置顶)
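     #include <stdio.h>
     #include <windows.h>
     #include <bcrypt.h>

     // Build note: link with Bcrypt.lib.

     // Removes one cipher suite from the "SSL" context (Schannel interface,
     // local-machine configuration table).
     // This changes machine-wide TLS configuration, so the result is checked and
     // reported; re-run the enumeration listing afterwards to confirm the suite
     // is gone.
     // Returns 0 on success, 1 when BCryptRemoveContextFunction fails.
     int main(void)
     {
         // RC4 suites are prohibited for TLS by RFC 7465, which makes this a
         // typical candidate for removal.
         LPCWSTR wszCipher = L"TLS_RSA_WITH_RC4_128_SHA";

         NTSTATUS Status = BCryptRemoveContextFunction(
                     CRYPT_LOCAL,
                     L"SSL",
                     NCRYPT_SCHANNEL_INTERFACE,
                     wszCipher);
         if (!BCRYPT_SUCCESS(Status))
         {
             printf_s("\n**** Error 0x%x returned by BCryptRemoveContextFunction\n", (unsigned int)Status);
             return 1;
         }
         return 0;
     }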
    删除某个密码套件

    Stack Overflow 上有人将获得密码套件列表的代码改写成了 C#,可以在 PowerShell 中通过 Add-Type 直接调用这些代码,也可以用 csc.exe 将其编译成 .dll 或 .exe;建议编译成 .exe,这样可以直接在其他终端(cmd 控制台)中调用。

    Stack Overflow 链接:https://stackoverflow.com/questions/19695623/how-to-call-schannel-functions-from-net-c

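     using System;
     using System.Text;
     using System.Runtime.InteropServices;

     namespace ConsoleApplication1
     {
         /// <summary>
         /// Console program that lists the cipher suites registered for the "SSL"
         /// context of the Schannel interface by calling the CNG configuration API
         /// in Bcrypt.dll through P/Invoke.
         /// </summary>
         class Program
         {
             // Enumerates the functions of a context. ppBuffer is passed as
             // IntPtr.Zero, so the API allocates the buffer; release it with
             // BCryptFreeBuffer.
             [DllImport("Bcrypt.dll", CharSet = CharSet.Unicode)]
             static extern uint BCryptEnumContextFunctions(uint dwTable, string pszContext, uint dwInterface, ref uint pcbBuffer, ref IntPtr ppBuffer);

             // Releases a buffer allocated by the enumeration call above.
             [DllImport("Bcrypt.dll")]
             static extern void BCryptFreeBuffer(IntPtr pvBuffer);

             // Declared but not called in this class. Adding a function changes
             // machine-wide TLS configuration; check the returned status if you use it.
             [DllImport("Bcrypt.dll", CharSet = CharSet.Unicode)]
             static extern uint BCryptAddContextFunction(uint dwTable, string pszContext, uint dwInterface, string pszFunction, uint dwPosition);

             // Declared but not called in this class. Removing a function changes
             // machine-wide TLS configuration; check the returned status if you use it.
             [DllImport("Bcrypt.dll", CharSet = CharSet.Unicode)]
             static extern uint BCryptRemoveContextFunction(uint dwTable, string pszContext, uint dwInterface, string pszFunction);

             // Managed view of the native CRYPT_CONTEXT_FUNCTIONS header:
             // a count followed by a pointer to an array of wide-string pointers.
             [StructLayout(LayoutKind.Sequential)]
             public struct CRYPT_CONTEXT_FUNCTIONS
             {
                 public uint cFunctions;
                 public IntPtr rgpszFunctions;
             }

             // Local-machine configuration table.
             const uint CRYPT_LOCAL = 0x00000001;
             // Identifier of the Schannel (SSL/TLS) interface.
             const uint NCRYPT_SCHANNEL_INTERFACE = 0x00010002;
             // Positions accepted by BCryptAddContextFunction.
             const uint CRYPT_PRIORITY_TOP = 0x00000000;
             const uint CRYPT_PRIORITY_BOTTOM = 0xFFFFFFFF;

             /// <summary>
             /// Writes the number of cipher suites, then one suite name per line,
             /// to standard output. Read-only: nothing is added or removed.
             /// A failed enumeration is reported on standard error.
             /// </summary>
             public static void DoStuff()
             {
                 uint cbBuffer = 0;
                 IntPtr ppBuffer = IntPtr.Zero;
                 uint status = BCryptEnumContextFunctions(
                         CRYPT_LOCAL,
                         "SSL",
                         NCRYPT_SCHANNEL_INTERFACE,
                         ref cbBuffer,
                         ref ppBuffer);
                 if (status != 0)
                 {
                     // Report the NTSTATUS instead of printing nothing at all.
                     Console.Error.WriteLine(string.Format("BCryptEnumContextFunctions failed: 0x{0:X8}", status));
                     return;
                 }

                 if (ppBuffer == IntPtr.Zero)
                 {
                     Console.Error.WriteLine("BCryptEnumContextFunctions returned no buffer");
                     return;
                 }

                 try
                 {
                     CRYPT_CONTEXT_FUNCTIONS functions = (CRYPT_CONTEXT_FUNCTIONS)Marshal.PtrToStructure(ppBuffer, typeof(CRYPT_CONTEXT_FUNCTIONS));
                     Console.WriteLine(functions.cFunctions);

                     // rgpszFunctions is an array of pointers; step one pointer
                     // width per entry and read the wide string each one refers to.
                     IntPtr pStr = functions.rgpszFunctions;
                     for (uint i = 0; i < functions.cFunctions; i++)
                     {
                         Console.WriteLine(Marshal.PtrToStringUni(Marshal.ReadIntPtr(pStr)));
                         pStr += IntPtr.Size;
                     }
                 }
                 finally
                 {
                     // Free the native buffer even if marshalling or output throws.
                     BCryptFreeBuffer(ppBuffer);
                 }
             }

             // Entry point: prints the list, then waits for Enter before exiting.
             static void Main(string[] args)
             {
                 DoStuff();
                 Console.ReadLine();
             }
         }
     }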
    密码套件列表

    openssl 也可以获得密码套件列表(列出的是本机 OpenSSL 自身支持的套件,并不反映 Windows Schannel 的配置):

    openssl ciphers -v

    微软也给出了各操作系统版本中默认启用的密码套件列表以及相应的设置

    各操作系统支持密码套件的列表:https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

    TLS/SSL设置:https://technet.microsoft.com/zh-cn/library/dn786418%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396#BKMK_SchannelTR_SSL30

  • 原文地址:https://www.cnblogs.com/-windows/p/7765439.html