Windows 10客户端及Windows server 2016 服务器可以使用powershell 命令获得系统支持的密码套件列表,禁用启用相应的密码套件。
#命令链接:https://technet.microsoft.com/zh-cn/library/dn931990.aspx
#win10 server2016获得系统支持的套件的列表
Get-TlsCipherSuite |ft name
#win10 server2016启用密码套件
Enable-TlsCipherSuite -name ""
#win10 server2016禁用密码套件
Disable-TlsCipherSuite -name ""
Windows server 2016之前版本微软并没有给出相应的powershell 命令来获取密码套件列表,但在msdn上给出了c++代码
msdn链接:https://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx
#include <stdio.h>
#include <windows.h>
#include <bcrypt.h> void main()
{ HRESULT Status = ERROR_SUCCESS;
DWORD cbBuffer = ;
PCRYPT_CONTEXT_FUNCTIONS pBuffer = NULL; Status = BCryptEnumContextFunctions(
CRYPT_LOCAL,
L"SSL",
NCRYPT_SCHANNEL_INTERFACE,
&cbBuffer,
&pBuffer);
if(FAILED(Status))
{
printf_s("\n**** Error 0x%x returned by BCryptEnumContextFunctions\n", Status);
goto Cleanup;
} if(pBuffer == NULL)
{
printf_s("\n**** Error pBuffer returned from BCryptEnumContextFunctions is null");
goto Cleanup;
} printf_s("\n\n Listing Cipher Suites ");
for(UINT index = ; index < pBuffer->cFunctions; ++index)
{
printf_s("\n%S", pBuffer->rgpszFunctions[index]);
} Cleanup:
if (pBuffer != NULL)
{
BCryptFreeBuffer(pBuffer);
}
}
获得密码套件列表
#include <stdio.h>
#include <windows.h>
#include <bcrypt.h> void main()
{
SECURITY_STATUS Status = ERROR_SUCCESS;
LPWSTR wszCipher =(L “RSA_EXPORT1024_DES_CBC_SHA”);
Status = BCryptAddContextFunction(
CRYPT_LOCAL,
L “SSL”,
NCRYPT_SCHANNEL_INTERFACE,
wszCipher,
CRYPT_PRIORITY_TOP);
}
添加某个密码套件到优先顶部
#include <stdio.h>
#include <windows.h>
#include <bcrypt.h> void main()
{
SECURITY_STATUS Status = ERROR_SUCCESS;
LPWSTR wszCipher =(L “TLS_RSA_WITH_RC4_128_SHA”);
Status = BCryptRemoveContextFunction(
CRYPT_LOCAL,
L “SSL”,
NCRYPT_SCHANNEL_INTERFACE,
wszCipher);
}
删除某个密码套件
stackoverflow.上有人将获得密码套件列表的代码改成了c#,然后利用powershell 命令可以直接调用这些代码(add-type),也可以将这些代码利用csc.exe编译成.dll或者.exe,建议编译成exe,可以直接在其他的终端cmd控制台调用。
stackoverflow.链接:https://stackoverflow.com/questions/19695623/how-to-call-schannel-functions-from-net-c
using System;
using System.Text;
using System.Runtime.InteropServices; namespace ConsoleApplication1
{
class Program
{
[DllImport("Bcrypt.dll", CharSet = CharSet.Unicode)]
static extern uint BCryptEnumContextFunctions(uint dwTable, string pszContext, uint dwInterface, ref uint pcbBuffer, ref IntPtr ppBuffer); [DllImport("Bcrypt.dll")]
static extern void BCryptFreeBuffer(IntPtr pvBuffer); [DllImport("Bcrypt.dll", CharSet = CharSet.Unicode)]
static extern uint BCryptAddContextFunction(uint dwTable, string pszContext, uint dwInterface, string pszFunction, uint dwPosition); [DllImport("Bcrypt.dll", CharSet = CharSet.Unicode)]
static extern uint BCryptRemoveContextFunction(uint dwTable, string pszContext, uint dwInterface, string pszFunction); [StructLayout(LayoutKind.Sequential)]
public struct CRYPT_CONTEXT_FUNCTIONS
{
public uint cFunctions;
public IntPtr rgpszFunctions;
} const uint CRYPT_LOCAL = 0x00000001;
const uint NCRYPT_SCHANNEL_INTERFACE = 0x00010002;
const uint CRYPT_PRIORITY_TOP = 0x00000000;
const uint CRYPT_PRIORITY_BOTTOM = 0xFFFFFFFF; public static void DoStuff()
{
uint cbBuffer = ;
IntPtr ppBuffer = IntPtr.Zero;
uint Status = BCryptEnumContextFunctions(
CRYPT_LOCAL,
"SSL",
NCRYPT_SCHANNEL_INTERFACE,
ref cbBuffer,
ref ppBuffer);
if (Status == )
{
CRYPT_CONTEXT_FUNCTIONS functions = (CRYPT_CONTEXT_FUNCTIONS)Marshal.PtrToStructure(ppBuffer, typeof(CRYPT_CONTEXT_FUNCTIONS));
Console.WriteLine(functions.cFunctions);
IntPtr pStr = functions.rgpszFunctions;
for (int i = ; i < functions.cFunctions; i++)
{
Console.WriteLine(Marshal.PtrToStringUni(Marshal.ReadIntPtr(pStr)));
pStr += IntPtr.Size;
}
BCryptFreeBuffer(ppBuffer);
}
} static void Main(string[] args)
{
DoStuff();
Console.ReadLine();
}
}
}
密码套件列表
openssl 也可以获得密码套件列表:
opessl ciphers -v
微软也给出了各操作系统版本中默认启用的密码套件列表以及相应的设置
各操作系统支持密码套件的列表:https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
TLS/SSL设置:https://technet.microsoft.com/zh-cn/library/dn786418%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396#BKMK_SchannelTR_SSL30