无法为 SSL/TLS 建立安全通道:如何在 windows server 2008 上启用 TLS

本文介绍了无法为 SSL/TLS 建立安全通道:如何在 windows server 2008 上启用 TLS的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

这个问题与另一个问题的答案有关.正确答案的人写道:在我们的例子中，当目标服务器上的配置更改为接受 TLS 时，问题得到解决.

This question is related to an answer on another question.The person with the correct answer writes: In our case, the problem was resolved when the configuration on the destination server was changed to accept TLS.

在评论中，我问他是否可以更具体地说明如何实现这一目标.约翰桑德斯建议我为此单独提出一个问题.所以这里是:

In a comment I asked if he could be more specific on how to achieve that. John Saunders suggested I make a separate question for that. So here it is:

如何在 windows 2008 上启用 TLS?我根据 this 对注册表进行了更改，然后重新启动了服务器.我正在努力解决的错误仍然存在.我还需要做些什么来启用 TLS?

How does one enable TLS on windows 2008?I made registry changes based on this, restarted the server. The error I'm struggling with persists. Is there anything else I need to do to enable TLS?

推荐答案

TLS 1.0 应在 Windows Server (WS) 2008 上默认启用，因此我假设客户端需要更新的 TLS 版本.WS 2008 R2 中引入了对较新 TLS 协议版本 TLS 1.1 和 TLS 1.2 的支持，但默认情况下它们处于禁用状态.在 WS 2012 中，TLS 1.1 和 TLS 1.2 默认启用.

TLS 1.0 should be enabled by default on Windows Server (WS) 2008 so I assume the client requires a newer TLS version. Support for the newer TLS protocol versions, TLS 1.1 and TLS 1.2, were introduced in WS 2008 R2 but they're disabled by default. In WS 2012, TLS 1.1 and TLS 1.2 are enabled by default.

如果客户端需要 TLS 1.1 或 TLS 1.2，您必须升级到 WS 2008 R2 或更新版本.您可以在 WS 2008 R2 中手动启用 TLS 1.1 和 TLS 1.2.在这种情况下，您需要添加一些注册表设置，记录在如何限制使用某些加密算法和Schannel.dll 中的协议.相关条目是:

If the client needs TLS 1.1 or TLS 1.2, you'll have to upgrade to WS 2008 R2 or newer. You can enable TLS 1.1 and TLS 1.2 in WS 2008 R2 by hand. In that case you'll need to add some registry settings, documented in How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll. The relevant entries are:

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocolsTLS 1.1]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocolsTLS 1.1Client]
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocolsTLS 1.1Server]
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocolsTLS 1.2]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocolsTLS 1.2Client]
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocolsTLS 1.2Server]
"DisabledByDefault"=dword:00000000

您需要重新启动才能使更改生效.

You'll need a reboot for the changes to take effect.

如果您升级到 WS 2012，默认情况下您将获得 TLS 1.1/1.2.您可以在我关于的博客文章中找到有关 TLS 配置的更多详细信息强化 Windows Server 2008/2012 和 Azure SSL/TLS 配置.

If you upgrade to WS 2012, you'll get TLS 1.1/1.2 by default. You can find more details on TLS configuration in my blog post on Hardening Windows Server 2008/2012 and Azure SSL/TLS configuration.

这篇关于无法为 SSL/TLS 建立安全通道:如何在 windows server 2008 上启用 TLS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！