Windows Server 2008 R2 下配置TLS1.2添加自签名证书的图文教程
前言
2017年1月1日起app store上的所有app应用将强制开启ats功能。
苹果的ats(app transport security)对服务器硬性3点要求:
① ats要求tls1.2或者更高,tls 是 ssl 新的别称。
② 通讯中的加密套件配置要求支持列出的正向保密。
③ 数字证书必须使用sha256或者更高级的签名哈希算法,并且保证密钥是2048位及以上的rsa密钥或者256位及以上的ecc密钥。
由于领导舍不得花钱,只能辛苦我们自己搞个不花钱的证书。在网上找了一大堆各种配置证书服务的文章,在ios端运行的时候总是直接报错,很是费解,后来注意到必须是tls1.2或者更高的版本,而按照网上的配置弄好后都是ssl1.0,根本原因没有解决。所以必须先升级服务器ssl的版本,这个升级的文章很多,有用的不多。在这里整理下找到的资料,供大家参考。注意:证书服务可以不用安装,升级ssl后即可正常访问。
1.首先打开服务器组策略,命令行输入gpedit.msc,找到ssl配置设置,双击ssl密码套件顺序,选择已启用,并保存。准备工作完成!
2.在下面选择您需要的配置并复制,打开powershell直接粘贴。最后会提示是否重启服务器,输入y会直接重启,根据自己的情况而定吧,重启后生效哦~
2.1. configure your iis server with perfect forward secrecy and tls 1.2:
# copyright 2016, alexander hass # http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12 # # version 1.7 # - windows version compare failed. get-ciminstance requires windows 2012 or later. # version 1.6 # - os version detection for cipher suites order. # version 1.5 # - enabled ecdh and more secure hash functions and reorderd cipher list. # - added client setting for all ciphers. # version 1.4 # - rc4 has been disabled. # version 1.3 # - md5 has been disabled. # version 1.2 # - re-factored code style and output # version 1.1 # - sslv3 has been disabled. (poodle attack protection) write-host 'configuring iis with ssl/tls deployment best practices...' write-host '--------------------------------------------------------------------------------' # disable multi-protocol unified hello new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\multi-protocol unified hello\server' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\multi-protocol unified hello\server' -name enabled -value 0 -propertytype 'dword' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\multi-protocol unified hello\server' -name 'disabledbydefault' -value 1 -propertytype 'dword' -force | out-null new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\multi-protocol unified hello\client' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\multi-protocol unified hello\client' -name enabled -value 0 -propertytype 'dword' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\multi-protocol unified hello\client' -name 'disabledbydefault' -value 1 -propertytype 'dword' -force | out-null write-host 'multi-protocol unified hello has been disabled.' # disable pct 1.0 new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\pct 1.0\server' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\pct 1.0\server' -name enabled -value 0 -propertytype 'dword' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\pct 1.0\server' -name 'disabledbydefault' -value 1 -propertytype 'dword' -force | out-null new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\pct 1.0\client' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\pct 1.0\client' -name enabled -value 0 -propertytype 'dword' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\pct 1.0\client' -name 'disabledbydefault' -value 1 -propertytype 'dword' -force | out-null write-host 'pct 1.0 has been disabled.' # disable ssl 2.0 (pci compliance) new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\server' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\server' -name enabled -value 0 -propertytype 'dword' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\server' -name 'disabledbydefault' -value 1 -propertytype 'dword' -force | out-null new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\client' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\client' -name enabled -value 0 -propertytype 'dword' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\client' -name 'disabledbydefault' -value 1 -propertytype 'dword' -force | out-null write-host 'ssl 2.0 has been disabled.' # note: if you disable ssl 3.0 the you may lock out some people still using # windows xp with ie6/7. without ssl 3.0 enabled, there is no protocol available # for these people to fall back. safer shopping certifications may require that # you disable sslv3. # # disable ssl 3.0 (pci compliance) and enable "poodle" protection new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 3.0\server' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 3.0\server' -name enabled -value 0 -propertytype 'dword' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 3.0\server' -name 'disabledbydefault' -value 1 -propertytype 'dword' -force | out-null new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 3.0\client' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 3.0\client' -name enabled -value 0 -propertytype 'dword' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 3.0\client' -name 'disabledbydefault' -value 1 -propertytype 'dword' -force | out-null write-host 'ssl 3.0 has been disabled.' # add and enable tls 1.0 for client and server schannel communications new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.0\server' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.0\server' -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.0\server' -name 'disabledbydefault' -value 0 -propertytype 'dword' -force | out-null new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.0\client' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.0\client' -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.0\client' -name 'disabledbydefault' -value 0 -propertytype 'dword' -force | out-null write-host 'tls 1.0 has been enabled.' # add and enable tls 1.1 for client and server schannel communications new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.1\server' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.1\server' -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.1\server' -name 'disabledbydefault' -value 0 -propertytype 'dword' -force | out-null new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.1\client' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.1\client' -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.1\client' -name 'disabledbydefault' -value 0 -propertytype 'dword' -force | out-null write-host 'tls 1.1 has been enabled.' # add and enable tls 1.2 for client and server schannel communications new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.2\server' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.2\server' -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.2\server' -name 'disabledbydefault' -value 0 -propertytype 'dword' -force | out-null new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.2\client' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.2\client' -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\tls 1.2\client' -name 'disabledbydefault' -value 0 -propertytype 'dword' -force | out-null write-host 'tls 1.2 has been enabled.' # re-create the ciphers key. new-item 'hklm:system\currentcontrolset\control\securityproviders\schannel\ciphers' -force | out-null # disable insecure/weak ciphers. $insecureciphers = @( 'des 56/56', 'null', 'rc2 128/128', 'rc2 40/128', 'rc2 56/128', 'rc4 40/128', 'rc4 56/128', 'rc4 64/128', 'rc4 128/128' ) foreach ($insecurecipher in $insecureciphers) { $key = (get-item hklm:\).opensubkey('system\currentcontrolset\control\securityproviders\schannel\ciphers', $true).createsubkey($insecurecipher) $key.setvalue('enabled', 0, 'dword') $key.close() write-host "weak cipher $insecurecipher has been disabled." } # enable new secure ciphers. # - rc4: it is recommended to disable rc4, but you may lock out winxp/ie8 if you enforce this. this is a requirement for fips 140-2. # - 3des: it is recommended to disable these in near future. this is the last cipher supported by windows xp. # - windows vista and before 'triple des 168' was named 'triple des 168/168' per https://support.microsoft.com/en-us/kb/245030 $secureciphers = @( 'aes 128/128', 'aes 256/256', 'triple des 168' ) foreach ($securecipher in $secureciphers) { $key = (get-item hklm:\).opensubkey('system\currentcontrolset\control\securityproviders\schannel\ciphers', $true).createsubkey($securecipher) new-itemproperty -path "hklm:\system\currentcontrolset\control\securityproviders\schannel\ciphers\$securecipher" -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null $key.close() write-host "strong cipher $securecipher has been enabled." } # set hashes configuration. new-item 'hklm:system\currentcontrolset\control\securityproviders\schannel\hashes' -force | out-null new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\hashes\md5' -force | out-null new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\hashes\md5' -name enabled -value 0 -propertytype 'dword' -force | out-null $securehashes = @( 'sha', 'sha256', 'sha384', 'sha512' ) foreach ($securehash in $securehashes) { $key = (get-item hklm:\).opensubkey('system\currentcontrolset\control\securityproviders\schannel\hashes', $true).createsubkey($securehash) new-itemproperty -path "hklm:\system\currentcontrolset\control\securityproviders\schannel\hashes\$securehash" -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null $key.close() write-host "hash $securehash has been enabled." } # set keyexchangealgorithms configuration. new-item 'hklm:system\currentcontrolset\control\securityproviders\schannel\keyexchangealgorithms' -force | out-null $securekeyexchangealgorithms = @( 'diffie-hellman', 'ecdh', 'pkcs' ) foreach ($securekeyexchangealgorithm in $securekeyexchangealgorithms) { $key = (get-item hklm:\).opensubkey('system\currentcontrolset\control\securityproviders\schannel\keyexchangealgorithms', $true).createsubkey($securekeyexchangealgorithm) new-itemproperty -path "hklm:\system\currentcontrolset\control\securityproviders\schannel\keyexchangealgorithms\$securekeyexchangealgorithm" -name 'enabled' -value '0xffffffff' -propertytype 'dword' -force | out-null $key.close() write-host "keyexchangealgorithm $securekeyexchangealgorithm has been enabled." } # set cipher suites order as secure as possible (enables perfect forward secrecy). $os = get-wmiobject -class win32_operatingsystem if ([system.version]$os.version -lt [system.version]'10.0') { write-host 'use cipher suites order for windows 2008r2/2012/2012r2.' $ciphersuitesorder = @( 'tls_ecdhe_rsa_with_aes_256_cbc_sha384_p521', 'tls_ecdhe_rsa_with_aes_256_cbc_sha384_p384', 'tls_ecdhe_rsa_with_aes_256_cbc_sha384_p256', 'tls_ecdhe_rsa_with_aes_128_cbc_sha256_p521', 'tls_ecdhe_rsa_with_aes_128_cbc_sha256_p384', 'tls_ecdhe_rsa_with_aes_128_cbc_sha256_p256', 'tls_ecdhe_rsa_with_aes_256_cbc_sha_p521', 'tls_ecdhe_rsa_with_aes_256_cbc_sha_p384', 'tls_ecdhe_rsa_with_aes_256_cbc_sha_p256', 'tls_ecdhe_rsa_with_aes_128_cbc_sha_p521', 'tls_ecdhe_rsa_with_aes_128_cbc_sha_p384', 'tls_ecdhe_rsa_with_aes_128_cbc_sha_p256', 'tls_ecdhe_ecdsa_with_aes_256_gcm_sha384_p521', 'tls_ecdhe_ecdsa_with_aes_256_gcm_sha384_p384', 'tls_ecdhe_ecdsa_with_aes_128_gcm_sha256_p521', 'tls_ecdhe_ecdsa_with_aes_128_gcm_sha256_p384', 'tls_ecdhe_ecdsa_with_aes_128_gcm_sha256_p256', 'tls_ecdhe_ecdsa_with_aes_256_cbc_sha384_p521', 'tls_ecdhe_ecdsa_with_aes_256_cbc_sha384_p384', 'tls_ecdhe_ecdsa_with_aes_128_cbc_sha256_p521', 'tls_ecdhe_ecdsa_with_aes_128_cbc_sha256_p384', 'tls_ecdhe_ecdsa_with_aes_128_cbc_sha256_p256', 'tls_ecdhe_ecdsa_with_aes_256_cbc_sha_p521', 'tls_ecdhe_ecdsa_with_aes_256_cbc_sha_p384', 'tls_ecdhe_ecdsa_with_aes_256_cbc_sha_p256', 'tls_ecdhe_ecdsa_with_aes_128_cbc_sha_p521', 'tls_ecdhe_ecdsa_with_aes_128_cbc_sha_p384', 'tls_ecdhe_ecdsa_with_aes_128_cbc_sha_p256', 'tls_rsa_with_aes_256_gcm_sha384', 'tls_rsa_with_aes_128_gcm_sha256', 'tls_rsa_with_aes_256_cbc_sha256', 'tls_rsa_with_aes_128_cbc_sha256', 'tls_rsa_with_aes_256_cbc_sha', 'tls_rsa_with_aes_128_cbc_sha', 'tls_rsa_with_3des_ede_cbc_sha' ) } else { write-host 'use cipher suites order for windows 10/2016 and later.' $ciphersuitesorder = @( 'tls_ecdhe_rsa_with_aes_256_gcm_sha384', 'tls_ecdhe_rsa_with_aes_128_gcm_sha256', 'tls_ecdhe_rsa_with_aes_256_cbc_sha384', 'tls_ecdhe_rsa_with_aes_128_cbc_sha256', 'tls_ecdhe_rsa_with_aes_256_cbc_sha', 'tls_ecdhe_rsa_with_aes_128_cbc_sha', 'tls_ecdhe_ecdsa_with_aes_256_gcm_sha384', 'tls_ecdhe_ecdsa_with_aes_128_gcm_sha256', 'tls_ecdhe_ecdsa_with_aes_256_cbc_sha384', 'tls_ecdhe_ecdsa_with_aes_128_cbc_sha256', 'tls_ecdhe_ecdsa_with_aes_256_cbc_sha', 'tls_ecdhe_ecdsa_with_aes_128_cbc_sha', 'tls_rsa_with_aes_256_gcm_sha384', 'tls_rsa_with_aes_128_gcm_sha256', 'tls_rsa_with_aes_256_cbc_sha256', 'tls_rsa_with_aes_128_cbc_sha256', 'tls_rsa_with_aes_256_cbc_sha', 'tls_rsa_with_aes_128_cbc_sha', 'tls_rsa_with_3des_ede_cbc_sha' ) } $ciphersuitesasstring = [string]::join(',', $ciphersuitesorder) # one user reported this key does not exists on windows 2012r2. cannot repro myself on a brand new windows 2012r2 core machine. adding this just to be save. new-item 'hklm:\software\policies\microsoft\cryptography\configuration\ssl\00010002' -erroraction silentlycontinue new-itemproperty -path 'hklm:\software\policies\microsoft\cryptography\configuration\ssl\00010002' -name 'functions' -value $ciphersuitesasstring -propertytype 'string' -force | out-null write-host '--------------------------------------------------------------------------------' write-host 'note: after the system has been rebooted you can verify your server' write-host ' configuration at https://www.ssllabs.com/ssltest/' write-host "--------------------------------------------------------------------------------`n" write-host -foregroundcolor red 'a computer restart is required to apply settings. restart computer now?' restart-computer -force -confirm
2.2 iisresetssltoweakdefaults
# copyright 2016, alexander hass # http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12 # # version 1.0 # - rollback script created. write-host 'reset iis to weak and insecure ssl defaults...' write-host '--------------------------------------------------------------------------------' new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\ciphers' -force new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\ciphersuites' -force new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\hashes' -force new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\keyexchangealgorithms' -force new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols' -force new-item 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\client' -force new-itemproperty -path 'hklm:\system\currentcontrolset\control\securityproviders\schannel\protocols\ssl 2.0\client' -name disabledbydefault -value 1 -propertytype 'dword' new-item 'hklm:\software\policies\microsoft\cryptography\configuration\ssl\00010002' -force restart-computer -force
3.最后配置iis站点,添加ssl自签名证书,站点绑定https,并选择刚添加的自签名证书即可。
4.全称无需给服务器安装证书服务,ios客户端证书校验时默认全部通过即可,如果对安全要求严格的客户端可导入证书做校验。