Check the cipher suites supported by the Windows system.
On Windows 10 clients and Windows Server 2016 servers, you can use PowerShell commands to obtain the list of supported cipher suites and to enable or disable individual cipher suites.
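# Command reference: https://technet.microsoft.com/zh-cn/library/dn931990.aspx
# Windows 10 / Windows Server 2016: list the cipher suites supported by the system.
Get-TlsCipherSuite | ft name

# Windows 10 / Windows Server 2016: enable a cipher suite.
# Replace the placeholder with a suite name taken from the list above.
# Enabling or disabling a suite changes the machine-wide Schannel configuration,
# so run these two commands from an elevated session and record the change.
Enable-TlsCipherSuite -Name "<cipher-suite-name>"

# Windows 10 / Windows Server 2016: disable a cipher suite.
Disable-TlsCipherSuite -Name "<cipher-suite-name>"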
In versions earlier than Windows Server 2016, Microsoft did not provide a PowerShell command for obtaining the list of cipher suites, but C++ code is provided on MSDN.
Link: https://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx
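#include <stdio.h>
#include <windows.h>
#include <bcrypt.h>

/*
 * Prints the cipher suites registered for the Schannel "SSL" context in the
 * local-machine CNG configuration, one name per line.
 *
 * Link against bcrypt.lib.
 * Returns 0 when the list was printed and 1 when the enumeration failed, so a
 * calling script can tell the two cases apart.
 */
int main(void)
{
    /* The BCrypt* functions return NTSTATUS, not HRESULT. */
    NTSTATUS Status;
    DWORD cbBuffer = 0;
    PCRYPT_CONTEXT_FUNCTIONS pBuffer = NULL;
    int exitCode = 1;

    /*
     * pBuffer is NULL on entry, so the function allocates the result buffer
     * itself; that buffer has to be released with BCryptFreeBuffer.
     */
    Status = BCryptEnumContextFunctions(
        CRYPT_LOCAL,
        L"SSL",
        NCRYPT_SCHANNEL_INTERFACE,
        &cbBuffer,
        &pBuffer);
    if (!BCRYPT_SUCCESS(Status))
    {
        printf_s("\n**** Error 0x%x returned by BCryptEnumContextFunctions\n", (unsigned int)Status);
        goto Cleanup;
    }

    if (pBuffer == NULL)
    {
        printf_s("\n**** Error pBuffer returned from BCryptEnumContextFunctions is null");
        goto Cleanup;
    }

    printf_s("\n\n Listing Cipher Suites ");
    for (ULONG index = 0; index < pBuffer->cFunctions; ++index)
    {
        /* %S prints a wide-character string through the narrow printf family. */
        printf_s("\n%S", pBuffer->rgpszFunctions[index]);
    }
    exitCode = 0;

Cleanup:
    if (pBuffer != NULL)
    {
        BCryptFreeBuffer(pBuffer);
    }
    return exitCode;
}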
Obtain the list of cipher suites
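#include <stdio.h>
#include <windows.h>
#include <bcrypt.h>

/*
 * Moves one cipher suite to the top of the Schannel "SSL" priority list in the
 * local-machine CNG configuration.
 *
 * Link against bcrypt.lib. The call changes machine-wide configuration, so it
 * typically needs an elevated process.
 * Returns 0 on success and 1 when BCryptAddContextFunction fails.
 */
int main(void)
{
    NTSTATUS Status;

    /*
     * NOTE(review): RSA_EXPORT1024_DES_CBC_SHA is the value used in the MSDN
     * sample. It is an export-grade DES suite and should not be given top
     * priority on a production host; substitute a suite that your TLS policy
     * allows before running this.
     */
    LPCWSTR wszCipher = L"RSA_EXPORT1024_DES_CBC_SHA";

    Status = BCryptAddContextFunction(
        CRYPT_LOCAL,
        L"SSL",
        NCRYPT_SCHANNEL_INTERFACE,
        wszCipher,
        CRYPT_PRIORITY_TOP);

    /* Report the result: a silent failure would leave the old order in place. */
    if (!BCRYPT_SUCCESS(Status))
    {
        printf_s("\n**** Error 0x%x returned by BCryptAddContextFunction\n", (unsigned int)Status);
        return 1;
    }
    return 0;
}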
Add a cipher suite to the top priority
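#include <stdio.h>
#include <windows.h>
#include <bcrypt.h>

/*
 * Removes one cipher suite from the Schannel "SSL" list in the local-machine
 * CNG configuration. The sample removes an RC4 suite; RFC 7465 prohibits RC4
 * cipher suites in TLS.
 *
 * Link against bcrypt.lib. The call changes machine-wide configuration, so it
 * typically needs an elevated process.
 * Returns 0 on success and 1 when BCryptRemoveContextFunction fails.
 */
int main(void)
{
    NTSTATUS Status;
    LPCWSTR wszCipher = L"TLS_RSA_WITH_RC4_128_SHA";

    Status = BCryptRemoveContextFunction(
        CRYPT_LOCAL,
        L"SSL",
        NCRYPT_SCHANNEL_INTERFACE,
        wszCipher);

    /* Report the result: a silent failure would leave the suite enabled. */
    if (!BCRYPT_SUCCESS(Status))
    {
        printf_s("\n**** Error 0x%x returned by BCryptRemoveContextFunction\n", (unsigned int)Status);
        return 1;
    }
    return 0;
}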
Delete a cipher suite
On Stack Overflow, someone ported the code for getting the cipher suite list to C# and then compiled it into an exe using the PowerShell compiler, so that it can be called directly from the cmd console on other machines.
Stackoverflow. Link: https://stackoverflow.com/questions/19695623/how-to-call-schannel-functions-from-net-c
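using System;
using System.Text;
using System.Runtime.InteropServices;

namespace ConsoleApplication1
{
    /// <summary>
    /// Console tool that prints the cipher suites registered for the Schannel
    /// "SSL" context in the local-machine CNG configuration, using P/Invoke
    /// calls into Bcrypt.dll.
    /// </summary>
    class Program
    {
        [DllImport("Bcrypt.dll", CharSet = CharSet.Unicode)]
        static extern uint BCryptEnumContextFunctions(uint dwTable, string pszContext, uint dwInterface, ref uint pcbBuffer, ref IntPtr ppBuffer);

        [DllImport("Bcrypt.dll")]
        static extern void BCryptFreeBuffer(IntPtr pvBuffer);

        // Declared for completeness; this program only enumerates and never
        // changes the configuration.
        [DllImport("Bcrypt.dll", CharSet = CharSet.Unicode)]
        static extern uint BCryptAddContextFunction(uint dwTable, string pszContext, uint dwInterface, string pszFunction, uint dwPosition);

        [DllImport("Bcrypt.dll", CharSet = CharSet.Unicode)]
        static extern uint BCryptRemoveContextFunction(uint dwTable, string pszContext, uint dwInterface, string pszFunction);

        /// <summary>
        /// Managed view of the native result buffer: a count followed by a
        /// pointer to an array of pointers to UTF-16 strings.
        /// </summary>
        [StructLayout(LayoutKind.Sequential)]
        public struct CRYPT_CONTEXT_FUNCTIONS
        {
            public uint cFunctions;
            public IntPtr rgpszFunctions;
        }

        const uint CRYPT_LOCAL = 0x00000001;
        const uint NCRYPT_SCHANNEL_INTERFACE = 0x00010002;
        const uint CRYPT_PRIORITY_TOP = 0x00000000;
        const uint CRYPT_PRIORITY_BOTTOM = 0xFFFFFFFF;

        /// <summary>
        /// Enumerates the cipher suites and writes the count followed by one
        /// suite name per line to the console. When the native call fails, the
        /// status code is written instead of failing silently.
        /// </summary>
        public static void DoStuff()
        {
            uint cbBuffer = 0;
            IntPtr ppBuffer = IntPtr.Zero;
            uint Status = BCryptEnumContextFunctions(
                CRYPT_LOCAL,
                "SSL",
                NCRYPT_SCHANNEL_INTERFACE,
                ref cbBuffer,
                ref ppBuffer);

            if (Status != 0)
            {
                Console.WriteLine("BCryptEnumContextFunctions failed with status 0x{0:X8}", Status);
                return;
            }

            if (ppBuffer == IntPtr.Zero)
            {
                Console.WriteLine("BCryptEnumContextFunctions returned a null buffer");
                return;
            }

            try
            {
                CRYPT_CONTEXT_FUNCTIONS functions = (CRYPT_CONTEXT_FUNCTIONS)Marshal.PtrToStructure(ppBuffer, typeof(CRYPT_CONTEXT_FUNCTIONS));
                Console.WriteLine(functions.cFunctions);

                // rgpszFunctions points at an array of string pointers; walk
                // it one pointer-sized slot at a time.
                IntPtr pStr = functions.rgpszFunctions;
                for (uint i = 0; i < functions.cFunctions; i++)
                {
                    Console.WriteLine(Marshal.PtrToStringUni(Marshal.ReadIntPtr(pStr)));
                    pStr += IntPtr.Size;
                }
            }
            finally
            {
                // The buffer was allocated by the native side; release it even
                // if marshalling or console output throws.
                BCryptFreeBuffer(ppBuffer);
            }
        }

        /// <summary>
        /// Prints the list and waits for Enter so the console window stays open.
        /// </summary>
        static void Main(string[] args)
        {
            DoStuff();
            Console.ReadLine();
        }
    }
}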
Cipher Suite list
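OpenSSL can also list cipher suites; note that it reports the suites of the local OpenSSL build, which is independent of the Windows Schannel configuration: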
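# Print the cipher suites known to the local OpenSSL build, with details
# (protocol version, key exchange, authentication, encryption, MAC).
openssl ciphers -v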
Microsoft also provides a list of default enabled cipher suites and corresponding settings for each operating system version.
List of Supported Cipher Suites for each operating system: https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
TLS/SSL settings: https://technet.microsoft.com/zh-cn/library/dn786418%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396#BKMK_SchannelTR_SSL30