檢查windows系統支援的密碼套件


Windows 10 用戶端及 Windows Server 2016 伺服器可以使用 PowerShell 命令獲得系統支援的密碼套件列表,並啟用或禁用相應的密碼套件。

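# Cmdlet reference: https://technet.microsoft.com/zh-cn/library/dn931990.aspx
# Windows 10 / Windows Server 2016: list the names of the cipher suites the system supports.
# Save this output before changing anything so the previous state can be restored.
Get-TlsCipherSuite | Format-Table Name

# Windows 10 / Windows Server 2016: enable a cipher suite.
# '<CIPHER_SUITE_NAME>' is a placeholder; substitute a name taken from the listing above.
Enable-TlsCipherSuite -Name '<CIPHER_SUITE_NAME>'

# Windows 10 / Windows Server 2016: disable a cipher suite.
# Disabling affects every Schannel client and server on the machine, so check
# which suites the peers of this host actually need before removing one.
Disable-TlsCipherSuite -Name '<CIPHER_SUITE_NAME>'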

Windows Server 2016 之前的版本,微軟並沒有給出相應的 PowerShell 命令來擷取密碼套件列表,但在 MSDN 上給出了 C++ 代碼。

msdn連結:https://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx

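 /*
  * Prints the cipher suites registered for the "SSL" (Schannel) context in the
  * local-machine configuration table. Read-only: nothing is changed.
  * Link with Bcrypt.lib.
  */
 #include <stdio.h>
 #include <windows.h>
 #include <bcrypt.h>

 int main()
 {
     DWORD cbBuffer = 0;
     PCRYPT_CONTEXT_FUNCTIONS pBuffer = NULL;

     /* With *ppBuffer == NULL the API allocates the buffer itself; it must be
        released with BCryptFreeBuffer once we are done with it. */
     NTSTATUS Status = BCryptEnumContextFunctions(
         CRYPT_LOCAL,
         L"SSL",
         NCRYPT_SCHANNEL_INTERFACE,
         &cbBuffer,
         &pBuffer);

     if (!BCRYPT_SUCCESS(Status))
     {
         printf_s("\n**** Error 0x%x returned by BCryptEnumContextFunctions\n", (unsigned int)Status);
         if (pBuffer != NULL)
         {
             BCryptFreeBuffer(pBuffer);
         }
         return 1;
     }

     if (pBuffer == NULL)
     {
         printf_s("\n**** Error pBuffer returned from BCryptEnumContextFunctions is null");
         return 1;
     }

     printf_s("\n\n Listing Cipher Suites ");
     for (ULONG index = 0; index < pBuffer->cFunctions; ++index)
     {
         /* %S: the suite names are wide strings printed through a narrow printf. */
         printf_s("\n%S", pBuffer->rgpszFunctions[index]);
     }

     BCryptFreeBuffer(pBuffer);
     return 0;
 }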
獲得密碼套件列表
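 /*
  * Moves one cipher suite to the top of the Schannel priority list in the
  * local-machine configuration table. Link with Bcrypt.lib.
  *
  * This changes machine-wide TLS behaviour. It presumably needs an elevated
  * (administrator) process - confirm on the target system.
  */
 #include <stdio.h>
 #include <windows.h>
 #include <bcrypt.h>

 int main()
 {
     /* NOTE(review): the suite name is kept exactly as the page's sample gives it.
        It is an export-grade, single-DES suite. Giving it top priority makes the
        host prefer weak encryption, so use it only to see how the call works and
        substitute a suite your TLS policy allows on any real machine. */
     LPCWSTR wszCipher = L"RSA_EXPORT1024_DES_CBC_SHA";

     NTSTATUS Status = BCryptAddContextFunction(
         CRYPT_LOCAL,
         L"SSL",
         NCRYPT_SCHANNEL_INTERFACE,
         wszCipher,
         CRYPT_PRIORITY_TOP);

     /* The original sample discarded the status, so a failed change went unnoticed. */
     if (!BCRYPT_SUCCESS(Status))
     {
         printf_s("\n**** Error 0x%x returned by BCryptAddContextFunction\n", (unsigned int)Status);
         return 1;
     }

     return 0;
 }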
添加某個密碼套件到優先順序頂部(範例中的 RSA_EXPORT1024_DES_CBC_SHA 屬於出口級弱套件,僅用於示範呼叫方式,實際環境應改用強度足夠的套件)
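 /*
  * Removes one cipher suite from the Schannel list in the local-machine
  * configuration table. Link with Bcrypt.lib.
  *
  * This changes machine-wide TLS behaviour. It presumably needs an elevated
  * (administrator) process - confirm on the target system.
  */
 #include <stdio.h>
 #include <windows.h>
 #include <bcrypt.h>

 int main()
 {
     /* RC4 suites are prohibited for TLS by RFC 7465, so this one is a
        reasonable candidate for removal. */
     LPCWSTR wszCipher = L"TLS_RSA_WITH_RC4_128_SHA";

     NTSTATUS Status = BCryptRemoveContextFunction(
         CRYPT_LOCAL,
         L"SSL",
         NCRYPT_SCHANNEL_INTERFACE,
         wszCipher);

     /* Report failure instead of silently ignoring it; otherwise the suite may
        still be enabled while the operator believes it was removed. */
     if (!BCRYPT_SUCCESS(Status))
     {
         printf_s("\n**** Error 0x%x returned by BCryptRemoveContextFunction\n", (unsigned int)Status);
         return 1;
     }

     return 0;
 }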
刪除某個密碼套件

Stack Overflow 上有人將獲得密碼套件列表的代碼改成了 C#,然後利用 PowerShell 命令(Add-Type)可以直接調用這些代碼,也可以將這些代碼利用 csc.exe 編譯成 .dll 或者 .exe。建議編譯成 exe,這樣可以直接在其他終端(如 cmd 控制台)調用。

Stack Overflow 連結:https://stackoverflow.com/questions/19695623/how-to-call-schannel-functions-from-net-c

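 using System;
 using System.Text;
 using System.Runtime.InteropServices;

 namespace ConsoleApplication1
 {
     /// <summary>
     /// Console program that lists the Schannel ("SSL" context) cipher suites of the
     /// local machine through P/Invoke calls into Bcrypt.dll.
     /// </summary>
     class Program
     {
         // Enumerates the functions (cipher suites) registered for a context.
         // The API allocates *ppBuffer; release it with BCryptFreeBuffer.
         [DllImport("Bcrypt.dll", CharSet = CharSet.Unicode)]
         static extern uint BCryptEnumContextFunctions(uint dwTable, string pszContext, uint dwInterface, ref uint pcbBuffer, ref IntPtr ppBuffer);

         [DllImport("Bcrypt.dll")]
         static extern void BCryptFreeBuffer(IntPtr pvBuffer);

         // Declared for completeness but not called below. Both calls modify the
         // machine-wide Schannel configuration, so treat any use as a change to the
         // host's TLS policy.
         [DllImport("Bcrypt.dll", CharSet = CharSet.Unicode)]
         static extern uint BCryptAddContextFunction(uint dwTable, string pszContext, uint dwInterface, string pszFunction, uint dwPosition);

         [DllImport("Bcrypt.dll", CharSet = CharSet.Unicode)]
         static extern uint BCryptRemoveContextFunction(uint dwTable, string pszContext, uint dwInterface, string pszFunction);

         // Managed mirror of the native CRYPT_CONTEXT_FUNCTIONS structure:
         // a count followed by a pointer to an array of wide-string pointers.
         [StructLayout(LayoutKind.Sequential)]
         public struct CRYPT_CONTEXT_FUNCTIONS
         {
             public uint cFunctions;
             public IntPtr rgpszFunctions;
         }

         const uint CRYPT_LOCAL = 0x00000001;
         const uint NCRYPT_SCHANNEL_INTERFACE = 0x00010002;
         const uint CRYPT_PRIORITY_TOP = 0x00000000;
         const uint CRYPT_PRIORITY_BOTTOM = 0xFFFFFFFF;

         /// <summary>
         /// Writes the number of cipher suites, then one suite name per line, to
         /// standard output. On failure the status code is written to standard error.
         /// </summary>
         public static void DoStuff()
         {
             uint cbBuffer = 0;
             IntPtr ppBuffer = IntPtr.Zero;
             uint Status = BCryptEnumContextFunctions(
                     CRYPT_LOCAL,
                     "SSL",
                     NCRYPT_SCHANNEL_INTERFACE,
                     ref cbBuffer,
                     ref ppBuffer);

             if (Status != 0)
             {
                 // The original returned silently here, which is indistinguishable
                 // from "no suites configured" for whoever reads the output.
                 Console.Error.WriteLine("BCryptEnumContextFunctions failed with status 0x{0:X8}", Status);
                 return;
             }

             if (ppBuffer == IntPtr.Zero)
             {
                 Console.Error.WriteLine("BCryptEnumContextFunctions returned a null buffer");
                 return;
             }

             try
             {
                 CRYPT_CONTEXT_FUNCTIONS functions = (CRYPT_CONTEXT_FUNCTIONS)Marshal.PtrToStructure(ppBuffer, typeof(CRYPT_CONTEXT_FUNCTIONS));
                 Console.WriteLine(functions.cFunctions);

                 for (int i = 0; i < functions.cFunctions; i++)
                 {
                     // Entry i of the native pointer array, read by byte offset.
                     IntPtr pName = Marshal.ReadIntPtr(functions.rgpszFunctions, i * IntPtr.Size);
                     Console.WriteLine(Marshal.PtrToStringUni(pName));
                 }
             }
             finally
             {
                 // Release the native buffer even if marshalling throws.
                 BCryptFreeBuffer(ppBuffer);
             }
         }

         static void Main(string[] args)
         {
             DoStuff();
             // Keep the console window open until Enter is pressed.
             Console.ReadLine();
         }
     }
 }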
密碼套件列表

openssl 也可以獲得密碼套件列表(列出的是 OpenSSL 本身支援的套件,而不是 Windows Schannel 的設定):

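# Lists, in verbose form, the cipher suites known to the local OpenSSL build.
openssl ciphers -v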

 

微軟也給出了各作業系統版本中預設啟用的密碼套件列表以及相應的設定

各作業系統支援密碼套件的列表:https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

TLS/SSL設定:https://technet.microsoft.com/zh-cn/library/dn786418%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396#BKMK_SchannelTR_SSL30
