目标主机使用了不受支持的SSL加密算法【原理扫描】

描述:

通过向服务端发送请求,获取到Banner信息,从而检测到目标服务加密通信使用的SSL加密算法

解决办法:

切换到TLSv1.2或者更高版本的加密协议。

执行操作:

  1. 以管理员身份运行PowerShell
    按 Win + X → 选择 "Windows PowerShell (管理员)"

  2. 执行以下命令:

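    # Relax the execution policy for this PowerShell session only. The Process scope
    # is discarded when the window closes, so the user's persistent policy is left
    # as it was (the CurrentUser scope would keep RemoteSigned in effect afterwards).
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
    # The script is expected to have been saved in this folder beforehand.
    cd C:\UpgradeFix
    .\Fix-SSLTLS-Protocol.ps1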

ps1的完整脚本如下:

# ============================================================
# SSL/TLS Protocol Security Hardening Script
# Function: Disable insecure SSL/TLS protocols, enable TLS 1.2 and TLS 1.3
# Usage: Run PowerShell as Administrator, execute this script
# ============================================================

# Make every cmdlet error terminating, so a failed step reaches a catch block
# instead of being skipped silently.
$ErrorActionPreference = "Stop"

# Banner.
$rule = "========================================"
foreach ($bannerLine in $rule, "  SSL/TLS Protocol Configuration Script", $rule) {
    Write-Host $bannerLine -ForegroundColor Cyan
}
Write-Host ""

# Stop early unless the current identity holds the built-in Administrator role.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    Write-Host "ERROR: Please run this script as Administrator!" -ForegroundColor Red
    Write-Host "Right-click PowerShell -> Run as Administrator" -ForegroundColor Yellow
    exit 1
}

Write-Host "[OK] Administrator privilege check passed" -ForegroundColor Green
Write-Host ""

# Tell the operator exactly what is about to change before asking for consent.
$notice = @(
    "WARNING: This script will modify system SSL/TLS protocol configuration",
    "  - Disable SSL 2.0, SSL 3.0",
    "  - Disable TLS 1.0, TLS 1.1",
    "  - Enable TLS 1.2, TLS 1.3"
)
foreach ($noticeLine in $notice) {
    Write-Host $noticeLine -ForegroundColor Yellow
}
Write-Host ""

$answer = Read-Host "Continue execution? (Y/N)"

# -ne compares strings case-insensitively, so this single test accepts "Y" and "y".
if ($answer -ne "Y") {
    Write-Host "Operation cancelled" -ForegroundColor Yellow
    exit 0
}

Write-Host ""
Write-Host "Starting SSL/TLS protocol configuration..." -ForegroundColor Cyan
Write-Host ""

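# Root of the SCHANNEL per-protocol settings. Only protocol versions are changed
# below; cipher suites are not touched, so re-run the scanner after the restart to
# confirm the finding is cleared.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

# Writes the Enabled / DisabledByDefault DWORD pair for one protocol version under
# both its Client and Server subkeys.
#   -Protocol  subkey name under $regPath, e.g. "TLS 1.2"
#   -Enable    $true  -> Enabled=1, DisabledByDefault=0
#              $false -> Enabled=0, DisabledByDefault=1
# Errors are terminating if the caller has set $ErrorActionPreference = "Stop".
function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory = $true)][string]$Protocol,
        [Parameter(Mandatory = $true)][bool]$Enable
    )

    $enabledValue = if ($Enable) { 1 } else { 0 }
    $disabledByDefaultValue = if ($Enable) { 0 } else { 1 }

    foreach ($role in "Client", "Server") {
        $roleKey = "$regPath\$Protocol\$role"

        # Create the key only when it is missing. New-Item -Force on an existing
        # registry key can replace it and drop values already stored there, so an
        # unconditional call would make re-runs destructive. -Force is kept for the
        # missing case because it also creates the parent protocol key.
        if (-not (Test-Path -Path $roleKey)) {
            New-Item -Path $roleKey -Force | Out-Null
        }

        New-ItemProperty -Path $roleKey -Name "Enabled" -Value $enabledValue -PropertyType DWORD -Force | Out-Null
        New-ItemProperty -Path $roleKey -Name "DisabledByDefault" -Value $disabledByDefaultValue -PropertyType DWORD -Force | Out-Null
    }
}

try {
    # Steps 1-4: switch off the legacy protocols. The Client subkey governs outbound
    # connections made by this host, so peers that only speak these versions will no
    # longer be reachable from it - check dependencies before rolling out widely.
    $step = 0
    foreach ($protocol in "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1") {
        $step++
        Write-Host "[$step/6] Disabling $protocol..." -ForegroundColor White
        Set-SchannelProtocol -Protocol $protocol -Enable $false
        Write-Host "  [OK] $protocol disabled" -ForegroundColor Green
    }

    Write-Host "[5/6] Enabling TLS 1.2..." -ForegroundColor White
    Set-SchannelProtocol -Protocol "TLS 1.2" -Enable $true
    Write-Host "  [OK] TLS 1.2 enabled" -ForegroundColor Green

    Write-Host "[6/6] Enabling TLS 1.3..." -ForegroundColor White
    # Writing the registry values succeeds on any Windows version, so a try/catch
    # alone cannot detect missing TLS 1.3 support. Gate on the OS build instead:
    # 20348 is the Windows Server 2022 build, and Windows 11 builds are higher.
    $tls13MinimumBuild = 20348
    $tls13Enabled = $false
    if ([Environment]::OSVersion.Version.Build -lt $tls13MinimumBuild) {
        Write-Host "  [!] TLS 1.3 not supported on this Windows version (requires Windows Server 2022 or later)" -ForegroundColor Yellow
    }
    else {
        try {
            Set-SchannelProtocol -Protocol "TLS 1.3" -Enable $true
            $tls13Enabled = $true
            Write-Host "  [OK] TLS 1.3 enabled" -ForegroundColor Green
        }
        catch {
            # Best effort, as in the original: TLS 1.2 is already enabled, so a
            # failure here is reported but does not abort the run.
            Write-Host "  [!] Could not write TLS 1.3 settings: $_" -ForegroundColor Yellow
        }
    }

    Write-Host ""
    Write-Host "========================================" -ForegroundColor Green
    Write-Host "  SSL/TLS Protocol Configuration Completed!" -ForegroundColor Green
    Write-Host "========================================" -ForegroundColor Green
    Write-Host ""

    # Report what was actually written rather than a fixed list.
    $enabledList = if ($tls13Enabled) { "TLS 1.2, TLS 1.3" } else { "TLS 1.2" }
    Write-Host "Configuration Summary:" -ForegroundColor Cyan
    Write-Host "  Disabled: SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1" -ForegroundColor Yellow
    Write-Host "  Enabled: $enabledList" -ForegroundColor Green
    Write-Host ""

    Write-Host "IMPORTANT:" -ForegroundColor Red
    Write-Host "  Configuration completed, but requires server restart to take effect!" -ForegroundColor Red
    Write-Host "  Please restart the server during a maintenance window." -ForegroundColor Red
    Write-Host ""

    # -eq compares strings case-insensitively, so "y" is accepted as well.
    $restart = Read-Host "Restart server now? (Y/N)"
    if ($restart -eq "Y") {
        Write-Host "Restarting server..." -ForegroundColor Yellow
        # -Force restarts immediately, even if other users are logged on.
        Restart-Computer -Force
    }
    else {
        Write-Host "Please restart the server manually when convenient to apply configuration." -ForegroundColor Yellow
    }

}
catch {
    # Any terminating error from steps 1-5 lands here. Keys written before the
    # failure stay in place, so review the Protocols key before retrying.
    Write-Host ""
    Write-Host "ERROR: Exception occurred during configuration" -ForegroundColor Red
    Write-Host "Details: $_" -ForegroundColor Red
    Write-Host ""
    Write-Host "Suggestions:" -ForegroundColor Yellow
    Write-Host "  1. Confirm running as Administrator" -ForegroundColor Yellow
    Write-Host "  2. Check system permission settings" -ForegroundColor Yellow
    Write-Host "  3. Configure manually via Registry Editor" -ForegroundColor Yellow
    exit 1
}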