目标主机使用了不受支持的SSL加密算法【原理扫描】

描述:

通过向服务端发送请求,获取到Banner信息,从而检测到目标服务加密通信使用的SSL加密算法

解决办法:

切换到TLSv1.2或者更高解密协议。

执行操作:

  1. 以管理员身份运行PowerShell
    按 Win + X → 选择 "Windows PowerShell (管理员)"

  2. 执行以下命令:

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
    cd C:\UpgradeFix
    .\Fix-SSLTLS-Protocol.ps1

ps1的完整脚本如下:

复制代码
# ============================================================
# SSL/TLS Protocol Security Hardening Script
# Function: Disable insecure SSL/TLS protocols, enable TLS 1.2 and TLS 1.3
# Usage: Run PowerShell as Administrator, execute this script
# ============================================================

$ErrorActionPreference = "Stop"

Write-Host "========================================" -ForegroundColor Cyan
Write-Host "  SSL/TLS Protocol Configuration Script" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
Write-Host ""

$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Host "ERROR: Please run this script as Administrator!" -ForegroundColor Red
    Write-Host "Right-click PowerShell -> Run as Administrator" -ForegroundColor Yellow
    exit 1
}

Write-Host "[OK] Administrator privilege check passed" -ForegroundColor Green
Write-Host ""

Write-Host "WARNING: This script will modify system SSL/TLS protocol configuration" -ForegroundColor Yellow
Write-Host "  - Disable SSL 2.0, SSL 3.0" -ForegroundColor Yellow
Write-Host "  - Disable TLS 1.0, TLS 1.1" -ForegroundColor Yellow
Write-Host "  - Enable TLS 1.2, TLS 1.3" -ForegroundColor Yellow
Write-Host ""
$confirm = Read-Host "Continue execution? (Y/N)"

if ($confirm -ne "Y" -and $confirm -ne "y") {
    Write-Host "Operation cancelled" -ForegroundColor Yellow
    exit 0
}

Write-Host ""
Write-Host "Starting SSL/TLS protocol configuration..." -ForegroundColor Cyan
Write-Host ""

$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

try {
    Write-Host "[1/6] Disabling SSL 2.0..." -ForegroundColor White
    New-Item -Path "$regPath\SSL 2.0" -Force | Out-Null
    New-Item -Path "$regPath\SSL 2.0\Client" -Force | Out-Null
    New-ItemProperty -Path "$regPath\SSL 2.0\Client" -Name "Enabled" -Value 0 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path "$regPath\SSL 2.0\Client" -Name "DisabledByDefault" -Value 1 -PropertyType DWORD -Force | Out-Null
    New-Item -Path "$regPath\SSL 2.0\Server" -Force | Out-Null
    New-ItemProperty -Path "$regPath\SSL 2.0\Server" -Name "Enabled" -Value 0 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path "$regPath\SSL 2.0\Server" -Name "DisabledByDefault" -Value 1 -PropertyType DWORD -Force | Out-Null
    Write-Host "  [OK] SSL 2.0 disabled" -ForegroundColor Green

    Write-Host "[2/6] Disabling SSL 3.0..." -ForegroundColor White
    New-Item -Path "$regPath\SSL 3.0" -Force | Out-Null
    New-Item -Path "$regPath\SSL 3.0\Client" -Force | Out-Null
    New-ItemProperty -Path "$regPath\SSL 3.0\Client" -Name "Enabled" -Value 0 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path "$regPath\SSL 3.0\Client" -Name "DisabledByDefault" -Value 1 -PropertyType DWORD -Force | Out-Null
    New-Item -Path "$regPath\SSL 3.0\Server" -Force | Out-Null
    New-ItemProperty -Path "$regPath\SSL 3.0\Server" -Name "Enabled" -Value 0 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path "$regPath\SSL 3.0\Server" -Name "DisabledByDefault" -Value 1 -PropertyType DWORD -Force | Out-Null
    Write-Host "  [OK] SSL 3.0 disabled" -ForegroundColor Green

    Write-Host "[3/6] Disabling TLS 1.0..." -ForegroundColor White
    New-Item -Path "$regPath\TLS 1.0" -Force | Out-Null
    New-Item -Path "$regPath\TLS 1.0\Client" -Force | Out-Null
    New-ItemProperty -Path "$regPath\TLS 1.0\Client" -Name "Enabled" -Value 0 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path "$regPath\TLS 1.0\Client" -Name "DisabledByDefault" -Value 1 -PropertyType DWORD -Force | Out-Null
    New-Item -Path "$regPath\TLS 1.0\Server" -Force | Out-Null
    New-ItemProperty -Path "$regPath\TLS 1.0\Server" -Name "Enabled" -Value 0 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path "$regPath\TLS 1.0\Server" -Name "DisabledByDefault" -Value 1 -PropertyType DWORD -Force | Out-Null
    Write-Host "  [OK] TLS 1.0 disabled" -ForegroundColor Green

    Write-Host "[4/6] Disabling TLS 1.1..." -ForegroundColor White
    New-Item -Path "$regPath\TLS 1.1" -Force | Out-Null
    New-Item -Path "$regPath\TLS 1.1\Client" -Force | Out-Null
    New-ItemProperty -Path "$regPath\TLS 1.1\Client" -Name "Enabled" -Value 0 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path "$regPath\TLS 1.1\Client" -Name "DisabledByDefault" -Value 1 -PropertyType DWORD -Force | Out-Null
    New-Item -Path "$regPath\TLS 1.1\Server" -Force | Out-Null
    New-ItemProperty -Path "$regPath\TLS 1.1\Server" -Name "Enabled" -Value 0 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path "$regPath\TLS 1.1\Server" -Name "DisabledByDefault" -Value 1 -PropertyType DWORD -Force | Out-Null
    Write-Host "  [OK] TLS 1.1 disabled" -ForegroundColor Green

    Write-Host "[5/6] Enabling TLS 1.2..." -ForegroundColor White
    New-Item -Path "$regPath\TLS 1.2" -Force | Out-Null
    New-Item -Path "$regPath\TLS 1.2\Client" -Force | Out-Null
    New-ItemProperty -Path "$regPath\TLS 1.2\Client" -Name "Enabled" -Value 1 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path "$regPath\TLS 1.2\Client" -Name "DisabledByDefault" -Value 0 -PropertyType DWORD -Force | Out-Null
    New-Item -Path "$regPath\TLS 1.2\Server" -Force | Out-Null
    New-ItemProperty -Path "$regPath\TLS 1.2\Server" -Name "Enabled" -Value 1 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path "$regPath\TLS 1.2\Server" -Name "DisabledByDefault" -Value 0 -PropertyType DWORD -Force | Out-Null
    Write-Host "  [OK] TLS 1.2 enabled" -ForegroundColor Green

    Write-Host "[6/6] Enabling TLS 1.3..." -ForegroundColor White
    try {
        New-Item -Path "$regPath\TLS 1.3" -Force | Out-Null
        New-Item -Path "$regPath\TLS 1.3\Client" -Force | Out-Null
        New-ItemProperty -Path "$regPath\TLS 1.3\Client" -Name "Enabled" -Value 1 -PropertyType DWORD -Force | Out-Null
        New-ItemProperty -Path "$regPath\TLS 1.3\Client" -Name "DisabledByDefault" -Value 0 -PropertyType DWORD -Force | Out-Null
        New-Item -Path "$regPath\TLS 1.3\Server" -Force | Out-Null
        New-ItemProperty -Path "$regPath\TLS 1.3\Server" -Name "Enabled" -Value 1 -PropertyType DWORD -Force | Out-Null
        New-ItemProperty -Path "$regPath\TLS 1.3\Server" -Name "DisabledByDefault" -Value 0 -PropertyType DWORD -Force | Out-Null
        Write-Host "  [OK] TLS 1.3 enabled" -ForegroundColor Green
    }
    catch {
        Write-Host "  [!] TLS 1.3 not supported on this Windows version (requires Windows Server 2022 or later)" -ForegroundColor Yellow
    }

    Write-Host ""
    Write-Host "========================================" -ForegroundColor Green
    Write-Host "  SSL/TLS Protocol Configuration Completed!" -ForegroundColor Green
    Write-Host "========================================" -ForegroundColor Green
    Write-Host ""

    Write-Host "Configuration Summary:" -ForegroundColor Cyan
    Write-Host "  Disabled: SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1" -ForegroundColor Yellow
    Write-Host "  Enabled: TLS 1.2, TLS 1.3" -ForegroundColor Green
    Write-Host ""

    Write-Host "IMPORTANT:" -ForegroundColor Red
    Write-Host "  Configuration completed, but requires server restart to take effect!" -ForegroundColor Red
    Write-Host "  Please restart the server during a maintenance window." -ForegroundColor Red
    Write-Host ""

    $restart = Read-Host "Restart server now? (Y/N)"
    if ($restart -eq "Y" -or $restart -eq "y") {
        Write-Host "Restarting server..." -ForegroundColor Yellow
        Restart-Computer -Force
    }
    else {
        Write-Host "Please restart the server manually when convenient to apply configuration." -ForegroundColor Yellow
    }

}
catch {
    Write-Host ""
    Write-Host "ERROR: Exception occurred during configuration" -ForegroundColor Red
    Write-Host "Details: $_" -ForegroundColor Red
    Write-Host ""
    Write-Host "Suggestions:" -ForegroundColor Yellow
    Write-Host "  1. Confirm running as Administrator" -ForegroundColor Yellow
    Write-Host "  2. Check system permission settings" -ForegroundColor Yellow
    Write-Host "  3. Configure manually via Registry Editor" -ForegroundColor Yellow
    exit 1
}
相关推荐
laoli_coding7 小时前
如何配置HTTPS站点访问的免费SSL域名证书
网络协议·https·node.js·ssl
IpdataCloud9 小时前
担心IP暴露隐私?用安全IP查询工具自查,三步配置网络出口
网络·tcp/ip·安全·ip
xy345310 小时前
wireshark 如何捕获信息
网络·测试工具·渗透测试·wireshark
玖玥拾11 小时前
C# 语言进阶(十五)C# 游戏服务端 MySQL 数据库
服务器·开发语言·网络·数据库·mysql·c#
一个有温度的技术博主13 小时前
【VulnHub 实战】DC-1 靶机渗透测试笔记(一):信息收集与主机发现
服务器·网络·笔记
白帽小阳13 小时前
2026前端面试题!(附答案及解析)
javascript·网络·python·安全·web安全·网络安全·护网行动
hehelm15 小时前
Linux网络编程—TCP字典翻译系统
linux·开发语言·网络·c++·tcp/ip
持力行15 小时前
D-BUS会话总线
运维·网络
pt104315 小时前
思科网络自动化-API常用数据编码格式(JSON/XML/YAML)课程与实践
linux·服务器·网络
糖果店的幽灵16 小时前
安全测试从入门到精通_网络基础与HTTPS
网络·https·php