描述:
通过向服务端发送请求并获取 Banner 信息,检测出目标服务在加密通信中使用的 SSL 加密算法。
解决办法:
切换到 TLSv1.2 或更高版本的加密协议。
执行操作:
-
以管理员身份运行PowerShell
按 Win + X → 选择 "Windows PowerShell (管理员)"
- 执行以下命令:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
cd C:\UpgradeFix
.\Fix-SSLTLS-Protocol.ps1
Fix-SSLTLS-Protocol.ps1 的完整脚本如下:
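# ============================================================
# SSL/TLS Protocol Security Hardening Script (Fix-SSLTLS-Protocol.ps1)
# Function: Disable insecure SSL/TLS protocols (SSL 2.0, SSL 3.0, TLS 1.0,
#           TLS 1.1) and enable TLS 1.2 / TLS 1.3 for both the Schannel
#           Client and Server roles by writing SCHANNEL\Protocols keys.
# Usage:    Run PowerShell as Administrator, execute this script.
# Notes:    - The existing Protocols key is exported to a .reg backup before
#             anything is changed, so the previous state can be restored with
#             `reg import <backup file>` if a dependent application breaks.
#           - The change only takes effect after a reboot.
#           - Only Schannel is configured. Software with its own TLS stack
#             (OpenSSL, Java, ...) is unaffected, and .NET Framework apps that
#             do not follow the system default TLS versions may still try
#             TLS 1.0/1.1; review such applications before running this.
# ============================================================
$ErrorActionPreference = "Stop"

# Registry root for all Schannel protocol settings.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

# First Windows build with Schannel TLS 1.3 support: Windows Server 2022 (and
# Windows 11) ship as build 20348 or later. The registry write itself succeeds
# on any build; older Schannel versions simply ignore the key.
$tls13MinBuild = 20348

# Protocols in the order they are applied and reported.
#   Enabled = $false -> Enabled=0, DisabledByDefault=1 (protocol off)
#   Enabled = $true  -> Enabled=1, DisabledByDefault=0 (protocol on)
# Both values are written so the state is unambiguous regardless of the
# per-version Schannel defaults.
$protocols = @(
    @{ Name = "SSL 2.0"; Enabled = $false },
    @{ Name = "SSL 3.0"; Enabled = $false },
    @{ Name = "TLS 1.0"; Enabled = $false },
    @{ Name = "TLS 1.1"; Enabled = $false },
    @{ Name = "TLS 1.2"; Enabled = $true  },
    @{ Name = "TLS 1.3"; Enabled = $true  }
)

function Set-SchannelProtocol {
    <#
    .SYNOPSIS
        Enables or disables one Schannel protocol for both the Client and
        Server roles.
    .PARAMETER Name
        Protocol key name under SCHANNEL\Protocols, e.g. "TLS 1.2".
    .PARAMETER Enabled
        $true to enable the protocol, $false to disable it.
    .OUTPUTS
        None. Registry errors surface as terminating errors because
        $ErrorActionPreference is "Stop".
    #>
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $enabledValue  = if ($Enabled) { 1 } else { 0 }
    $disabledValue = if ($Enabled) { 0 } else { 1 }
    foreach ($role in @("Client", "Server")) {
        $key = "$regPath\$Name\$role"
        # -Force makes New-Item idempotent when the key already exists and
        # lets New-ItemProperty overwrite an existing value.
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name "Enabled" -Value $enabledValue -PropertyType DWORD -Force | Out-Null
        New-ItemProperty -Path $key -Name "DisabledByDefault" -Value $disabledValue -PropertyType DWORD -Force | Out-Null
    }
}

function Backup-SchannelProtocols {
    <#
    .SYNOPSIS
        Exports the current SCHANNEL\Protocols key to a timestamped .reg file.
    .OUTPUTS
        The path of the backup file, or $null when the key does not exist yet
        (nothing to back up).
    .NOTES
        The backup is written next to the script when run from a file,
        otherwise to $env:TEMP. reg.exe is a native command, so its exit code
        is checked explicitly; $ErrorActionPreference does not cover it.
    #>
    if (-not (Test-Path -Path $regPath)) {
        return $null
    }
    $backupDir  = if ($PSScriptRoot) { $PSScriptRoot } else { $env:TEMP }
    $stamp      = Get-Date -Format "yyyyMMdd-HHmmss"
    $backupFile = Join-Path -Path $backupDir -ChildPath "SCHANNEL-Protocols-backup-$stamp.reg"
    # reg.exe expects "HKLM\..." rather than the PowerShell provider path "HKLM:\...".
    $nativeKey  = $regPath -replace '^HKLM:\\', 'HKLM\'
    & reg.exe export $nativeKey $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg.exe export of $nativeKey failed with exit code $LASTEXITCODE"
    }
    return $backupFile
}

Write-Host "========================================" -ForegroundColor Cyan
Write-Host " SSL/TLS Protocol Configuration Script" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
Write-Host ""

# Writing under HKLM:\SYSTEM requires elevation; fail early with a clear
# message instead of a provider error halfway through the changes.
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Host "ERROR: Please run this script as Administrator!" -ForegroundColor Red
    Write-Host "Right-click PowerShell -> Run as Administrator" -ForegroundColor Yellow
    exit 1
}
Write-Host "[OK] Administrator privilege check passed" -ForegroundColor Green
Write-Host ""

Write-Host "WARNING: This script will modify system SSL/TLS protocol configuration" -ForegroundColor Yellow
Write-Host " - Disable SSL 2.0, SSL 3.0" -ForegroundColor Yellow
Write-Host " - Disable TLS 1.0, TLS 1.1" -ForegroundColor Yellow
Write-Host " - Enable TLS 1.2, TLS 1.3" -ForegroundColor Yellow
Write-Host ""
$confirm = Read-Host "Continue execution? (Y/N)"
# -ine is an explicitly case-insensitive comparison, so "y" is accepted too.
if ($confirm -ine "Y") {
    Write-Host "Operation cancelled" -ForegroundColor Yellow
    exit 0
}
Write-Host ""
Write-Host "Starting SSL/TLS protocol configuration..." -ForegroundColor Cyan
Write-Host ""

try {
    # Take the rollback snapshot before the first write.
    $backupFile = Backup-SchannelProtocols
    if ($backupFile) {
        Write-Host "[OK] Existing configuration backed up to $backupFile" -ForegroundColor Green
    }
    else {
        Write-Host "[i] No existing Protocols key found; nothing to back up" -ForegroundColor Yellow
    }
    Write-Host ""

    $step = 0
    foreach ($protocol in $protocols) {
        $step++
        $verb  = if ($protocol.Enabled) { "Enabling" } else { "Disabling" }
        $state = if ($protocol.Enabled) { "enabled" } else { "disabled" }
        Write-Host ("[{0}/{1}] {2} {3}..." -f $step, $protocols.Count, $verb, $protocol.Name) -ForegroundColor White
        Set-SchannelProtocol -Name $protocol.Name -Enabled $protocol.Enabled
        Write-Host (" [OK] {0} {1}" -f $protocol.Name, $state) -ForegroundColor Green
    }

    # Creating the TLS 1.3 key never fails on older Windows, so a try/catch
    # around the write cannot detect missing support. Check the OS build and
    # tell the operator when the TLS 1.3 setting will have no effect.
    $osBuild = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    if ($osBuild -lt $tls13MinBuild) {
        Write-Host (" [!] TLS 1.3 is not supported by Schannel on this Windows build ({0}); it requires Windows Server 2022 or later. TLS 1.2 remains enabled." -f $osBuild) -ForegroundColor Yellow
    }

    Write-Host ""
    Write-Host "========================================" -ForegroundColor Green
    Write-Host " SSL/TLS Protocol Configuration Completed!" -ForegroundColor Green
    Write-Host "========================================" -ForegroundColor Green
    Write-Host ""
    Write-Host "Configuration Summary:" -ForegroundColor Cyan
    Write-Host " Disabled: SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1" -ForegroundColor Yellow
    Write-Host " Enabled: TLS 1.2, TLS 1.3" -ForegroundColor Green
    if ($backupFile) {
        Write-Host " Rollback: reg import `"$backupFile`" (then reboot)" -ForegroundColor Cyan
    }
    Write-Host ""
    Write-Host "IMPORTANT:" -ForegroundColor Red
    Write-Host " Configuration completed, but requires server restart to take effect!" -ForegroundColor Red
    Write-Host " Please restart the server during a maintenance window." -ForegroundColor Red
    Write-Host ""

    $restart = Read-Host "Restart server now? (Y/N)"
    if ($restart -ieq "Y") {
        Write-Host "Restarting server..." -ForegroundColor Yellow
        Restart-Computer -Force
    }
    else {
        Write-Host "Please restart the server manually when convenient to apply configuration." -ForegroundColor Yellow
    }
}
catch {
    Write-Host ""
    Write-Host "ERROR: Exception occurred during configuration" -ForegroundColor Red
    Write-Host "Details: $_" -ForegroundColor Red
    Write-Host ""
    Write-Host "Suggestions:" -ForegroundColor Yellow
    Write-Host " 1. Confirm running as Administrator" -ForegroundColor Yellow
    Write-Host " 2. Check system permission settings" -ForegroundColor Yellow
    Write-Host " 3. Configure manually via Registry Editor" -ForegroundColor Yellow
    if ($backupFile) {
        Write-Host " 4. Restore the previous state with: reg import `"$backupFile`"" -ForegroundColor Yellow
    }
    exit 1
}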