1. Types of HTTPS certificates

SSL certificates have no notion of "quality" or "grade"; there are only three different types.
An SSL certificate must be requested from an internationally recognized certificate authority (CA).
CAs issue three types of certificate:
Domain Validated certificate (DV SSL): ordinary trust level; only the authenticity of the website is verified before the certificate is issued to protect the site;
Organization Validated certificate (OV SSL): strong trust level; the organization's identity must be verified, vetting is strict and security is higher;
Extended Validation certificate (EV SSL): highest trust level, generally used by banks, brokerages and other financial institutions; vetting is strict, security is highest, and it also activates the green address bar.

A DV certificate is all we need; the free SSL certificates one can obtain are generally DV certificates.

2. Applying for a free certificate

2.1 The trouble with self-signed certificates

A CA certificate is only trustworthy if it was issued by a trusted authority. A self-signed certificate is one you sign for yourself, without going through a third-party CA. Browsers ship with a default set of trusted CAs, all of which have passed the international WebTrust audit.

If your certificate was not issued by one of the CAs trusted by default in those browsers, you end up with a fiasco like 12306's.

2.2 Applying for a free DV certificate

Let's Encrypt is a public, free SSL project from abroad, hosted by the Linux Foundation and launched by Mozilla, Cisco, Akamai, IdenTrust, the EFF and other organizations. Reliable!

For applying for a free certificate you can refer to this article; the tools and steps are very complete, so I will not repeat them here:

http://www.cnblogs.com/teamblog/p/6219204.html

Once the certificate is issued, the IIS configuration is just creating a new website; nothing else needs configuring. Do not delete the old website. If you want to force HTTPS access, search for other articles; I will not go into that here.

3. Verifying the security of the HTTPS site

HTTPS is now reachable, but is HTTPS necessarily secure? We can check the site's security further with the site below, which tests mainly the security of the HTTPS configuration:

https://www.ssllabs.com/ssltest/analyze.html

The first test may come out as an F; mine did. That is because the operating system's default settings contain many insecure options which we have to change by hand.

Read the report's explanations carefully: TLS 1.2 is not enabled, RC4 is obsolete, Forward Secrecy support is poor, and so on.
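SSL Labs only sees the public site, and each registry change below needs a reboot before it can be re-tested. The following PowerShell function is an added example (not from the original post) that reproduces the relevant part of the check locally: it opens a TLS handshake to a server offering exactly one protocol version and reports whether the server accepted it and which cipher it chose. The host name www.example.com is a placeholder; replace it with your own server.

```powershell
# Added example (not from the original post): probe which protocol versions a
# server will negotiate, so the SSL Labs result can be reproduced locally after
# each registry change. 'www.example.com' is a placeholder host name.
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol = [System.Security.Authentication.SslProtocols]::Tls12
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # The callback accepts any certificate because this probe only records
        # which protocol and cipher the server negotiates, not whether the
        # certificate chain is trusted. Do not reuse it in code carrying real traffic.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            # Offer only the single requested protocol version.
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
            [pscustomobject]@{
                HostName    = $HostName
                Offered     = $Protocol
                Accepted    = $true
                Negotiated  = $ssl.SslProtocol
                Cipher      = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)"
                KeyExchange = $ssl.KeyExchangeAlgorithm
                Reason      = $null
            }
        } catch {
            # A refused handshake is the desired result for SSL 3.0 and older.
            [pscustomobject]@{
                HostName    = $HostName
                Offered     = $Protocol
                Accepted    = $false
                Negotiated  = $null
                Cipher      = $null
                KeyExchange = $null
                Reason      = $_.Exception.Message
            }
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $client.Dispose()
    }
}

# Walk from legacy to modern. After sections 4.1 and 4.2 below, SSL 3.0 should
# be refused and the TLS rows should show Accepted = True with an ECDHE exchange.
'Ssl3', 'Tls', 'Tls11', 'Tls12' | ForEach-Object {
    Test-TlsProtocol -HostName 'www.example.com' -Protocol $_
} | Format-Table -AutoSize
```

Run the probe from a machine other than the server being hardened where possible: the script in section 4.7 also disables the legacy protocols on the client side of SCHANNEL, so a probe run on the hardened server itself will report SSL 3.0 as refused even when it is still enabled on the server side.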

4. Tweaking repeatedly on the way to A+

The long struck-out passages here are an afternoon of my work. Even though I eventually found that a PowerShell script can do all of the following in one go, you may skip them, but please respect my labor.

4.1 Disabling SSL 2.0 and SSL 3.0

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, right-click -> New -> Key, and create the keys SSL 2.0 and SSL 3.0.
There is a space in the middle of "SSL 2.0" and "SSL 3.0"!!!

Under SSL 2.0 and SSL 3.0 respectively, right-click -> New -> Key and create Server and Client.
In each newly created Server and Client key, create the following values (DWORD 32-bit):

DisabledByDefault = 1

Enabled = 0

Eight values in total.

4.2 Enabling TLS 1.0, 1.1 and 1.2

Still under the same key, create three new keys: TLS 1.0, TLS 1.1 and TLS 1.2.

Then create Client and Server under each of them.

Then, just as before, create the following values in each of them (DWORD 32-bit):

DisabledByDefault = 0

Enabled = 1

The screenshots are all the same, so I will not repeat them.

After completing the steps above, reboot the server and you will see the effect.
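Because a misspelled key (for example "SSL2.0" without the space) is silently ignored by SCHANNEL, it pays to read the values back before rebooting. The following function is an added example (not from the original post) that compares the protocol keys from sections 4.1 and 4.2 with the intended state; the expected table mirrors what the text above configures and can be edited to taste.

```powershell
# Added example (not from the original post): read back the SCHANNEL protocol
# keys created in sections 4.1 and 4.2 and compare them with the intended
# state, so typos show up before the reboot rather than in the SSL Labs report.
function Get-SchannelProtocolStatus {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    # Intended state as described above: $true = enabled, $false = disabled.
    $expected = [ordered]@{
        'SSL 2.0' = $false
        'SSL 3.0' = $false
        'TLS 1.0' = $true
        'TLS 1.1' = $true
        'TLS 1.2' = $true
    }
    foreach ($proto in $expected.Keys) {
        foreach ($side in 'Server', 'Client') {
            $props = Get-ItemProperty -Path "$base\$proto\$side" -ErrorAction SilentlyContinue
            # A DWORD of 0xffffffff reads back as -1, so test "non-zero" rather than "equals 1".
            $enabled = if ($null -ne $props -and $null -ne $props.Enabled) { $props.Enabled -ne 0 } else { $null }
            $disabledByDefault = if ($null -ne $props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault -ne 0 } else { $null }
            $want = $expected[$proto]
            $status = if ($null -eq $enabled -or $null -eq $disabledByDefault) {
                'NOT SET (OS default applies)'
            } elseif ($enabled -eq $want -and $disabledByDefault -eq (-not $want)) {
                'OK'
            } else {
                'MISMATCH'
            }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                Expected          = if ($want) { 'enabled' } else { 'disabled' }
                Status            = $status
            }
        }
    }
}

Get-SchannelProtocolStatus | Format-Table -AutoSize
```

A row marked NOT SET is not necessarily insecure, but it means the protocol follows the Windows version's built-in default rather than your explicit choice; a row marked MISMATCH is the one to fix before rebooting.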

4.3 Disabling RC4

The steps here are more complex, but broadly similar to the above: create keys in the registry and set values.

But at this point I found that the PowerShell script in the last step does everything. So let's skip the remaining steps!!!!!!!!

4.5 Changing the SSL configuration settings

Let me just say that while working on this SSL configuration I tried many ways of configuring the Cipher Suites, including copying, one by one, the configuration from other people's A+ reports. Every attempt required a server reboot and a re-test, and it cost a lot of time. In the end the rating reached A-, with one remaining Forward Secrecy problem. Searching turned up a PowerShell script that handles the issues one step at a time, which was fine, but then I found a script that fixes all of the preceding problems in one go, so I am sharing it to save everyone the detours.

4.6 Finally configuring Forward Secrecy

4.7 One-click PowerShell configuration script

Original script:

https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12

To use it: Start -> Run -> type powershell to open the cmd-like command-line window, then paste the script in and run it. The script writes to HKLM, so the PowerShell window must be run as Administrator.

```powershell
# Copyright 2016, Alexander Hass
# http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
#
# Version 1.7
# - Windows Version compare failed. Get-CimInstance requires Windows 2012 or later.
# Version 1.6
# - OS version detection for cipher suites order.
# Version 1.5
# - Enabled ECDH and more secure hash functions and reorderd cipher list.
# - Added Client setting for all ciphers.
# Version 1.4
# - RC4 has been disabled.
# Version 1.3
# - MD5 has been disabled.
# Version 1.2
# - Re-factored code style and output
# Version 1.1
# - SSLv3 has been disabled. (Poodle attack protection)

Write-Host 'Configuring IIS with SSL/TLS Deployment Best Practices...'
Write-Host '--------------------------------------------------------------------------------'

# Disable Multi-Protocol Unified Hello
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'Multi-Protocol Unified Hello has been disabled.'

# Disable PCT 1.0
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'PCT 1.0 has been disabled.'

# Disable SSL 2.0 (PCI Compliance)
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'SSL 2.0 has been disabled.'

# NOTE: If you disable SSL 3.0 the you may lock out some people still using
# Windows XP with IE6/7. Without SSL 3.0 enabled, there is no protocol available
# for these people to fall back. Safer shopping certifications may require that
# you disable SSLv3.
#
# Disable SSL 3.0 (PCI Compliance) and enable "Poodle" protection
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'SSL 3.0 has been disabled.'

# Add and Enable TLS 1.0 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.0 has been enabled.'

# Add and Enable TLS 1.1 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.1 has been enabled.'

# Add and Enable TLS 1.2 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.2 has been enabled.'

# Re-create the ciphers key.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null

# Disable insecure/weak ciphers.
$insecureCiphers = @(
    'DES 56/56',
    'NULL',
    'RC2 128/128',
    'RC2 40/128',
    'RC2 56/128',
    'RC4 40/128',
    'RC4 56/128',
    'RC4 64/128',
    'RC4 128/128'
)
Foreach ($insecureCipher in $insecureCiphers) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($insecureCipher)
    $key.SetValue('Enabled', 0, 'DWord')
    $key.close()
    Write-Host "Weak cipher $insecureCipher has been disabled."
}

# Enable new secure ciphers.
# - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2.
# - 3DES: It is recommended to disable these in near future. This is the last cipher supported by Windows XP.
# - Windows Vista and before 'Triple DES 168' was named 'Triple DES 168/168' per https://support.microsoft.com/en-us/kb/245030
$secureCiphers = @(
    'AES 128/128',
    'AES 256/256',
    'Triple DES 168'
)
Foreach ($secureCipher in $secureCiphers) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($secureCipher)
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$secureCipher" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    $key.close()
    Write-Host "Strong cipher $secureCipher has been enabled."
}

# Set hashes configuration.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null

$secureHashes = @(
    'SHA',
    'SHA256',
    'SHA384',
    'SHA512'
)
Foreach ($secureHash in $secureHashes) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes', $true).CreateSubKey($secureHash)
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$secureHash" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    $key.close()
    Write-Host "Hash $secureHash has been enabled."
}

# Set KeyExchangeAlgorithms configuration.
New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms' -Force | Out-Null
$secureKeyExchangeAlgorithms = @(
    'Diffie-Hellman',
    'ECDH',
    'PKCS'
)
Foreach ($secureKeyExchangeAlgorithm in $secureKeyExchangeAlgorithms) {
    $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms', $true).CreateSubKey($secureKeyExchangeAlgorithm)
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$secureKeyExchangeAlgorithm" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
    $key.close()
    Write-Host "KeyExchangeAlgorithm $secureKeyExchangeAlgorithm has been enabled."
}

# Set cipher suites order as secure as possible (Enables Perfect Forward Secrecy).
$os = Get-WmiObject -class Win32_OperatingSystem
if ([System.Version]$os.Version -lt [System.Version]'10.0') {
    Write-Host 'Use cipher suites order for Windows 2008R2/2012/2012R2.'
    $cipherSuitesOrder = @(
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521',
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521',
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
        'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521',
        'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',
        'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521',
        'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384',
        'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
        'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521',
        'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384',
        'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
        'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521',
        'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
        'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
        'TLS_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_RSA_WITH_AES_256_CBC_SHA256',
        'TLS_RSA_WITH_AES_128_CBC_SHA256',
        'TLS_RSA_WITH_AES_256_CBC_SHA',
        'TLS_RSA_WITH_AES_128_CBC_SHA',
        'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
    )
}
else {
    Write-Host 'Use cipher suites order for Windows 10/2016 and later.'
    $cipherSuitesOrder = @(
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
        'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
        'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
        'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
        'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
        'TLS_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_RSA_WITH_AES_256_CBC_SHA256',
        'TLS_RSA_WITH_AES_128_CBC_SHA256',
        'TLS_RSA_WITH_AES_256_CBC_SHA',
        'TLS_RSA_WITH_AES_128_CBC_SHA',
        'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
    )
}
$cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder)
# One user reported this key does not exists on Windows 2012R2. Cannot repro myself on a brand new Windows 2012R2 core machine. Adding this just to be save.
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -ErrorAction SilentlyContinue
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null

Write-Host '--------------------------------------------------------------------------------'
Write-Host 'NOTE: After the system has been rebooted you can verify your server'
Write-Host ' configuration at https://www.ssllabs.com/ssltest/'
Write-Host "--------------------------------------------------------------------------------`n"

Write-Host -ForegroundColor Red 'A computer restart is required to apply settings. Restart computer now?'
Restart-Computer -Force -Confirm
```

  

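The script above covers sections 4.3, 4.5 and 4.6 in one pass: it creates an explicit Enabled = 0 key for every RC4 variant and writes the cipher suite order, with ECDHE suites first, into the Functions value of the SSL policy key. The following function is an added example (not part of Alexander Hass's script or the original post) that reads those two things back and reports what would still cost points in the SSL Labs test: RC4 keys that are missing or enabled, weak suites in the order list, and any static-RSA suite ranked ahead of a forward-secret one.

```powershell
# Added example (not part of the original script or post): audit the cipher and
# cipher-suite settings the script above writes, before rebooting and re-testing.
function Test-SchannelCipherPolicy {
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $findings = New-Object System.Collections.Generic.List[string]

    # Section 4.3: each RC4 key must exist with Enabled = 0; a missing key means
    # SCHANNEL applies its built-in default for that cipher. The .NET registry API
    # is used because the key names contain '/', which the PowerShell registry
    # provider would treat as a path separator (the script above does the same).
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    foreach ($rc4 in 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
        $key = $hklm.OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$rc4")
        if ($null -eq $key -or $key.GetValue('Enabled') -ne 0) {
            $findings.Add("RC4 not explicitly disabled: $rc4")
        }
        if ($null -ne $key) { $key.Close() }
    }

    # Sections 4.5 and 4.6: the 'Functions' value holds the suite order. The
    # script writes it as REG_SZ (comma separated); REG_MULTI_SZ is also accepted here.
    $functions = (Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue).Functions
    $suites = @()
    if ($functions -is [array]) { $suites = $functions }
    elseif ($functions) { $suites = $functions -split ',' }

    if ($suites.Count -eq 0) {
        $findings.Add('No cipher suite order policy found; the SCHANNEL default order applies')
    } else {
        foreach ($s in $suites) {
            if ($s -match 'RC4|MD5|NULL|_WITH_DES_|EXPORT') {
                $findings.Add("Weak suite in order list: $s")
            }
        }
        # Forward secrecy: every ephemeral (ECDHE/DHE) suite should rank above
        # every static-RSA suite, which is the order the script installs.
        $firstStatic = -1
        for ($i = 0; $i -lt $suites.Count; $i++) {
            $isPfs = $suites[$i] -match '_(ECDHE|DHE)_'
            if (-not $isPfs -and $firstStatic -lt 0) { $firstStatic = $i }
            if ($isPfs -and $firstStatic -ge 0) {
                $findings.Add("Forward-secret suite $($suites[$i]) is ranked below static suite $($suites[$firstStatic])")
            }
        }
    }

    [pscustomobject]@{
        SuitesInPolicy      = $suites.Count
        ForwardSecretSuites = @($suites | Where-Object { $_ -match '_(ECDHE|DHE)_' }).Count
        Pass                = ($findings.Count -eq 0)
        Findings            = $findings
    }
}

Test-SchannelCipherPolicy | Format-List
```

Pass = True means the registry holds what the script intended; it does not by itself prove the server negotiates those suites, since the order only takes effect after the reboot the script asks for, which is why the SSL Labs re-test (or the handshake probe from section 3) remains the final check.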
4.8 Finally rated A

As for what more to do for A+, I don't know how to go further. An afternoon's work was finished by a single script in the end; I share it so nobody else has to take the same detours, and I hope everyone can reach A+.
