前言

2017年1月1日起App Store上的所有App应用将强制开启ATS功能。

苹果的ATS(App Transport Security)对服务器硬性3点要求:

① ATS要求TLS1.2或者更高,TLS 是 SSL 新的别称。

② 通讯中的加密套件配置要求支持列出的正向保密。

③ 数字证书必须使用sha256或者更高级的签名哈希算法,并且保证密钥是2048位及以上的RSA密钥或者256位及以上的ECC密钥。

由于领导舍不得花钱,只能辛苦我们自己搞个不花钱的证书。在网上找了一大堆各种配置证书服务的文章,在ios端运行的时候总是直接报错,很是费解,后来注意到必须是TLS1.2或者更高的版本,而按照网上的配置弄好后都是ssl1.0,根本原因没有解决。所以必须先升级服务器ssl的版本,这个升级的文章很多,有用的不多。在这里整理下找到的资料,供大家参考。注意:证书服务可以不用安装,升级ssl后即可正常访问。

1.首先打开服务器组策略,命令行输入gpedit.msc,找到ssl配置设置,双击ssl密码套件顺序,选择已启用,并保存。准备工作完成!

2.在下面选择您需要的配置并复制,打开Powershell直接粘贴。最后会提示是否重启服务器,输入Y会直接重启,根据自己的情况而定吧,重启后生效哦~

2.1. configure your IIS server with Perfect Forward Secrecy and TLS 1.2:

# Copyright 2016, Alexander Hass

# http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12

#

# Version 1.7

# - Windows Version compare failed. Get-CimInstance requires Windows 2012 or later.

# Version 1.6

# - OS version detection for cipher suites order.

# Version 1.5

# - Enabled ECDH and more secure hash functions and reorderd cipher list.

# - Added Client setting for all ciphers.

# Version 1.4

# - RC4 has been disabled.

# Version 1.3

# - MD5 has been disabled.

# Version 1.2

# - Re-factored code style and output

# Version 1.1

# - SSLv3 has been disabled. (Poodle attack protection)

Write-Host 'Configuring IIS with SSL/TLS Deployment Best Practices...'

Write-Host '--------------------------------------------------------------------------------'

# Disable Multi-Protocol Unified Hello

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

Write-Host 'Multi-Protocol Unified Hello has been disabled.'

# Disable PCT 1.0

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

Write-Host 'PCT 1.0 has been disabled.'

# Disable SSL 2.0 (PCI Compliance)

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

Write-Host 'SSL 2.0 has been disabled.'

# NOTE: If you disable SSL 3.0 the you may lock out some people still using

# Windows XP with IE6/7. Without SSL 3.0 enabled, there is no protocol available

# for these people to fall back. Safer shopping certifications may require that

# you disable SSLv3.

#

# Disable SSL 3.0 (PCI Compliance) and enable "Poodle" protection

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

Write-Host 'SSL 3.0 has been disabled.'

# Add and Enable TLS 1.0 for client and server SCHANNEL communications

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null

Write-Host 'TLS 1.0 has been enabled.'

# Add and Enable TLS 1.1 for client and server SCHANNEL communications

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null

Write-Host 'TLS 1.1 has been enabled.'

# Add and Enable TLS 1.2 for client and server SCHANNEL communications

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null

Write-Host 'TLS 1.2 has been enabled.'

# Re-create the ciphers key.

New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force | Out-Null

# Disable insecure/weak ciphers.

$insecureCiphers = @(

  'DES 56/56',

  'NULL',

  'RC2 128/128',

  'RC2 40/128',

  'RC2 56/128',

  'RC4 40/128',

  'RC4 56/128',

  'RC4 64/128',

  'RC4 128/128'

)

Foreach ($insecureCipher in $insecureCiphers) {

  $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($insecureCipher)

  $key.SetValue('Enabled', 0, 'DWord')

  $key.close()

  Write-Host "Weak cipher $insecureCipher has been disabled."

}

# Enable new secure ciphers.

# - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2.

# - 3DES: It is recommended to disable these in near future. This is the last cipher supported by Windows XP.

# - Windows Vista and before 'Triple DES 168' was named 'Triple DES 168/168' per https://support.microsoft.com/en-us/kb/245030

$secureCiphers = @(

  'AES 128/128',

  'AES 256/256',

  'Triple DES 168'

)

Foreach ($secureCipher in $secureCiphers) {

  $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($secureCipher)

  New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$secureCipher" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null

  $key.close()

  Write-Host "Strong cipher $secureCipher has been enabled."

}

# Set hashes configuration.

New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null

$secureHashes = @(

  'SHA',

  'SHA256',

  'SHA384',

  'SHA512'

)

Foreach ($secureHash in $secureHashes) {

  $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes', $true).CreateSubKey($secureHash)

  New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\$secureHash" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null

  $key.close()

  Write-Host "Hash $secureHash has been enabled."

}

# Set KeyExchangeAlgorithms configuration.

New-Item 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms' -Force | Out-Null

$secureKeyExchangeAlgorithms = @(

  'Diffie-Hellman',

  'ECDH',

  'PKCS'

)

Foreach ($secureKeyExchangeAlgorithm in $secureKeyExchangeAlgorithms) {

  $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms', $true).CreateSubKey($secureKeyExchangeAlgorithm)

  New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\$secureKeyExchangeAlgorithm" -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null

  $key.close()

  Write-Host "KeyExchangeAlgorithm $secureKeyExchangeAlgorithm has been enabled."

}

# Set cipher suites order as secure as possible (Enables Perfect Forward Secrecy).

$os = Get-WmiObject -class Win32_OperatingSystem

if ([System.Version]$os.Version -lt [System.Version]'10.0') {

  Write-Host 'Use cipher suites order for Windows 2008R2/2012/2012R2.'

  $cipherSuitesOrder = @(

    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521',

    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',

    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',

    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',

    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',

    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',

    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',

    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',

    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',

    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521',

    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',

    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',

    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521',

    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',

    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521',

    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',

    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',

    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521',

    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',

    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521',

    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384',

    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',

    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521',

    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384',

    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',

    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521',

    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',

    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',

    'TLS_RSA_WITH_AES_256_GCM_SHA384',

    'TLS_RSA_WITH_AES_128_GCM_SHA256',

    'TLS_RSA_WITH_AES_256_CBC_SHA256',

    'TLS_RSA_WITH_AES_128_CBC_SHA256',

    'TLS_RSA_WITH_AES_256_CBC_SHA',

    'TLS_RSA_WITH_AES_128_CBC_SHA',

    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'

  )

}

else {

  Write-Host 'Use cipher suites order for Windows 10/2016 and later.'

  $cipherSuitesOrder = @(

    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',

    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',

    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',

    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',

    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',

    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',

    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',

    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',

    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',

    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',

    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',

    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',

    'TLS_RSA_WITH_AES_256_GCM_SHA384',

    'TLS_RSA_WITH_AES_128_GCM_SHA256',

    'TLS_RSA_WITH_AES_256_CBC_SHA256',

    'TLS_RSA_WITH_AES_128_CBC_SHA256',

    'TLS_RSA_WITH_AES_256_CBC_SHA',

    'TLS_RSA_WITH_AES_128_CBC_SHA',

    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'

  )

}

$cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder)

# One user reported this key does not exists on Windows 2012R2. Cannot repro myself on a brand new Windows 2012R2 core machine. Adding this just to be save.

New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -ErrorAction SilentlyContinue

New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null

Write-Host '--------------------------------------------------------------------------------'

Write-Host 'NOTE: After the system has been rebooted you can verify your server'

Write-Host '      configuration at https://www.ssllabs.com/ssltest/'

Write-Host "--------------------------------------------------------------------------------`n"

Write-Host -ForegroundColor Red 'A computer restart is required to apply settings. Restart computer now?'

Restart-Computer -Force -Confirm

2.2 iisresetssltoweakdefaults

# Copyright 2016, Alexander Hass

# http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12

#

# Version 1.0

# - Rollback script created.

Write-Host 'Reset IIS to weak and insecure SSL defaults...'

Write-Host '--------------------------------------------------------------------------------'

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers' -Force

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites' -Force

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes' -Force

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms' -Force

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' -Force

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name DisabledByDefault -value 1 -PropertyType 'DWord'

New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Force

Restart-Computer -Force
 

3.最后配置IIS站点,添加ssl自签名证书,站点绑定https,并选择刚添加的自签名证书即可。

4.全程无需给服务器安装证书服务,ios客户端证书校验时默认全部通过即可,如果对安全要求严格的客户端可导入证书做校验。

Windows Server 2008 R2 下配置TLS1.2,添加自签名证书的更多相关文章

  1. Windows Server 2008 R2 下配置证书服务器和HTTPS方式访问网站

    http://www.cnblogs.com/zhongweiv/archive/2013/01/07/https.html 配置环境 了解HTTPS 配置CA证书服务器 新建示例网站并发布在IIS ...

  2. IIS7.0 Windows Server 2008 R2 下配置证书服务器和HTTPS方式访问网站

    配置环境 Windows版本:Windows Server 2008 R2 Enterprise Service Pack 1 系统类型: 64 位操作系统 了解HTTPS 为什么需要 HTTPS ? ...

  3. 【服务器运维】Windows Server 2008 R2 下配置证书服务器和HTTPS

    前言 2017年1月1日起App Store上的所有App应用将强制开启ATS功能. 苹果的ATS(App Transport Security)对服务器硬性3点要求: ① ATS要求TLS1.2或者 ...

  4. 如何在Windows Server 2008 R2下搭建FTP服务

    在Windows Server 2008 R2下搭建FTP服务,供客户端读取和上传文件 百度经验:jingyan.baidu.com 工具/原料 Windows Server 2008 R2 百度经验 ...

  5. 【转】Windows Server 2008 R2下安装 .net framework3.5

    原文地址:http://hi.baidu.com/tonny_dxf/item/6831bcdc3d7c06e7b2f7777c      [你必须用角色管理工具安装.net framework3.5 ...

  6. Windows Server 2008 R2 下 Core界面

    Windows Server 2008 R2 下 Core界面 关于 sc 以及 net 命令 Sc 命令较不全面,仅仅是给服务发送一个开启或者关闭就结束了 Net 命令比较安全,它监视了整个服务的启 ...

  7. cmd 执行Dcpromo错误:在该 SKU 上不支持 Active Directory 域服务安装向导,Windows Server 2008 R2 Enterprise 配置AD(Active Directory)域控制器

    今天,要安装AD域控制器,运行dcpromo结果提示:在该 SKU 上不支持 Active Directory 域服务安装向导. 以前弄的时候直接就通过了,这次咋回事?终于搞了大半天搞定了. 主要原因 ...

  8. Windows Server 2008 R2下将JBoss安装成windows系统服务

    JBoss版本是jboss-4.2.3.GA-jdk6.zip,操作系统是Windows Server 2008 R2. 1.系统已安装好java环境,JAVA_HOME已配置好: 2.下载所需文件. ...

  9. 在Windows Server 2008 R2下搭建jsp环境(四)-在测试的过程中可能出现的问题

    环境基本部署好了之后,便开始测试,一定要让他经得起"考验",他才会值得你的信赖.Tomcat服务器部署成功的的验证方法(默认端口的情况下): 1.loacalhost:8080 2 ...

随机推荐

  1. 理解CSS视觉格式化

    前面的话   CSS视觉格式化这个词可能比较陌生,但说起盒模型可能就恍然大悟了.实际上,盒模型只是CSS视觉格式化的一部分.视觉格式化分为块级和行内两种处理方式.理解视觉格式化,可以确定得到的效果是应 ...

  2. ASP.NET Aries 入门开发教程5:自定义列表页工具栏区

    前言: 抓紧时间,继续写教程,因为发现用户期待的内容,都在业务处理那一块. 不得不继续勤劳了. 这节主要介绍工具栏区的玩法. 工具栏的默认介绍: 工具栏默认包括5个按钮,根据不同的权限决定显示: 添加 ...

  3. Java基础Map接口+Collections

    1.Map中我们主要讲两个接口 HashMap  与   LinkedHashMap (1)其中LinkedHashMap是有序的  怎么存怎么取出来 我们讲一下Map的增删改查功能: /* * Ma ...

  4. JavaScript 字符串实用常操纪要

    JavaScript 字符串用于存储和处理文本.因此在编写 JS 代码之时她总如影随形,在你处理用户的输入数据的时候,在读取或设置 DOM 对象的属性时,在操作 Cookie 时,在转换各种不同 Da ...

  5. 从零开始编写自己的C#框架(26)——小结

    一直想写个总结,不过实在太忙了,所以一直拖啊拖啊,拖到现在,不过也好,有了这段时间的沉淀,发现自己又有了小小的进步.哈哈...... 原想框架开发的相关开发步骤.文档.代码.功能.部署等都简单的讲过了 ...

  6. C#多线程之线程池篇2

    在上一篇C#多线程之线程池篇1中,我们主要学习了如何在线程池中调用委托以及如何在线程池中执行异步操作,在这篇中,我们将学习线程池和并行度.实现取消选项的相关知识. 三.线程池和并行度 在这一小节中,我 ...

  7. DDD 领域驱动设计-谈谈 Repository、IUnitOfWork 和 IDbContext 的实践(3)

    上一篇:<DDD 领域驱动设计-谈谈 Repository.IUnitOfWork 和 IDbContext 的实践(2)> 这篇文章主要是对 DDD.Sample 框架增加 Transa ...

  8. AspNetPager分页控件样式的使用

    分页是Web应用程序中最常用到的功能之一,AspNetPager  简单实用,应用到项目后台中,棒极了! 自定义样式: <style type="text/css"> ...

  9. SharePoint 2013: A feature with ID has already been installed in this farm

    使用Visual Studio 2013创建一个可视web 部件,当右击项目选择"部署"时报错: "Error occurred in deployment step ' ...

  10. DockerCon 2016 – 微软带来了什么?

    根据Forrester的调查,接近半数的企业CIO在考虑IT架构的时候更乐于接受开源方案,这主要是基于低成本,避免供应商锁定和敏捷的需求:同时另外一家North Bridge的调研机构的调查显示,20 ...