TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
这可以防止XP客户端连接到服务器,因为XP Cryptographic API默认情况下不支持任何AES密码.
因此,尝试使用Internet Explorer或远程桌面进行连接时,服务器日志中会显示以下错误. (因为他们使用微软的CAPI)
Schannel Error 36874 “An TLS 1.0 connection was recieved from a remote client application,but dodne of the cipher suites supported by the client are supported by the server. The SSL connection request has Failed.”
Schannel Error 36888 “The following fatal alert was generated: 40. The internal error state is 1204”
当Web服务器尝试使用其新的加密下一代(CNG)框架处理请求时,似乎与旧框架中存储的遗留框架中存储的RSA私钥相关的内容.结果,RSA密码套件的使用受到严格限制.
MMC | Local Computer Certificate Manager | Personal Certificates Folder |
(right click) | All Tasks -> Advanced Operations | Create Custom Request |
“Proceed without enrollment policy” | select “(no template) CNG key” | proceed to complete the certificate request according to your needs.
验证密钥是否在正确的位置:
http://msdn.microsoft.com/en-us/library/bb204778(VS.85).aspx
http://www.jensign.com/KeyPal/index.html
用于验证正确密码套件的工具:
http://pentestit.com/2010/05/16/ssltls-audit-audit-web-servers-ssl-ciphers/
https://www.ssllabs.com/
SSL密码套件设置:
http://support.microsoft.com/kb/245030
http://blogs.technet.com/b/steriley/archive/2007/11/06/changing-the-ssl-cipher-order-in-internet-explorer-7-on-windows-vista.aspx
这花了我们一个星期的时间来弄明白.我希望这可以节省同样的麻烦.
