SSLv2 有弱點,所以我要把它關閉,除了用 regedit 找出來關閉之外,
也可以拿 IIS Crypto 工具來用,打開後把 SSL 2.0 勾勾拿掉,再 Apply,重開機
再拿 SSL 工具掃一掃,看到 unsupported or failed 就成功了
工具資訊如下 :
IIS Crypto 可以
- enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2003, 2008 and 2012
- reorder SSL/TLS cipher suites offered by IIS and mitigate the BEAST attack.
-
Single click to mitigate the BEAST attack
-
Easily disable SSL 2.0
-
Enable TLS 1.1 and 1.2
-
Disable other weak protocols and ciphers
-
Reorder cipher suites
-
Templates for compliance with government and industry regulations – FIPS 140-2 and PCI
它有分 GUI 及 command 的版本
- IIS Crypto GUI version 1.3 build 4 (.Net 2.0, 65 KB)
- IIS Crypto GUI version 1.3 build 4 (.Net 4.0, 75 KB)
- IIS Crypto Command Line version 1.3 build 4 (.Net 2.0, 60 KB)
- IIS Crypto Command Line version 1.3 build 4 (.Net 4.0, 70 KB)
THCSSLCheck 可以掃描 SSL
另一個工具 SSLScan-win
留言