[英]Could not establish secure channel for SSL/TLS: how to enable TLS on windows server 2008
This question is related to an answer on another question . 这个问题与另一个问题的答案有关 。 The person with the correct answer writes: In our case, the problem was resolved when the configuration on the destination server was changed to accept TLS.
正确答案的人写道: In our case, the problem was resolved when the configuration on the destination server was changed to accept TLS.
In a comment I asked if he could be more specific on how to achieve that. 我在评论中询问他是否可以更具体地说明如何实现这一目标。 John Saunders suggested I make a separate question for that. 约翰·桑德斯(John Saunders)建议我为此提出一个单独的问题。 So here it is: 所以这里是:
How does one enable TLS on windows 2008? 如何在Windows 2008上启用TLS? I made registry changes based on this , restarted the server. 我基于此进行了注册表更改,并重新启动了服务器。 The error I'm struggling with persists. 我一直在努力的错误仍然存在。 Is there anything else I need to do to enable TLS? 我还需要做些其他事情来启用TLS吗?
TLS 1.0 should be enabled by default on Windows Server (WS) 2008 so I assume the client requires a newer TLS version. 默认情况下,应在Windows Server(WS)2008上启用TLS 1.0,因此我假定客户端需要较新的TLS版本。 Support for the newer TLS protocol versions, TLS 1.1 and TLS 1.2, were introduced in WS 2008 R2 but they're disabled by default. WS 2008 R2中引入了对较新的TLS协议版本TLS 1.1和TLS 1.2的支持,但默认情况下将其禁用。 In WS 2012, TLS 1.1 and TLS 1.2 are enabled by default. 在WS 2012中,默认情况下启用TLS 1.1和TLS 1.2。
If the client needs TLS 1.1 or TLS 1.2, you'll have to upgrade to WS 2008 R2 or newer. 如果客户端需要TLS 1.1或TLS 1.2,则必须升级到WS 2008 R2或更高版本。 You can enable TLS 1.1 and TLS 1.2 in WS 2008 R2 by hand. 您可以手动在WS 2008 R2中启用TLS 1.1和TLS 1.2。 In that case you'll need to add some registry settings, documented in How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll . 在这种情况下,您将需要添加一些注册表设置,如如何限制Schannel.dll中某些加密算法和协议的使用中所述 。 The relevant entries are: 相关条目为:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
You'll need a reboot for the changes to take effect. 您需要重新启动才能使更改生效。
If you upgrade to WS 2012, you'll get TLS 1.1/1.2 by default. 如果升级到WS 2012,则默认情况下将获得TLS 1.1 / 1.2。 You can find more details on TLS configuration in my blog post on Hardening Windows Server 2008/2012 and Azure SSL/TLS configuration . 您可以在我的关于强化Windows Server 2008/2012和Azure SSL / TLS配置的博客文章中找到有关TLS配置的更多详细信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.