我想仅在客户端hello数据包中的Windows上强制使用特定的密码套件。我使用Windows注册表项和Powershell cmdlet(Disable-TlsCipherSuite,Enable-TlsCipherSuite)禁用了所有其他密码套件并启用了我需要的列表,为此付出了很多努力。但是,当我尝试从应用程序连接到https服务时,客户端问候包中发送的密码套件列表不是我设置的(使用wireshark)。
可以这样做吗?
我使用的powershell脚本是:
get-tlsciphersuite > listciphers.txt
$ciphersuites = New-Object Collections.Generic.List[string]
$reader = New-Object System.IO.StreamReader("listciphers.txt")
$lines = @()
if ($reader -ne $null) {
while (!$reader.EndOfStream) {
$line = $reader.ReadLine()
if ($line.Contains("TLS_")) {
$newValue = $line -replace "Name", ""
$newValue = $newValue -replace ":", ""
$newValue = $newValue.Trim()
$ciphersuites.Add($newValue)
}
}
}
foreach($c in $ciphersuites){
Try{
$c = """" + $c + """"
Disable-TlsCipherSuite -Name $c
write-output $c
}
Catch{
$ErrorMessage = $_.Exception.Message
$FailedItem = $_.Exception.ItemName
write-output $ErrorMessage + "Disable" + " " + $c
}
}
$preferedCiphersuites = New-Object Collections.Generic.List[string]
$preferedCiphersuites.Add("TLS_RSA_WITH_AES_128_CBC_SHA")
$preferedCiphersuites.Add("TLS_RSA_WITH_AES_256_CBC_SHA")
$preferedCiphersuites.Add("TLS_RSA_WITH_AES_256_CBC_SHA256")
$preferedCiphersuites.Add("TLS_RSA_WITH_AES_128_CBC_SHA256")
$preferedCiphersuites.Add("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
$preferedCiphersuites.Add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
$preferedCiphersuites.Add("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384")
$preferedCiphersuites.Add("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
foreach($p in $preferedCiphersuites){
Try{
$p = """" + $p + """"
Enable-TlsCipherSuite -Name $p
write-output $p
}
Catch{
$ErrorMessage = $_.Exception.Message
$FailedItem = $_.Exception.ItemName
write-output $ErrorMessage + "Enable" + " " + $p
}
}
Write-Host -NoNewLine 'Press any key to continue...';
$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');