我有一个我的服务器应当接受的密码套件列表。例如:我想让系统只处理下面这些套件
“TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256” “TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256” “TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384”
我尝试使用来自的样本 https://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx#adding__removing__and_prioritizing_cipher_suites 但......这只在理论上有效
// for visual c++
#include <stdio.h>
#include <windows.h>
#include <bcrypt.h>
#pragma comment(lib, "Bcrypt.lib")
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#endif
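/*
 * Move one SChannel cipher suite to the top of the machine-wide
 * (CRYPT_LOCAL) CNG priority list for the "SSL" context and report the
 * outcome on stdout.
 *
 * wszCipher: NUL-terminated wide suite name, e.g.
 *            L"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". Read only.
 *
 * Failures are printed, never returned, so a caller cannot tell whether
 * the change was applied; enumerate the context afterwards to verify.
 * NOTE(review): this edits persistent, system-wide TLS configuration;
 * presumably an elevated process is required — confirm for the target OS.
 */
void addToTop(LPCWSTR wszCipher)
{
    /* Echo the name through a fixed format string: the original passed
     * the name itself as the format, so any '%' in it would have been
     * interpreted. "%S" prints a wide string via the byte-oriented printf
     * family — the same convention printCipherSuites uses — so stdout is
     * not switched to wide orientation mid-program. */
    printf_s("%S\r\n", wszCipher);

    NTSTATUS Status = BCryptAddContextFunction(
        CRYPT_LOCAL,
        L"SSL",
        NCRYPT_SCHANNEL_INTERFACE,
        wszCipher,
        CRYPT_PRIORITY_TOP);

    /* BCrypt* functions return NTSTATUS; NT_SUCCESS is the matching test
     * (the macro is defined at the top of this file). */
    if (!NT_SUCCESS(Status))
    {
        printf_s("\n**** Error 0x%lx returned by BCryptAddContextFunction\n",
                 (unsigned long)Status);
    }
}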
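/*
 * Print every function registered for the "SSL" context in the
 * machine-wide (CRYPT_LOCAL) CNG table — the cipher suites SChannel will
 * offer, in their current priority order — one per line on stdout, then
 * block on getchar() so a console window stays open.
 *
 * Errors from BCryptEnumContextFunctions are printed and the function
 * returns without printing a list. The buffer returned by the
 * enumeration is owned by CNG and released with BCryptFreeBuffer here.
 */
void printCipherSuites(void)
{
    DWORD cbBuffer = 0;
    PCRYPT_CONTEXT_FUNCTIONS pBuffer = NULL;

    /* BCrypt* functions return NTSTATUS, not HRESULT; keep the type
     * honest and test it with NT_SUCCESS. */
    NTSTATUS Status = BCryptEnumContextFunctions(
        CRYPT_LOCAL,
        L"SSL",
        NCRYPT_SCHANNEL_INTERFACE,
        &cbBuffer,
        &pBuffer);
    if (!NT_SUCCESS(Status))
    {
        printf_s("\n**** Error 0x%lx returned by BCryptEnumContextFunctions\n",
                 (unsigned long)Status);
        goto Cleanup;
    }
    if (pBuffer == NULL)
    {
        printf_s("\n**** Error pBuffer returned from BCryptEnumContextFunctions is null");
        goto Cleanup;
    }

    /* cFunctions is a ULONG in CRYPT_CONTEXT_FUNCTIONS; match its width. */
    for (ULONG index = 0; index < pBuffer->cFunctions; ++index)
    {
        /* "%S" prints the wide name through the byte-oriented printf. */
        printf_s("\n%S", pBuffer->rgpszFunctions[index]);
    }

Cleanup:
    /* BCryptFreeBuffer is not documented as accepting NULL, so keep the
     * guard for the error paths that jump here before allocation. */
    if (pBuffer != NULL)
    {
        BCryptFreeBuffer(pBuffer);
    }
    getchar();
}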
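/*
 * Remove TLS_RSA_WITH_AES_128_CBC_SHA256 from the machine-wide "SSL"
 * context table, reporting a failure on stdout.
 *
 * Returns 0 unconditionally (kept for existing callers); success or
 * failure is visible only in the printed output. Not called from main()
 * in this file.
 * NOTE(review): like addToTop, this is a persistent system-wide change;
 * presumably needs an elevated process — confirm.
 */
int removeSth(void)
{
    printf_s("\nRemoving TLS_RSA_WITH_AES_128_CBC_SHA256");

    /* A string literal must not be reachable through a writable pointer;
     * BCryptRemoveContextFunction takes LPCWSTR, so no cast is needed. */
    LPCWSTR wszCipher = L"TLS_RSA_WITH_AES_128_CBC_SHA256";

    NTSTATUS Status = BCryptRemoveContextFunction(
        CRYPT_LOCAL,
        L"SSL",
        NCRYPT_SCHANNEL_INTERFACE,
        wszCipher);
    if (!NT_SUCCESS(Status))
    {
        printf_s("\n**** Error 0x%lx returned by BCryptRemoveContextFunction\n",
                 (unsigned long)Status);
    }
    return 0;
}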
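/*
 * Entry point: push three ECDHE suites to the top of the SChannel
 * priority list, then print the resulting list.
 *
 * Note that CRYPT_PRIORITY_TOP inserts each suite at position 0, so after
 * these three calls the list starts with the LAST one added — the final
 * priority order is the reverse of the call order.
 */
int main(void)
{
    addToTop(L"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
    addToTop(L"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");
    addToTop(L"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384");
    printCipherSuites();
    return 0;
}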
你可以看到,调用 BCryptAddContextFunction 并没有改变系统中的任何内容。这个调用没有返回失败状态,但是当我列出所有密码套件时,列表中没有 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256、TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256、TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
我找不到有效的WinAPI示例。我应该在代码中更改什么来优先考虑Schannel密码套件?
编辑: 我发现了一件有趣的事情...... WinApi删除/添加函数返回STATUS_SUCCESS - 但SSL Cipher Suites列表未更新。
在 gpedit.msc(计算机配置 -> 管理模板 -> 网络 -> 本地组策略编辑器 -> SSL 密码套件顺序)中也看不到 BCryptAddContextFunction / BCryptRemoveContextFunction 的结果。