TLS management

Issues

The RDP endpoint still accepts TLS 1.0: openssl s_client can complete a handshake with the -tls1 option, which confirms the legacy protocol is enabled on the server:

openssl s_client -connect 172.16.123.70:3389 -tls1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = VEEAM
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = VEEAM
verify return:1
---
Certificate chain
 0 s:CN = VEEAM
   i:CN = VEEAM
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May  6 03:15:21 2025 GMT; NotAfter: Nov  5 03:15:21 2025 GMT
---
...
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
...
---
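The note checks only TLS 1.0. To see every protocol version the endpoint accepts, here is an added example (not from the original note) that attempts one handshake per version from a Windows host using .NET's SslStream. The host and port are placeholders taken from the note; the function name Test-TlsVersion and its parameters are this example's own. Certificate validation is skipped on purpose because the RDP certificate is self-signed and only protocol acceptance is being tested.

```powershell
# Added example, not part of the original note: one TLS handshake per protocol
# version against a host:port, reporting which versions the server accepts.
# Assumptions: Test-TlsVersion and its parameters are this example's own names;
# 172.16.123.70:3389 is the placeholder target from the note.
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [int]$Port = 3389,
        [string[]]$Versions = @('Tls', 'Tls11', 'Tls12', 'Tls13'),
        [int]$TimeoutMs = 5000
    )
    foreach ($name in $Versions) {
        # Older .NET builds do not define Tls13; report it instead of throwing.
        $proto = $null
        try { $proto = [System.Security.Authentication.SslProtocols]$name } catch { }
        if ($null -eq $proto) {
            [pscustomobject]@{ Host = $TargetHost; Port = $Port; Version = $name; Accepted = $null;
                               Detail = 'Not defined in this .NET runtime' }
            continue
        }

        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
            if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw 'TCP connect timed out' }
            $client.EndConnect($async)

            # Accept any certificate: the question is protocol policy, not trust.
            $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
            $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
            $ssl.ReadTimeout = $TimeoutMs
            # Restrict the client offer to exactly one version so a success means
            # the server accepted that version and nothing else.
            $ssl.AuthenticateAsClient($TargetHost, $null, $proto, $false)
            [pscustomobject]@{ Host = $TargetHost; Port = $Port; Version = $name; Accepted = $true;
                               Detail = ('{0} / {1}' -f $ssl.SslProtocol, $ssl.CipherAlgorithm) }
            $ssl.Dispose()
        } catch {
            $msg = $_.Exception.Message
            if ($_.Exception.InnerException) { $msg = $_.Exception.InnerException.Message }
            # A reset or alert during the handshake shows up here as Accepted=$false.
            [pscustomobject]@{ Host = $TargetHost; Port = $Port; Version = $name; Accepted = $false; Detail = $msg }
        } finally {
            $client.Dispose()
        }
    }
}

# Usage: run before and after the registry change and compare the Accepted column.
Test-TlsVersion -TargetHost '172.16.123.70' -Port 3389 | Format-Table -AutoSize
```

Because SslStream goes through Schannel, the client-side policy of the machine running the probe applies as well: if TLS 1.0 is disabled for the Client role on that machine, the probe reports it as rejected regardless of what the server does. Run it from a host that still allows the legacy client protocols, or use openssl s_client as in the note above.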

Remediation

Follow Microsoft's TLS documentation and configure the Schannel registry keys to disable TLS 1.0 and TLS 1.1.

After disabling them, a TLS 1.0 connection attempt fails:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 104 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1756265453
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

The PowerShell script below applies the change. It writes both the Enabled and the DisabledByDefault value for each protocol and role, matching the key layout Microsoft documents for Schannel, and can optionally harden the RDP listener as described in its header:

# Purpose:
#   - Disable TLS 1.0 / TLS 1.1 (Server & Client roles)
#   - Enable  TLS 1.2 (Server & Client roles)
#   - Enable  TLS 1.3 (Server & Client roles); the key is ignored by OS builds without TLS 1.3 support
#
# Notes:
#   - Applies to Schannel, which RDP (3389) uses for TLS.
#   - A reboot is required for Schannel protocol changes to fully apply.
#   - "Enabled" is the value that actually switches a protocol off on modern Windows;
#     "DisabledByDefault" is written alongside it to match Microsoft's documented layout.
#
# Optional RDP hardening (run with -HardenRdp):
#   - SecurityLayer = 2 forces RDP to use TLS.
#   - UserAuthentication = 1 enables Network Level Authentication (NLA).
param([switch]$HardenRdp)

# Check admin privilege (writing under HKLM requires it)
if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
  Write-Error "Please run this script as Administrator."
  exit 1
}

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$matrix = @(
  @{ Name = 'TLS 1.0'; Enable = 0 },
  @{ Name = 'TLS 1.1'; Enable = 0 },
  @{ Name = 'TLS 1.2'; Enable = 1 },
  @{ Name = 'TLS 1.3'; Enable = 1 }
)

# Configure TLS protocols for the Server (inbound, e.g. RDP) and Client (outbound) roles
foreach ($item in $matrix) {
  foreach ($role in 'Server','Client') {
    $p = Join-Path (Join-Path $base $item.Name) $role
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    New-ItemProperty -Path $p -Name 'Enabled' -PropertyType DWord -Value $item.Enable -Force | Out-Null
    # DisabledByDefault is the inverse of Enabled: 1 for protocols being turned off, 0 otherwise
    $disabledByDefault = 1 - $item.Enable
    New-ItemProperty -Path $p -Name 'DisabledByDefault' -PropertyType DWord -Value $disabledByDefault -Force | Out-Null
    Write-Host ("{0}\{1}: Enabled={2} DisabledByDefault={3}" -f $item.Name,$role,$item.Enable,$disabledByDefault) -ForegroundColor Cyan
  }
}

# Optional: require TLS and NLA on the default RDP listener
if ($HardenRdp) {
  $rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
  New-ItemProperty -Path $rdp -Name 'SecurityLayer' -PropertyType DWord -Value 2 -Force | Out-Null
  New-ItemProperty -Path $rdp -Name 'UserAuthentication' -PropertyType DWord -Value 1 -Force | Out-Null
  Write-Host "RDP-Tcp: SecurityLayer=2 (TLS), UserAuthentication=1 (NLA)" -ForegroundColor Cyan
}

Write-Host "`nRegistry entries applied. Please reboot the server for RDP/Schannel to fully enforce changes." -ForegroundColor Yellow
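After the reboot, the registry state should be read back rather than assumed. The following is an added example, not part of the original note, that reports the Enabled and DisabledByDefault values for each protocol and role, interprets them, and reads the RDP listener's SecurityLayer and UserAuthentication values. The function names Get-SchannelProtocolState and Get-RdpTlsSettings are this example's own; the RDP-Tcp listener path is the default one and is an assumption if the listener was renamed.

```powershell
# Added example, not part of the original note: audit the Schannel protocol keys
# and the RDP listener settings after the change has been applied and the host rebooted.
# Assumptions: function names are this example's own; RDP-Tcp is the default listener name.
function Get-SchannelProtocolState {
    param([string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'))
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in $Protocols) {
        foreach ($role in 'Server', 'Client') {
            $path = Join-Path (Join-Path $base $proto) $role
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $path) {
                $props = Get-ItemProperty -Path $path
                $enabled = $props.Enabled                      # $null when the value is absent
                $disabledByDefault = $props.DisabledByDefault
            }
            # Interpretation: Enabled=0 hard-disables the protocol; DisabledByDefault=1 leaves it
            # available only to applications that request it explicitly; an absent key means the
            # OS default applies, which differs between Windows versions.
            if ($null -eq $enabled -and $null -eq $disabledByDefault) { $state = 'OS default (key absent)' }
            elseif ($enabled -eq 0)                                  { $state = 'Disabled' }
            elseif ($disabledByDefault -eq 1)                        { $state = 'Disabled by default (opt-in only)' }
            else                                                     { $state = 'Enabled' }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

function Get-RdpTlsSettings {
    $rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $props = Get-ItemProperty -Path $rdp
    [pscustomobject]@{
        SecurityLayer      = $props.SecurityLayer        # 2 = TLS required
        UserAuthentication = $props.UserAuthentication   # 1 = NLA required
        MinEncryptionLevel = $props.MinEncryptionLevel
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-RdpTlsSettings

# Flag legacy protocols that are not explicitly disabled, so an absent key is not mistaken for "off".
$legacy = Get-SchannelProtocolState -Protocols 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' |
          Where-Object { $_.State -notlike 'Disabled*' }
if ($legacy) {
    Write-Warning 'Legacy protocols not explicitly disabled:'
    $legacy | Format-Table -AutoSize
}
```

The registry view only tells you what Schannel has been told; the external handshake test with openssl s_client is still the confirmation that the listener on 3389 refuses TLS 1.0 and TLS 1.1 after the reboot.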