software:win:sec:enabletls

Differences

This shows you the differences between two versions of the page.

software:win:sec:enabletls [2015/05/13 00:52]
– created root
software:win:sec:enabletls [2015/05/13 00:57]
– [Additional TLS/SSL settings] root
Line 133: Line 133:
 при этом 1.1 и 1.2 они оставляют в подвешенном состоянии.\\ при этом 1.1 и 1.2 они оставляют в подвешенном состоянии.\\
  
-**Отключаем SSL2 и SSL3**+==== Отключаем SSL2 и SSL3 ====
 <code>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0] <code>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
  
Line 154: Line 154:
 "Enabled"=dword:00000000</code> "Enabled"=dword:00000000</code>
  
-**Включаем TLS 1.1 и 1.2**+==== Включаем TLS 1.1 и 1.2 ====
 <code>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1] <code>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
  
Line 214: Line 214:
  
  
-И на последок, есть такая утилита: [[https://www.nartac.com/Products/IISCrypto/Default.aspx]] +===== Утилита ===== 
-<img src="http://habrastorage.org/getpro/habr/post_images/4bf/243/ebf/4bf243ebfc01431c20aba2e39612514c.png" alt="image"/>+И на последок, есть такая утилита: [[https://www.nartac.com/Products/IISCrypto/Default.aspx]]\\ 
 +{{:ru:software:win:sec:iis_crypto.png|}}
  
  
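Review bot: the added text line still carries the misspelling "на последок" from the removed line (it should be "напоследок"), and the new media link `{{:ru:software:win:sec:iis_crypto.png|}}` has nothing after the pipe, so the image loses the alt text the old `<img>` tag had. Fix the spelling while the line is being touched and put a short title after the `|`. Swapping the image hotlinked over http:// for a local media file is a good change, but the media namespace is `:ru:software:win:sec:` while the page id shown in the revision header is `software:win:sec:enabletls`, so confirm the file actually resolves from this page.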
Line 222: Line 223:
   * Many applications that use schannel are written so that the receiver side assumes application data will be packed into a single packet. This occurs even though the application calls schannel for decryption. The applications ignore a flag that is set by schannel. The flag indicates to the application that there is more data to be decrypted and picked up by the receiver. **This method does not follow the MSDN-prescribed method of using schannel. Because the security update enforces record-splitting, this breaks such applications.**   * Many applications that use schannel are written so that the receiver side assumes application data will be packed into a single packet. This occurs even though the application calls schannel for decryption. The applications ignore a flag that is set by schannel. The flag indicates to the application that there is more data to be decrypted and picked up by the receiver. **This method does not follow the MSDN-prescribed method of using schannel. Because the security update enforces record-splitting, this breaks such applications.**
   * **Broken applications include Microsoft products and in-box components.** The following are examples of scenarios that may be broken when the SendExtraRecord registry value is set to 1:   * **Broken applications include Microsoft products and in-box components.** The following are examples of scenarios that may be broken when the SendExtraRecord registry value is set to 1:
-  ** All SQL products, and applications that are built onto SQL. + * All SQL products, and applications that are built onto SQL.\\ 
-  ** Terminal Servers that have Network Level Authentication (NLA) turned on. By default, NLA is enabled in Windows Vista and later versions of Windows. + * Terminal Servers that have Network Level Authentication (NLA) turned on. By default, NLA is enabled in Windows Vista and later versions of Windows.\\ 
-  ** Some Routing Remote Access Service (RRAS) scenarios.+ * Some Routing Remote Access Service (RRAS) scenarios.\\
  
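Review bot: as rendered in this comparison, the three replacement items begin with a single space before `*` and end with `\\`. DokuWiki only parses a line as a list item when it is indented by at least two spaces, and it nests an item only when it is indented deeper than its parent, so these lines would come out as plain text with forced line breaks rather than as sub-items of the "Broken applications include Microsoft products and in-box components" bullet. Indent them further than the parent `  * ` items and drop the trailing `\\`, which is not needed at the end of a list item.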
software/win/sec/enabletls.txt · Last modified: 2022/02/05 04:38 by root