Manage Transport Layer Security (TLS)

Configuring TLS Cipher Suite Order

Different Windows versions support different TLS cipher suites and priority orders. See Cipher Suites in TLS/SSL (Schannel SSP) for the default order supported by the Microsoft Schannel Provider in each Windows version.

Note

You can also modify the list of cipher suites by using CNG functions; see Prioritizing Schannel Cipher Suites for details.

Changes to the TLS cipher suite order take effect on the next boot. Until the computer restarts or shuts down, the existing order remains in effect.

Warning

Updating the registry settings for the default priority ordering is not supported and may be reset by servicing updates.

Configuring TLS Cipher Suite Order by using Group Policy

You can use the SSL Cipher Suite Order Group Policy setting to configure the default TLS cipher suite order.

  1. From the Group Policy Management Console, go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
  2. Double-click SSL Cipher Suite Order, and then click the Enabled option.
  3. Right-click the SSL Cipher Suites box, and then select Select all from the pop-up menu.


  4. Right-click the selected text, and then select Copy from the pop-up menu.

  5. Paste the text into a text editor such as notepad.exe and update it with the new cipher suite order list.

    Note

    The TLS cipher suite order list must be in strict comma-delimited format. Each cipher suite string ends with a comma (,) immediately to its right.

    Additionally, the list of cipher suites is limited to 1,023 characters.

  6. Replace the list in the SSL Cipher Suites box with the updated ordered list.

  7. Click OK or Apply.
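The following PowerShell script is an added example, not part of the original page or of any Microsoft tooling. It builds the ordered list the way the steps above describe it (a single comma-delimited string), drops suites that use weak constructs, and enforces the 1,023-character limit before anything is applied. The preferred-suite list is an assumption to be adapted to your environment; the registry value it writes is the one the SSL Cipher Suite Order policy populates on a client, which is useful for testing on a standalone machine. For domain-joined computers, paste the resulting string into the GPO instead of writing the registry, and remember that this policy key is distinct from the unsupported default-ordering keys mentioned in the warning above.

```powershell
# Added example (not from the original page): build, validate and apply an
# SSL Cipher Suite Order list in the strict comma-delimited format the policy
# expects. Requires an elevated session on Windows 10 / Server 2016 or later.

# Assumption: organization's preferred suites, AEAD with (EC)DHE key exchange first.
$preferred = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Weak constructs that must not survive into the ordered list.
$weakPattern = 'NULL|RC4|DES|MD5|EXPORT'

# Start from what this build of Windows actually supports (TLS module cmdlet),
# so every name placed in the policy is one Schannel recognises.
$supported = (Get-TlsCipherSuite).Name

# Preferred suites first (only those this build knows), then the remaining
# non-weak suites in their existing order.
$ordered  = @($preferred | Where-Object { $supported -contains $_ })
$ordered += $supported | Where-Object { $_ -notin $ordered -and $_ -notmatch $weakPattern }

# Strict comma-delimited format: suites separated by commas, no whitespace.
$list = $ordered -join ','

if ($list -match '\s') { throw 'Cipher suite list must not contain whitespace or line breaks.' }
if ($list.Length -gt 1023) {
    throw "Cipher suite list is $($list.Length) characters; the policy limit is 1,023."
}

# Registry value that the "SSL Cipher Suite Order" policy populates on a client.
# Assumption: used here for standalone testing; domain machines get it via the GPO.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'Functions' -Value $list -Type String

Write-Host "Applied $($ordered.Count) suites ($($list.Length) chars). Reboot for the order to take effect."
```

The script fails closed: an over-long or whitespace-containing list throws before the registry is touched, which is the failure a hand-edited Notepad list most often produces.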

Configuring TLS Cipher Suite Order by using MDM

The Windows 10 Policy CSP supports configuration of the TLS cipher suites. See Cryptography/TLSCipherSuites for more information.

Configuring TLS Cipher Suite Order by using TLS PowerShell Cmdlets

The TLS PowerShell module supports getting the ordered list of TLS cipher suites, disabling a cipher suite, and enabling a cipher suite. See TLS Module for more information.
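As an added example (not code from the original page), the session below uses the three TLS module cmdlets the paragraph names, Get-TlsCipherSuite, Disable-TlsCipherSuite and Enable-TlsCipherSuite, to audit the current order, remove suites with weak constructs, pin a chosen suite to the top, and verify the result. The suite chosen for position 0 and the weak-construct pattern are assumptions; an elevated PowerShell session on Windows 10 or Windows Server 2016 or later is required.

```powershell
# Added example (not from the original page): audit and adjust the cipher suite
# order with the TLS module cmdlets instead of Group Policy.

# 1. Current ordered list; index 0 is negotiated first.
$before = (Get-TlsCipherSuite).Name
$i = 0
$before | ForEach-Object { '{0,3}  {1}' -f $i++, $_ }

# 2. Disable every suite using a weak construct (assumed pattern; extend as needed).
#    Disable-TlsCipherSuite needs the exact suite name, so resolve names first.
$weakPattern = 'NULL|RC4|DES|MD5|EXPORT'
foreach ($suite in (Get-TlsCipherSuite | Where-Object { $_.Name -match $weakPattern })) {
    Disable-TlsCipherSuite -Name $suite.Name
}

# 3. Pin the suite we most want negotiated to the top. Disabling it first makes the
#    re-enable at an explicit position deterministic regardless of its prior state.
$top = 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'   # assumption
Disable-TlsCipherSuite -Name $top -ErrorAction SilentlyContinue
Enable-TlsCipherSuite  -Name $top -Position 0

# 4. Verify: no weak suite remains and the chosen suite is at position 0.
$after     = (Get-TlsCipherSuite).Name
$stillWeak = $after | Where-Object { $_ -match $weakPattern }
if ($stillWeak)            { Write-Warning ('Still enabled: ' + ($stillWeak -join ', ')) }
if ($after[0] -ne $top)    { Write-Warning "Expected $top at position 0, found $($after[0])" }

Write-Host "$($before.Count) suites before, $($after.Count) after. Reboot for the order to take effect."
```

Run Get-TlsCipherSuite again after the reboot; if a servicing update has reset the list, re-running the script restores it, which is the repeatable-hardening advantage the cmdlets have over a hand-edited GPO string.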

Configuring TLS ECC Curve Order

Beginning with Windows 10 and Windows Server 2016, the ECC curve order can be configured independently of the cipher suite order. If the TLS cipher suite order list contains elliptic curve suffixes, they are overridden by the new elliptic curve priority order when it is enabled. This allows organizations to use one Group Policy object to configure different versions of Windows with the same cipher suite order.

Note

Prior to Windows 10, cipher suite strings were appended with the elliptic curve name to determine the curve priority.

Managing Windows ECC curves using CertUtil

Beginning with Windows 10 and Windows Server 2016, Windows provides elliptic curve parameter management through the command-line utility certutil.exe. Built-in elliptic curve parameters are stored in bcryptprimitives.dll. Using certutil.exe, administrators can add curve parameters to Windows and remove them again. Certutil.exe stores added curve parameters securely in the registry, and Windows can then use those parameters by the name associated with the curve.

Displaying Registered Curves

Use the following certutil.exe command to display the list of curves registered on the current computer.

certutil.exe -displayEccCurve

Figure 1 Certutil.exe output displaying the list of registered curves.

Adding a New Curve

Organizations can create and use curve parameters researched by other trusted entities. Administrators who want to use these new curves in Windows must first add the curve. Use the following certutil.exe command to add a curve to the current computer:

certutil.exe -addEccCurve curveName curveParameters [curveOID] [curveType]
  • The curveName argument is the name under which the curve parameters are registered.
  • The curveParameters argument is the file name of a certificate that contains the parameters of the curve you want to add.
  • The curveOID argument is the file name of a certificate that contains the OID of the curve parameters you want to add (optional).
  • The curveType argument is the decimal value of the named curve from the EC Named Curve Registry (optional).

Figure 2 Adding a curve using certutil.exe.

Removing a Previously Added Curve

Administrators can remove a previously added curve using the following certutil.exe command:

certutil.exe -deleteEccCurve curveName

After an administrator removes a curve from the computer, Windows can no longer use that named curve.

Managing Windows ECC curves using Group Policy

Organizations can distribute curve parameters to enterprise, domain-joined computers using Group Policy and the Group Policy Preferences Registry extension. The process for distributing a curve is:

  1. On Windows 10 or Windows Server 2016, use certutil.exe to add the new named curve to Windows.
  2. From that same computer, open the Group Policy Management Console (GPMC), create a new Group Policy object, and edit it.
  3. Navigate to Computer Configuration | Preferences | Windows Settings | Registry. Right-click Registry, hover over New, and select Collection Item. Rename the collection item to match the name of the curve. You will create one Registry Collection item for each registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\ECCParameters.
  4. Configure the newly created Group Policy Preference Registry Collection by adding a new Registry Item for each registry value listed under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\ECCParameters\[curveName].
  5. Deploy the Group Policy object containing the Group Policy Registry Collection item to the Windows 10 and Windows Server 2016 computers that should receive the new named curve.

    Figure 3 Using Group Policy Preferences to distribute curves
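Step 4 above requires transcribing every value under the curve's registry key into a GPP Registry Item. The function below is an added example (not from the original page) that enumerates those values from the reference computer, one object per value with the hive, key path, value name, value kind and data that the GPP item needs, and renders binary data as hex the way the GPP editor accepts it. The curve name ContosoCurve is hypothetical; the key path is the one given in the steps above, which is where certutil.exe -addEccCurve stores added curves.

```powershell
# Added example (not from the original page): enumerate the registry values of a
# certutil-added curve so they can be entered as GPP Registry Items (step 4).

function Get-EccCurveRegistryItems {
    param([Parameter(Mandatory)][string]$CurveName)

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\ECCParameters'
    $key  = Join-Path $base $CurveName
    if (-not (Test-Path $key)) {
        throw "Curve '$CurveName' is not registered here; run certutil.exe -addEccCurve on this computer first."
    }

    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $kind = $item.GetValueKind($name)          # String, Binary, DWord, MultiString, ...
        $data = $item.GetValue($name)
        # GPP accepts REG_BINARY data as a hex string, so render byte arrays that way.
        if ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join '' }

        [pscustomobject]@{
            Hive      = 'HKEY_LOCAL_MACHINE'
            KeyPath   = $key -replace '^HKLM:\\', ''   # path relative to the hive, as GPP wants it
            ValueName = $name
            ValueKind = $kind
            Data      = $data
        }
    }
}

# Curves that have been added with certutil.exe on this computer (one key each).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\ECCParameters' |
    Select-Object -ExpandProperty PSChildName

# Items to transcribe into the Registry Collection for one curve (hypothetical name).
Get-EccCurveRegistryItems -CurveName 'ContosoCurve' | Format-Table -AutoSize
```

After the GPO has applied on a target computer, run certutil.exe -displayEccCurve there and confirm the curve name appears; a missing or mistyped value in the collection shows up as the curve simply not being listed.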

Managing TLS ECC order

Beginning with Windows 10 and Windows Server 2016, the ECC Curve Order Group Policy setting can be used to configure the default TLS ECC curve order. Using Generic ECC and this setting, organizations can add their own trusted named curves (those approved for use with TLS) to the operating system, and then add those named curves to the curve priority Group Policy setting to ensure they are used in future TLS handshakes. The new curve priority list becomes active on the next reboot after the policy settings are received.

Figure 4 Managing TLS curve priority using Group Policy
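Beside the Group Policy setting, the TLS module offers Get-TlsEccCurve, Enable-TlsEccCurve and Disable-TlsEccCurve for the curve order on a single computer. The script below is an added example (not from the original page) that sets a deterministic curve priority, removes every curve not on the list from TLS use, and verifies the result. The desired order is an assumption; the names curve25519, NistP384 and NistP256 are Windows' built-in curve names, and an organization-added curve registered with certutil.exe could be appended to the list by its registered name.

```powershell
# Added example (not from the original page): set and verify the TLS ECC curve
# order with the TLS module cmdlets. Elevated session, Windows 10 / Server 2016+.

# Current priority order; first entry is offered/negotiated first.
Get-TlsEccCurve

# Assumption: desired order. Add an organization curve by its certutil-registered
# name if it is approved for TLS. Disabling first makes the explicit position stick
# regardless of whether the curve was already enabled.
$desired = @('curve25519', 'NistP384', 'NistP256')
for ($i = 0; $i -lt $desired.Count; $i++) {
    Disable-TlsEccCurve -Name $desired[$i] -ErrorAction SilentlyContinue
    Enable-TlsEccCurve  -Name $desired[$i] -Position $i
}

# Everything not on the list is removed from TLS negotiation.
Get-TlsEccCurve | Where-Object { $_ -notin $desired } |
    ForEach-Object { Disable-TlsEccCurve -Name $_ }

# Verify order and membership; Compare-Object with -SyncWindow 0 is order-sensitive.
$order = @(Get-TlsEccCurve)
if (Compare-Object $order $desired -SyncWindow 0) {
    Write-Warning "Curve order differs from desired: $($order -join ', ')"
} else {
    Write-Host "Curve order set to: $($order -join ', '). Reboot for TLS handshakes to use it."
}
```

On domain-joined computers the ECC Curve Order policy, once received, takes precedence over the local list, so use the cmdlets for standalone hosts and for validating a candidate order before it goes into the GPO.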