Transport Layer Security (TLS) registry settings

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista

This reference topic for the IT professional contains supported registry setting information for the Windows implementation of the Transport Layer Security (TLS) protocol and the Secure Sockets Layer (SSL) protocol through the Schannel Security Support Provider (SSP). The registry subkeys and entries covered in this topic help you administer and troubleshoot the Schannel SSP, specifically the TLS and SSL protocols.

Warning

This information is provided as a reference to use when you are troubleshooting or verifying that the required settings are applied. We recommend that you do not edit the registry directly unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution.

CertificateMappingMethods

This entry does not exist in the registry by default. The default value is that all four certificate mapping methods, listed below, are supported.

When a server application requires client authentication, Schannel automatically attempts to map the certificate that is supplied by the client computer to a user account. You can authenticate users who sign in with a client certificate by creating mappings, which relate the certificate information to a Windows user account. After you create and enable a certificate mapping, each time a client presents a client certificate, your server application automatically associates that user with the appropriate Windows user account.

In most cases, a certificate is mapped to a user account in one of two ways:

  • A single certificate is mapped to a single user account (one-to-one mapping).
  • Multiple certificates are mapped to one user account (many-to-one mapping).

By default, the Schannel provider uses the following four certificate mapping methods, listed in order of preference:

  1. Kerberos service-for-user (S4U) certificate mapping
  2. User principal name mapping
  3. One-to-one mapping (also known as subject/issuer mapping)
  4. Many-to-one mapping

Applicable versions: As designated in the Applies To list at the beginning of this topic.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Ciphers

TLS/SSL ciphers should be controlled by configuring the cipher suite order. For details, see Configuring TLS Cipher Suite Order.

For information about the default cipher suite order used by the Schannel SSP, see Cipher Suites in TLS/SSL (Schannel SSP).

CipherSuites

Configuring TLS/SSL cipher suites should be done using Group Policy, MDM, or PowerShell; see Configuring TLS Cipher Suite Order for details.

For information about the default cipher suite order used by the Schannel SSP, see Cipher Suites in TLS/SSL (Schannel SSP).

ClientCacheTime

This entry controls the amount of time, in milliseconds, that the operating system takes to expire client-side cache entries. A value of 0 turns off secure-connection caching. This entry does not exist in the registry by default.

The first time a client connects to a server through the Schannel SSP, a full TLS/SSL handshake is performed. When this is complete, the master secret, cipher suite, and certificates are stored in the session cache on the respective client and server.

Beginning with Windows Server 2008 and Windows Vista, the default client cache time is 10 hours.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Default client cache time: 10 hours

FIPSAlgorithmPolicy

This entry controls Federal Information Processing Standards (FIPS) compliance. The default is 0.

Applicable versions: As designated in the Applies To list at the beginning of this topic.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\LSA

Windows Server FIPS cipher suites: See Supported Cipher Suites and Protocols in the Schannel SSP.

Hashes

TLS/SSL hash algorithms should be controlled by configuring the cipher suite order. See Configuring TLS Cipher Suite Order for details.

IssuerCacheSize

This entry controls the size of the issuer cache, and it is used with issuer mapping. The Schannel SSP attempts to map all of the issuers in the client's certificate chain, not only the direct issuer of the client certificate. When the issuers do not map to an account, which is the typical case, the server might attempt to map the same issuer name repeatedly, hundreds of times per second.

To prevent this, the server has a negative cache: if an issuer name does not map to an account, it is added to the cache, and the Schannel SSP will not attempt to map that issuer name again until the cache entry expires. This registry entry specifies the cache size. This entry does not exist in the registry by default. The default value is 100.

Applicable versions: As designated in the Applies To list at the beginning of this topic.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

IssuerCacheTime

This entry controls the length of the cache timeout interval in milliseconds. The Schannel SSP attempts to map all of the issuers in the client's certificate chain, not only the direct issuer of the client certificate. In the case where the issuers do not map to an account, which is the typical case, the server might attempt to map the same issuer name repeatedly, hundreds of times per second.

To prevent this, the server has a negative cache: if an issuer name does not map to an account, it is added to the cache, and the Schannel SSP will not attempt to map that issuer name again until the cache entry expires. This cache is kept for performance reasons, so that the system does not continue trying to map the same issuers. This entry does not exist in the registry by default. The default value is 10 minutes.

Applicable versions: As designated in the Applies To list at the beginning of this topic.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

KeyExchangeAlgorithm - Client RSA key sizes

This entry controls the client RSA key sizes.

Use of key exchange algorithms should be controlled by configuring the cipher suite order.

Added in Windows 10, version 1507 and Windows Server 2016.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS

To specify the minimum supported RSA key bit length for the TLS client, create a ClientMinKeyBitLength entry. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to the desired bit length. If not configured, 1024 bits is the minimum.

To specify the maximum supported RSA key bit length for the TLS client, create a ClientMaxKeyBitLength entry. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to the desired bit length. If not configured, a maximum is not enforced.

KeyExchangeAlgorithm - Diffie-Hellman key sizes

This entry controls the Diffie-Hellman key sizes.

Use of key exchange algorithms should be controlled by configuring the cipher suite order.

Added in Windows 10, version 1507 and Windows Server 2016.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman

To specify the minimum supported Diffie-Hellman key bit length for the TLS client, create a ClientMinKeyBitLength entry. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to the desired bit length. If not configured, 1024 bits is the minimum.

To specify the maximum supported Diffie-Hellman key bit length for the TLS client, create a ClientMaxKeyBitLength entry. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to the desired bit length. If not configured, a maximum is not enforced.

To specify the Diffie-Hellman key bit length that the TLS server uses by default, create a ServerMinKeyBitLength entry. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to the desired bit length. If not configured, 2048 bits is the default.
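The following PowerShell is an added example, not code from the original page or from Microsoft. It writes the ClientMinKeyBitLength and ServerMinKeyBitLength entries under the PKCS and Diffie-Hellman subkeys described above and then reports the effective values, substituting the documented defaults (1024-bit client minimum, 2048-bit server Diffie-Hellman default, no client maximum) where an entry does not exist. The 2048-bit targets and the Set-SchannelDword/Get-SchannelDword helper names are assumptions for illustration; it must run in an elevated session, and a reboot is the safe way to be sure every process picks up the new values.

```powershell
# Added example, not code from the original page: set Schannel minimum key sizes for the
# RSA (PKCS) and Diffie-Hellman key exchange subkeys, then report the effective values.
# Run elevated. The 2048-bit targets are an assumption chosen for illustration.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms'

function Set-SchannelDword {
    param([string]$Path, [string]$Name, [uint32]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-SchannelDword {
    # Returns the stored DWORD, or $Default when the entry does not exist (the page's documented default).
    param([string]$Path, [string]$Name, $Default)
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { $Default } else { $v }
}

$settings = @(
    @{ Sub = 'PKCS';           Name = 'ClientMinKeyBitLength'; Bits = 2048 },
    @{ Sub = 'Diffie-Hellman'; Name = 'ClientMinKeyBitLength'; Bits = 2048 },
    @{ Sub = 'Diffie-Hellman'; Name = 'ServerMinKeyBitLength'; Bits = 2048 }
)

foreach ($s in $settings) {
    # Guard against typos such as 248: require a multiple of 8 no smaller than the page's 1024-bit floor.
    if ($s.Bits -lt 1024 -or ($s.Bits % 8) -ne 0) { throw "Refusing $($s.Name)=$($s.Bits): not a plausible key size" }
    Set-SchannelDword -Path (Join-Path $base $s.Sub) -Name $s.Name -Value $s.Bits
}

# Read back what Schannel will actually enforce, one row per subkey.
foreach ($sub in 'PKCS', 'Diffie-Hellman') {
    $path = Join-Path $base $sub
    $serverMin = if ($sub -eq 'Diffie-Hellman') { Get-SchannelDword $path 'ServerMinKeyBitLength' 2048 } else { 'n/a' }
    [pscustomobject]@{
        Subkey                = $sub
        ClientMinKeyBitLength = Get-SchannelDword $path 'ClientMinKeyBitLength' 1024
        ClientMaxKeyBitLength = Get-SchannelDword $path 'ClientMaxKeyBitLength' 'not enforced'
        ServerMinKeyBitLength = $serverMin
    }
}
```

Raising the client minimums rejects peers that still present 1024-bit RSA certificates or 1024-bit DH groups, so audit the read-back output on a test host before rolling the change out.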

MaximumCacheSize

This entry controls the maximum number of cache elements. Setting MaximumCacheSize to 0 disables the server-side session cache and prevents reconnection. Increasing MaximumCacheSize above the default value causes Lsass.exe to consume additional memory. Each session-cache element typically requires 2 to 4 KB of memory. This entry does not exist in the registry by default. The default value is 20,000 elements.

Applicable versions: As designated in the Applies To list at the beginning of this topic.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Messaging – fragment parsing

These entries control the maximum size of fragmented TLS handshake messages that will be accepted. Messages larger than the allowed size are not accepted, and the TLS handshake fails. These entries do not exist in the registry by default.

When you set the value to 0x0, fragmented messages are not processed, which causes the TLS handshake to fail. This makes TLS clients or servers on the current machine non-compliant with the TLS RFCs.

The maximum allowed size can be increased up to 2^24-1 bytes. Allowing a client or server to read and store large amounts of unverified data from the network is not recommended: the data is buffered before it has been authenticated, and it consumes additional memory for each security context.

Added in Windows 7 and Windows Server 2008 R2. An update that enables Internet Explorer in Windows XP, Windows Vista, or Windows Server 2008 to parse fragmented TLS/SSL handshake messages is available.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Messaging

To specify the maximum size of fragmented TLS handshake messages that the TLS client will accept, create a MessageLimitClient entry. After you have created the entry, change the DWORD value to the desired size in bytes. If not configured, the default value is 0x8000 bytes.

To specify the maximum size of fragmented TLS handshake messages that the TLS server will accept when there is no client authentication, create a MessageLimitServer entry. After you have created the entry, change the DWORD value to the desired size in bytes. If not configured, the default value is 0x4000 bytes.

To specify the maximum size of fragmented TLS handshake messages that the TLS server will accept when there is client authentication, create a MessageLimitServerClientAuth entry. After you have created the entry, change the DWORD value to the desired size in bytes. If not configured, the default value is 0x8000 bytes.
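The following PowerShell is an added example, not code from the original page or from Microsoft. It sets one of the three Messaging limits described above while enforcing the two boundaries the page documents: a value above 2^24-1 bytes is refused, and a value of 0x0 is allowed only with a warning because it disables fragment processing and makes the host non-compliant with the TLS RFCs. It then reports the effective value of all three entries, substituting the documented defaults (0x8000, 0x4000, 0x8000 bytes) where an entry does not exist. The 64 KiB client limit and the Set-SchannelMessageLimit/Get-SchannelMessageLimits helper names are assumptions for illustration; the write requires an elevated session.

```powershell
# Added example, not code from the original page: configure the Schannel fragmented-handshake
# size limits and refuse values the page documents as invalid. Run elevated to write.
$msgKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Messaging'
$maxAllowed = 0xFFFFFF   # 2^24-1 bytes, the ceiling documented on the page
$defaults   = @{
    MessageLimitClient           = 0x8000   # TLS client
    MessageLimitServer           = 0x4000   # TLS server, no client authentication
    MessageLimitServerClientAuth = 0x8000   # TLS server, client authentication requested
}

function Set-SchannelMessageLimit {
    param(
        [ValidateSet('MessageLimitClient', 'MessageLimitServer', 'MessageLimitServerClientAuth')]
        [string]$Name,
        [uint32]$Bytes
    )
    if ($Bytes -gt $maxAllowed) { throw "$Name=$Bytes exceeds the 2^24-1 byte ceiling" }
    if ($Bytes -eq 0) {
        # 0x0 makes Schannel reject every fragmented handshake message, which breaks RFC-compliant
        # peers (for example a server that sends a certificate chain larger than one record).
        Write-Warning "$Name=0 disables fragment processing and makes this host non-compliant with the TLS RFCs"
    }
    if (-not (Test-Path $msgKey)) { New-Item -Path $msgKey -Force | Out-Null }
    New-ItemProperty -Path $msgKey -Name $Name -PropertyType DWord -Value $Bytes -Force | Out-Null
}

function Get-SchannelMessageLimits {
    # One row per entry: whether it is explicitly configured and the size Schannel will enforce.
    foreach ($name in $defaults.Keys) {
        $v = (Get-ItemProperty -Path $msgKey -Name $name -ErrorAction SilentlyContinue).$name
        $effective = if ($null -eq $v) { $defaults[$name] } else { $v }
        [pscustomobject]@{ Name = $name; Configured = ($null -ne $v); Bytes = $effective }
    }
}

Set-SchannelMessageLimit -Name MessageLimitClient -Bytes 0x10000   # 64 KiB, an assumption for illustration
Get-SchannelMessageLimits | Format-Table -AutoSize
```

Raise a limit only as far as the largest legitimate handshake you expect (typically a long certificate chain, or a client-authentication exchange that carries the server's trusted-issuer list); every byte above that is memory an unauthenticated peer can make lsass.exe hold per connection.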

SendTrustedIssuerList

This entry controls the flag that is used when the list of trusted issuers is sent. In the case of servers that trust hundreds of certification authorities for client authentication, there are too many issuers for the server to be able to send them all to the client computer when requesting client authentication. In this situation, this registry entry can be set, and instead of sending a partial list, the Schannel SSP will not send any list to the client.

Not sending a list of trusted issuers might affect what the client sends when it is asked for a client certificate. For example, when Internet Explorer receives a request for client authentication, it displays only the client certificates that chain up to one of the certification authorities sent by the server. If the server did not send a list, Internet Explorer displays all of the client certificates that are installed on the client.

This behavior might be desirable. For example, when PKI environments include cross certificates, the client and server certificates will not have the same root CA; therefore, Internet Explorer cannot choose a certificate that chains up to one of the server's CAs. By configuring the server not to send a trusted issuer list, Internet Explorer will offer all of its certificates.

This entry does not exist in the registry by default.

Default Send Trusted Issuer List behavior

Windows version                                   Default
Windows Server 2012 and Windows 8 and later       FALSE
Windows Server 2008 R2 and Windows 7 and earlier  TRUE

Applicable versions: As designated in the Applies To list at the beginning of this topic.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

ServerCacheTime

This entry controls the amount of time, in milliseconds, that the operating system takes to expire server-side cache entries. A value of 0 disables the server-side session cache and prevents reconnection. Increasing ServerCacheTime above the default value causes Lsass.exe to consume additional memory. Each session-cache element typically requires 2 to 4 KB of memory. This entry does not exist in the registry by default.

Applicable versions: As designated in the Applies To list at the beginning of this topic.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Default server cache time: 10 hours
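The following PowerShell is an added example, not code from the original page or from Microsoft. It is a read-only audit of the cache-related entries in the SCHANNEL key covered above (ClientCacheTime, ServerCacheTime, MaximumCacheSize, IssuerCacheSize, IssuerCacheTime, SendTrustedIssuerList): for each entry it reports whether a value is configured, substitutes the default documented on this page where none exists (10 hours, 10 hours, 20,000 elements, 100, 10 minutes, and FALSE from Windows 8 / Windows Server 2012 onward, TRUE before), and flags values that turn session caching off or that the 2 to 4 KB per element figure turns into a sizeable lsass.exe footprint. The Get-SchannelEffective helper name and the use of the NT version number 6.2 to distinguish Windows 8 / Server 2012 from earlier releases are assumptions for illustration.

```powershell
# Added example, not code from the original page: report the effective Schannel cache and
# trusted-issuer-list settings, using the page's documented defaults for entries that do not exist.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelEffective {
    param([string]$Name, $Default)
    $v = (Get-ItemProperty -Path $schannel -Name $Name -ErrorAction SilentlyContinue).$Name
    $effective = if ($null -eq $v) { $Default } else { $v }
    [pscustomobject]@{ Name = $Name; Configured = ($null -ne $v); Value = $effective }
}

# SendTrustedIssuerList defaults to FALSE from Windows 8 / Server 2012 (NT 6.2) onward and TRUE before.
$osVersion         = [version](Get-CimInstance Win32_OperatingSystem).Version
$sendIssuerDefault = if ($osVersion -ge [version]'6.2') { 0 } else { 1 }

$rows = @(
    Get-SchannelEffective 'ClientCacheTime'       36000000            # 10 hours, in milliseconds
    Get-SchannelEffective 'ServerCacheTime'       36000000            # 10 hours, in milliseconds
    Get-SchannelEffective 'MaximumCacheSize'      20000               # session-cache elements
    Get-SchannelEffective 'IssuerCacheSize'       100                 # negative issuer-mapping cache entries
    Get-SchannelEffective 'IssuerCacheTime'       600000              # 10 minutes, in milliseconds
    Get-SchannelEffective 'SendTrustedIssuerList' $sendIssuerDefault
)

foreach ($r in $rows) {
    # Translate the raw DWORD into what it means operationally.
    $note = switch ($r.Name) {
        'ClientCacheTime'       { if ($r.Value -eq 0) { 'client secure-connection caching OFF' } else { '{0:N1} h' -f ($r.Value / 3600000) } }
        'ServerCacheTime'       { if ($r.Value -eq 0) { 'server session cache OFF, no reconnection' } else { '{0:N1} h' -f ($r.Value / 3600000) } }
        'MaximumCacheSize'      { if ($r.Value -eq 0) { 'server session cache OFF, no reconnection' } else { 'lsass.exe est. {0}-{1} MB at 2-4 KB/element' -f [int]($r.Value * 2 / 1024), [int]($r.Value * 4 / 1024) } }
        'IssuerCacheTime'       { '{0:N1} min' -f ($r.Value / 60000) }
        'SendTrustedIssuerList' { if ($r.Value -eq 0) { 'no CA list sent with the client-certificate request' } else { 'CA list sent' } }
        default                 { '' }
    }
    $r | Add-Member -NotePropertyName Note -NotePropertyValue $note -PassThru
}
```

Run it before and after a Group Policy or hardening-baseline change; a host where ServerCacheTime or MaximumCacheSize has been set to 0 will pass protocol scanners but force a full handshake on every connection, which is usually an unintended outcome.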

SSL 2.0

This subkey controls the use of SSL 2.0.

Beginning with Windows 10, version 1607 and Windows Server 2016, SSL 2.0 has been removed and is no longer supported. For SSL 2.0 default settings, see Protocols in the TLS/SSL (Schannel SSP).

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To enable the SSL 2.0 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 1. To disable the protocol, change the DWORD value to 0.

SSL 2.0 subkey table

Subkey               Description
Client               Controls the use of SSL 2.0 on the SSL client.
Server               Controls the use of SSL 2.0 on the SSL server.
DisabledByDefault    Flag to disable SSL 2.0 by default.

SSL 3.0

This subkey controls the use of SSL 3.0.

Beginning with Windows 10, version 1607 and Windows Server 2016, SSL 3.0 is disabled by default. For SSL 3.0 default settings, see Protocols in the TLS/SSL (Schannel SSP).

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To enable the SSL 3.0 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 1. To disable the protocol, change the DWORD value to 0.

SSL 3.0 subkey table

Subkey               Description
Client               Controls the use of SSL 3.0 on the SSL client.
Server               Controls the use of SSL 3.0 on the SSL server.
DisabledByDefault    Flag to disable SSL 3.0 by default.

TLS 1.0

This subkey controls the use of TLS 1.0.

For TLS 1.0 default settings, see Protocols in the TLS/SSL (Schannel SSP).

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To disable the TLS 1.0 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 1.

TLS 1.0 subkey table

Subkey               Description
Client               Controls the use of TLS 1.0 on the TLS client.
Server               Controls the use of TLS 1.0 on the TLS server.
DisabledByDefault    Flag to disable TLS 1.0 by default.

TLS 1.1

This subkey controls the use of TLS 1.1.

For TLS 1.1 default settings, see Protocols in the TLS/SSL (Schannel SSP).

Note

For TLS 1.1 to be enabled and negotiated on servers that run Windows Server 2008 R2, you MUST create the DisabledByDefault entry in the appropriate subkey (Client, Server) and set it to "0". The entry does not exist in the registry by default, and when it is absent it is treated as "1".

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To disable the TLS 1.1 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 1.

TLS 1.1 subkey table

Subkey               Description
Client               Controls the use of TLS 1.1 on the TLS client.
Server               Controls the use of TLS 1.1 on the TLS server.
DisabledByDefault    Flag to disable TLS 1.1 by default.

TLS 1.2

This subkey controls the use of TLS 1.2.

For TLS 1.2 default settings, see Protocols in the TLS/SSL (Schannel SSP).

Note

For TLS 1.2 to be enabled and negotiated on servers that run Windows Server 2008 R2, you MUST create the DisabledByDefault entry in the appropriate subkey (Client, Server) and set it to "0". The entry does not exist in the registry by default, and when it is absent it is treated as "1".

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To disable the TLS 1.2 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 1.

TLS 1.2 subkey table

Subkey               Description
Client               Controls the use of TLS 1.2 on the TLS client.
Server               Controls the use of TLS 1.2 on the TLS server.
DisabledByDefault    Flag to disable TLS 1.2 by default.

DTLS 1.0

This subkey controls the use of DTLS 1.0.

For DTLS 1.0 default settings, see Protocols in the TLS/SSL (Schannel SSP).

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To disable the DTLS 1.0 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 1.

DTLS 1.0 subkey table

Subkey               Description
Client               Controls the use of DTLS 1.0 on the DTLS client.
Server               Controls the use of DTLS 1.0 on the DTLS server.
DisabledByDefault    Flag to disable DTLS 1.0 by default.

DTLS 1.2

This subkey controls the use of DTLS 1.2.

For DTLS 1.2 default settings, see Protocols in the TLS/SSL (Schannel SSP).

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To disable the DTLS 1.2 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 1.

DTLS 1.2 subkey table

Subkey               Description
Client               Controls the use of DTLS 1.2 on the DTLS client.
Server               Controls the use of DTLS 1.2 on the DTLS server.
DisabledByDefault    Flag to disable DTLS 1.2 by default.
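The following PowerShell is an added example, not code from the original page or from Microsoft. It serves all of the protocol sections above (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, DTLS 1.0, DTLS 1.2), each of which uses the same Client and Server subkeys with the same Enabled and DisabledByDefault entries. It audits the current state of every protocol and side, reports any entry that contradicts a target configuration, and can then write both entries explicitly: writing DisabledByDefault=0 alongside Enabled=1 is what the notes in the TLS 1.1 and TLS 1.2 sections require on Windows Server 2008 R2. The target itself (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and DTLS 1.0 off; TLS 1.2 and DTLS 1.2 on) and the Get-SchannelProtocolState/Set-SchannelProtocol helper names are assumptions for illustration; the page documents only the registry semantics. Writing requires an elevated session, and a reboot is the safe way to make the change effective for all processes.

```powershell
# Added example, not code from the original page: audit and set the per-protocol Client/Server
# subkeys under SCHANNEL\Protocols. Run elevated to write; reboot to be sure the change is applied.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$names     = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'DTLS 1.0', 'DTLS 1.2'

function Get-SchannelProtocolState {
    # One row per protocol and side; 'not set' means the entry is absent and the OS default applies.
    foreach ($proto in $names) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $protocols $proto) $side
            $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                KeyExists         = Test-Path $key
                Enabled           = if ($null -eq $p.Enabled)           { 'not set' } else { $p.Enabled }
                DisabledByDefault = if ($null -eq $p.DisabledByDefault) { 'not set' } else { $p.DisabledByDefault }
            }
        }
    }
}

function Set-SchannelProtocol {
    # Enabled=0 turns the protocol off outright; DisabledByDefault=1 keeps it available but not
    # negotiated unless an application opts in. Both are written so the resulting state is unambiguous.
    param([string]$Protocol, [ValidateSet('Client', 'Server')][string]$Side, [bool]$Enable)
    $key = Join-Path (Join-Path $protocols $Protocol) $Side
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled           -PropertyType DWord -Value ([int]$Enable)        -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
}

# Target state: an assumption for illustration, not a recommendation taken from the page.
$target = @{ 'SSL 2.0' = $false; 'SSL 3.0' = $false; 'TLS 1.0' = $false; 'TLS 1.1' = $false;
             'TLS 1.2' = $true;  'DTLS 1.0' = $false; 'DTLS 1.2' = $true }

# Audit: report every explicitly set entry whose value contradicts the target.
Get-SchannelProtocolState | Where-Object {
    $want = $target[$_.Protocol]
    ($_.Enabled -ne 'not set'           -and [bool]$_.Enabled -ne $want) -or
    ($_.DisabledByDefault -ne 'not set' -and [bool]$_.DisabledByDefault -eq $want)
} | Format-Table -AutoSize

# Apply: set $Harden to $true to write the target. A target with TLS 1.2 off would leave nothing
# modern to negotiate, so it is refused.
$Harden = $false
if ($Harden) {
    if (-not $target['TLS 1.2']) { throw 'Refusing a target that disables TLS 1.2' }
    foreach ($proto in $names) {
        foreach ($side in 'Client', 'Server') { Set-SchannelProtocol $proto $side $target[$proto] }
    }
}
```

Run the audit alone first: an entry that is present but contradicts the target is the usual cause of a host that still negotiates TLS 1.0 after a baseline has supposedly been applied. Disable a protocol on the Client side only after confirming that no outbound dependency (a proxy, an LDAP or SMTP peer, a management agent) still requires it, since the Client subkey governs every Schannel-based client on the machine, not just the browser.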