Problem: when certain certificates are used on the server, Windows Server 2008 R2 only supports the following SSL cipher suites:
This prevents XP clients from connecting to the server, because the XP Cryptographic API does not support any AES ciphers by default. As a result, when a client tries to connect with Internet Explorer or Remote Desktop (both of which use Microsoft's CAPI), the following errors appear in the server's event log.
Schannel Error 36874 “An TLS 1.0 connection was received from a remote client application, but none of the cipher suites supported by the client are supported by the server. The SSL connection request has failed.”
Schannel Error 36888 “The following fatal alert was generated: 40. The internal error state is 1204”
If the certificate used on the server was generated with the Legacy Key option in the certificate request form, its private key is stored in Microsoft's legacy Cryptographic API (CSP) framework.
Solution: generate the certificate request with the CNG key template in the Custom Certificate Request wizard.
MMC | Local Computer Certificate Manager | Personal Certificates Folder | (right click) | All Tasks -> Advanced Operations | Create Custom Request | “Proceed without enrollment policy” | select “(no template) CNG key” | proceed to complete the certificate request according to your needs.
Verify that the key is in the correct location: http://msdn.microsoft.com/en-us/library/bb204778(VS.85).aspx http://www.jensign.com/KeyPal/index.html
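The following PowerShell script is an added example (not part of the original post or the KeyPal tool) that performs the same check from the command line: for every certificate with a private key in the local machine Personal store, it reports whether the key lives in a legacy CSP or in a CNG key storage provider. It assumes Windows PowerShell running on .NET Framework 4.6 or later, where GetRSAPrivateKey() returns RSACng for CNG keys and RSACryptoServiceProvider for legacy CSP keys.

```powershell
# Added example: classify private-key storage (legacy CSP vs. CNG KSP) for each
# certificate in Cert:\LocalMachine\My, the store the MMC path above refers to.
# Assumes .NET Framework 4.6+ (RSACertificateExtensions). Run as Administrator
# so that machine-store private keys can be opened.

$store = 'Cert:\LocalMachine\My'

$report = Get-ChildItem -Path $store | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $cert = $_
    $kind = 'unknown'
    $provider = ''
    try {
        # Returns an RSACng for CNG-stored keys and an RSACryptoServiceProvider
        # for keys held by a legacy CryptoAPI CSP (null for non-RSA keys).
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) {
            $kind = 'not RSA'
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            $kind = 'CNG (KSP)'
            $provider = $rsa.Key.Provider.Provider
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $kind = 'legacy CSP'
            $provider = $rsa.CspKeyContainerInfo.ProviderName
        } else {
            $kind = $rsa.GetType().Name
        }
        if ($rsa) { $rsa.Dispose() }
    } catch {
        # Typically "access denied" when not elevated, or a hardware key that cannot be opened.
        $kind = 'error: ' + $_.Exception.Message
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        KeyStorage = $kind
        Provider   = $provider
    }
}

$report | Format-Table -AutoSize

# Certificates flagged 'legacy CSP' are the ones to reissue via the CNG key
# template described above before binding them to SSL/TLS or Remote Desktop.
$report | Where-Object { $_.KeyStorage -eq 'legacy CSP' } |
    ForEach-Object { Write-Warning ("Legacy CSP key: {0} ({1})" -f $_.Subject, $_.Thumbprint) }
```

The same information can be read from the "Provider =" line of `certutil -store My`, where a CNG key shows a "Key Storage Provider" name rather than a "Cryptographic Provider" name.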
Tools for verifying the cipher suites in use: http://pentestit.com/2010/05/16/ssltls-audit-audit-web-servers-ssl-ciphers/ https://www.ssllabs.com/
SSL cipher suite settings: http://support.microsoft.com/kb/245030 http://blogs.technet.com/b/steriley/archive/2007/11/06/changing-the-ssl-cipher-order-in-internet-explorer-7-on-windows-vista.aspx