Windows Server 2016 Cipher Suites not working

I am trying to connect to an Exasol database from PowerShell using the ADO.NET driver. I can connect successfully from my Windows 10 PC, but not from Windows Server 2016. The error message is:

Error: SSL authentication failed. AuthenticationException: A call to SSPI failed, see inner exception.
Error: Inner exception: The client and server cannot communicate, because they do not possess a common algorithm
Debug: Exasol.EXADataProvider.EXAClientException (0x80004005): TLS connection to host (exadb1) failed: A call to SSPI failed, see inner exception.
   at Exasol.EXADataProvider.backend.BackendFactory.ConnectToServer(String hostIp, Int32 serverPort, String serverName, String userFingerprint)
   at Exasol.EXADataProvider.backend.BackendFactory.PerformLogin(EXAConnectionStringBuilder connectString)

I checked that TLS 1.2 is enabled on the Windows server. I thought that maybe the Windows server does not have the right cipher suites that Exasol accepts.

Below is what the Get-TlsCipherSuite command returns on my PC. The last column shows which cipher suites are mentioned in the Wireshark log.

| Name | Certificate | Cipher | CipherLength | Wireshark |
|---|---|---|---|---|
| TLS_AES_256_GCM_SHA384 | | AES | 256 | |
| TLS_AES_128_GCM_SHA256 | | AES | 128 | |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | | | 0 | Client Hello |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDSA | AES | 128 | Client Hello |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | RSA | AES | 256 | Client & Server Hello |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | RSA | AES | 128 | Client Hello |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | RSA | AES | 256 | Client Hello |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | RSA | AES | 128 | Client Hello |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | | | 0 | Client Hello |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDSA | AES | 128 | Client Hello |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | RSA | AES | 256 | Client Hello |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | RSA | AES | 128 | Client Hello |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDSA | AES | 256 | Client Hello |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDSA | AES | 128 | Client Hello |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | RSA | AES | 256 | Client Hello |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | RSA | AES | 128 | Client Hello |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | RSA | AES | 256 | Client Hello |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | RSA | AES | 128 | Client Hello |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | RSA | AES | 256 | Client Hello |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | RSA | AES | 128 | Client Hello |
| TLS_RSA_WITH_AES_256_CBC_SHA | RSA | AES | 256 | Client Hello |
| TLS_RSA_WITH_AES_128_CBC_SHA | RSA | AES | 128 | Client Hello |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | RSA | 3DES | 168 | Client Hello |
| TLS_RSA_WITH_NULL_SHA256 | RSA | | 0 | |
| TLS_RSA_WITH_NULL_SHA | RSA | | 0 | |
| TLS_PSK_WITH_AES_256_GCM_SHA384 | | | 0 | |
| TLS_PSK_WITH_AES_128_GCM_SHA256 | | AES | 128 | |
| TLS_PSK_WITH_AES_256_CBC_SHA384 | | AES | 256 | |
| TLS_PSK_WITH_AES_128_CBC_SHA256 | | AES | 128 | |
| TLS_PSK_WITH_NULL_SHA384 | | | 0 | |
| TLS_PSK_WITH_NULL_SHA256 | | | 0 | |

This is the result of running Get-TlsCipherSuite on Windows Server 2016. The last column shows which cipher suites are mentioned in the Wireshark log.

| Name | Certificate | Cipher | CipherLength | Wireshark |
|---|---|---|---|---|
| TLS_AES_256_GCM_SHA384 | | | 0 | |
| TLS_AES_128_GCM_SHA256 | | | 0 | |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDSA | AES | 256 | |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDSA | AES | 128 | |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | RSA | AES | 256 | |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | RSA | AES | 128 | |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | RSA | AES | 256 | |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | RSA | AES | 128 | |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | | | 0 | |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDSA | AES | 128 | |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | RSA | AES | 256 | |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | RSA | AES | 128 | |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDSA | AES | 256 | Client Hello |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDSA | AES | 128 | Client Hello |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | RSA | AES | 256 | Client & Server Hello |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | RSA | AES | 128 | Client Hello |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | RSA | AES | 256 | Client Hello |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | RSA | AES | 128 | Client Hello |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | RSA | AES | 256 | |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | RSA | AES | 128 | |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | RSA | AES | 256 | |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | RSA | AES | 128 | |
| TLS_RSA_WITH_AES_256_CBC_SHA | RSA | AES | 256 | Client Hello |
| TLS_RSA_WITH_AES_128_CBC_SHA | RSA | AES | 128 | Client Hello |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | RSA | 3DES | 168 | Client Hello |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | | | 0 | |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | DSA | AES | 128 | |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | DSA | AES | 256 | Client Hello |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | DSA | AES | 128 | Client Hello |
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | DSA | 3DES | 168 | Client Hello |
| TLS_RSA_WITH_RC4_128_SHA | RSA | RC4 | 128 | Client Hello |
| TLS_RSA_WITH_RC4_128_MD5 | RSA | RC4 | 128 | Client Hello |
| TLS_RSA_WITH_NULL_SHA256 | RSA | | 0 | |
| TLS_RSA_WITH_NULL_SHA | RSA | | 0 | |
| TLS_PSK_WITH_AES_256_GCM_SHA384 | | | 0 | |
| TLS_PSK_WITH_AES_128_GCM_SHA256 | | AES | 128 | |
| TLS_PSK_WITH_AES_256_CBC_SHA384 | | AES | 256 | |
| TLS_PSK_WITH_AES_128_CBC_SHA256 | | AES | 128 | |
| TLS_PSK_WITH_NULL_SHA384 | | | 0 | |
| TLS_PSK_WITH_NULL_SHA256 | | | 0 | |

For some reason, the cipher suite lists in PowerShell and in Wireshark do not match.

Do you know how to "activate" cipher suites on the Windows server, and why some of them are not being used? It looks like Exasol wants to use TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, but for some reason the Windows server cannot use it.

You can use Enable-TlsCipherSuite to add extra ciphers to your server.

Enable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

The above, run in an elevated PowerShell instance, should give you an idea of where to go next.

Try forcing the TLS protocol at the start of the script:

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 -bor [System.Net.SecurityProtocolType]::Tls13

In the end, setting the SystemDefaultTlsVersions and SchUseStrongCrypto registry keys helped. https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#systemdefaulttlsversions

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

Before this change, [System.Net.ServicePointManager]::SecurityProtocol was returning Ssl3, Tls. After the change it started returning SystemDefault, and the error no longer occurs.

Also, I checked, and the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite is now being used.

Thanks everyone for your help.
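A script that audits the two things this thread ended up changing (the Schannel cipher suite list from the Enable-TlsCipherSuite answer, and the .NET Framework registry values from the accepted fix), added here as an example and not part of the question or any of the answers. It assumes the cipher-suite name and registry paths quoted above and an elevated PowerShell session on the server; -Fix is a parameter of this script, not of any Windows tool.

```powershell
# Added example, not from the question or the answers: audits the two settings the
# thread changed. Run in an elevated PowerShell on the server; pass -Fix to also
# write the missing registry values (the same ones as in the .reg file above).
param([switch]$Fix)

# The suite the working Windows 10 capture negotiated with the Exasol server.
$Required = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'

# 1. Schannel: is the suite in the machine's effective cipher suite list?
$enabled = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
if ($enabled -contains $Required) {
    Write-Host "OK      Schannel has $Required enabled"
} else {
    Write-Warning "MISSING Schannel suite $Required (Enable-TlsCipherSuite -Name $Required)"
}

# 2. .NET Framework: without SystemDefaultTlsVersions=1 an older runtime keeps
#    SecurityProtocol at Ssl3,Tls (what the asker saw), so the ADO.NET driver never
#    offers TLS 1.2 suites no matter what Schannel has enabled. Both the 32-bit
#    (WOW6432Node) and 64-bit hives and both runtime versions are checked.
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$Values = 'SystemDefaultTlsVersions', 'SchUseStrongCrypto'

foreach ($key in $Keys) {
    foreach ($name in $Values) {
        # Missing key or value yields $null rather than an error.
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -eq 1) {
            Write-Host "OK      $key\$name = 1"
            continue
        }
        Write-Warning "MISSING $key\$name (found '$current', expected 1)"
        if ($Fix) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
            Write-Host "FIXED   $key\$name = 1 (start a new PowerShell session to pick it up)"
        }
    }
}

# 3. What this process's .NET will actually offer; after the fix the asker saw SystemDefault.
Write-Host "This session: SecurityProtocol = $([System.Net.ServicePointManager]::SecurityProtocol)"
```

Step 1 answers the question's "why is the suite not in the Client Hello" only for Schannel; step 2 is the part that mattered here, because a .NET runtime pinned to Ssl3,Tls never offers the TLS 1.2 GCM suites even when Schannel has them enabled.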