c# - Defining your own TlsCipherSuite in ASP.Net

Tags: c# asp.net entity-framework ssl tls1.2

I am building a WebService with ASP.Net. The service currently runs locally, and I used NMAP to check the allowed TLS versions and ciphers. This is my result:

| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers:     
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A    
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A    
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A    
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A    
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A    
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A    
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A    
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A    
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A    
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A    
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A    
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A    
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A    
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A    
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C    
|     compressors:     
|       NULL    
|     cipher preference: server    
|     warnings:     
|       64-bit block cipher 3DES vulnerable to SWEET32 attack    
|_  least strength: C
I now want to define my own CipherSet in ASP.Net.
I tried to use the example from the Microsoft documentation for Kestrel: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?view=aspnetcore-3.1#listenoptionsprotocols
My code looks like this:

    webBuilder.UseKestrel(kestrelOptions =>
    {
        kestrelOptions.ConfigureHttpsDefaults(httpsOptions =>
        {
            httpsOptions.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;

            httpsOptions.OnAuthenticate = (connectionContext, authenticationOptions) =>
            {
                var ciphers = new List<TlsCipherSuite>()
                {
                    TlsCipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                    TlsCipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                    TlsCipherSuite.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                    TlsCipherSuite.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                    TlsCipherSuite.TLS_PSK_WITH_AES_128_GCM_SHA256,
                    TlsCipherSuite.TLS_PSK_WITH_AES_256_GCM_SHA384,
                    TlsCipherSuite.TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
                    TlsCipherSuite.TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
                    TlsCipherSuite.TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
                    TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TlsCipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
                    TlsCipherSuite.TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
                    TlsCipherSuite.TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
                    TlsCipherSuite.TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384,
                    TlsCipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256,
                    TlsCipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM,
                    TlsCipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM,
                    TlsCipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM_8,
                    TlsCipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM_8,
                    TlsCipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
                    TlsCipherSuite.TLS_PSK_WITH_AES_128_CCM,
                    TlsCipherSuite.TLS_PSK_WITH_AES_256_CCM,
                    TlsCipherSuite.TLS_DHE_PSK_WITH_AES_128_CCM,
                    TlsCipherSuite.TLS_DHE_PSK_WITH_AES_256_CCM,
                    TlsCipherSuite.TLS_PSK_WITH_AES_128_CCM_8,
                    TlsCipherSuite.TLS_PSK_WITH_AES_256_CCM_8,
                    TlsCipherSuite.TLS_PSK_DHE_WITH_AES_128_CCM_8,
                    TlsCipherSuite.TLS_PSK_DHE_WITH_AES_256_CCM_8,
                    TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
                    TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
                    TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
                    TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
                    TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
                };
                authenticationOptions.EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;
                authenticationOptions.CipherSuitesPolicy = new CipherSuitesPolicy(ciphers);
            };
        });
    });

As soon as I start the WebService, I get this exception:
System.PlatformNotSupportedException: "CipherSuitesPolicy is not supported on this platform."
Do I need to import something to make this work?

Best answer

I think I have a solution.
CipherSuitesPolicy seems to be available only on Linux and macOS.
For Windows, I had to disable certain ciphers in the registry:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v Enabled /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /v Enabled /d 0 /t REG_DWORD /f
This solution worked for me. The WebService now uses only strong ciphers.
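
The following is an added example, not code from the original question or answer: the question's Kestrel configuration with the cipher-suite policy applied only on non-Windows hosts, so the same build also starts on Windows, where the SChannel registry settings from the answer decide which suites are offered. The shortened allow-list and the inline placeholder endpoint are assumptions made for illustration.

```csharp
using System.Net.Security;
using System.Runtime.InteropServices;
using System.Security.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Hosting;

public static class Program
{
    // Assumed allow-list for this example: forward-secret AEAD suites only.
    // TLS 1.3 suites have their own names and are listed explicitly.
    private static readonly TlsCipherSuite[] AllowedSuites =
    {
        TlsCipherSuite.TLS_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    };

    public static void Main(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseKestrel(kestrelOptions =>
                    kestrelOptions.ConfigureHttpsDefaults(httpsOptions =>
                    {
                        httpsOptions.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;
                        httpsOptions.OnAuthenticate = (connectionContext, authenticationOptions) =>
                        {
                            // The page reports PlatformNotSupportedException for
                            // CipherSuitesPolicy on Windows, so skip it there and leave
                            // suite selection to the SChannel registry settings.
                            if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
                            {
                                return;
                            }
                            authenticationOptions.CipherSuitesPolicy =
                                new CipherSuitesPolicy(AllowedSuites);
                        };
                    }));

                // Placeholder endpoint (assumption) so the example starts without a Startup class.
                webBuilder.Configure(app =>
                    app.Run(context => context.Response.WriteAsync("ok")));
            })
            .Build()
            .Run();
}
```

Re-running the same NMAP ssl-enum-ciphers scan shown in the question after either change confirms which suites the listener still offers.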

Regarding "c# - Defining your own TlsCipherSuite in ASP.Net", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/72127149/
