2008R2 powershell启用tls1.2安装chocolatey

2024-08-20 14:51:24 浏览数 (1)

关于低版本系统tls1.2,这篇文档是我看到整理最好的文档:https://www.xftsoft.com/news/jiaocheng/Could-not-create-SSL-TLS-secure-channel.html

首先把2008R2的powershell升级到5.1版本,https://www.microsoft.com/en-us/download/details.aspx?id=54616

然后就按下面步骤操作就能成功安装上chocolatey

一、从系统级别启用tls1.2

https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392

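# Make WinHTTP use TLS 1.2 by default, in both the native and the WOW64 registry view.
# 0x00000800 is the TLS 1.2 bit of DefaultSecureProtocols; no other protocol bit is set.
# Run from an elevated session. The provider path needs its backslashes: without them
# the whole string is taken as one key name directly under HKLM.
$winHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
foreach ($key in $winHttpKeys) {
    # New-ItemProperty fails on a missing key, so create it first, but only when absent.
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force
    }
    New-ItemProperty -Path $key -Name 'DefaultSecureProtocols' -Value 0x00000800 -PropertyType 'DWORD' -Force
}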

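# .NET Framework 2.0/3.5 and 4.x, native and WOW64 views (elevated session required):
#   SchUseStrongCrypto = 1        lets .NET applications negotiate the newer TLS versions
#   AspNetEnforceViewStateMac = 1 keeps ASP.NET ViewState MAC validation switched on
# The paths need their backslashes; without them Set-ItemProperty targets a key that does not exist.
$dotNetKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NetFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319'
)
foreach ($name in 'SchUseStrongCrypto', 'AspNetEnforceViewStateMac') {
    foreach ($key in $dotNetKeys) {
        if (Test-Path -Path $key) {
            Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
        }
        else {
            # That .NET version (or registry view) is not present on this machine.
            Write-Warning "Skipping missing key: $key"
        }
    }
}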

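# Enable TLS 1.2 in SCHANNEL for both roles: Enabled = 1, DisabledByDefault = 0.
# Run elevated; the page notes that a reboot is needed before the change takes effect.
$tls12Root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
foreach ($role in 'Client', 'Server') {
    $key = "$tls12Root\$role"
    # Create the key only when it is missing; New-Item -Force on an existing
    # registry key replaces it with an empty one.
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force
    }
    Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name 'Enabled' -Value 1 -Type DWord
}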
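function disable-ssl-2.0
{
    # Turns SSL 2.0 off in SCHANNEL for the Server and the Client role
    # (Enabled = 0, DisabledByDefault = 1). Needs an elevated session.
    # Both role keys are created when missing, so the Client writes cannot fail
    # on an absent key.
    $protocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'
    foreach ($role in 'Server', 'Client') {
        $key = "$protocolRoot\$role"
        # Only create when absent: New-Item -Force replaces an existing key with an empty one.
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force
        }
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType 'DWORD' -Force
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWORD' -Force
    }
    Write-Host 'Disabling SSLv2'
}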
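function disable-ssl-3.0
{
    # Turns SSL 3.0 off in SCHANNEL for the Server and the Client role
    # (Enabled = 0, DisabledByDefault = 1). Needs an elevated session.
    # Disabling only the Server side would leave outbound connections from this
    # machine able to negotiate SSL 3.0, so the Client role is handled too,
    # matching what disable-tls-1.0 does for TLS 1.0.
    $protocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'
    foreach ($role in 'Server', 'Client') {
        $key = "$protocolRoot\$role"
        # Only create when absent: New-Item -Force replaces an existing key with an empty one.
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force
        }
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType 'DWORD' -Force
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWORD' -Force
    }
    Write-Host 'Disabling SSLv3'
}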
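function disable-tls-1.0
{
    # Turns TLS 1.0 off in SCHANNEL for the Server and the Client role
    # (Enabled = 0, DisabledByDefault = 1). Needs an elevated session.
    # NOTE(review): software on this host that can only speak TLS 1.0 will stop
    # connecting after the reboot; check what depends on it first.
    $protocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0'
    foreach ($role in 'Server', 'Client') {
        $key = "$protocolRoot\$role"
        # Only create when absent: New-Item -Force replaces an existing key with an empty one.
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force
        }
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType 'DWORD' -Force
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWORD' -Force
    }
    Write-Host 'Disabling TLSv1.0'
}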
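function enable-tls-1.1
{
    # Turns TLS 1.1 on in SCHANNEL for the Server and the Client role
    # (Enabled = 1, DisabledByDefault = 0). Needs an elevated session.
    # TLS 1.1 is deprecated (RFC 8996); call this only if a peer still requires it,
    # TLS 1.2 is the version Chocolatey needs.
    $protocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1'
    foreach ($role in 'Server', 'Client') {
        $key = "$protocolRoot\$role"
        # Only create when absent: New-Item -Force replaces an existing key with an empty one.
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force
        }
        New-ItemProperty -Path $key -Name 'Enabled' -Value 1 -PropertyType 'DWORD' -Force
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWORD' -Force
    }
    Write-Host 'Enabling TLSv1.1'
}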
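function enable-tls-1.2
{
    # Turns TLS 1.2 on in SCHANNEL for the Server and the Client role
    # (Enabled = 1, DisabledByDefault = 0). Needs an elevated session.
    $protocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    foreach ($role in 'Server', 'Client') {
        $key = "$protocolRoot\$role"
        # Only create when absent: New-Item -Force replaces an existing key with an empty one.
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force
        }
        New-ItemProperty -Path $key -Name 'Enabled' -Value 1 -PropertyType 'DWORD' -Force
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWORD' -Force
    }
    Write-Host 'Enabling TLSv1.2'
}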


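function enable-winhttp-1.2
{
    # Sets WinHTTP's DefaultSecureProtocols to 0x00000800 (the TLS 1.2 bit only)
    # in the native and the WOW64 registry view. Needs an elevated session.
    $winHttpKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    )
    foreach ($key in $winHttpKeys) {
        # Create the key only when it is missing. New-Item -Force on an existing
        # registry key replaces it with an empty one, which would drop any other
        # values already stored there.
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force
        }
        New-ItemProperty -Path $key -Name 'DefaultSecureProtocols' -Value 0x00000800 -PropertyType 'DWORD' -Force
    }
    Write-Host 'Enabling WinHttp TLSv1.2'
}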

# Apply the protocol changes in order: legacy protocols off first, then TLS 1.1/1.2
# and the WinHTTP default on. Each name is one of the functions defined above.
$steps = @(
    'disable-ssl-2.0',
    'disable-ssl-3.0',
    'disable-tls-1.0',
    'enable-tls-1.1',
    'enable-tls-1.2',
    'enable-winhttp-1.2'
)
foreach ($step in $steps) {
    & $step
}

或者用IIS Crypto点鼠标设置:https://www.nartac.com/Downloads/IISCrypto/IISCrypto.exe

设置完以后重启机器生效

二、从powershell配置文件级别启用tls1.2

https://learn.microsoft.com/zh-cn/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-5.1

查看$PROFILE变量,我们搞全局设置,因此要选$PROFILE.AllUsersAllHosts(C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1)

# List the profile paths that $PROFILE carries as note properties.
$PROFILE | Get-Member -MemberType NoteProperty | Format-Table -AutoSize

检查配置文件是否存在

# True when the all-users / all-hosts profile file already exists.
$PROFILE.AllUsersAllHosts | Test-Path

如果不存在则创建

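# A profile is a script, so the execution policy has to allow scripts before it loads.
# RemoteSigned is enough for a locally created profile.ps1 and still demands a trusted
# signature on scripts downloaded from the internet; Unrestricted would drop that
# requirement for the whole machine.
Set-ExecutionPolicy RemoteSigned -Force

# Create the all-users / all-hosts profile only when it does not exist yet.
# It runs in every PowerShell session of every user, so keep it writable by administrators only.
if (-not (Test-Path -Path $PROFILE.AllUsersAllHosts)) {
    New-Item -ItemType File -Path $PROFILE.AllUsersAllHosts -Force
}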

创建后打开

# Open the all-users / all-hosts profile in Notepad for editing.
notepad.exe $PROFILE.AllUsersAllHosts

打开后添加这句命令并保存

# Profile line: .NET web requests made from this PowerShell session use TLS 1.2 only
# (plain assignment, so any other protocol flag that was set is replaced).
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

以上就设置好powershell配置文件级别的tls1.2了,然后就可以参考chocolatey官网文档安装chocolatey了。

三、安装chocolatey

check tls1.2

https://blog.chocolatey.org/2020/01/remove-support-for-old-tls-versions/

powershell执行这2句都是True才行

# 1) Does the installed .NET Framework know the Tls12 enum member at all?
'Tls12' -in [Enum]::GetNames([Net.SecurityProtocolType])

# 2) Is the Tls12 flag set for this session's ServicePointManager?
([System.Net.ServicePointManager]::SecurityProtocol -band [Net.SecurityProtocolType]::Tls12) -eq [Net.SecurityProtocolType]::Tls12

setup chocolatey steps:

官网文档:https://chocolatey.org/install

假如执行这2句都是True

# 1) Does the installed .NET Framework know the Tls12 enum member at all?
'Tls12' -in [Enum]::GetNames([Net.SecurityProtocolType])

# 2) Is the Tls12 flag set for this session's ServicePointManager?
([System.Net.ServicePointManager]::SecurityProtocol -band [Net.SecurityProtocolType]::Tls12) -eq [Net.SecurityProtocolType]::Tls12

然后执行这3句

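# Relax the execution policy for this process only; the machine-wide policy is untouched.
Set-ExecutionPolicy Bypass -Scope Process -Force

# 3072 is the numeric value of [Net.SecurityProtocolType]::Tls12; -bor adds it without
# dropping the protocols that are already enabled for the session.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072

# Save the installer to disk instead of piping the download straight into iex, so the
# file can be read and its Authenticode signature checked before anything executes.
$installer = Join-Path $env:TEMP ('chocolatey-install-{0}.ps1' -f [guid]::NewGuid())
(New-Object System.Net.WebClient).DownloadFile('https://community.chocolatey.org/install.ps1', $installer)

# NOTE(review): the published install.ps1 is expected to carry a signature block; confirm
# that the signer shown below is the publisher you expect before trusting the result.
$signature = Get-AuthenticodeSignature -FilePath $installer
if ($signature.Status -ne 'Valid') {
    throw "install.ps1 signature status is '$($signature.Status)'; not running it. Review $installer by hand."
}
Write-Host "install.ps1 signed by: $($signature.SignerCertificate.Subject)"

& $installer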

四、使用chocolatey

https://blog.csdn.net/penguinyao/article/details/124613774
