如何在 Windows Azure(操作系统或网站)中配置完美前向保密 [英] How do I configure Perfect Forward Secrecy in Windows Azure (OS, or Websites)

问题描述

我想将我的网站移动到 Windows Azure，但需要确保我在所有实例和角色上都使用 PFS.(常规网络角色和网站也是如此)

I want to move my website to Windows Azure, but need to make sure that I'm using PFS on all my instances and roles. (regular web roles and Websites as well)

我该如何配置，以便每个部署都以这种方式自动配置?

How do I configure this so that each deployment is automatically configured this way?

推荐答案

André N. Klingsheim 撰写的nofollow noreferrer">这篇出色的文章解释了用于强化Windows Server 和 Windows Azure 上的 SSL/TLS 配置.这包括

This excellent article by André N. Klingsheim explains detailed options for hardening the SSL/TLS configuration on Windows Server and Windows Azure. This includes

• 禁用 SSL
• 启用 TLS
• 更改密码套件优先级

作者另外提供了一个NuGet包以及相关源代码，用于在 Azure 角色启动期间处理这些更新.

The author additionally provides a NuGet package as well as related source code for handling these updates during Azure role startup.

如果您想强制(完美) 前向保密 而不是启用它，您可能会想要禁用所有不支持它的密码套件.查看相关的 powershell 脚本 需要从 $preferredCipherSuites 中删除所有 TLS_RSA_*-suites.请注意，这将降低与某些(主要是旧版)浏览器/客户端的兼容性.

If you want to enforce (perfect) forward secrecy over just enabling it you will probably want to disable all cipher suites not supporting that. Looking at the relevant powershell script all TLS_RSA_*-suites need to be removed from $preferredCipherSuites. Note that this will drop compatibility with some (mostly legacy) browsers/clients.

另请参阅此答案，其中包含有关密码套件建议的多个资源.

Please also see this answer that contains several resources on cipher suite recommendations.

这篇关于如何在 Windows Azure(操作系统或网站)中配置完美前向保密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！