如何配置完全正向保密Windows Azure中（OS，或者网站） [英] How do I configure Perfect Forward Secrecy in Windows Azure (OS, or Websites)

问题描述

我想搬到我的网站到Windows Azure，但需要确保我用我所有的实例和角色PFS。 （常规的网络角色和网站也一样）

I want to move my website to Windows Azure, but need to make sure that I'm using PFS on all my instances and roles. (regular web roles and Websites as well)

我如何配置这让每一个部署这种方式自动配置？

How do I configure this so that each deployment is automatically configured this way?

推荐答案

的 安德烈N. Klingsheim 这优秀的文章解释了硬化SSL详细的选项/ Windows Server和Windows Azure的上TLS配置。这包括

This excellent article by André N. Klingsheim explains detailed options for hardening the SSL/TLS configuration on Windows Server and Windows Azure. This includes

• 禁用SSL


• 启用TLS


• 更改密码套件的优先

笔者还提供了的NuGet包还有的相关来源$ C ​​$ C 了解Azure角色在启动过程中处理这些更新

The author additionally provides a NuGet package as well as related source code for handling these updates during Azure role startup.

如果要强制执行（完美的）向前保密在刚刚启用它，你可能会想禁用所有加密套件不支持这一点。综观相关的<一个href=\"https://nwebsec.$c$cplex.com/SourceControl/latest#NWebsec.AzureStartupTasks/NWebsec.AzureStartupTasks/content/NWebsec.AzureStartupTasks/scripts/TLS_hardening.ps1\"相对=nofollow> PowerShell脚本的所有 TLS_RSA _ * -suites需要从 $preferredCipherSuites 。请注意，这会掉落一些（主要是旧版）浏览器/客户端的兼容性。

If you want to enforce (perfect) forward secrecy over just enabling it you will probably want to disable all cipher suites not supporting that. Looking at the relevant powershell script all TLS_RSA_*-suites need to be removed from $preferredCipherSuites. Note that this will drop compatibility with some (mostly legacy) browsers/clients.

请参见这个答案包含的密码组建议几个资源。

Please also see this answer that contains several resources on cipher suite recommendations.

这篇关于如何配置完全正向保密Windows Azure中（OS，或者网站）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！