在Windows Server 2012中,Microsoft Windows(KB4486081)的更新是
在控制面板中显示在安装更新下。在Windows RT 8.1中,
Windows 8.1或Windows Server 2012 R2,更新Microsoft Windows
(KB4486105)在控制面板中的安装更新下显示。
您也可以尝试仅安装这些更新,但我根本不确定。
idk, if it may help you, but I installed .Net framework 4.8 on 2012 R2 server.
Then I was able to use tls13 in my .net application.
In Windows Server 2012, Update for Microsoft Windows (KB4486081) is
displayed under Installed Updates in Control Panel. In Windows RT 8.1,
Windows 8.1 or Windows Server 2012 R2, Update for Microsoft Windows
(KB4486105) is displayed under Installed Updates in Control Panel.
You also may try to install these updates only, but I am not sure about that at all.
尽管如此,Stunnel是我针对Windows Server 2012 R2找到的解决方案,该解决方案需要使用现代SSL Cyphers访问API主机,使用 Client 选项上述涵盖的选项,需要对我使用的软件进行最小的更改。
While there's no way to simply "native TLS 1.3" support in windows server 2012 R2, it is possible to "wrap" support for it using a tool called STunnel.
We recently faced an issue where our ASP Application stopped communicating to a API server (zenvios.com) which upgraded its SSL certificates to TLS 1.3.
Similarly to how installing .NET 4.8 helped the issue for .NET applications (it uses its own SSL subsystem), STunnel comes with its own OpenSSL bindings, which would make it future-proof as it's an old late-90's tool still maintained to this day thanks for its simplistic implementation.
How exactly to use it will depend on your library and tool but, basically you instruct the tool to listen to a given port in the local computer (accept config option), could be different protocols but HTTP/HTTPS supported, and forward anything received to the specified endpoint (connect).
It can act as a client, thus enabling, say, your old server to connect to remote servers using modern SSL encryption, which was my case. This basically "enables TLS 1.3 support" on Windows server. Of course, a few things will change.
Suppose your HTTP client/library connects to https://apiserver.example.org/ but it lacks TLS 1.3 support to negotiate the SSL connection. Then a config like this for stunnel:
Will enable you to access that server from your clients by changing your client/library to access http://localhost:8443
Caveat 1: It's likely the remote server needs to match it's Host HTTP Header in order to serve requests as if you were connecting to it. STunnel doesn't touch anything in the communication so you'll be sending Host: localhost in the request. In this case, you need to set your client to manually provide this HTTP Header as Host: apiserver.example.org
Caveat 2: It's also likely your client librady doesn't allow you to simply specify the Host header. In that case, I could circumvent the issue by keeping the client URL http://apiserver.example.org/ (notice I switched the URL from HTTPS to HTTP), and set up its proxy server to http://localhost:8443. This way it naturally used the proxy server to connect and passed the Host header the way it was necessary.
This so far covered accessing, as a client, to a remote host under a modern SSL suite.
It is possible also though, to host modern secure connections while using it as a server. I didn't really use this side of the feature, but basically you will have your IIS server listening, say, to a 18443 port (could be in localhost IP), and make STunnel actually listen to the public 443 port and forward connections to your local IIS site under the bleeding-edge SSL certificate you may possess. The configuration would then likely change into:
Then anyone connecting to https://www.example.com/ (assuming that's the site you host in IIS), and IIS listening for non-secure (or weaker-secure) SSL port 18443 will serve the requests.
Caveat 1: Something lost in this "map" would be the connecting IP address. IIS is going to see all clients as if they were coming from localhost. STunnel has its own log though that will show the actual IP address. STunnel also has a 'transparent' option that rewrites the source IP to pretend the connection was straight from remote host but that's not only not for Windows, but would also require systematic packet capture from the OS.
This is a super simplistic way to put it. During install STunnel helps you make a self-signed certificate, but making actual SSL certificates is a whole new topic. The full list of config possibilities of the tool is documented on its manual page and there are also useful links on their documentation page.
General Caveat: One would like to just "make this proxy anything", that is, you configure STunnel to act as a proxy server so that it would forward anything sent to it to the remote corresponding host. But I think this is not really the purpose and for that ends maybe an actual proxy server would be required.
Nevertheless STunnel was the solution I found for a Windows Server 2012 R2 that required access to a API host using modern SSL cyphers, using the client option covered above requiring minimal changes to the software I was using.
发布评论
评论(3)
IDK,如果它可以帮助您,但是我在2012 R2服务器上安装了.NET Framework 4.8。
然后,我能够在.NET应用程序中使用TLS13。
它包括系统更新:
您也可以尝试仅安装这些更新,但我根本不确定。
idk, if it may help you, but I installed .Net framework 4.8 on 2012 R2 server.
Then I was able to use tls13 in my .net application.
https://support.microsoft.com/en-us/help/4503548/microsoft-net-framework-4-8-offline-installer-for-windows
It includes system updates:
You also may try to install these updates only, but I am not sure about that at all.
截至2020年10月,Windows Server 2012 R2无法在Windows Server 2012 R2上启用TLS 1.3。Windows Server 2012 R2不支持TLS 1.3。
There is no way to enable TLS 1.3 on Windows Server 2012 R2 as of October 2020. Windows Server 2012 R2 does not support TLS 1.3.
虽然无法简单地在Windows Server 2012 R2中简单地“本机TLS 1.3”支持,但可以使用称为Stunnel的工具对其进行“包装”支持。
最近,我们遇到了一个问题,即我们的ASP应用程序停止通信与API服务器(Zenvios.com),该服务器将其SSL证书升级为TLS 1.3。
类似于安装.NET 4.8如何帮助.NET应用程序(使用其自己的SSL子系统)的问题,Stunnel带有其自己的OpenSSL绑定,这将使它变得适合未来,因为它是一个旧的90年代旧工具,但仍在此维护。一天感谢其简单的实施。
如何确切使用它取决于您的库和工具,但是,基本上,您指示该工具在本地计算机中收听给定端口(
Acceptconfig选项)可能是不同的协议,但是HTTP/HTTPS支持,并将收到的任何内容转发到指定的端点(Connect)。它可以充当 client ,因此,我的旧服务器可以使用现代SSL加密连接到远程服务器,这是我的情况。这基本上是在Windows Server上“启用TLS 1.3支持”。当然,一些事情会改变。
假设您的http客户端/库连接到
https://apiserver.example.org/,但缺乏TLS 1.3支持来协商SSL连接。然后,将像这样的配置用于Stunnel:将使您通过更改客户端/库访问
http:// localHost:8443caveat 1: 来使您可以从客户端访问该服务器。远程服务器可能需要匹配它的
hosthttp标头,以便将请求提供,就好像您要连接到它一样。 Stunnel不会触摸通信中的任何内容,因此您将在请求中发送主机:localhost。在这种情况下,您需要将客户设置为主机手动提供此HTTP标头:apiserver.example.orgcaveat 2:也可能是您的客户librady允许您简单地指定
主机标题。在这种情况下,我可以通过将客户端URLhttp://apiserver.example.org/(请注意,我将URL从https转换为http)来避免问题,并设置其代理服务器 <代码> http:// localhost:8443 。这样,它自然使用代理服务器来连接和将主机按必要方式传递。到目前为止,这涵盖了客户端的访问权限,访问了现代SSL套件下的远程主机。
但是,在将其用作 server 的同时,也有可能对现代安全连接进行 host 。我并没有真正使用该功能的这一侧,但是基本上,您会让您的IIS服务器收听18443端口(可能在Localhost IP中),并使Stunnel实际上听到公共443端口并向前连接到您的本地IIS网站在您可能拥有的出血边缘SSL证书下。然后,配置可能会更改为:
然后任何连接到
警告1:在此“地图”中丢失的东西将是连接的IP地址。 IIS将看到所有客户,就像他们来自Localhost一样。 Stunnel有自己的日志,可以显示实际的IP地址。 Stunnel还具有“透明”选项,该选项重写源IP以假装连接直接从远程主机,但不仅适用于Windows,而且还需要从OS中捕获系统的数据包。
这是一种超级简单的方法。在安装期间,Stunnel可帮助您制作自签名证书,但是进行实际的SSL证书是一个全新的主题。该工具的配置可能性的完整列表为在其手动页面上记录还有用的链接在其文档页面上。
一般警告:一个人只想“使此代理任何东西”,也就是说,您配置 stunnel 充当代理服务器,以便它可以转发任何发送给它的东西到远程对应的主机。但是我认为这并不是真正的目的,因此可能需要使用实际的代理服务器。
尽管如此,Stunnel是我针对Windows Server 2012 R2找到的解决方案,该解决方案需要使用现代SSL Cyphers访问API主机,使用 Client 选项上述涵盖的选项,需要对我使用的软件进行最小的更改。
While there's no way to simply "native TLS 1.3" support in windows server 2012 R2, it is possible to "wrap" support for it using a tool called STunnel.
We recently faced an issue where our ASP Application stopped communicating to a API server (zenvios.com) which upgraded its SSL certificates to TLS 1.3.
Similarly to how installing .NET 4.8 helped the issue for .NET applications (it uses its own SSL subsystem), STunnel comes with its own OpenSSL bindings, which would make it future-proof as it's an old late-90's tool still maintained to this day thanks for its simplistic implementation.
How exactly to use it will depend on your library and tool but, basically you instruct the tool to listen to a given port in the local computer (
acceptconfig option), could be different protocols but HTTP/HTTPS supported, and forward anything received to the specified endpoint (connect).It can act as a client, thus enabling, say, your old server to connect to remote servers using modern SSL encryption, which was my case. This basically "enables TLS 1.3 support" on Windows server. Of course, a few things will change.
Suppose your HTTP client/library connects to
https://apiserver.example.org/but it lacks TLS 1.3 support to negotiate the SSL connection. Then a config like this for stunnel:Will enable you to access that server from your clients by changing your client/library to access
http://localhost:8443Caveat 1: It's likely the remote server needs to match it's
HostHTTP Header in order to serve requests as if you were connecting to it. STunnel doesn't touch anything in the communication so you'll be sendingHost: localhostin the request. In this case, you need to set your client to manually provide this HTTP Header asHost: apiserver.example.orgCaveat 2: It's also likely your client librady doesn't allow you to simply specify the
Hostheader. In that case, I could circumvent the issue by keeping the client URLhttp://apiserver.example.org/(notice I switched the URL from HTTPS to HTTP), and set up its proxy server tohttp://localhost:8443. This way it naturally used the proxy server to connect and passed theHostheader the way it was necessary.This so far covered accessing, as a client, to a remote host under a modern SSL suite.
It is possible also though, to host modern secure connections while using it as a server. I didn't really use this side of the feature, but basically you will have your IIS server listening, say, to a 18443 port (could be in localhost IP), and make STunnel actually listen to the public 443 port and forward connections to your local IIS site under the bleeding-edge SSL certificate you may possess. The configuration would then likely change into:
Then anyone connecting to https://www.example.com/ (assuming that's the site you host in IIS), and IIS listening for non-secure (or weaker-secure) SSL port 18443 will serve the requests.
Caveat 1: Something lost in this "map" would be the connecting IP address. IIS is going to see all clients as if they were coming from localhost. STunnel has its own log though that will show the actual IP address. STunnel also has a 'transparent' option that rewrites the source IP to pretend the connection was straight from remote host but that's not only not for Windows, but would also require systematic packet capture from the OS.
This is a super simplistic way to put it. During install STunnel helps you make a self-signed certificate, but making actual SSL certificates is a whole new topic. The full list of config possibilities of the tool is documented on its manual page and there are also useful links on their documentation page.
General Caveat: One would like to just "make this proxy anything", that is, you configure STunnel to act as a proxy server so that it would forward anything sent to it to the remote corresponding host. But I think this is not really the purpose and for that ends maybe an actual proxy server would be required.
Nevertheless STunnel was the solution I found for a Windows Server 2012 R2 that required access to a API host using modern SSL cyphers, using the client option covered above requiring minimal changes to the software I was using.