我想使用 SSPI(Schannel) 建立安全连接。
我不能用作 AES256 来加密套件。正如我在这里看到的,我必须定义自己的算法列表来禁用 AES256 密码套件,我将 ALG_ID 参数设置为 CALG_RSA_KEYX 芯片,但我在 Wireshark 捕获中看到我的应用程序仍然选择“TLS_RSA_WITH_AES_256_CBC_SHA”。
下面的代码片段显示了如何创建安全上下文。此代码取自此处,我将其更改为采用算法列表,而不是使用默认的操作系统算法:
TimeStamp tsExpiry;
SECURITY_STATUS Status;
DWORD cSupportedAlgs = 0;
ALG_ID rgbSupportedAlgs[16];
PCCERT_CONTEXT pCertContext = NULL;
certEnhkeyUsage.rgpszUsageIdentifier = usages;
// Build Schannel credential structure. Currently, this sample only
// specifies the protocol to be used (and optionally the certificate,
// of course). Real applications may wish to specify other parameters as well.
ZeroMemory( &SchannelCred, sizeof(SchannelCred) );
SchannelCred.dwVersion = SCHANNEL_CRED_VERSION;
SchannelCred.grbitEnabledProtocols = dwProtocol;
rgbSupportedAlgs[0] = CALG_RSA_KEYX;
cSupportedAlgs++;
SchannelCred.cSupportedAlgs = cSupportedAlgs;
SchannelCred.palgSupportedAlgs = rgbSupportedAlgs;
// Flags indicate the context behaviour.
SchannelCred.dwFlags |= SCH_CRED_NO_DEFAULT_CREDS;
SchannelCred.dwFlags |= SCH_CRED_AUTO_CRED_VALIDATION;
// Create an SSPI credential.
Status = g_pSSPI->AcquireCredentialsHandleA( NULL, // Name of principal
UNISP_NAME_A, // Name of package
SECPKG_CRED_OUTBOUND, // Flags indicating use
NULL, // Pointer to logon ID
&SchannelCred, // Package specific data
NULL, // Pointer to GetKey() func
NULL, // Value to pass to GetKey()
phCreds, // (out) Cred Handle
&tsExpiry ); // (out) Lifetime (optional)
if(Status != SEC_E_OK) printf("**** Error 0x%x returned by AcquireCredentialsHandle\n", Status);
return Status;
有人可以解释一下为什么吗?为了禁用 AES_256,我该怎么做?
提前致谢。