From 082bf925ad5eaf6bd0789d16d3c45c448340e355 Mon Sep 17 00:00:00 2001 From: Tommy Holen <37346345+holentommy@users.noreply.github.com> Date: Thu, 28 Sep 2023 23:12:17 +0200 Subject: [PATCH 1/6] Update MSFT_CipherSuites.psm1 Attempting to resolve issue 'CipherSuites: Using 'Absent' for named CipherSuites on default installations does not work. #33' --- .../MSFT_CipherSuites/MSFT_CipherSuites.psm1 | 64 +++++++++++++------ 1 file changed, 46 insertions(+), 18 deletions(-) diff --git a/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 b/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 index 9072bcf..08e3893 100644 --- a/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 +++ b/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 @@ -32,14 +32,22 @@ function Get-TargetResource Write-Verbose -Message "Getting configuration for cipher suites order" - $itemKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' - $item = Get-ItemProperty -Path $itemKey -Name 'Functions' -ErrorAction SilentlyContinue + If (([System.Environment]::OSVersion.Version).Major -lt 10) { + $itemKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' + $item = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Name 'Functions' -ErrorAction SilentlyContinue).Functions + If (-Not ($item)) { + $item = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002' -Name 'Functions' -ErrorAction SilentlyContinue).Functions + } + } + Else { + $item = (Get-TlsCipherSuite).Name + } $order = $null if ($null -ne $item) { $Ensure = 'Present' - $order = (Get-ItemPropertyValue -Path $itemKey -Name 'Functions' -ErrorAction SilentlyContinue).Split(',') + $order = $item } else { 
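Review bot: `$order = $item` on the new side drops the `.Split(',')` that the removed line applied, so on the pre-Windows-10 branch `$order` is the raw comma-separated `Functions` string while the `Get-TlsCipherSuite` branch yields an array of names; whatever later compares this with `CipherSuitesOrder` sees two different shapes. Keep the split in the registry branch, `$order = $item.Split(',')`, or split at the point where `$item` is read there. Both branches now also fall back to the effective list (the `Local\SSL\00010002` key, or `Get-TlsCipherSuite`), so `$item` is presumably never null on a working system and `$Ensure` will always report 'Present'; if that is intended, say so with a comment such as `# Reports the effective suite list, not only the policy value; Ensure is 'Present' whenever any suite is enabled`. The second `Get-ItemProperty` in the `-lt 10` branch repeats the path literal instead of using the `$itemKey` assigned one line earlier. Get-TargetResource continues past the end of the hunk.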
@@ -78,22 +86,39 @@ function Set-TargetResource $RebootWhenRequired = $false ) - Write-Verbose -Message "Setting configuration for cipher suites order" - - $itemKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' - - if ($Ensure -eq 'Present') - { - Write-Verbose -Message ($script:localizedData.ItemEnable -f 'CipherSuites' , $Ensure) + If ($Ensure -ne 'Absent') { + Write-Verbose -Message "Setting configuration for cipher suites order" + } + If (([System.Environment]::OSVersion.Version).Major -ge 10) { + if ($Ensure -eq 'Present') + { + Write-Verbose -Message ($script:localizedData.ItemEnable -f 'CipherSuites' , $Ensure) + $Posision = 0 + Foreach ($CipherSuite in $CipherSuitesOrder) { + Enable-TlsCipherSuite -Name $CipherSuite -Position ($Posision++) + } + } + else + { + Write-Verbose -Message ($script:localizedData.ItemDisable -f 'CipherSuites' , $Ensure) + Foreach ($CipherSuite in $CipherSuitesOrder) { + Write-Verbose -Message "Disabeling cipher suite $($CipherSuite)" + Disable-TlsCipherSuite -Name $CipherSuite + } + } + } + Else { + If ($Ensure -eq 'Present') { + Write-Verbose -Message ($script:localizedData.ItemEnable -f 'CipherSuites' , $Ensure) + } + Else { + Write-Verbose -Message ($script:localizedData.ItemDisable -f 'CipherSuites' , $Ensure) + } + $itemKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' $cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder) New-Item $itemKey -Force New-ItemProperty -Path $itemKey -Name 'Functions' -Value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null } - else - { - Write-Verbose -Message ($script:localizedData.ItemDisable -f 'CipherSuites' , $Ensure) - Remove-ItemProperty -Path $itemKey -Name 'Functions' -Force - } if ($RebootWhenRequired) { 
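Review bot: On the Windows 10+ branch, `Ensure = 'Present'` only enables and positions the suites named in `$CipherSuitesOrder`; unlike the removed policy-key write, which replaced the whole `Functions` list, it never disables suites that are already enabled but absent from the desired list, so a hardening configuration that lists only strong suites leaves the OS-default ones, weak ones included, active. Disable everything `Get-TlsCipherSuite` reports that is not in `$CipherSuitesOrder` before the enable loop, as sketched below. Two smaller points: these cmdlets edit the local list, and a `Functions` value under the Policies key (which this resource used to write) presumably still takes precedence, so a comment or a check for that value is worth adding; and `$Posision` is misspelled. Set-TargetResource continues past the end of the hunk.
```powershell
if ($Ensure -eq 'Present')
{
    Write-Verbose -Message ($script:localizedData.ItemEnable -f 'CipherSuites' , $Ensure)
    # Drop every currently enabled suite the desired list does not name,
    # so the effective list is exactly $CipherSuitesOrder rather than a superset.
    foreach ($existing in (Get-TlsCipherSuite).Name)
    {
        if ($CipherSuitesOrder -notcontains $existing)
        {
            Disable-TlsCipherSuite -Name $existing
        }
    }
    $position = 0
    foreach ($CipherSuite in $CipherSuitesOrder)
    {
        Enable-TlsCipherSuite -Name $CipherSuite -Position ($position++)
    }
}
# … unchanged: Absent branch and the pre-Windows-10 registry path …
```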
@@ -154,10 +179,13 @@ function Test-TargetResource $Compliant = $true } - if ($Ensure -eq "Absent" -and ` - $null -eq $currentSuitesOrderAsString) + if ($Ensure -eq "Absent") { - $Compliant = $true + Foreach ($CipherSuite in $currentSuitesOrderAsString) { + If (($currentSuitesOrderAsString).Contains($CipherSuite)) { + $Compliant = $true + } + } } if ($Compliant -eq $true) From 08daf877056f37e1918758b8e354e7ff3586d747 Mon Sep 17 00:00:00 2001 From: Tommy Holen <37346345+holentommy@users.noreply.github.com> Date: Thu, 28 Sep 2023 23:22:11 +0200 Subject: [PATCH 2/6] Update CHANGELOG.md --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8f96934..ceb5d48 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ The format is based on and uses the types of changes according to [Keep a Change and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] +### Fixed + +- SChannelDsc + - Using Native commands for enabeling/disabeling and ordering cipher suites for Windows Server 2016 and newer (TLS module) + - Ensuring disabeling and ordering of named cipher suites for older OS' than Windows Server 2016. + ([issue #33](https://github.com/dsccommunity/SChannelDsc/issues/33)). ## [1.4.0] - 2022-05-17 From 9487d53b41300d200771f80ebd20d3cf07ffe73a Mon Sep 17 00:00:00 2001 From: Tommy Holen <37346345+holentommy@users.noreply.github.com> Date: Mon, 2 Oct 2023 09:24:52 +0200 Subject: [PATCH 3/6] Update MSFT_CipherSuites.psm1 Including 'Absent' for Windows Server 2012 R2 and older. --- .../MSFT_CipherSuites/MSFT_CipherSuites.psm1 | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 b/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 index 08e3893..393494a 100644 --- a/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 +++ b/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 
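Review bot: The new `Absent` branch iterates over `$currentSuitesOrderAsString` and asks whether that same collection contains its own elements, so `$Compliant` becomes `$true` whenever anything is currently enabled and `$CipherSuitesOrder` is never consulted; with `Ensure = 'Absent'` the test reports compliant and Set-TargetResource never runs, which is the scenario issue #33 describes. The loop should walk `$CipherSuitesOrder` and fail on any suite still present, as below. If `$currentSuitesOrderAsString` is the joined string its name suggests (it is assigned outside this hunk), `.Contains` is additionally a substring test, so `..._SHA` would match `..._SHA256`; splitting on ',' and using `-contains` avoids that whether the value is a string or an array. Test-TargetResource starts and ends outside the hunk.
```powershell
if ($Ensure -eq "Absent")
{
    # Compliant only when none of the suites to be removed is still in the current list.
    $Compliant = $true
    foreach ($CipherSuite in $CipherSuitesOrder)
    {
        if (($currentSuitesOrderAsString -split ',') -contains $CipherSuite)
        {
            $Compliant = $false
        }
    }
}
# … unchanged: final $Compliant check and return …
```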
@@ -113,6 +113,18 @@ function Set-TargetResource } Else { Write-Verbose -Message ($script:localizedData.ItemDisable -f 'CipherSuites' , $Ensure) + $item = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Name 'Functions' -ErrorAction SilentlyContinue).Functions + If (-Not ($item)) { + $item = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002' -Name 'Functions' -ErrorAction SilentlyContinue).Functions + } + [System.Collections.ArrayList]$array = @($item) + + foreach ($CipherSuite in $CipherSuitesOrder){ + while ($array -contains "$CipherSuite") { + $array.Remove("$CipherSuite") + } + } + $CipherSuitesOrder = $array } $itemKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' $cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder) From 11edb7d8aa918ab5f51b9e88b9fb95360e215808 Mon Sep 17 00:00:00 2001 From: Tommy Holen <37346345+holentommy@users.noreply.github.com> Date: Mon, 2 Oct 2023 10:41:43 +0200 Subject: [PATCH 4/6] Update MSFT_CipherSuites.psm1 --- .../MSFT_CipherSuites/MSFT_CipherSuites.psm1 | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 b/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 index 393494a..99049a3 100644 --- a/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 +++ b/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 
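Review bot: `[System.Collections.ArrayList]$array = @($item)` wraps the whole `Functions` value as one element — it is the comma-separated string that Get-TargetResource's removed line used to `.Split(',')` — so `-contains "$CipherSuite"` never matches, nothing is removed, and the unchanged list is written back to the policy key; `Absent` remains a no-op on these systems. Split before filtering and drop the loop: `$array = @($item -split ',' | Where-Object { $_ -and ($CipherSuitesOrder -notcontains $_) })`, then `$CipherSuitesOrder = $array`. The `while ... Remove` loop is also unsafe on its own, because `-contains` compares case-insensitively while `ArrayList.Remove` does not, so a name differing only in case would loop forever. When `$item` is null (neither key present) the code goes on to write an empty `Functions` value under the Policies key, which is presumably not the intended "no policy" state and deserves a guard. The enclosing Set-TargetResource starts and ends outside the hunk.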
@@ -32,14 +32,14 @@ function Get-TargetResource Write-Verbose -Message "Getting configuration for cipher suites order" - If (([System.Environment]::OSVersion.Version).Major -lt 10) { + if (([System.Environment]::OSVersion.Version).Major -lt 10) { $itemKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' $item = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Name 'Functions' -ErrorAction SilentlyContinue).Functions - If (-Not ($item)) { + if (-Not ($item)) { $item = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002' -Name 'Functions' -ErrorAction SilentlyContinue).Functions } } - Else { + else { $item = (Get-TlsCipherSuite).Name } 
@@ -86,35 +86,35 @@ function Set-TargetResource $RebootWhenRequired = $false ) - If ($Ensure -ne 'Absent') { + if ($Ensure -ne 'Absent') { Write-Verbose -Message "Setting configuration for cipher suites order" } - If (([System.Environment]::OSVersion.Version).Major -ge 10) { + if (([System.Environment]::OSVersion.Version).Major -ge 10) { if ($Ensure -eq 'Present') { Write-Verbose -Message ($script:localizedData.ItemEnable -f 'CipherSuites' , $Ensure) $Posision = 0 - Foreach ($CipherSuite in $CipherSuitesOrder) { + foreach ($CipherSuite in $CipherSuitesOrder) { Enable-TlsCipherSuite -Name $CipherSuite -Position ($Posision++) } } else { Write-Verbose -Message ($script:localizedData.ItemDisable -f 'CipherSuites' , $Ensure) - Foreach ($CipherSuite in $CipherSuitesOrder) { + foreach ($CipherSuite in $CipherSuitesOrder) { Write-Verbose -Message "Disabeling cipher suite $($CipherSuite)" Disable-TlsCipherSuite -Name $CipherSuite } } } - Else { - If ($Ensure -eq 'Present') { + else { + if ($Ensure -eq 'Present') { Write-Verbose -Message ($script:localizedData.ItemEnable -f 'CipherSuites' , $Ensure) } - Else { + else { Write-Verbose -Message ($script:localizedData.ItemDisable -f 'CipherSuites' , $Ensure) $item = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Name 'Functions' -ErrorAction SilentlyContinue).Functions - If (-Not ($item)) { + if (-Not ($item)) { $item = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002' -Name 'Functions' -ErrorAction SilentlyContinue).Functions } [System.Collections.ArrayList]$array = @($item) @@ -193,8 +193,8 @@ function Test-TargetResource if ($Ensure -eq "Absent") { - Foreach ($CipherSuite in $currentSuitesOrderAsString) { - If (($currentSuitesOrderAsString).Contains($CipherSuite)) { + foreach ($CipherSuite in $currentSuitesOrderAsString) { + if (($currentSuitesOrderAsString).Contains($CipherSuite)) { $Compliant = $true } } 
From dd751c114376eff6b1ad760e71add0b43bce3959 Mon Sep 17 00:00:00 2001 From: Tommy Holen <37346345+holentommy@users.noreply.github.com> Date: Tue, 3 Oct 2023 13:55:53 +0200 Subject: [PATCH 5/6] Update MSFT_CipherSuites.psm1 --- .../MSFT_CipherSuites/MSFT_CipherSuites.psm1 | 45 ++++++++++++------- 1 file changed, 30 insertions(+), 15 deletions(-) diff --git a/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 b/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 index 99049a3..f2ebfd4 100644 --- a/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 +++ b/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 @@ -32,14 +32,17 @@ function Get-TargetResource Write-Verbose -Message "Getting configuration for cipher suites order" - if (([System.Environment]::OSVersion.Version).Major -lt 10) { + if (([System.Environment]::OSVersion.Version).Major -lt 10) + { $itemKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' $item = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Name 'Functions' -ErrorAction SilentlyContinue).Functions - if (-Not ($item)) { + if (-Not ($item)) + { $item = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002' -Name 'Functions' -ErrorAction SilentlyContinue).Functions } } - else { + else + { $item = (Get-TlsCipherSuite).Name } 
@@ -86,41 +89,51 @@ function Set-TargetResource $RebootWhenRequired = $false ) - if ($Ensure -ne 'Absent') { + if ($Ensure -ne 'Absent') + { Write-Verbose -Message "Setting configuration for cipher suites order" } - if (([System.Environment]::OSVersion.Version).Major -ge 10) { + if (([System.Environment]::OSVersion.Version).Major -ge 10) + { if ($Ensure -eq 'Present') { Write-Verbose -Message ($script:localizedData.ItemEnable -f 'CipherSuites' , $Ensure) $Posision = 0 - foreach ($CipherSuite in $CipherSuitesOrder) { + foreach ($CipherSuite in $CipherSuitesOrder) + { Enable-TlsCipherSuite -Name $CipherSuite -Position ($Posision++) } } else { Write-Verbose -Message ($script:localizedData.ItemDisable -f 'CipherSuites' , $Ensure) - foreach ($CipherSuite in $CipherSuitesOrder) { + foreach ($CipherSuite in $CipherSuitesOrder) + { Write-Verbose -Message "Disabeling cipher suite $($CipherSuite)" Disable-TlsCipherSuite -Name $CipherSuite } } } - else { - if ($Ensure -eq 'Present') { + else + { + if ($Ensure -eq 'Present') + { Write-Verbose -Message ($script:localizedData.ItemEnable -f 'CipherSuites' , $Ensure) } - else { + else + { Write-Verbose -Message ($script:localizedData.ItemDisable -f 'CipherSuites' , $Ensure) $item = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Name 'Functions' -ErrorAction SilentlyContinue).Functions - if (-Not ($item)) { + if (-Not ($item)) + { $item = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002' -Name 'Functions' -ErrorAction SilentlyContinue).Functions } [System.Collections.ArrayList]$array = @($item) - foreach ($CipherSuite in $CipherSuitesOrder){ - while ($array -contains "$CipherSuite") { + foreach ($CipherSuite in $CipherSuitesOrder) + { + while ($array -contains "$CipherSuite") + { $array.Remove("$CipherSuite") } } 
@@ -193,8 +206,10 @@ function Test-TargetResource if ($Ensure -eq "Absent") { - foreach ($CipherSuite in $currentSuitesOrderAsString) { - if (($currentSuitesOrderAsString).Contains($CipherSuite)) { + foreach ($CipherSuite in $currentSuitesOrderAsString) + { + if (($currentSuitesOrderAsString).Contains($CipherSuite)) + { $Compliant = $true } } From 7faabf6a0901f8a5fbfb1971dd5451e71bfaa61d Mon Sep 17 00:00:00 2001 From: Tommy Holen <37346345+holentommy@users.noreply.github.com> Date: Tue, 3 Oct 2023 14:19:54 +0200 Subject: [PATCH 6/6] Update MSFT_CipherSuites.psm1 --- .../DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 b/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 index f2ebfd4..b773a95 100644 --- a/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 +++ b/source/DSCResources/MSFT_CipherSuites/MSFT_CipherSuites.psm1 @@ -206,12 +206,12 @@ function Test-TargetResource if ($Ensure -eq "Absent") { - foreach ($CipherSuite in $currentSuitesOrderAsString) - { + foreach ($CipherSuite in $currentSuitesOrderAsString) + { if (($currentSuitesOrderAsString).Contains($CipherSuite)) { $Compliant = $true - } + } } }