public TlsResults( bool failed, BouncyCastleTlsTestResult tls12AvailableWithBestCipherSuiteSelected, BouncyCastleTlsTestResult tls12AvailableWithBestCipherSuiteSelectedFromReverseList, BouncyCastleTlsTestResult tls12AvailableWithSha2HashFunctionSelected, BouncyCastleTlsTestResult tls12AvailableWithWeakCipherSuiteNotSelected, BouncyCastleTlsTestResult tls11AvailableWithBestCipherSuiteSelected, BouncyCastleTlsTestResult tls11AvailableWithWeakCipherSuiteNotSelected, BouncyCastleTlsTestResult tls10AvailableWithBestCipherSuiteSelected, BouncyCastleTlsTestResult tls10AvailableWithWeakCipherSuiteNotSelected, BouncyCastleTlsTestResult ssl3FailsWithBadCipherSuite, BouncyCastleTlsTestResult tlsSecureEllipticCurveSelected, BouncyCastleTlsTestResult tlsSecureDiffieHellmanGroupSelected, BouncyCastleTlsTestResult tlsWeakCipherSuitesRejected) { Failed = failed; Tls12AvailableWithBestCipherSuiteSelected = tls12AvailableWithBestCipherSuiteSelected; Tls12AvailableWithBestCipherSuiteSelectedFromReverseList = tls12AvailableWithBestCipherSuiteSelectedFromReverseList; Tls12AvailableWithSha2HashFunctionSelected = tls12AvailableWithSha2HashFunctionSelected; Tls12AvailableWithWeakCipherSuiteNotSelected = tls12AvailableWithWeakCipherSuiteNotSelected; Tls11AvailableWithBestCipherSuiteSelected = tls11AvailableWithBestCipherSuiteSelected; Tls11AvailableWithWeakCipherSuiteNotSelected = tls11AvailableWithWeakCipherSuiteNotSelected; Tls10AvailableWithBestCipherSuiteSelected = tls10AvailableWithBestCipherSuiteSelected; Tls10AvailableWithWeakCipherSuiteNotSelected = tls10AvailableWithWeakCipherSuiteNotSelected; Ssl3FailsWithBadCipherSuite = ssl3FailsWithBadCipherSuite; TlsSecureEllipticCurveSelected = tlsSecureEllipticCurveSelected; TlsSecureDiffieHellmanGroupSelected = tlsSecureDiffieHellmanGroupSelected; TlsWeakCipherSuitesRejected = tlsWeakCipherSuitesRejected; }
public async Task <List <TlsTestResult> > Test(string host) { List <TlsTestResult> testResults = new List <TlsTestResult>(); var sw = new Stopwatch(); _log.LogDebug($"Beginning test run of {_tests.Count} tests for {host ?? "null"}"); foreach (ITlsTest test in _tests) { sw.Restart(); _log.LogDebug($"Running test {test.Id} - {test.Name} for {host ?? "null"}"); ITlsClient tlsClient = _tlsClientFactory.Create(); try { BouncyCastleTlsTestResult result = await tlsClient.Connect(host, Port, test.Version, test.CipherSuites); _log.LogDebug($"Result of test {test.Id} - {test.Name} for {host ?? "null"}:{ Environment.NewLine}{JsonConvert.SerializeObject(result, JsonSerializerSettings)}"); testResults.Add(new TlsTestResult(test, result)); } finally { _log.LogDebug($"TLS test {test.Id} - {test.Name} for host {host ?? "null"} completed in {sw.ElapsedMilliseconds}ms"); tlsClient.Disconnect(); } } return(testResults); }
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults) { BouncyCastleTlsTestResult tls11Available = tlsTestConnectionResults.Tls11AvailableWithBestCipherSuiteSelected; TlsTestType tlsTestType = TlsTestType.Tls11Available; if (!tls11Available.Supported()) { //inconclusive if (tls11Available.IsInconclusive()) { return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tls11Available.ErrorDescription}\".")) .ToTaskList()); } return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, tls11Available.ExplicitlyUnsupported() || tls11Available.HandshakeFailure() ? EvaluatorResult.INFORMATIONAL : EvaluatorResult.WARNING, tls11Available.ExplicitlyUnsupported() || tls11Available.HandshakeFailure() ? "This server refused to negotiate using TLS 1.1" : string.Format(intro, $"the server responded with the error \"{tls11Available.ErrorDescription}\".")) .ToTaskList()); } return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList()); }
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults) { BouncyCastleTlsTestResult tlsConnectionResult = tlsTestConnectionResults.TlsWeakCipherSuitesRejected; TlsTestType tlsTestType = TlsTestType.TlsWeakCipherSuitesRejected; switch (tlsConnectionResult.TlsError) { case TlsError.HANDSHAKE_FAILURE: case TlsError.PROTOCOL_VERSION: case TlsError.INSUFFICIENT_SECURITY: return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList()); case TlsError.TCP_CONNECTION_FAILED: case TlsError.SESSION_INITIALIZATION_FAILED: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE, $"{intro} we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\".").ToTaskList()); case null: break; default: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.INCONCLUSIVE, $"{intro} the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\".").ToTaskList()); } if (tlsConnectionResult.CipherSuite != null) { return(new RuleTypedTlsEvaluationResult(tlsTestType, new TlsEvaluatedResult(ErrorId3, EvaluatorResult.FAIL, $"{intro} the server accepted the connection and selected {tlsConnectionResult.CipherSuite.GetEnumAsString()}.")).ToTaskList()); } return(new RuleTypedTlsEvaluationResult(tlsTestType, new TlsEvaluatedResult(ErrorId4, EvaluatorResult.INCONCLUSIVE, $"{intro} there was a problem and we are unable to provide additional information.")).ToTaskList()); }
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults) { BouncyCastleTlsTestResult tlsConnectionResult = tlsTestConnectionResults.Tls11AvailableWithWeakCipherSuiteNotSelected; BouncyCastleTlsTestResult tls12AvailableWithBestCipherSuiteSelectedResult = tlsTestConnectionResults.Tls12AvailableWithBestCipherSuiteSelected; TlsTestType tlsTestType = TlsTestType.Tls11AvailableWithWeakCipherSuiteNotSelected; switch (tlsConnectionResult.TlsError) { case TlsError.HANDSHAKE_FAILURE: case TlsError.PROTOCOL_VERSION: case TlsError.INSUFFICIENT_SECURITY: return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList()); case TlsError.TCP_CONNECTION_FAILED: case TlsError.SESSION_INITIALIZATION_FAILED: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\".")).ToTaskList()); case null: break; default: return(tls12AvailableWithBestCipherSuiteSelectedResult.TlsError == null ? new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.WARNING, string.Format(intro, $"the server responded with an error. This may be because you do not support TLS 1.1. Error description \"{tlsConnectionResult.ErrorDescription}\".")).ToTaskList() : new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId3, EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\".")).ToTaskList()); } switch (tlsConnectionResult.CipherSuite) { case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA: case CipherSuite.TLS_RSA_WITH_RC4_128_SHA: case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList()); case CipherSuite.TLS_RSA_WITH_RC4_128_MD5: case CipherSuite.TLS_NULL_WITH_NULL_NULL: case CipherSuite.TLS_RSA_WITH_NULL_MD5: case CipherSuite.TLS_RSA_WITH_NULL_SHA: case CipherSuite.TLS_RSA_EXPORT_WITH_RC4_40_MD5: case CipherSuite.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: case CipherSuite.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_RSA_WITH_DES_CBC_SHA: case CipherSuite.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DH_DSS_WITH_DES_CBC_SHA: case CipherSuite.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DH_RSA_WITH_DES_CBC_SHA: case CipherSuite.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DHE_DSS_WITH_DES_CBC_SHA: case CipherSuite.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId4, EvaluatorResult.FAIL, string.Format(intro, $"the server selected {tlsConnectionResult.CipherSuite.GetEnumAsString()} which is insecure")).ToTaskList()); } return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId5, EvaluatorResult.INCONCLUSIVE, string.Format(intro, "there was a problem and we are unable to provide additional information.")).ToTaskList()); }
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults) { BouncyCastleTlsTestResult tlsConnectionResult = tlsTestConnectionResults.Tls11AvailableWithBestCipherSuiteSelected; string introWithCipherSuite = string.Format(intro, $"the server selected {tlsConnectionResult.CipherSuite.GetEnumAsString()}"); TlsTestType tlsTestType = TlsTestType.Tls11AvailableWithBestCipherSuiteSelected; switch (tlsConnectionResult.CipherSuite) { case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA: case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList()); case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA: case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.WARNING, $"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS). {advice}").ToTaskList()); case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA: case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.WARNING, $"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS) and uses 3DES. {advice}").ToTaskList()); case CipherSuite.TLS_RSA_WITH_RC4_128_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId3, EvaluatorResult.WARNING, $"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS) and uses RC4. {advice}").ToTaskList()); case CipherSuite.TLS_RSA_WITH_RC4_128_MD5: case CipherSuite.TLS_NULL_WITH_NULL_NULL: case CipherSuite.TLS_RSA_WITH_NULL_MD5: case CipherSuite.TLS_RSA_WITH_NULL_SHA: case CipherSuite.TLS_RSA_EXPORT_WITH_RC4_40_MD5: case CipherSuite.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: case CipherSuite.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_RSA_WITH_DES_CBC_SHA: case CipherSuite.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DH_DSS_WITH_DES_CBC_SHA: case CipherSuite.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DH_RSA_WITH_DES_CBC_SHA: case CipherSuite.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DHE_DSS_WITH_DES_CBC_SHA: case CipherSuite.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId4, EvaluatorResult.FAIL, $"{introWithCipherSuite} which is insecure. {advice}").ToTaskList()); } return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId5, EvaluatorResult.INCONCLUSIVE, string.Format(intro, "there was a problem and we are unable to provide additional information.")).ToTaskList()); }
public async Task ConnectionRefusedErrorsShouldResultInPass(TlsError tlsError) { BouncyCastleTlsTestResult BouncyCastleTlsTestResult = new BouncyCastleTlsTestResult(tlsError, null, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Ssl3FailsWithBadCipherSuite, BouncyCastleTlsTestResult); var evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.PASS); }
public async Task InsecureCipherSuitesShouldResultInFail(CipherSuite cipherSuite) { BouncyCastleTlsTestResult BouncyCastleTlsTestResult = new BouncyCastleTlsTestResult(null, cipherSuite, null, null, null, null, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Ssl3FailsWithBadCipherSuite, BouncyCastleTlsTestResult); List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.FAIL); }
public async Task UnaccountedForCipherSuiteResponseShouldResultInInconclusive() { BouncyCastleTlsTestResult BouncyCastleTlsTestResult = new BouncyCastleTlsTestResult(null, CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, null, null, null, null, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Ssl3FailsWithBadCipherSuite, BouncyCastleTlsTestResult); List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE); }
public async Task GoodCurveGroupsShouldResultInAPass(CurveGroup curveGroup) { BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, null, curveGroup, null, null, null, null, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsSecureDiffieHellmanGroupSelected, tlsConnectionResult); List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.PASS); }
public async Task TcpErrorsShouldResultInInconclusive(TlsError tlsError) { BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(tlsError, null, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsSecureDiffieHellmanGroupSelected, tlsConnectionResult); List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE); }
public async Task Unknown1024GroupShouldResultInAWarn() { BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, null, CurveGroup.UnknownGroup1024, null, null, null, null, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsSecureDiffieHellmanGroupSelected, tlsConnectionResult); List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.WARNING); }
public async Task UnaccountedForCurveShouldResultInInconclusive() { BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, null, null, null, null, null, null, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsSecureEllipticCurveSelected, tlsConnectionResult); List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE); }
public async Task CurvesWithCurveNumberLessThan256ShouldResultInAFail(CurveGroup curveGroup) { BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, null, curveGroup, null, null, null, null, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsSecureEllipticCurveSelected, tlsConnectionResult); List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.FAIL); }
public async Task GoodCiphersShouldResultInAPass(CipherSuite cipherSuite) { BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, cipherSuite, null, null, null, null, null, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithSha2HashFunctionSelected, tlsConnectionResult); List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.PASS); }
public async Task OtherErrorsShouldResultInInconclusive() { BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(TlsError.INTERNAL_ERROR, null, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected, tlsConnectionResult); List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE); }
public async Task AnErrorShouldResultInAFail() { BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(TlsError.INSUFFICIENT_SECURITY, null, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithSha2HashFunctionSelected, tlsConnectionResult); List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.FAIL); }
public static TlsTestResults CreateMxHostTlsResults(TlsTestType testType, BouncyCastleTlsTestResult data) { return(new TlsTestResults("abc.def.gov.uk", false, false, SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Tls12AvailableWithBestCipherSuiteSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Tls12AvailableWithSha2HashFunctionSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Tls11AvailableWithBestCipherSuiteSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Tls11AvailableWithWeakCipherSuiteNotSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Tls10AvailableWithBestCipherSuiteSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Tls10AvailableWithWeakCipherSuiteNotSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Ssl3FailsWithBadCipherSuite), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.TlsSecureEllipticCurveSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.TlsSecureDiffieHellmanGroupSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.TlsWeakCipherSuitesRejected), null)); }
public async Task ConnectionRefusedErrorsShouldResultInPass(TlsError tlsError) { BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(tlsError, null, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected, tlsConnectionResult); List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.PASS); }
public async Task CipherSuitesWithNoPfsShouldResultInAWarning(CipherSuite cipherSuite) { BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, cipherSuite, null, null, null, null, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls10AvailableWithBestCipherSuiteSelected, tlsConnectionResult); List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.WARNING); }
public async Task NoCipherSuiteResponseShouldResultInInconclusive() { BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, null, null, null, null, null, null, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsWeakCipherSuitesRejected, tlsConnectionResult); List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE); }
public async Task ErrorsShouldHaveErrorDescriptionInResult(TlsError tlsError, string description) { BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(tlsError, description, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected, tlsConnectionResult); List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE); StringAssert.Contains($"Error description \"{description}\".", evaluatorResults[0].TlsEvaluatedResult.Description); }
public async Task TcpErrorsShouldResultInInconclusive(TlsError tlsError) { BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(tlsError, null, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList, tlsConnectionResult); List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE); }
public async Task OtherErrorsShouldResultInInconclusive() { string errorDescription = "Something went wrong!"; BouncyCastleTlsTestResult BouncyCastleTlsTestResult = new BouncyCastleTlsTestResult(TlsError.INTERNAL_ERROR, errorDescription, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Ssl3FailsWithBadCipherSuite, BouncyCastleTlsTestResult); List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE); StringAssert.Contains($"Error description \"{errorDescription}\".", evaluatorResults[0].TlsEvaluatedResult.Description); }
public async Task PreviousTestBeingInconclusiveShouldResultInPass() { BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, null, null, null, null, null, null); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults( TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList, tlsConnectionResult); List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults); Assert.That(evaluatorResults.Count, Is.EqualTo(1)); Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.PASS); }
public async Task Test(TlsError?tlsError, EvaluatorResult expectedEvaluatorResult, string expectedDescription) { Tls10Available tls10Available = new Tls10Available(); BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, null, null, null, tlsError, null, new List <string>()); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults( TlsTestType.Tls10AvailableWithBestCipherSuiteSelected, tlsConnectionResult); List <RuleTypedTlsEvaluationResult> ruleTypedTlsEvaluationResults = await tls10Available.Evaluate(connectionTestResults); Assert.That(ruleTypedTlsEvaluationResults.Count, Is.EqualTo(1)); Assert.That(ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Result, Is.EqualTo(expectedEvaluatorResult)); StringAssert.StartsWith(expectedDescription, ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Description); }
public async Task NoErrorReturnsPass() { Tls12Available tls12Available = new Tls12Available(); BouncyCastleTlsTestResult tls12ConnectionResult = new BouncyCastleTlsTestResult(null, null, null, null, null, null, new List <string>()); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { TlsTestType.Tls12AvailableWithBestCipherSuiteSelected, tls12ConnectionResult }, }); List <RuleTypedTlsEvaluationResult> ruleTypedTlsEvaluationResults = await tls12Available.Evaluate(connectionTestResults); Assert.That(ruleTypedTlsEvaluationResults.Count, Is.EqualTo(1)); Assert.That(ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Result, Is.EqualTo(EvaluatorResult.PASS)); Assert.That(ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Description, Is.Null); }
public async Task Tls12ErrorAndNoOtherTlsSupportedReturnsError() { Tls12Available tls11Available = new Tls12Available(); BouncyCastleTlsTestResult tls12ConnectionResult = new BouncyCastleTlsTestResult(null, null, null, null, TlsError.HANDSHAKE_FAILURE, null, new List <string>()); TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { TlsTestType.Tls12AvailableWithBestCipherSuiteSelected, tls12ConnectionResult } }); List <RuleTypedTlsEvaluationResult> ruleTypedTlsEvaluationResults = await tls11Available.Evaluate(connectionTestResults); Assert.That(ruleTypedTlsEvaluationResults.Count, Is.EqualTo(1)); Assert.That(ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Result, Is.EqualTo(EvaluatorResult.FAIL)); StringAssert.StartsWith("This server refused to negotiate using TLS 1.2", ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Description); }
private async Task <BouncyCastleTlsTestResult> DoConnect(string host, int port, TlsVersion version, List <CipherSuite> cipherSuites) { _tcpClient = new TcpClient { NoDelay = true, SendTimeout = _timeOut.Milliseconds, ReceiveTimeout = _timeOut.Milliseconds, }; _log.LogDebug($"Starting TCP connection to {host ?? "<null>"}:{port}"); await _tcpClient.ConnectAsync(host, port).ConfigureAwait(false); _log.LogDebug($"Successfully started TCP connection to {host ?? "<null>"}:{port}"); _log.LogDebug("Initializing session"); StartTlsResult sessionInitialized = await TryInitializeSession(_tcpClient.GetStream()).ConfigureAwait(false); if (!sessionInitialized.Success) { _log.LogDebug("Failed to initialize session"); return(new BouncyCastleTlsTestResult(TlsError.SESSION_INITIALIZATION_FAILED, sessionInitialized.Error, sessionInitialized.SmtpSession)); } _log.LogDebug("Successfully initialized session"); TestTlsClientProtocol clientProtocol = new TestTlsClientProtocol(_tcpClient.GetStream()); TestTlsClient testSuiteTlsClient = new TestTlsClient(version, cipherSuites); _log.LogDebug("Starting TLS session"); BouncyCastleTlsTestResult connectionResult = clientProtocol.ConnectWithResults(testSuiteTlsClient); _log.LogDebug("Successfully started TLS session"); return(connectionResult); }
public TlsTestResults(string id, bool failed, bool hostNotFound, BouncyCastleTlsTestResult tls12AvailableWithBestCipherSuiteSelected, BouncyCastleTlsTestResult tls12AvailableWithBestCipherSuiteSelectedFromReverseList, BouncyCastleTlsTestResult tls12AvailableWithSha2HashFunctionSelected, BouncyCastleTlsTestResult tls12AvailableWithWeakCipherSuiteNotSelected, BouncyCastleTlsTestResult tls11AvailableWithBestCipherSuiteSelected, BouncyCastleTlsTestResult tls11AvailableWithWeakCipherSuiteNotSelected, BouncyCastleTlsTestResult tls10AvailableWithBestCipherSuiteSelected, BouncyCastleTlsTestResult tls10AvailableWithWeakCipherSuiteNotSelected, BouncyCastleTlsTestResult ssl3FailsWithBadCipherSuite, BouncyCastleTlsTestResult tlsSecureEllipticCurveSelected, BouncyCastleTlsTestResult tlsSecureDiffieHellmanGroupSelected, BouncyCastleTlsTestResult tlsWeakCipherSuitesRejected, List <string> certificates, List <SelectedCipherSuite> selectedCipherSuites = null) : base(id) { Failed = failed; HostNotFound = hostNotFound; Tls12AvailableWithBestCipherSuiteSelected = tls12AvailableWithBestCipherSuiteSelected; Tls12AvailableWithBestCipherSuiteSelectedFromReverseList = tls12AvailableWithBestCipherSuiteSelectedFromReverseList; Tls12AvailableWithSha2HashFunctionSelected = tls12AvailableWithSha2HashFunctionSelected; Tls12AvailableWithWeakCipherSuiteNotSelected = tls12AvailableWithWeakCipherSuiteNotSelected; Tls11AvailableWithBestCipherSuiteSelected = tls11AvailableWithBestCipherSuiteSelected; Tls11AvailableWithWeakCipherSuiteNotSelected = tls11AvailableWithWeakCipherSuiteNotSelected; Tls10AvailableWithBestCipherSuiteSelected = tls10AvailableWithBestCipherSuiteSelected; Tls10AvailableWithWeakCipherSuiteNotSelected = tls10AvailableWithWeakCipherSuiteNotSelected; Ssl3FailsWithBadCipherSuite = ssl3FailsWithBadCipherSuite; TlsSecureEllipticCurveSelected = tlsSecureEllipticCurveSelected; TlsSecureDiffieHellmanGroupSelected = tlsSecureDiffieHellmanGroupSelected; TlsWeakCipherSuitesRejected = tlsWeakCipherSuitesRejected; SelectedCipherSuites = selectedCipherSuites; Certificates = certificates ?? new List <string>(); }