public async Task WhenAllTestAreTcpConnectionFailedShouldReturnOneError()
{
EvaluatorResult expectedResult = EvaluatorResult.INCONCLUSIVE;
string expectedMessage =
"We were unable to create a TLS connection with this server. This could be because the server does not support TLS "
+ "or because Mail Check servers have been blocked. We will keep trying to test TLS with this server, so please check back later or get in touch "
+ "if you think there's a problem.";
var mxHostTlsResults = new TlsTestResults("abc.def.gov.uk", false, false, new BouncyCastleTlsTestResult(TlsError.TCP_CONNECTION_FAILED, "", null),
new BouncyCastleTlsTestResult(TlsError.TCP_CONNECTION_FAILED, "", null),
new BouncyCastleTlsTestResult(TlsError.TCP_CONNECTION_FAILED, "", null),
new BouncyCastleTlsTestResult(TlsError.TCP_CONNECTION_FAILED, "", null),
new BouncyCastleTlsTestResult(TlsError.TCP_CONNECTION_FAILED, "", null),
new BouncyCastleTlsTestResult(TlsError.TCP_CONNECTION_FAILED, "", null),
new BouncyCastleTlsTestResult(TlsError.TCP_CONNECTION_FAILED, "", null),
new BouncyCastleTlsTestResult(TlsError.TCP_CONNECTION_FAILED, "", null),
new BouncyCastleTlsTestResult(TlsError.TCP_CONNECTION_FAILED, "", null),
new BouncyCastleTlsTestResult(TlsError.TCP_CONNECTION_FAILED, "", null),
new BouncyCastleTlsTestResult(TlsError.TCP_CONNECTION_FAILED, "", null),
new BouncyCastleTlsTestResult(TlsError.TCP_CONNECTION_FAILED, "", null), null);
IMxSecurityEvaluator mxSecurityEvaluator = A.Fake <IMxSecurityEvaluator>();
ILogger <EvaluationProcessor> log = A.Fake <ILogger <EvaluationProcessor> >();
IEvaluationProcessor processor = new EvaluationProcessor(mxSecurityEvaluator, log);
TlsResultsEvaluated results = await processor.Process(mxHostTlsResults);
Assert.AreEqual(expectedResult, results.TlsRecords.Tls12AvailableWithBestCipherSuiteSelected.TlsEvaluatedResult.Result.Value);
Assert.AreEqual(expectedMessage, results.TlsRecords.Tls12AvailableWithBestCipherSuiteSelected.TlsEvaluatedResult.Description);
}
public async Task <MxRecordTlsSecurityProfile> Test(MxRecordTlsSecurityProfile mxRecordTlsSecurityProfile)
{
if (_config.CachingEnabled)
{
string cachedStringResult = await _cache.GetString($"{KeyPrefix}-{mxRecordTlsSecurityProfile.MxRecord.Hostname?.ToLower()}");
if (cachedStringResult != null)
{
_log.Debug($"Successfully retrieved TLSSecurityProfile from cache for host {mxRecordTlsSecurityProfile.MxRecord.Hostname}");
TlsTestResults cachedResults = JsonConvert.DeserializeObject <TlsTestResults>(cachedStringResult);
return(new MxRecordTlsSecurityProfile(mxRecordTlsSecurityProfile.MxRecord,
new TlsSecurityProfile(mxRecordTlsSecurityProfile.TlsSecurityProfile.Id, null, cachedResults)));
}
}
MxRecordTlsSecurityProfile result = await _tlsSecurityTesterAdaptor.Test(mxRecordTlsSecurityProfile);
_log.Debug($"Successfully retrieved TLSSecurityProfile from tls tester for host {mxRecordTlsSecurityProfile.MxRecord.Hostname}");
if (_config.CachingEnabled && (result.TlsSecurityProfile.TlsResults.FailureCount == 0 || result.TlsSecurityProfile.TlsResults.FailureCount >= FailureCountBeforeCaching))
{
string resultToCache = JsonConvert.SerializeObject(result.TlsSecurityProfile.TlsResults);
await _cache.SetString($"{KeyPrefix}-{mxRecordTlsSecurityProfile.MxRecord.Hostname}", resultToCache,
TimeSpan.FromSeconds(_config.RefreshIntervalSeconds *RefreshIntervalSecondsMultiplier));
_log.Debug($"Successfully set TLSSecurityProfile to cache for host {mxRecordTlsSecurityProfile.MxRecord.Hostname}");
}
return(result);
}
public static HostCertificates MapToHostCertificates(this TlsTestResults tlsTestResults)
{
return(new HostCertificates(tlsTestResults.Id,
tlsTestResults.HostNotFound,
tlsTestResults.Certificates.MapToX509Certificates(),
tlsTestResults.SelectedCipherSuites
));
}
public async Task <TlsResultsEvaluated> Process(TlsTestResults tlsTestRptRecords)
{
Stopwatch stopwatch = Stopwatch.StartNew();
TlsResultsEvaluated result = await EvaluateMxRecordProfile(tlsTestRptRecords);
stopwatch.Stop();
_log.LogDebug($"Processed domain with ID {tlsTestRptRecords.Id}. Took {stopwatch.Elapsed.TotalSeconds} seconds.");
return(result);
}
public async Task ConnectionRefusedErrorsShouldResultInPass(TlsError tlsError)
{
BouncyCastleTlsTestResult BouncyCastleTlsTestResult = new BouncyCastleTlsTestResult(tlsError, null, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Ssl3FailsWithBadCipherSuite, BouncyCastleTlsTestResult);
var evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.PASS);
}
public async Task InsecureCipherSuitesShouldResultInFail(CipherSuite cipherSuite)
{
BouncyCastleTlsTestResult BouncyCastleTlsTestResult = new BouncyCastleTlsTestResult(null, cipherSuite, null, null, null, null, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Ssl3FailsWithBadCipherSuite, BouncyCastleTlsTestResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.FAIL);
}
public async Task UnaccountedForCipherSuiteResponseShouldResultInInconclusive()
{
BouncyCastleTlsTestResult BouncyCastleTlsTestResult = new BouncyCastleTlsTestResult(null, CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, null, null, null, null, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Ssl3FailsWithBadCipherSuite, BouncyCastleTlsTestResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE);
}
public async Task AnErrorShouldResultInInconslusive()
{
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsSecureEllipticCurveSelected,
new BouncyCastleTlsTestResult(TlsError.CERTIFICATE_UNOBTAINABLE, null, null));
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE);
}
public async Task GoodCurveGroupsShouldResultInAPass(CurveGroup curveGroup)
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, null, curveGroup, null, null, null, null, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsSecureDiffieHellmanGroupSelected, tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.PASS);
}
public async Task TcpErrorsShouldResultInInconclusive(TlsError tlsError)
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(tlsError, null, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsSecureDiffieHellmanGroupSelected, tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE);
}
public async Task Unknown1024GroupShouldResultInAWarn()
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, null, CurveGroup.UnknownGroup1024, null, null, null, null, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsSecureDiffieHellmanGroupSelected, tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.WARNING);
}
public async Task UnaccountedForCurveShouldResultInInconclusive()
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, null, null, null, null, null, null, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsSecureEllipticCurveSelected, tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE);
}
public async Task CurvesWithCurveNumberLessThan256ShouldResultInAFail(CurveGroup curveGroup)
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, null, curveGroup, null, null, null, null, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsSecureEllipticCurveSelected, tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.FAIL);
}
public async Task OtherErrorsShouldResultInInconclusive()
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(TlsError.INTERNAL_ERROR, null, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected,
tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE);
}
public async Task AnErrorShouldResultInAFail()
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(TlsError.INSUFFICIENT_SECURITY, null, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithSha2HashFunctionSelected,
tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.FAIL);
}
public async Task CipherSuitesWithNoPfsShouldResultInAWarning(CipherSuite cipherSuite)
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, cipherSuite, null, null, null, null, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls10AvailableWithBestCipherSuiteSelected,
tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.WARNING);
}
public async Task ConnectionRefusedErrorsShouldResultInPass(TlsError tlsError)
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(tlsError, null, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected,
tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.PASS);
}
public async Task AnErrorShouldResultInAWarning()
{
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(
TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList,
new BouncyCastleTlsTestResult(TlsError.BAD_CERTIFICATE, null, null));
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.WARNING);
}
public async Task NoCipherSuiteResponseShouldResultInInconclusive()
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, null, null, null, null, null, null, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsWeakCipherSuitesRejected, tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE);
}
public async Task GoodCiphersShouldResultInAPass(CipherSuite cipherSuite)
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, cipherSuite, null, null, null, null, null, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithSha2HashFunctionSelected,
tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.PASS);
}
public async Task ErrorsShouldHaveErrorDescriptionInResult(TlsError tlsError, string description)
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(tlsError, description, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected, tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE);
StringAssert.Contains($"Error description \"{description}\".", evaluatorResults[0].TlsEvaluatedResult.Description);
}
public async Task TcpErrorsShouldResultInInconclusive(TlsError tlsError)
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(tlsError, null, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList,
tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE);
}
public async Task OtherErrorsShouldResultInInconclusive()
{
string errorDescription = "Something went wrong!";
BouncyCastleTlsTestResult BouncyCastleTlsTestResult = new BouncyCastleTlsTestResult(TlsError.INTERNAL_ERROR, errorDescription, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Ssl3FailsWithBadCipherSuite, BouncyCastleTlsTestResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE);
StringAssert.Contains($"Error description \"{errorDescription}\".", evaluatorResults[0].TlsEvaluatedResult.Description);
}
public async Task <TlsResultsEvaluated> Evaluate(TlsTestResults tlsTestResults)
{
EvaluationResult <TlsTestResults, RuleTypedTlsEvaluationResult> evaluationResult =
await _evaluator.Evaluate(tlsTestResults, tlsEvaluatedResult =>
tlsEvaluatedResult.Any(_ => _.TlsEvaluatedResult.Result != EvaluatorResult.PASS));
Dictionary <TlsTestType, RuleTypedTlsEvaluationResult> evaluationResultsByType =
evaluationResult.Messages.ToDictionary(_ => _.Type);
return(new TlsResultsEvaluated(tlsTestResults.Id, tlsTestResults.Failed, new TlsRecords(
new TlsRecord(
GetEvaluatorResultOrDefault(TlsTestType.Tls12AvailableWithBestCipherSuiteSelected,
evaluationResultsByType), tlsTestResults.Tls12AvailableWithBestCipherSuiteSelected),
new TlsRecord(
GetEvaluatorResultOrDefault(TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList,
evaluationResultsByType),
tlsTestResults.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList),
new TlsRecord(
GetEvaluatorResultOrDefault(TlsTestType.Tls12AvailableWithSha2HashFunctionSelected,
evaluationResultsByType), tlsTestResults.Tls12AvailableWithSha2HashFunctionSelected),
new TlsRecord(
GetEvaluatorResultOrDefault(TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected,
evaluationResultsByType), tlsTestResults.Tls12AvailableWithWeakCipherSuiteNotSelected),
new TlsRecord(
GetEvaluatorResultOrDefault(TlsTestType.Tls11AvailableWithBestCipherSuiteSelected,
evaluationResultsByType), tlsTestResults.Tls11AvailableWithBestCipherSuiteSelected),
new TlsRecord(
GetEvaluatorResultOrDefault(TlsTestType.Tls11AvailableWithWeakCipherSuiteNotSelected,
evaluationResultsByType), tlsTestResults.Tls11AvailableWithWeakCipherSuiteNotSelected),
new TlsRecord(
GetEvaluatorResultOrDefault(TlsTestType.Tls10AvailableWithBestCipherSuiteSelected,
evaluationResultsByType), tlsTestResults.Tls10AvailableWithBestCipherSuiteSelected),
new TlsRecord(
GetEvaluatorResultOrDefault(TlsTestType.Tls10AvailableWithWeakCipherSuiteNotSelected,
evaluationResultsByType), tlsTestResults.Tls10AvailableWithWeakCipherSuiteNotSelected),
new TlsRecord(
GetEvaluatorResultOrDefault(TlsTestType.Ssl3FailsWithBadCipherSuite, evaluationResultsByType),
tlsTestResults.Ssl3FailsWithBadCipherSuite),
new TlsRecord(
GetEvaluatorResultOrDefault(TlsTestType.TlsSecureEllipticCurveSelected, evaluationResultsByType),
tlsTestResults.TlsSecureEllipticCurveSelected),
new TlsRecord(
GetEvaluatorResultOrDefault(TlsTestType.TlsSecureDiffieHellmanGroupSelected,
evaluationResultsByType), tlsTestResults.TlsSecureDiffieHellmanGroupSelected),
new TlsRecord(
GetEvaluatorResultOrDefault(TlsTestType.TlsWeakCipherSuitesRejected, evaluationResultsByType),
tlsTestResults.TlsWeakCipherSuitesRejected),
new TlsRecord(GetEvaluatorResultOrDefault(TlsTestType.Tls12Available, evaluationResultsByType)),
new TlsRecord(GetEvaluatorResultOrDefault(TlsTestType.Tls11Available, evaluationResultsByType)),
new TlsRecord(GetEvaluatorResultOrDefault(TlsTestType.Tls10Available, evaluationResultsByType)))));
}
public async Task PreviousTestBeingInconclusiveShouldResultInPass()
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null,
CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, null, null, null, null, null, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(
TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList,
tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.PASS);
}
protected async Task <TlsResultsEvaluated> EvaluateMxRecordProfile(TlsTestResults tlsTestResults)
{
List <BouncyCastleTlsTestResult> bouncyCastleTlsTestResults = new List <BouncyCastleTlsTestResult> {
tlsTestResults.Ssl3FailsWithBadCipherSuite,
tlsTestResults.Tls10AvailableWithBestCipherSuiteSelected,
tlsTestResults.Tls10AvailableWithWeakCipherSuiteNotSelected,
tlsTestResults.Tls11AvailableWithBestCipherSuiteSelected,
tlsTestResults.Tls11AvailableWithWeakCipherSuiteNotSelected,
tlsTestResults.Tls12AvailableWithBestCipherSuiteSelected,
tlsTestResults.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList,
tlsTestResults.Tls12AvailableWithSha2HashFunctionSelected,
tlsTestResults.Tls12AvailableWithWeakCipherSuiteNotSelected,
tlsTestResults.TlsSecureDiffieHellmanGroupSelected,
tlsTestResults.TlsSecureEllipticCurveSelected,
tlsTestResults.TlsWeakCipherSuitesRejected
};
bool hasFailedConnection = bouncyCastleTlsTestResults.All(_ =>
_.TlsError == TlsError.SESSION_INITIALIZATION_FAILED ||
_.TlsError == TlsError.TCP_CONNECTION_FAILED);
if (hasFailedConnection)
{
_log.LogDebug($"TLS connection failed for host {tlsTestResults.Id}");
string failedConnectionErrors = string.Join(", ", bouncyCastleTlsTestResults
.Select(_ => _.ErrorDescription)
.Distinct()
.ToList());
return(GetConnectionFailedResults(tlsTestResults.Id, failedConnectionErrors, tlsTestResults.ToTlsResult()));
}
bool hostNotFound = bouncyCastleTlsTestResults.All(_ => _.TlsError == TlsError.HOST_NOT_FOUND);
if (hostNotFound)
{
_log.LogDebug($"Host not found for {tlsTestResults.Id}");
return(GetHostNotFoundResults(tlsTestResults.Id, tlsTestResults.ToTlsResult()));
}
_log.LogDebug($"Evaluating TLS connection results for {tlsTestResults.Id}.");
TlsResultsEvaluated tlsEvaluatedResults = await _mxSecurityEvaluator.Evaluate(tlsTestResults);
return(tlsEvaluatedResults);
}
public static TlsResults ToTlsResult(this TlsTestResults tlsTestResults)
{
return(new TlsResults(tlsTestResults.Failed,
tlsTestResults.Tls12AvailableWithBestCipherSuiteSelected,
tlsTestResults.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList,
tlsTestResults.Tls12AvailableWithSha2HashFunctionSelected,
tlsTestResults.Tls10AvailableWithWeakCipherSuiteNotSelected,
tlsTestResults.Tls11AvailableWithBestCipherSuiteSelected,
tlsTestResults.Tls11AvailableWithWeakCipherSuiteNotSelected,
tlsTestResults.Tls10AvailableWithBestCipherSuiteSelected,
tlsTestResults.Tls10AvailableWithWeakCipherSuiteNotSelected,
tlsTestResults.Ssl3FailsWithBadCipherSuite,
tlsTestResults.TlsSecureEllipticCurveSelected,
tlsTestResults.TlsSecureDiffieHellmanGroupSelected,
tlsTestResults.TlsWeakCipherSuitesRejected));
}
public async Task Test(TlsError?tlsError, EvaluatorResult expectedEvaluatorResult, string expectedDescription)
{
Tls10Available tls10Available = new Tls10Available();
BouncyCastleTlsTestResult tlsConnectionResult =
new BouncyCastleTlsTestResult(null, null, null, null, tlsError, null, new List <string>());
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(
TlsTestType.Tls10AvailableWithBestCipherSuiteSelected, tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> ruleTypedTlsEvaluationResults =
await tls10Available.Evaluate(connectionTestResults);
Assert.That(ruleTypedTlsEvaluationResults.Count, Is.EqualTo(1));
Assert.That(ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Result, Is.EqualTo(expectedEvaluatorResult));
StringAssert.StartsWith(expectedDescription, ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Description);
}
public async Task NoErrorReturnsPass()
{
Tls12Available tls12Available = new Tls12Available();
BouncyCastleTlsTestResult tls12ConnectionResult = new BouncyCastleTlsTestResult(null, null, null, null, null, null, new List <string>());
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(new Dictionary <TlsTestType, BouncyCastleTlsTestResult>
{
{ TlsTestType.Tls12AvailableWithBestCipherSuiteSelected, tls12ConnectionResult },
});
List <RuleTypedTlsEvaluationResult> ruleTypedTlsEvaluationResults =
await tls12Available.Evaluate(connectionTestResults);
Assert.That(ruleTypedTlsEvaluationResults.Count, Is.EqualTo(1));
Assert.That(ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Result, Is.EqualTo(EvaluatorResult.PASS));
Assert.That(ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Description, Is.Null);
}
public async Task Tls12ErrorAndNoOtherTlsSupportedReturnsError()
{
Tls12Available tls11Available = new Tls12Available();
BouncyCastleTlsTestResult tls12ConnectionResult = new BouncyCastleTlsTestResult(null, null, null, null, TlsError.HANDSHAKE_FAILURE, null, new List <string>());
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(new Dictionary <TlsTestType, BouncyCastleTlsTestResult>
{
{ TlsTestType.Tls12AvailableWithBestCipherSuiteSelected, tls12ConnectionResult }
});
List <RuleTypedTlsEvaluationResult> ruleTypedTlsEvaluationResults =
await tls11Available.Evaluate(connectionTestResults);
Assert.That(ruleTypedTlsEvaluationResults.Count, Is.EqualTo(1));
Assert.That(ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Result, Is.EqualTo(EvaluatorResult.FAIL));
StringAssert.StartsWith("This server refused to negotiate using TLS 1.2", ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Description);
}
