/// <summary>
/// Appends the error description of <paramref name="result"/> to <paramref name="errors"/>
/// unless the list already contains an equal entry.
/// </summary>
/// <param name="errors">List that collects distinct error descriptions; modified in place.</param>
/// <param name="result">Connection result whose <c>ErrorDescription</c> is recorded.</param>
private void AddErrorToList(List<string> errors, TlsConnectionResult result)
{
    string description = result.ErrorDescription;

    // Already recorded: keep the list free of duplicates.
    if (errors.Contains(description))
    {
        return;
    }

    errors.Add(description);
}
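/// <summary>
/// Checks that the evaluator returns WARNING when the SSL 3.0 bad-cipher-suite probe
/// result carries the supplied cipher suite and no error.
/// </summary>
/// <param name="cipherSuite">Cipher suite placed in the probe result (presumably supplied by test-case data not shown here).</param>
public void NoPfsCipherSuiteShouldResultInWarning(CipherSuite cipherSuite)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, cipherSuite, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Ssl3FailsWithBadCipherSuite, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.WARNING, _sut.Test(connectionResults).Result);
}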
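/// <summary>
/// Checks that the evaluator returns PASS when the SSL 3.0 bad-cipher-suite probe
/// ended with the supplied error and no cipher suite.
/// </summary>
/// <param name="error">Error placed in the probe result (presumably supplied by test-case data not shown here).</param>
public void ConnectionRefusedErrorsShouldResultInPass(Error error)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(error, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Ssl3FailsWithBadCipherSuite, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.PASS, _sut.Test(connectionResults).Result);
}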
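/// <summary>
/// Checks that the evaluator returns FAIL when the SSL 3.0 bad-cipher-suite probe
/// result carries the supplied cipher suite and no error.
/// </summary>
/// <param name="cipherSuite">Cipher suite placed in the probe result (presumably supplied by test-case data not shown here).</param>
public void InsecureCipherSuitesShouldResultInFail(CipherSuite cipherSuite)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, cipherSuite, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Ssl3FailsWithBadCipherSuite, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.FAIL, _sut.Test(connectionResults).Result);
}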
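/// <summary>
/// Rates the outcome of the <c>TlsSecureDiffieHellmanGroupSelected</c> probe from the error it
/// ended with or, when there was no error, from the group the server selected.
/// </summary>
/// <param name="tlsConnectionResults">Probe results; only <c>TlsSecureDiffieHellmanGroupSelected</c> is read.</param>
/// <returns>
/// PASS for a handshake-failure, protocol-version or insufficient-security error and for the
/// 2048-bit-and-larger groups; WARNING for <c>UnknownGroup1024</c>; FAIL for the named 1024-bit
/// groups and for <c>Unknown</c>; INCONCLUSIVE for any other error or unlisted group.
/// </returns>
public TlsEvaluatorResult Test(ConnectionResults tlsConnectionResults)
{
    TlsConnectionResult tlsConnectionResult = tlsConnectionResults.TlsSecureDiffieHellmanGroupSelected;

    // NOTE(review): ErrorDescription is copied verbatim into the description returned below. If it
    // can carry text that originates from the remote server, whatever renders the description
    // must encode it for its output context. The text is always passed as a format argument,
    // never as the format string, so braces inside it cannot disturb string.Format.
    switch (tlsConnectionResult.Error)
    {
        // Rated PASS: presumably the server declined the offered parameters - confirm against the probe definition.
        case Error.HANDSHAKE_FAILURE:
        case Error.PROTOCOL_VERSION:
        case Error.INSUFFICIENT_SECURITY:
            return new TlsEvaluatorResult(EvaluatorResult.PASS);

        // Transport-level failures say nothing about the server's TLS configuration.
        case Error.TCP_CONNECTION_FAILED:
        case Error.SESSION_INITIALIZATION_FAILED:
            return new TlsEvaluatorResult(EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\"."));

        // No error: fall through to the group rating.
        case null:
            break;

        default:
            return new TlsEvaluatorResult(EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\"."));
    }

    switch (tlsConnectionResult.CurveGroup)
    {
        case CurveGroup.Ffdhe2048:
        case CurveGroup.Ffdhe3072:
        case CurveGroup.Ffdhe4096:
        case CurveGroup.Ffdhe6144:
        case CurveGroup.Ffdhe8192:
        case CurveGroup.UnknownGroup2048:
        case CurveGroup.UnknownGroup3072:
        case CurveGroup.UnknownGroup4096:
        case CurveGroup.UnknownGroup6144:
        case CurveGroup.UnknownGroup8192:
            return new TlsEvaluatorResult(EvaluatorResult.PASS);

        case CurveGroup.UnknownGroup1024:
            return new TlsEvaluatorResult(EvaluatorResult.WARNING, string.Format(intro, $"the server selected an unknown 1024 bit group. {advice}"));

        case CurveGroup.Java1024:
        case CurveGroup.Rfc2409_1024:
        case CurveGroup.Rfc5114_1024:
            return new TlsEvaluatorResult(EvaluatorResult.FAIL, string.Format(intro, $"the server selected {tlsConnectionResult.CurveGroup.GetEnumAsString()} which is an insecure 1024 bit (or less) group. {advice}"));

        case CurveGroup.Unknown:
            // The literal was split across two source lines, which a regular interpolated
            // string does not allow; it is written on one line here.
            return new TlsEvaluatorResult(EvaluatorResult.FAIL, string.Format(intro, $"the server selected an unknown group which is potentially insecure. {advice}"));
    }

    // Null or unlisted group: nothing can be concluded.
    return new TlsEvaluatorResult(EvaluatorResult.INCONCLUSIVE, string.Format(intro, "there was a problem and we are unable to provide additional information."));
}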
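/// <summary>
/// Checks that the evaluator returns INCONCLUSIVE when the SSL 3.0 bad-cipher-suite probe
/// result carries <c>TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA</c> and no error.
/// </summary>
public void UnaccountedForCipherSuiteResponseShouldResultInInconclusive()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Ssl3FailsWithBadCipherSuite, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.INCONCLUSIVE, _sut.Test(connectionResults).Result);
}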
/// <summary>
/// Creates the result set from one <see cref="TlsConnectionResult"/> per TLS probe and stores
/// them in the backing list in parameter order.
/// </summary>
public ConnectionResults(
    TlsConnectionResult tls12AvailableWithBestCipherSuiteSelected,
    TlsConnectionResult tls12AvailableWithBestCipherSuiteSelectedFromReverseList,
    TlsConnectionResult tls12AvailableWithSha2HashFunctionSelected,
    TlsConnectionResult tls12AvailableWithWeakCipherSuiteNotSelected,
    TlsConnectionResult tls11AvailableWithBestCipherSuiteSelected,
    TlsConnectionResult tls11AvailableWithWeakCipherSuiteNotSelected,
    TlsConnectionResult tls10AvailableWithBestCipherSuiteSelected,
    TlsConnectionResult tls10AvailableWithWeakCipherSuiteNotSelected,
    TlsConnectionResult ssl3FailsWithBadCipherSuite,
    TlsConnectionResult tlsSecureEllipticCurveSelected,
    TlsConnectionResult tlsSecureDiffieHellmanGroupSelected,
    TlsConnectionResult tlsWeakCipherSuitesRejected)
{
    // Position in the list follows the parameter order; presumably consumers of _results
    // depend on that order - verify before reordering.
    TlsConnectionResult[] inParameterOrder =
    {
        tls12AvailableWithBestCipherSuiteSelected,
        tls12AvailableWithBestCipherSuiteSelectedFromReverseList,
        tls12AvailableWithSha2HashFunctionSelected,
        tls12AvailableWithWeakCipherSuiteNotSelected,
        tls11AvailableWithBestCipherSuiteSelected,
        tls11AvailableWithWeakCipherSuiteNotSelected,
        tls10AvailableWithBestCipherSuiteSelected,
        tls10AvailableWithWeakCipherSuiteNotSelected,
        ssl3FailsWithBadCipherSuite,
        tlsSecureEllipticCurveSelected,
        tlsSecureDiffieHellmanGroupSelected,
        tlsWeakCipherSuitesRejected
    };

    _results = new List<TlsConnectionResult>(inParameterOrder);
}
/// <summary>
/// Rates the outcome of the <c>TlsWeakCipherSuitesRejected</c> probe: a refused handshake is a
/// PASS, while a connection on which the server selected any cipher suite is a FAIL.
/// </summary>
/// <param name="tlsConnectionResults">Probe results; only <c>TlsWeakCipherSuitesRejected</c> is read.</param>
/// <returns>
/// PASS for a handshake-failure, protocol-version or insufficient-security error; FAIL when a
/// cipher suite was selected; INCONCLUSIVE for any other error or when neither an error nor a
/// cipher suite is present.
/// </returns>
public TlsEvaluatorResult Test(ConnectionResults tlsConnectionResults)
{
    TlsConnectionResult probe = tlsConnectionResults.TlsWeakCipherSuitesRejected;

    // NOTE(review): ErrorDescription is copied verbatim into the returned description. If it can
    // carry text from the remote server, the component that renders it must encode it.
    if (probe.Error != null)
    {
        switch (probe.Error)
        {
            // The server turned the connection down, which is the outcome this probe rates as PASS.
            case Error.HANDSHAKE_FAILURE:
            case Error.PROTOCOL_VERSION:
            case Error.INSUFFICIENT_SECURITY:
                return new TlsEvaluatorResult(EvaluatorResult.PASS);

            // Transport-level failures say nothing about the server's cipher suite policy.
            case Error.TCP_CONNECTION_FAILED:
            case Error.SESSION_INITIALIZATION_FAILED:
                return new TlsEvaluatorResult(
                    EvaluatorResult.INCONCLUSIVE,
                    $"{intro} we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{probe.ErrorDescription}\".");

            default:
                return new TlsEvaluatorResult(
                    EvaluatorResult.INCONCLUSIVE,
                    $"{intro} the server responded with an error. Error description \"{probe.ErrorDescription}\".");
        }
    }

    // Neither an error nor a selected suite: nothing can be concluded.
    if (probe.CipherSuite == null)
    {
        return new TlsEvaluatorResult(
            EvaluatorResult.INCONCLUSIVE,
            $"{intro} there was a problem and we are unable to provide additional information.");
    }

    // Any selected suite is a FAIL for this probe, whichever suite it is.
    return new TlsEvaluatorResult(
        EvaluatorResult.FAIL,
        $"{intro} the server accepted the connection and selected {probe.CipherSuite.GetEnumAsString()}.");
}
/// <summary>
/// Creates the result set from one <see cref="TlsConnectionResult"/> per TLS probe, assigning
/// each argument to the property of the same name.
/// </summary>
public ConnectionResults(
    TlsConnectionResult tls12AvailableWithBestCipherSuiteSelected,
    TlsConnectionResult tls12AvailableWithBestCipherSuiteSelectedFromReverseList,
    TlsConnectionResult tls12AvailableWithSha2HashFunctionSelected,
    TlsConnectionResult tls12AvailableWithWeakCipherSuiteNotSelected,
    TlsConnectionResult tls11AvailableWithBestCipherSuiteSelected,
    TlsConnectionResult tls11AvailableWithWeakCipherSuiteNotSelected,
    TlsConnectionResult tls10AvailableWithBestCipherSuiteSelected,
    TlsConnectionResult tls10AvailableWithWeakCipherSuiteNotSelected,
    TlsConnectionResult ssl3FailsWithBadCipherSuite,
    TlsConnectionResult tlsSecureEllipticCurveSelected,
    TlsConnectionResult tlsSecureDiffieHellmanGroupSelected,
    TlsConnectionResult tlsWeakCipherSuitesRejected)
{
    // TLS 1.2 probes.
    this.Tls12AvailableWithBestCipherSuiteSelected = tls12AvailableWithBestCipherSuiteSelected;
    this.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList = tls12AvailableWithBestCipherSuiteSelectedFromReverseList;
    this.Tls12AvailableWithSha2HashFunctionSelected = tls12AvailableWithSha2HashFunctionSelected;
    this.Tls12AvailableWithWeakCipherSuiteNotSelected = tls12AvailableWithWeakCipherSuiteNotSelected;

    // TLS 1.1 and TLS 1.0 probes.
    this.Tls11AvailableWithBestCipherSuiteSelected = tls11AvailableWithBestCipherSuiteSelected;
    this.Tls11AvailableWithWeakCipherSuiteNotSelected = tls11AvailableWithWeakCipherSuiteNotSelected;
    this.Tls10AvailableWithBestCipherSuiteSelected = tls10AvailableWithBestCipherSuiteSelected;
    this.Tls10AvailableWithWeakCipherSuiteNotSelected = tls10AvailableWithWeakCipherSuiteNotSelected;

    // SSL 3.0, key-exchange and weak-suite probes.
    this.Ssl3FailsWithBadCipherSuite = ssl3FailsWithBadCipherSuite;
    this.TlsSecureEllipticCurveSelected = tlsSecureEllipticCurveSelected;
    this.TlsSecureDiffieHellmanGroupSelected = tlsSecureDiffieHellmanGroupSelected;
    this.TlsWeakCipherSuitesRejected = tlsWeakCipherSuitesRejected;
}
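/// <summary>
/// Rates the outcome of the <c>Tls11AvailableWithWeakCipherSuiteNotSelected</c> probe from the
/// error it ended with or, when there was no error, from the cipher suite the server selected.
/// </summary>
/// <param name="tlsConnectionResults">
/// Probe results; <c>Tls11AvailableWithWeakCipherSuiteNotSelected</c> is rated and
/// <c>Tls12AvailableWithBestCipherSuiteSelected</c> is consulted to grade an unexpected error.
/// </param>
/// <returns>
/// PASS for a handshake-failure, protocol-version or insufficient-security error and for the four
/// suites listed first; FAIL for the listed insecure suites; WARNING for any other error when the
/// TLS 1.2 probe had no error; INCONCLUSIVE otherwise.
/// </returns>
public TlsEvaluatorResult Test(ConnectionResults tlsConnectionResults)
{
    TlsConnectionResult tlsConnectionResult = tlsConnectionResults.Tls11AvailableWithWeakCipherSuiteNotSelected;
    TlsConnectionResult tls12AvailableWithBestCipherSuiteSelectedResult = tlsConnectionResults.Tls12AvailableWithBestCipherSuiteSelected;

    // NOTE(review): ErrorDescription is copied verbatim into the description returned below. If it
    // can carry text that originates from the remote server, whatever renders the description
    // must encode it for its output context. The text is always passed as a format argument,
    // never as the format string, so braces inside it cannot disturb string.Format.
    switch (tlsConnectionResult.Error)
    {
        case Error.HANDSHAKE_FAILURE:
        case Error.PROTOCOL_VERSION:
        case Error.INSUFFICIENT_SECURITY:
            return new TlsEvaluatorResult(EvaluatorResult.PASS);

        // Transport-level failures say nothing about the server's cipher suite policy.
        case Error.TCP_CONNECTION_FAILED:
        case Error.SESSION_INITIALIZATION_FAILED:
            return new TlsEvaluatorResult(EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\"."));

        // No error: fall through to the cipher suite rating.
        case null:
            break;

        default:
            // A clean TLS 1.2 probe downgrades an unexpected error here to a warning.
            if (tls12AvailableWithBestCipherSuiteSelectedResult.Error == null)
            {
                // NOTE(review): this evaluator reads the TLS 1.1 probe, yet the message names
                // TLS 1.0 - confirm which protocol version the text should mention.
                return new TlsEvaluatorResult(EvaluatorResult.WARNING, string.Format(intro, $"the server responded with an error. This may be because you do not support TLS 1.0. Error description \"{tlsConnectionResult.ErrorDescription}\"."));
            }

            // The literal was split across two source lines, which a regular interpolated
            // string does not allow; it is written on one line here.
            return new TlsEvaluatorResult(EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\"."));
    }

    switch (tlsConnectionResult.CipherSuite)
    {
        // NOTE(review): these RC4 and 3DES suites are rated PASS. RFC 7465 prohibits RC4 in TLS
        // and 3DES has a 64-bit block size - confirm this rating is still the intended policy.
        case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA:
        case CipherSuite.TLS_RSA_WITH_RC4_128_SHA:
        case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
        case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
            return new TlsEvaluatorResult(EvaluatorResult.PASS);

        // NULL, EXPORT-grade, single-DES and RC4-MD5 suites.
        case CipherSuite.TLS_RSA_WITH_RC4_128_MD5:
        case CipherSuite.TLS_NULL_WITH_NULL_NULL:
        case CipherSuite.TLS_RSA_WITH_NULL_MD5:
        case CipherSuite.TLS_RSA_WITH_NULL_SHA:
        case CipherSuite.TLS_RSA_EXPORT_WITH_RC4_40_MD5:
        case CipherSuite.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
        case CipherSuite.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA:
        case CipherSuite.TLS_RSA_WITH_DES_CBC_SHA:
        case CipherSuite.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
        case CipherSuite.TLS_DH_DSS_WITH_DES_CBC_SHA:
        case CipherSuite.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
        case CipherSuite.TLS_DH_RSA_WITH_DES_CBC_SHA:
        case CipherSuite.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
        case CipherSuite.TLS_DHE_DSS_WITH_DES_CBC_SHA:
        case CipherSuite.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
            return new TlsEvaluatorResult(EvaluatorResult.FAIL, string.Format(intro, $"the server selected {tlsConnectionResult.CipherSuite.GetName()} which is insecure"));
    }

    // Null or unlisted cipher suite: nothing can be concluded.
    return new TlsEvaluatorResult(EvaluatorResult.INCONCLUSIVE, string.Format(intro, "there was a problem and we are unable to provide additional information."));
}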
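/// <summary>
/// Checks that the evaluator returns FAIL when the TLS 1.2 SHA-2 hash function probe ended
/// with <c>INSUFFICIENT_SECURITY</c>.
/// </summary>
public void AnErrorShouldResultInAFail()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(Error.INSUFFICIENT_SECURITY, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls12AvailableWithSha2HashFunctionSelected, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.FAIL, _sut.Test(connectionResults).Result);
}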
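/// <summary>
/// Checks that the evaluator returns FAIL when the TLS 1.1 best-cipher-suite probe ended with
/// <c>INSUFFICIENT_SECURITY</c> and an error description.
/// </summary>
public void AnErrorShouldResultInAFail()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(Error.INSUFFICIENT_SECURITY, "Insufficient security", null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls11AvailableWithBestCipherSuiteSelected, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.FAIL, _sut.Test(connectionResults).Result);
}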
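/// <summary>
/// Checks that the evaluator returns INCONCLUSIVE when the TLS 1.2 SHA-2 hash function probe
/// ended with the supplied error.
/// </summary>
/// <param name="error">Error placed in the probe result (presumably supplied by test-case data not shown here).</param>
public void TcpErrorsShouldResultInInconclusive(Error error)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(error, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls12AvailableWithSha2HashFunctionSelected, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.INCONCLUSIVE, _sut.Test(connectionResults).Result);
}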
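/// <summary>
/// Checks that the evaluator returns INCONCLUSIVE when the secure Diffie-Hellman group probe
/// ended with <c>INTERNAL_ERROR</c>.
/// </summary>
public void OtherErrorsShouldResultInInconclusive()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(Error.INTERNAL_ERROR, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.TlsSecureDiffieHellmanGroupSelected, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.INCONCLUSIVE, _sut.Test(connectionResults).Result);
}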
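/// <summary>
/// Checks that the evaluator returns PASS when the secure Diffie-Hellman group probe ended
/// with the supplied error.
/// </summary>
/// <param name="error">Error placed in the probe result (presumably supplied by test-case data not shown here).</param>
public void ConnectionRefusedErrorsShouldResultInPass(Error error)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(error, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.TlsSecureDiffieHellmanGroupSelected, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.PASS, _sut.Test(connectionResults).Result);
}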
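/// <summary>
/// Checks that the evaluator returns INCONCLUSIVE when the TLS 1.2 weak-cipher-suite probe
/// ended with <c>INTERNAL_ERROR</c>.
/// </summary>
public void OtherErrorsShouldResultInInconclusive()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(Error.INTERNAL_ERROR, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.INCONCLUSIVE, _sut.Test(connectionResults).Result);
}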
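/// <summary>
/// Checks that the evaluator returns PASS when the TLS 1.2 weak-cipher-suite probe ended with
/// the supplied error.
/// </summary>
/// <param name="error">Error placed in the probe result (presumably supplied by test-case data not shown here).</param>
public void ConnectionRefusedErrorsShouldResultInPass(Error error)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(error, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.PASS, _sut.Test(connectionResults).Result);
}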
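/// <summary>
/// Checks that the evaluator returns PASS when the secure Diffie-Hellman group probe result
/// carries the supplied group and no error.
/// </summary>
/// <param name="curveGroup">Group placed in the probe result (presumably supplied by test-case data not shown here).</param>
public void GoodCurveGroupsShouldResultInAPass(CurveGroup curveGroup)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, null, curveGroup, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.TlsSecureDiffieHellmanGroupSelected, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.PASS, _sut.Test(connectionResults).Result);
}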
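/// <summary>
/// Checks that the evaluator returns PASS when the TLS 1.2 SHA-2 hash function probe result
/// carries the supplied cipher suite and no error.
/// </summary>
/// <param name="cipherSuite">Cipher suite placed in the probe result (presumably supplied by test-case data not shown here).</param>
public void GoodCiphersShouldResultInAPass(CipherSuite cipherSuite)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, cipherSuite, null, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls12AvailableWithSha2HashFunctionSelected, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.PASS, _sut.Test(connectionResults).Result);
}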
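/// <summary>
/// Checks that the evaluator returns WARNING when the secure Diffie-Hellman group probe result
/// carries <c>UnknownGroup1024</c> and no error.
/// </summary>
public void Unknown1024GroupShouldResultInAWarn()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, null, CurveGroup.UnknownGroup1024, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.TlsSecureDiffieHellmanGroupSelected, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.WARNING, _sut.Test(connectionResults).Result);
}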
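/// <summary>
/// Checks that the evaluator returns INCONCLUSIVE when the weak-cipher-suites-rejected probe
/// result carries neither an error nor a cipher suite.
/// </summary>
public void NoCipherSuiteResponseShouldResultInInconclusive()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, null, null, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.TlsWeakCipherSuitesRejected, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.INCONCLUSIVE, _sut.Test(connectionResults).Result);
}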
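/// <summary>
/// Checks that the evaluator returns FAIL when the TLS 1.2 weak-cipher-suite probe result
/// carries the supplied cipher suite and no error.
/// </summary>
/// <param name="cipherSuite">Cipher suite placed in the probe result (presumably supplied by test-case data not shown here).</param>
public void InsecureCiphersShouldResultInAFail(CipherSuite cipherSuite)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, cipherSuite, null, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.FAIL, _sut.Test(connectionResults).Result);
}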
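/// <summary>
/// Checks that the evaluator returns WARNING when the TLS 1.0 best-cipher-suite probe result
/// carries the supplied cipher suite and no error.
/// </summary>
/// <param name="cipherSuite">Cipher suite placed in the probe result (presumably supplied by test-case data not shown here).</param>
public void CipherSuitesWithNoPfsShouldResultInAWarning(CipherSuite cipherSuite)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, cipherSuite, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls10AvailableWithBestCipherSuiteSelected, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.WARNING, _sut.Test(connectionResults).Result);
}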
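/// <summary>
/// Checks that the evaluator returns FAIL when the TLS 1.0 best-cipher-suite probe ended with
/// <c>ACCESS_DENIED</c>.
/// </summary>
public void AnErrorShouldResultInAFail()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(Error.ACCESS_DENIED, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls10AvailableWithBestCipherSuiteSelected, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.FAIL, _sut.Test(connectionResults).Result);
}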
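/// <summary>
/// Checks that the evaluator returns FAIL when the secure elliptic curve probe result carries
/// the supplied curve and no error.
/// </summary>
/// <param name="curveGroup">Curve placed in the probe result (presumably supplied by test-case data not shown here).</param>
public void CurvesWithCurveNumberLessThan256ShouldResultInAFail(CurveGroup curveGroup)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, null, curveGroup, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.TlsSecureEllipticCurveSelected, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.FAIL, _sut.Test(connectionResults).Result);
}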
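/// <summary>
/// Checks that the evaluator returns INCONCLUSIVE when the secure elliptic curve probe result
/// carries neither an error nor a curve.
/// </summary>
public void UnaccountedForCurveShouldResultInInconclusive()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, null, null, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.TlsSecureEllipticCurveSelected, tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.INCONCLUSIVE, _sut.Test(connectionResults).Result);
}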
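/// <summary>
/// Checks that, for the TLS 1.0 best-cipher-suite probe, the supplied error yields INCONCLUSIVE
/// and that the returned description quotes the supplied error description.
/// </summary>
/// <param name="error">Error placed in the probe result (presumably supplied by test-case data not shown here).</param>
/// <param name="description">Error description placed in the probe result and expected in the output.</param>
public void ErrorsShouldHaveErrorDescriptionInResult(Error error, string description)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(error, description, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls10AvailableWithBestCipherSuiteSelected, tlsConnectionResult);

    // Evaluate once so both assertions inspect the same result object.
    TlsEvaluatorResult result = _sut.Test(connectionResults);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.INCONCLUSIVE, result.Result);
    StringAssert.Contains($"Error description \"{description}\".", result.Description);
}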
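/// <summary>
/// Checks that, for the SSL 3.0 bad-cipher-suite probe, the supplied error yields PASS and that
/// the result carries no description even though the probe result has an error description.
/// </summary>
/// <param name="error">Error placed in the probe result (presumably supplied by test-case data not shown here).</param>
/// <param name="description">Error description placed in the probe result; it must not surface in a PASS result.</param>
public void ConnectionRefusedErrorsShouldResultInPassWithoutErrorDescription(Error error, string description)
{
    // The description parameter was previously unused and null was passed instead, so the
    // test could not detect an error description leaking into a PASS result.
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(error, description, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Ssl3FailsWithBadCipherSuite, tlsConnectionResult);

    TlsEvaluatorResult result = _sut.Test(connectionResults);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.PASS, result.Result);
    Assert.That(result.Description, Is.Null);
}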
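/// <summary>
/// Checks that, for the SSL 3.0 bad-cipher-suite probe, <c>INTERNAL_ERROR</c> yields
/// INCONCLUSIVE and that the returned description quotes the error description.
/// </summary>
public void OtherErrorsShouldResultInInconclusive()
{
    string errorDescription = "Something went wrong!";
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(Error.INTERNAL_ERROR, errorDescription, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Ssl3FailsWithBadCipherSuite, tlsConnectionResult);

    TlsEvaluatorResult result = _sut.Test(connectionResults);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.INCONCLUSIVE, result.Result);
    StringAssert.Contains($"Error description \"{errorDescription}\".", result.Description);
}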
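/// <summary>
/// Checks that the evaluator returns PASS when only the TLS 1.2 reverse-list probe result is
/// supplied, carrying <c>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</c> and no error.
/// </summary>
public void PreviousTestBeingInconclusiveShouldResultInPass()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, null, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(
        TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList,
        tlsConnectionResult);

    // Expected value goes first so a failure message labels expected/actual correctly.
    Assert.AreEqual(EvaluatorResult.PASS, _sut.Test(connectionResults).Result);
}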