public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults) { BouncyCastleTlsTestResult tls11Available = tlsTestConnectionResults.Tls11AvailableWithBestCipherSuiteSelected; TlsTestType tlsTestType = TlsTestType.Tls11Available; if (!tls11Available.Supported()) { //inconclusive if (tls11Available.IsInconclusive()) { return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tls11Available.ErrorDescription}\".")) .ToTaskList()); } return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, tls11Available.ExplicitlyUnsupported() || tls11Available.HandshakeFailure() ? EvaluatorResult.INFORMATIONAL : EvaluatorResult.WARNING, tls11Available.ExplicitlyUnsupported() || tls11Available.HandshakeFailure() ? "This server refused to negotiate using TLS 1.1" : string.Format(intro, $"the server responded with the error \"{tls11Available.ErrorDescription}\".")) .ToTaskList()); } return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList()); }
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults) { BouncyCastleTlsTestResult tlsConnectionResult = tlsTestConnectionResults.TlsWeakCipherSuitesRejected; TlsTestType tlsTestType = TlsTestType.TlsWeakCipherSuitesRejected; switch (tlsConnectionResult.TlsError) { case TlsError.HANDSHAKE_FAILURE: case TlsError.PROTOCOL_VERSION: case TlsError.INSUFFICIENT_SECURITY: return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList()); case TlsError.TCP_CONNECTION_FAILED: case TlsError.SESSION_INITIALIZATION_FAILED: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE, $"{intro} we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\".").ToTaskList()); case null: break; default: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.INCONCLUSIVE, $"{intro} the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\".").ToTaskList()); } if (tlsConnectionResult.CipherSuite != null) { return(new RuleTypedTlsEvaluationResult(tlsTestType, new TlsEvaluatedResult(ErrorId3, EvaluatorResult.FAIL, $"{intro} the server accepted the connection and selected {tlsConnectionResult.CipherSuite.GetEnumAsString()}.")).ToTaskList()); } return(new RuleTypedTlsEvaluationResult(tlsTestType, new TlsEvaluatedResult(ErrorId4, EvaluatorResult.INCONCLUSIVE, $"{intro} there was a problem and we are unable to provide additional information.")).ToTaskList()); }
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults) { BouncyCastleTlsTestResult tlsConnectionResult = tlsTestConnectionResults.Tls11AvailableWithWeakCipherSuiteNotSelected; BouncyCastleTlsTestResult tls12AvailableWithBestCipherSuiteSelectedResult = tlsTestConnectionResults.Tls12AvailableWithBestCipherSuiteSelected; TlsTestType tlsTestType = TlsTestType.Tls11AvailableWithWeakCipherSuiteNotSelected; switch (tlsConnectionResult.TlsError) { case TlsError.HANDSHAKE_FAILURE: case TlsError.PROTOCOL_VERSION: case TlsError.INSUFFICIENT_SECURITY: return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList()); case TlsError.TCP_CONNECTION_FAILED: case TlsError.SESSION_INITIALIZATION_FAILED: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\".")).ToTaskList()); case null: break; default: return(tls12AvailableWithBestCipherSuiteSelectedResult.TlsError == null ? new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.WARNING, string.Format(intro, $"the server responded with an error. This may be because you do not support TLS 1.1. Error description \"{tlsConnectionResult.ErrorDescription}\".")).ToTaskList() : new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId3, EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\".")).ToTaskList()); } switch (tlsConnectionResult.CipherSuite) { case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA: case CipherSuite.TLS_RSA_WITH_RC4_128_SHA: case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList()); case CipherSuite.TLS_RSA_WITH_RC4_128_MD5: case CipherSuite.TLS_NULL_WITH_NULL_NULL: case CipherSuite.TLS_RSA_WITH_NULL_MD5: case CipherSuite.TLS_RSA_WITH_NULL_SHA: case CipherSuite.TLS_RSA_EXPORT_WITH_RC4_40_MD5: case CipherSuite.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: case CipherSuite.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_RSA_WITH_DES_CBC_SHA: case CipherSuite.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DH_DSS_WITH_DES_CBC_SHA: case CipherSuite.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DH_RSA_WITH_DES_CBC_SHA: case CipherSuite.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DHE_DSS_WITH_DES_CBC_SHA: case CipherSuite.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId4, EvaluatorResult.FAIL, string.Format(intro, $"the server selected {tlsConnectionResult.CipherSuite.GetEnumAsString()} which is insecure")).ToTaskList()); } return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId5, EvaluatorResult.INCONCLUSIVE, string.Format(intro, "there was a problem and we are unable to provide additional information.")).ToTaskList()); }
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults) { BouncyCastleTlsTestResult tlsConnectionResult = tlsTestConnectionResults.Tls11AvailableWithBestCipherSuiteSelected; string introWithCipherSuite = string.Format(intro, $"the server selected {tlsConnectionResult.CipherSuite.GetEnumAsString()}"); TlsTestType tlsTestType = TlsTestType.Tls11AvailableWithBestCipherSuiteSelected; switch (tlsConnectionResult.CipherSuite) { case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA: case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList()); case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA: case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.WARNING, $"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS). {advice}").ToTaskList()); case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA: case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.WARNING, $"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS) and uses 3DES. {advice}").ToTaskList()); case CipherSuite.TLS_RSA_WITH_RC4_128_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId3, EvaluatorResult.WARNING, $"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS) and uses RC4. {advice}").ToTaskList()); case CipherSuite.TLS_RSA_WITH_RC4_128_MD5: case CipherSuite.TLS_NULL_WITH_NULL_NULL: case CipherSuite.TLS_RSA_WITH_NULL_MD5: case CipherSuite.TLS_RSA_WITH_NULL_SHA: case CipherSuite.TLS_RSA_EXPORT_WITH_RC4_40_MD5: case CipherSuite.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: case CipherSuite.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_RSA_WITH_DES_CBC_SHA: case CipherSuite.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DH_DSS_WITH_DES_CBC_SHA: case CipherSuite.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DH_RSA_WITH_DES_CBC_SHA: case CipherSuite.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DHE_DSS_WITH_DES_CBC_SHA: case CipherSuite.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId4, EvaluatorResult.FAIL, $"{introWithCipherSuite} which is insecure. {advice}").ToTaskList()); } return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId5, EvaluatorResult.INCONCLUSIVE, string.Format(intro, "there was a problem and we are unable to provide additional information.")).ToTaskList()); }
public static TlsTestResults CreateMxHostTlsResults(TlsTestType testType, BouncyCastleTlsTestResult data) { return(new TlsTestResults("abc.def.gov.uk", false, false, SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Tls12AvailableWithBestCipherSuiteSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Tls12AvailableWithSha2HashFunctionSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Tls11AvailableWithBestCipherSuiteSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Tls11AvailableWithWeakCipherSuiteNotSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Tls10AvailableWithBestCipherSuiteSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Tls10AvailableWithWeakCipherSuiteNotSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.Ssl3FailsWithBadCipherSuite), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.TlsSecureEllipticCurveSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.TlsSecureDiffieHellmanGroupSelected), SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> { { testType, data } }, TlsTestType.TlsWeakCipherSuitesRejected), null)); }
public static ConnectionResults CreateConnectionResults(TlsTestType testType, TlsConnectionResult data) { return(new ConnectionResults( SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>() { { testType, data } }, TlsTestType.Tls12AvailableWithBestCipherSuiteSelected), SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>() { { testType, data } }, TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList), SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>() { { testType, data } }, TlsTestType.Tls12AvailableWithSha2HashFunctionSelected), SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>() { { testType, data } }, TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected), SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>() { { testType, data } }, TlsTestType.Tls11AvailableWithBestCipherSuiteSelected), SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>() { { testType, data } }, TlsTestType.Tls11AvailableWithWeakCipherSuiteNotSelected), SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>() { { testType, data } }, TlsTestType.Tls10AvailableWithBestCipherSuiteSelected), SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>() { { testType, data } }, TlsTestType.Tls10AvailableWithWeakCipherSuiteNotSelected), SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>() { { testType, data } }, TlsTestType.Ssl3FailsWithBadCipherSuite), SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>() { { testType, data } }, TlsTestType.TlsSecureEllipticCurveSelected), SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>() { { testType, data } }, TlsTestType.TlsSecureDiffieHellmanGroupSelected), SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>() { { testType, data } }, TlsTestType.TlsWeakCipherSuitesRejected))); }
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults) { BouncyCastleTlsTestResult tlsConnectionResult = tlsTestConnectionResults.Tls12AvailableWithSha2HashFunctionSelected; TlsTestType tlsTestType = TlsTestType.Tls12AvailableWithSha2HashFunctionSelected; if (tlsConnectionResult.TlsError == TlsError.HANDSHAKE_FAILURE || tlsConnectionResult.TlsError == TlsError.INSUFFICIENT_SECURITY || tlsConnectionResult.TlsError == TlsError.PROTOCOL_VERSION) { List <CipherSuite> tls12AvailableWithBestCipherSuiteSelectedPassingCipherSuites = new List <CipherSuite> { CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 }; if (tlsTestConnectionResults.Tls12AvailableWithBestCipherSuiteSelected.CipherSuite != null && tls12AvailableWithBestCipherSuiteSelectedPassingCipherSuites.Contains(tlsTestConnectionResults .Tls12AvailableWithBestCipherSuiteSelected.CipherSuite.Value)) { return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS) .ToTaskList()); } } switch (tlsConnectionResult.TlsError) { case TlsError.TCP_CONNECTION_FAILED: case TlsError.SESSION_INITIALIZATION_FAILED: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\".")) .ToTaskList()); case null: break; default: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.FAIL, string.Format(intro, $"the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\".")) .ToTaskList()); } string introWithCipherSuite = string.Format(intro, $"the server selected {tlsConnectionResult.CipherSuite.GetEnumAsString()}"); switch (tlsConnectionResult.CipherSuite) { case CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384: case CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256: case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256: case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256: return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS) .ToTaskList()); case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA: case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA: case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId3, EvaluatorResult.WARNING, $"{introWithCipherSuite} which uses SHA-1. {advice}").ToTaskList()); case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA: case CipherSuite.TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId4, EvaluatorResult.WARNING, $"{introWithCipherSuite} which uses 3DES and SHA-1. {advice}").ToTaskList()); case CipherSuite.TLS_RSA_WITH_RC4_128_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId5, EvaluatorResult.WARNING, $"{introWithCipherSuite} which uses RC4 and SHA-1. {advice}").ToTaskList()); case CipherSuite.TLS_RSA_WITH_RC4_128_MD5: case CipherSuite.TLS_NULL_WITH_NULL_NULL: case CipherSuite.TLS_RSA_WITH_NULL_MD5: case CipherSuite.TLS_RSA_WITH_NULL_SHA: case CipherSuite.TLS_RSA_EXPORT_WITH_RC4_40_MD5: case CipherSuite.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: case CipherSuite.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_RSA_WITH_DES_CBC_SHA: case CipherSuite.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DH_DSS_WITH_DES_CBC_SHA: case CipherSuite.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DH_RSA_WITH_DES_CBC_SHA: case CipherSuite.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DHE_DSS_WITH_DES_CBC_SHA: case CipherSuite.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DHE_RSA_WITH_DES_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId6, EvaluatorResult.FAIL, $"{introWithCipherSuite} which is insecure. {advice}").ToTaskList()); } return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId7, EvaluatorResult.INCONCLUSIVE, string.Format(intro, "there was a problem and we are unable to provide additional information.")) .ToTaskList()); }
private static BouncyCastleTlsTestResult SetupConnectionResult(IDictionary <TlsTestType, BouncyCastleTlsTestResult> data, TlsTestType testType) { return(data.ContainsKey(testType) ? data[testType] : new BouncyCastleTlsTestResult(TlsError.BAD_CERTIFICATE, "Bad certificate found", null)); }
public RuleTypedTlsEvaluationResult(TlsTestType type, Guid id, EvaluatorResult?result = null, string description = null) : this(type, new TlsEvaluatedResult(id, result, description)) { }
public RuleTypedTlsEvaluationResult(TlsTestType type, TlsEvaluatedResult tlsEvaluatedResult) { Type = type; TlsEvaluatedResult = tlsEvaluatedResult; }
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults) { BouncyCastleTlsTestResult tlsConnectionResult = tlsTestConnectionResults.TlsSecureDiffieHellmanGroupSelected; TlsTestType tlsTestType = TlsTestType.TlsSecureDiffieHellmanGroupSelected; switch (tlsConnectionResult.TlsError) { case TlsError.HANDSHAKE_FAILURE: case TlsError.PROTOCOL_VERSION: case TlsError.INSUFFICIENT_SECURITY: return(new RuleTypedTlsEvaluationResult(tlsTestType, new TlsEvaluatedResult(Guid.NewGuid(), EvaluatorResult.PASS)).ToTaskList()); case TlsError.TCP_CONNECTION_FAILED: case TlsError.SESSION_INITIALIZATION_FAILED: return(new RuleTypedTlsEvaluationResult(tlsTestType, new TlsEvaluatedResult(ErrorId1, EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\"."))) .ToTaskList()); case null: break; default: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\".")) .ToTaskList()); } switch (tlsConnectionResult.CurveGroup) { case CurveGroup.Ffdhe2048: case CurveGroup.Ffdhe3072: case CurveGroup.Ffdhe4096: case CurveGroup.Ffdhe6144: case CurveGroup.Ffdhe8192: case CurveGroup.UnknownGroup2048: case CurveGroup.UnknownGroup3072: case CurveGroup.UnknownGroup4096: case CurveGroup.UnknownGroup6144: case CurveGroup.UnknownGroup8192: return(new RuleTypedTlsEvaluationResult(tlsTestType, new Guid(), EvaluatorResult.PASS).ToTaskList()); case CurveGroup.UnknownGroup1024: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId3, EvaluatorResult.WARNING, string.Format(intro, $"the server selected an unknown 1024 bit group. {advice}")).ToTaskList()); case CurveGroup.Java1024: case CurveGroup.Rfc2409_1024: case CurveGroup.Rfc5114_1024: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId4, EvaluatorResult.FAIL, string.Format(intro, $"the server selected {tlsConnectionResult.CurveGroup.GetEnumAsString()} which is an insecure 1024 bit (or less) group. {advice}")) .ToTaskList()); case CurveGroup.Unknown: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId5, EvaluatorResult.FAIL, string.Format(intro, $"the server selected an unknown group which is potentially insecure. {advice}")) .ToTaskList()); } return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId6, EvaluatorResult.INCONCLUSIVE, string.Format(intro, "there was a problem and we are unable to provide additional information.")) .ToTaskList()); }
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults) { BouncyCastleTlsTestResult tlsConnectionResult = tlsTestConnectionResults.TlsSecureEllipticCurveSelected; TlsTestType tlsTestType = TlsTestType.TlsSecureEllipticCurveSelected; switch (tlsConnectionResult.TlsError) { case TlsError.HANDSHAKE_FAILURE: case TlsError.PROTOCOL_VERSION: case TlsError.INSUFFICIENT_SECURITY: return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS) .ToTaskList()); case TlsError.TCP_CONNECTION_FAILED: case TlsError.SESSION_INITIALIZATION_FAILED: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\".")) .ToTaskList()); case null: break; default: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\".")) .ToTaskList()); } switch (tlsConnectionResult.CurveGroup) { case CurveGroup.Unknown: case CurveGroup.Secp160k1: case CurveGroup.Secp160r1: case CurveGroup.Secp160r2: case CurveGroup.Secp192k1: case CurveGroup.Secp192r1: case CurveGroup.Secp224k1: case CurveGroup.Secp224r1: case CurveGroup.Sect163k1: case CurveGroup.Sect163r1: case CurveGroup.Sect163r2: case CurveGroup.Sect193r1: case CurveGroup.Sect193r2: case CurveGroup.Sect233k1: case CurveGroup.Sect233r1: case CurveGroup.Sect239k1: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId3, EvaluatorResult.FAIL, string.Format(intro, $"the server selected {tlsConnectionResult.CurveGroup.GetEnumAsString()} which has a curve length of less than 256 bits.")) .ToTaskList()); case CurveGroup.Secp256k1: case CurveGroup.Secp256r1: case CurveGroup.Secp384r1: case CurveGroup.Secp521r1: case CurveGroup.Sect283k1: case CurveGroup.Sect283r1: case CurveGroup.Sect409k1: case CurveGroup.Sect409r1: case CurveGroup.Sect571k1: case CurveGroup.Sect571r1: return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS) .ToTaskList()); } return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId4, EvaluatorResult.INCONCLUSIVE, string.Format(intro, "there was a problem and we are unable to provide additional information.")) .ToTaskList()); }
private TlsEvaluatedResult GetEvaluatorResultOrDefault(TlsTestType tlsTestType, Dictionary <TlsTestType, RuleTypedTlsEvaluationResult> evaluationResultsByType) { return(evaluationResultsByType.TryGetValue(tlsTestType, out RuleTypedTlsEvaluationResult ruleTypedTlsEvaluationResult) ? ruleTypedTlsEvaluationResult.TlsEvaluatedResult : new TlsEvaluatedResult(Guid.NewGuid())); }
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults) { BouncyCastleTlsTestResult tlsConnectionResult = tlsTestConnectionResults.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList; CipherSuite?previousCipherSuite = tlsTestConnectionResults.Tls12AvailableWithBestCipherSuiteSelected.CipherSuite; TlsTestType tlsTestType = TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList; switch (tlsConnectionResult.TlsError) { case TlsError.TCP_CONNECTION_FAILED: case TlsError.SESSION_INITIALIZATION_FAILED: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\".")) .ToTaskList()); case null: break; default: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.WARNING, string.Format(intro, $"the server responded with an error. Error description - {tlsConnectionResult.ErrorDescription}. {advice}")) .ToTaskList()); } if (tlsConnectionResult.CipherSuite == previousCipherSuite) { return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList()); } string introWithCipherSuite = string.Format(intro, $"the server selected a different cipher suite ({tlsConnectionResult.CipherSuite.GetEnumAsString()})"); switch (tlsConnectionResult.CipherSuite) { case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: case CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: case CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS) .ToTaskList()); case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA: case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId3, EvaluatorResult.WARNING, $"{introWithCipherSuite} which uses SHA-1. {advice}").ToTaskList()); case CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384: case CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256: case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256: case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId4, EvaluatorResult.WARNING, $"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS). {advice}").ToTaskList()); case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA: case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId5, EvaluatorResult.WARNING, $"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS) and uses SHA-1. {advice}") .ToTaskList()); case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA: case CipherSuite.TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId6, EvaluatorResult.WARNING, $"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS) and uses 3DES and SHA-1. {advice}") .ToTaskList()); case CipherSuite.TLS_RSA_WITH_RC4_128_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId7, EvaluatorResult.WARNING, $"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS) and uses RC4 and SHA-1. {advice}") .ToTaskList()); case CipherSuite.TLS_RSA_WITH_RC4_128_MD5: case CipherSuite.TLS_NULL_WITH_NULL_NULL: case CipherSuite.TLS_RSA_WITH_NULL_MD5: case CipherSuite.TLS_RSA_WITH_NULL_SHA: case CipherSuite.TLS_RSA_EXPORT_WITH_RC4_40_MD5: case CipherSuite.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: case CipherSuite.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_RSA_WITH_DES_CBC_SHA: case CipherSuite.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DH_DSS_WITH_DES_CBC_SHA: case CipherSuite.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DH_RSA_WITH_DES_CBC_SHA: case CipherSuite.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DHE_DSS_WITH_DES_CBC_SHA: case CipherSuite.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: case CipherSuite.TLS_DHE_RSA_WITH_DES_CBC_SHA: return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId8, EvaluatorResult.FAIL, $"{introWithCipherSuite} which is insecure. {advice}").ToTaskList()); } return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId9, EvaluatorResult.INCONCLUSIVE, string.Format(intro, "there was a problem and we are unable to provide additional information.")) .ToTaskList()); }