public TlsResults(
bool failed,
BouncyCastleTlsTestResult tls12AvailableWithBestCipherSuiteSelected,
BouncyCastleTlsTestResult tls12AvailableWithBestCipherSuiteSelectedFromReverseList,
BouncyCastleTlsTestResult tls12AvailableWithSha2HashFunctionSelected,
BouncyCastleTlsTestResult tls12AvailableWithWeakCipherSuiteNotSelected,
BouncyCastleTlsTestResult tls11AvailableWithBestCipherSuiteSelected,
BouncyCastleTlsTestResult tls11AvailableWithWeakCipherSuiteNotSelected,
BouncyCastleTlsTestResult tls10AvailableWithBestCipherSuiteSelected,
BouncyCastleTlsTestResult tls10AvailableWithWeakCipherSuiteNotSelected,
BouncyCastleTlsTestResult ssl3FailsWithBadCipherSuite,
BouncyCastleTlsTestResult tlsSecureEllipticCurveSelected,
BouncyCastleTlsTestResult tlsSecureDiffieHellmanGroupSelected,
BouncyCastleTlsTestResult tlsWeakCipherSuitesRejected)
{
Failed = failed;
Tls12AvailableWithBestCipherSuiteSelected = tls12AvailableWithBestCipherSuiteSelected;
Tls12AvailableWithBestCipherSuiteSelectedFromReverseList =
tls12AvailableWithBestCipherSuiteSelectedFromReverseList;
Tls12AvailableWithSha2HashFunctionSelected = tls12AvailableWithSha2HashFunctionSelected;
Tls12AvailableWithWeakCipherSuiteNotSelected = tls12AvailableWithWeakCipherSuiteNotSelected;
Tls11AvailableWithBestCipherSuiteSelected = tls11AvailableWithBestCipherSuiteSelected;
Tls11AvailableWithWeakCipherSuiteNotSelected = tls11AvailableWithWeakCipherSuiteNotSelected;
Tls10AvailableWithBestCipherSuiteSelected = tls10AvailableWithBestCipherSuiteSelected;
Tls10AvailableWithWeakCipherSuiteNotSelected = tls10AvailableWithWeakCipherSuiteNotSelected;
Ssl3FailsWithBadCipherSuite = ssl3FailsWithBadCipherSuite;
TlsSecureEllipticCurveSelected = tlsSecureEllipticCurveSelected;
TlsSecureDiffieHellmanGroupSelected = tlsSecureDiffieHellmanGroupSelected;
TlsWeakCipherSuitesRejected = tlsWeakCipherSuitesRejected;
}
public async Task <List <TlsTestResult> > Test(string host)
{
List <TlsTestResult> testResults = new List <TlsTestResult>();
var sw = new Stopwatch();
_log.LogDebug($"Beginning test run of {_tests.Count} tests for {host ?? "null"}");
foreach (ITlsTest test in _tests)
{
sw.Restart();
_log.LogDebug($"Running test {test.Id} - {test.Name} for {host ?? "null"}");
ITlsClient tlsClient = _tlsClientFactory.Create();
try
{
BouncyCastleTlsTestResult result = await tlsClient.Connect(host, Port, test.Version, test.CipherSuites);
_log.LogDebug($"Result of test {test.Id} - {test.Name} for {host ?? "null"}:{ Environment.NewLine}{JsonConvert.SerializeObject(result, JsonSerializerSettings)}");
testResults.Add(new TlsTestResult(test, result));
}
finally
{
_log.LogDebug($"TLS test {test.Id} - {test.Name} for host {host ?? "null"} completed in {sw.ElapsedMilliseconds}ms");
tlsClient.Disconnect();
}
}
return(testResults);
}
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults)
{
BouncyCastleTlsTestResult tls11Available =
tlsTestConnectionResults.Tls11AvailableWithBestCipherSuiteSelected;
TlsTestType tlsTestType = TlsTestType.Tls11Available;
if (!tls11Available.Supported())
{
//inconclusive
if (tls11Available.IsInconclusive())
{
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE,
string.Format(intro,
$"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tls11Available.ErrorDescription}\"."))
.ToTaskList());
}
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2,
tls11Available.ExplicitlyUnsupported() || tls11Available.HandshakeFailure()
? EvaluatorResult.INFORMATIONAL
: EvaluatorResult.WARNING,
tls11Available.ExplicitlyUnsupported() || tls11Available.HandshakeFailure()
? "This server refused to negotiate using TLS 1.1"
: string.Format(intro,
$"the server responded with the error \"{tls11Available.ErrorDescription}\"."))
.ToTaskList());
}
return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList());
}
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults)
{
BouncyCastleTlsTestResult tlsConnectionResult = tlsTestConnectionResults.TlsWeakCipherSuitesRejected;
TlsTestType tlsTestType = TlsTestType.TlsWeakCipherSuitesRejected;
switch (tlsConnectionResult.TlsError)
{
case TlsError.HANDSHAKE_FAILURE:
case TlsError.PROTOCOL_VERSION:
case TlsError.INSUFFICIENT_SECURITY:
return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList());
case TlsError.TCP_CONNECTION_FAILED:
case TlsError.SESSION_INITIALIZATION_FAILED:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE,
$"{intro} we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\".").ToTaskList());
case null:
break;
default:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.INCONCLUSIVE,
$"{intro} the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\".").ToTaskList());
}
if (tlsConnectionResult.CipherSuite != null)
{
return(new RuleTypedTlsEvaluationResult(tlsTestType, new TlsEvaluatedResult(ErrorId3, EvaluatorResult.FAIL, $"{intro} the server accepted the connection and selected {tlsConnectionResult.CipherSuite.GetEnumAsString()}.")).ToTaskList());
}
return(new RuleTypedTlsEvaluationResult(tlsTestType, new TlsEvaluatedResult(ErrorId4, EvaluatorResult.INCONCLUSIVE, $"{intro} there was a problem and we are unable to provide additional information.")).ToTaskList());
}
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults)
{
BouncyCastleTlsTestResult tlsConnectionResult = tlsTestConnectionResults.Tls11AvailableWithWeakCipherSuiteNotSelected;
BouncyCastleTlsTestResult tls12AvailableWithBestCipherSuiteSelectedResult = tlsTestConnectionResults.Tls12AvailableWithBestCipherSuiteSelected;
TlsTestType tlsTestType = TlsTestType.Tls11AvailableWithWeakCipherSuiteNotSelected;
switch (tlsConnectionResult.TlsError)
{
case TlsError.HANDSHAKE_FAILURE:
case TlsError.PROTOCOL_VERSION:
case TlsError.INSUFFICIENT_SECURITY:
return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList());
case TlsError.TCP_CONNECTION_FAILED:
case TlsError.SESSION_INITIALIZATION_FAILED:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE,
string.Format(intro, $"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\".")).ToTaskList());
case null:
break;
default:
return(tls12AvailableWithBestCipherSuiteSelectedResult.TlsError == null
? new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.WARNING,
string.Format(intro, $"the server responded with an error. This may be because you do not support TLS 1.1. Error description \"{tlsConnectionResult.ErrorDescription}\".")).ToTaskList()
: new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId3, EvaluatorResult.INCONCLUSIVE,
string.Format(intro, $"the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\".")).ToTaskList());
}
switch (tlsConnectionResult.CipherSuite)
{
case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA:
case CipherSuite.TLS_RSA_WITH_RC4_128_SHA:
case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList());
case CipherSuite.TLS_RSA_WITH_RC4_128_MD5:
case CipherSuite.TLS_NULL_WITH_NULL_NULL:
case CipherSuite.TLS_RSA_WITH_NULL_MD5:
case CipherSuite.TLS_RSA_WITH_NULL_SHA:
case CipherSuite.TLS_RSA_EXPORT_WITH_RC4_40_MD5:
case CipherSuite.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
case CipherSuite.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_RSA_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DH_DSS_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DH_RSA_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DHE_DSS_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId4, EvaluatorResult.FAIL, string.Format(intro, $"the server selected {tlsConnectionResult.CipherSuite.GetEnumAsString()} which is insecure")).ToTaskList());
}
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId5, EvaluatorResult.INCONCLUSIVE, string.Format(intro, "there was a problem and we are unable to provide additional information.")).ToTaskList());
}
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults)
{
BouncyCastleTlsTestResult tlsConnectionResult = tlsTestConnectionResults.Tls11AvailableWithBestCipherSuiteSelected;
string introWithCipherSuite =
string.Format(intro, $"the server selected {tlsConnectionResult.CipherSuite.GetEnumAsString()}");
TlsTestType tlsTestType = TlsTestType.Tls11AvailableWithBestCipherSuiteSelected;
switch (tlsConnectionResult.CipherSuite)
{
case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList());
case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA:
case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.WARNING,
$"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS). {advice}").ToTaskList());
case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA:
case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.WARNING,
$"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS) and uses 3DES. {advice}").ToTaskList());
case CipherSuite.TLS_RSA_WITH_RC4_128_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId3, EvaluatorResult.WARNING,
$"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS) and uses RC4. {advice}").ToTaskList());
case CipherSuite.TLS_RSA_WITH_RC4_128_MD5:
case CipherSuite.TLS_NULL_WITH_NULL_NULL:
case CipherSuite.TLS_RSA_WITH_NULL_MD5:
case CipherSuite.TLS_RSA_WITH_NULL_SHA:
case CipherSuite.TLS_RSA_EXPORT_WITH_RC4_40_MD5:
case CipherSuite.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
case CipherSuite.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_RSA_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DH_DSS_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DH_RSA_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DHE_DSS_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId4, EvaluatorResult.FAIL,
$"{introWithCipherSuite} which is insecure. {advice}").ToTaskList());
}
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId5, EvaluatorResult.INCONCLUSIVE,
string.Format(intro, "there was a problem and we are unable to provide additional information.")).ToTaskList());
}
public async Task ConnectionRefusedErrorsShouldResultInPass(TlsError tlsError)
{
BouncyCastleTlsTestResult BouncyCastleTlsTestResult = new BouncyCastleTlsTestResult(tlsError, null, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Ssl3FailsWithBadCipherSuite, BouncyCastleTlsTestResult);
var evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.PASS);
}
public async Task InsecureCipherSuitesShouldResultInFail(CipherSuite cipherSuite)
{
BouncyCastleTlsTestResult BouncyCastleTlsTestResult = new BouncyCastleTlsTestResult(null, cipherSuite, null, null, null, null, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Ssl3FailsWithBadCipherSuite, BouncyCastleTlsTestResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.FAIL);
}
public async Task UnaccountedForCipherSuiteResponseShouldResultInInconclusive()
{
BouncyCastleTlsTestResult BouncyCastleTlsTestResult = new BouncyCastleTlsTestResult(null, CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, null, null, null, null, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Ssl3FailsWithBadCipherSuite, BouncyCastleTlsTestResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE);
}
public async Task GoodCurveGroupsShouldResultInAPass(CurveGroup curveGroup)
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, null, curveGroup, null, null, null, null, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsSecureDiffieHellmanGroupSelected, tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.PASS);
}
public async Task TcpErrorsShouldResultInInconclusive(TlsError tlsError)
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(tlsError, null, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsSecureDiffieHellmanGroupSelected, tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE);
}
public async Task Unknown1024GroupShouldResultInAWarn()
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, null, CurveGroup.UnknownGroup1024, null, null, null, null, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsSecureDiffieHellmanGroupSelected, tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.WARNING);
}
public async Task UnaccountedForCurveShouldResultInInconclusive()
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, null, null, null, null, null, null, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsSecureEllipticCurveSelected, tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE);
}
public async Task CurvesWithCurveNumberLessThan256ShouldResultInAFail(CurveGroup curveGroup)
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, null, curveGroup, null, null, null, null, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsSecureEllipticCurveSelected, tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.FAIL);
}
public async Task GoodCiphersShouldResultInAPass(CipherSuite cipherSuite)
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, cipherSuite, null, null, null, null, null, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithSha2HashFunctionSelected,
tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.PASS);
}
public async Task OtherErrorsShouldResultInInconclusive()
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(TlsError.INTERNAL_ERROR, null, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected,
tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE);
}
public async Task AnErrorShouldResultInAFail()
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(TlsError.INSUFFICIENT_SECURITY, null, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithSha2HashFunctionSelected,
tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.FAIL);
}
public static TlsTestResults CreateMxHostTlsResults(TlsTestType testType, BouncyCastleTlsTestResult data)
{
return(new TlsTestResults("abc.def.gov.uk", false, false,
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Tls12AvailableWithBestCipherSuiteSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Tls12AvailableWithSha2HashFunctionSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Tls11AvailableWithBestCipherSuiteSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Tls11AvailableWithWeakCipherSuiteNotSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Tls10AvailableWithBestCipherSuiteSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Tls10AvailableWithWeakCipherSuiteNotSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Ssl3FailsWithBadCipherSuite),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.TlsSecureEllipticCurveSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.TlsSecureDiffieHellmanGroupSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.TlsWeakCipherSuitesRejected),
null));
}
public async Task ConnectionRefusedErrorsShouldResultInPass(TlsError tlsError)
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(tlsError, null, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected,
tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.PASS);
}
public async Task CipherSuitesWithNoPfsShouldResultInAWarning(CipherSuite cipherSuite)
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, cipherSuite, null, null, null, null, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls10AvailableWithBestCipherSuiteSelected,
tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.WARNING);
}
public async Task NoCipherSuiteResponseShouldResultInInconclusive()
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null, null, null, null, null, null, null, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.TlsWeakCipherSuitesRejected, tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE);
}
public async Task ErrorsShouldHaveErrorDescriptionInResult(TlsError tlsError, string description)
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(tlsError, description, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected, tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE);
StringAssert.Contains($"Error description \"{description}\".", evaluatorResults[0].TlsEvaluatedResult.Description);
}
public async Task TcpErrorsShouldResultInInconclusive(TlsError tlsError)
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(tlsError, null, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList,
tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE);
}
public async Task OtherErrorsShouldResultInInconclusive()
{
string errorDescription = "Something went wrong!";
BouncyCastleTlsTestResult BouncyCastleTlsTestResult = new BouncyCastleTlsTestResult(TlsError.INTERNAL_ERROR, errorDescription, null);
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(TlsTestType.Ssl3FailsWithBadCipherSuite, BouncyCastleTlsTestResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.INCONCLUSIVE);
StringAssert.Contains($"Error description \"{errorDescription}\".", evaluatorResults[0].TlsEvaluatedResult.Description);
}
public async Task PreviousTestBeingInconclusiveShouldResultInPass()
{
BouncyCastleTlsTestResult tlsConnectionResult = new BouncyCastleTlsTestResult(null,
CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, null, null, null, null, null, null);
TlsTestResults connectionTestResults =
TlsTestDataUtil.CreateMxHostTlsResults(
TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList,
tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> evaluatorResults = await _sut.Evaluate(connectionTestResults);
Assert.That(evaluatorResults.Count, Is.EqualTo(1));
Assert.AreEqual(evaluatorResults[0].TlsEvaluatedResult.Result, EvaluatorResult.PASS);
}
public async Task Test(TlsError?tlsError, EvaluatorResult expectedEvaluatorResult, string expectedDescription)
{
Tls10Available tls10Available = new Tls10Available();
BouncyCastleTlsTestResult tlsConnectionResult =
new BouncyCastleTlsTestResult(null, null, null, null, tlsError, null, new List <string>());
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(
TlsTestType.Tls10AvailableWithBestCipherSuiteSelected, tlsConnectionResult);
List <RuleTypedTlsEvaluationResult> ruleTypedTlsEvaluationResults =
await tls10Available.Evaluate(connectionTestResults);
Assert.That(ruleTypedTlsEvaluationResults.Count, Is.EqualTo(1));
Assert.That(ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Result, Is.EqualTo(expectedEvaluatorResult));
StringAssert.StartsWith(expectedDescription, ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Description);
}
public async Task NoErrorReturnsPass()
{
Tls12Available tls12Available = new Tls12Available();
BouncyCastleTlsTestResult tls12ConnectionResult = new BouncyCastleTlsTestResult(null, null, null, null, null, null, new List <string>());
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(new Dictionary <TlsTestType, BouncyCastleTlsTestResult>
{
{ TlsTestType.Tls12AvailableWithBestCipherSuiteSelected, tls12ConnectionResult },
});
List <RuleTypedTlsEvaluationResult> ruleTypedTlsEvaluationResults =
await tls12Available.Evaluate(connectionTestResults);
Assert.That(ruleTypedTlsEvaluationResults.Count, Is.EqualTo(1));
Assert.That(ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Result, Is.EqualTo(EvaluatorResult.PASS));
Assert.That(ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Description, Is.Null);
}
public async Task Tls12ErrorAndNoOtherTlsSupportedReturnsError()
{
Tls12Available tls11Available = new Tls12Available();
BouncyCastleTlsTestResult tls12ConnectionResult = new BouncyCastleTlsTestResult(null, null, null, null, TlsError.HANDSHAKE_FAILURE, null, new List <string>());
TlsTestResults connectionTestResults = TlsTestDataUtil.CreateMxHostTlsResults(new Dictionary <TlsTestType, BouncyCastleTlsTestResult>
{
{ TlsTestType.Tls12AvailableWithBestCipherSuiteSelected, tls12ConnectionResult }
});
List <RuleTypedTlsEvaluationResult> ruleTypedTlsEvaluationResults =
await tls11Available.Evaluate(connectionTestResults);
Assert.That(ruleTypedTlsEvaluationResults.Count, Is.EqualTo(1));
Assert.That(ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Result, Is.EqualTo(EvaluatorResult.FAIL));
StringAssert.StartsWith("This server refused to negotiate using TLS 1.2", ruleTypedTlsEvaluationResults[0].TlsEvaluatedResult.Description);
}
private async Task <BouncyCastleTlsTestResult> DoConnect(string host, int port, TlsVersion version, List <CipherSuite> cipherSuites)
{
_tcpClient = new TcpClient
{
NoDelay = true,
SendTimeout = _timeOut.Milliseconds,
ReceiveTimeout = _timeOut.Milliseconds,
};
_log.LogDebug($"Starting TCP connection to {host ?? "<null>"}:{port}");
await _tcpClient.ConnectAsync(host, port).ConfigureAwait(false);
_log.LogDebug($"Successfully started TCP connection to {host ?? "<null>"}:{port}");
_log.LogDebug("Initializing session");
StartTlsResult sessionInitialized = await TryInitializeSession(_tcpClient.GetStream()).ConfigureAwait(false);
if (!sessionInitialized.Success)
{
_log.LogDebug("Failed to initialize session");
return(new BouncyCastleTlsTestResult(TlsError.SESSION_INITIALIZATION_FAILED, sessionInitialized.Error,
sessionInitialized.SmtpSession));
}
_log.LogDebug("Successfully initialized session");
TestTlsClientProtocol clientProtocol = new TestTlsClientProtocol(_tcpClient.GetStream());
TestTlsClient testSuiteTlsClient = new TestTlsClient(version, cipherSuites);
_log.LogDebug("Starting TLS session");
BouncyCastleTlsTestResult connectionResult = clientProtocol.ConnectWithResults(testSuiteTlsClient);
_log.LogDebug("Successfully started TLS session");
return(connectionResult);
}
public TlsTestResults(string id,
bool failed,
bool hostNotFound,
BouncyCastleTlsTestResult tls12AvailableWithBestCipherSuiteSelected,
BouncyCastleTlsTestResult tls12AvailableWithBestCipherSuiteSelectedFromReverseList,
BouncyCastleTlsTestResult tls12AvailableWithSha2HashFunctionSelected,
BouncyCastleTlsTestResult tls12AvailableWithWeakCipherSuiteNotSelected,
BouncyCastleTlsTestResult tls11AvailableWithBestCipherSuiteSelected,
BouncyCastleTlsTestResult tls11AvailableWithWeakCipherSuiteNotSelected,
BouncyCastleTlsTestResult tls10AvailableWithBestCipherSuiteSelected,
BouncyCastleTlsTestResult tls10AvailableWithWeakCipherSuiteNotSelected,
BouncyCastleTlsTestResult ssl3FailsWithBadCipherSuite,
BouncyCastleTlsTestResult tlsSecureEllipticCurveSelected,
BouncyCastleTlsTestResult tlsSecureDiffieHellmanGroupSelected,
BouncyCastleTlsTestResult tlsWeakCipherSuitesRejected,
List <string> certificates,
List <SelectedCipherSuite> selectedCipherSuites = null) : base(id)
{
Failed = failed;
HostNotFound = hostNotFound;
Tls12AvailableWithBestCipherSuiteSelected = tls12AvailableWithBestCipherSuiteSelected;
Tls12AvailableWithBestCipherSuiteSelectedFromReverseList =
tls12AvailableWithBestCipherSuiteSelectedFromReverseList;
Tls12AvailableWithSha2HashFunctionSelected = tls12AvailableWithSha2HashFunctionSelected;
Tls12AvailableWithWeakCipherSuiteNotSelected = tls12AvailableWithWeakCipherSuiteNotSelected;
Tls11AvailableWithBestCipherSuiteSelected = tls11AvailableWithBestCipherSuiteSelected;
Tls11AvailableWithWeakCipherSuiteNotSelected = tls11AvailableWithWeakCipherSuiteNotSelected;
Tls10AvailableWithBestCipherSuiteSelected = tls10AvailableWithBestCipherSuiteSelected;
Tls10AvailableWithWeakCipherSuiteNotSelected = tls10AvailableWithWeakCipherSuiteNotSelected;
Ssl3FailsWithBadCipherSuite = ssl3FailsWithBadCipherSuite;
TlsSecureEllipticCurveSelected = tlsSecureEllipticCurveSelected;
TlsSecureDiffieHellmanGroupSelected = tlsSecureDiffieHellmanGroupSelected;
TlsWeakCipherSuitesRejected = tlsWeakCipherSuitesRejected;
SelectedCipherSuites = selectedCipherSuites;
Certificates = certificates ?? new List <string>();
}
