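/// <summary>
/// Grades the Diffie-Hellman group recorded for the
/// <c>TlsSecureDiffieHellmanGroupSelected</c> probe.
/// </summary>
/// <param name="tlsConnectionResults">Probe results; only <c>TlsSecureDiffieHellmanGroupSelected</c> is read.</param>
/// <returns>
/// PASS when the handshake was refused or a listed 2048-bit-or-larger group was selected;
/// WARNING for <c>UnknownGroup1024</c>; FAIL for the named 1024-bit groups and for
/// <c>CurveGroup.Unknown</c>; INCONCLUSIVE for connection failures, any other error,
/// and any group value not listed here (including none).
/// </returns>
public TlsEvaluatorResult Test(ConnectionResults tlsConnectionResults)
{
    TlsConnectionResult tlsConnectionResult = tlsConnectionResults.TlsSecureDiffieHellmanGroupSelected;

    // ErrorDescription is passed to string.Format as an argument, never as the format string,
    // so braces in it cannot break formatting.
    // NOTE(review): if ErrorDescription can carry text influenced by the remote server,
    // whatever renders the description must encode it on output - confirm.
    switch (tlsConnectionResult.Error)
    {
        // The server refused the handshake, so no group was negotiated.
        // NOTE(review): this is only a sound PASS if the probe offers nothing but DHE suites - confirm.
        case Error.HANDSHAKE_FAILURE:
        case Error.PROTOCOL_VERSION:
        case Error.INSUFFICIENT_SECURITY:
            return new TlsEvaluatorResult(EvaluatorResult.PASS);

        // We never reached the TLS layer, so nothing was learned about the server.
        case Error.TCP_CONNECTION_FAILED:
        case Error.SESSION_INITIALIZATION_FAILED:
            return new TlsEvaluatorResult(EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\"."));

        case null:
            break;

        default:
            return new TlsEvaluatorResult(EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\"."));
    }

    switch (tlsConnectionResult.CurveGroup)
    {
        case CurveGroup.Ffdhe2048:
        case CurveGroup.Ffdhe3072:
        case CurveGroup.Ffdhe4096:
        case CurveGroup.Ffdhe6144:
        case CurveGroup.Ffdhe8192:
        case CurveGroup.UnknownGroup2048:
        case CurveGroup.UnknownGroup3072:
        case CurveGroup.UnknownGroup4096:
        case CurveGroup.UnknownGroup6144:
        case CurveGroup.UnknownGroup8192:
            return new TlsEvaluatorResult(EvaluatorResult.PASS);

        // An unrecognised 1024-bit group is graded more leniently than the named ones below.
        case CurveGroup.UnknownGroup1024:
            return new TlsEvaluatorResult(EvaluatorResult.WARNING, string.Format(intro, $"the server selected an unknown 1024 bit group. {advice}"));

        // NOTE(review): presumably FAIL rather than WARNING because these primes are shared by many
        // deployments, which makes precomputation against them reusable - confirm the rationale.
        case CurveGroup.Java1024:
        case CurveGroup.Rfc2409_1024:
        case CurveGroup.Rfc5114_1024:
            return new TlsEvaluatorResult(EvaluatorResult.FAIL, string.Format(intro, $"the server selected {tlsConnectionResult.CurveGroup.GetEnumAsString()} which is an insecure 1024 bit (or less) group. {advice}"));

        // The literal below was split across two source lines inside the quotes, which is not valid in a
        // regular interpolated string; it is rejoined to match the ". {advice}" form used above.
        case CurveGroup.Unknown:
            return new TlsEvaluatorResult(EvaluatorResult.FAIL, string.Format(intro, $"the server selected an unknown group which is potentially insecure. {advice}"));
    }

    // Any other group value, or none at all, gets no verdict rather than a guessed one.
    return new TlsEvaluatorResult(EvaluatorResult.INCONCLUSIVE, string.Format(intro, "there was a problem and we are unable to provide additional information."));
}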
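// A negotiated suite the evaluator has no verdict for (here TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
// stored in the Ssl3FailsWithBadCipherSuite slot) must be reported as INCONCLUSIVE.
public void UnaccountedForCipherSuiteResponseShouldResultInInconclusive()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, CipherSuite.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Ssl3FailsWithBadCipherSuite, tlsConnectionResult);

    // Assert.AreEqual takes (expected, actual); the original had them swapped, which makes a
    // failing run report the two verdicts the wrong way round.
    Assert.AreEqual(EvaluatorResult.INCONCLUSIVE, _sut.Test(connectionResults).Result);
}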
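// Parameterised over Error (the case source is not visible in this listing): each supplied error,
// stored in the Ssl3FailsWithBadCipherSuite slot, must be graded PASS.
public void ConnectionRefusedErrorsShouldResultInPass(Error error)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(error, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Ssl3FailsWithBadCipherSuite, tlsConnectionResult);

    // Expected value first, so a failure message names expected and actual correctly.
    Assert.AreEqual(EvaluatorResult.PASS, _sut.Test(connectionResults).Result);
}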
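// CERTIFICATE_UNOBTAINABLE in the TlsSecureEllipticCurveSelected slot must be graded INCONCLUSIVE.
public void AnErrorShouldResultInInconslusive()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(Error.CERTIFICATE_UNOBTAINABLE, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.TlsSecureEllipticCurveSelected, tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.INCONCLUSIVE, _sut.Test(connectionResults).Result);
}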
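// Parameterised over CipherSuite (case source not visible here): each supplied suite, recorded as
// selected in the Ssl3FailsWithBadCipherSuite slot with no error, must be graded FAIL.
public void InsecureCipherSuitesShouldResultInFail(CipherSuite cipherSuite)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, cipherSuite, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Ssl3FailsWithBadCipherSuite, tlsConnectionResult);

    // Expected value first, so a regression in grading is reported the right way round.
    Assert.AreEqual(EvaluatorResult.FAIL, _sut.Test(connectionResults).Result);
}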
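// Parameterised over CipherSuite (case source not visible here): each supplied suite, recorded as
// selected in the Ssl3FailsWithBadCipherSuite slot with no error, must be graded WARNING.
public void NoPfsCipherSuiteShouldResultInWarning(CipherSuite cipherSuite)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, cipherSuite, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Ssl3FailsWithBadCipherSuite, tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.WARNING, _sut.Test(connectionResults).Result);
}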
/// <summary>
/// Evaluates the <c>TlsWeakCipherSuitesRejected</c> probe. A refused handshake is a PASS,
/// a selected cipher suite is a FAIL, and everything else is INCONCLUSIVE.
/// </summary>
/// <param name="tlsConnectionResults">Probe results; only <c>TlsWeakCipherSuitesRejected</c> is read.</param>
/// <returns>The verdict, with a description for every outcome except PASS.</returns>
public TlsEvaluatorResult Test(ConnectionResults tlsConnectionResults)
{
    TlsConnectionResult probe = tlsConnectionResults.TlsWeakCipherSuitesRejected;

    switch (probe.Error)
    {
        // The server declined the offered suites.
        case Error.HANDSHAKE_FAILURE:
        case Error.PROTOCOL_VERSION:
        case Error.INSUFFICIENT_SECURITY:
            return new TlsEvaluatorResult(EvaluatorResult.PASS);

        // No TLS conversation took place, so there is nothing to grade.
        case Error.TCP_CONNECTION_FAILED:
        case Error.SESSION_INITIALIZATION_FAILED:
            return new TlsEvaluatorResult(
                EvaluatorResult.INCONCLUSIVE,
                $"{intro} we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{probe.ErrorDescription}\".");

        case null:
            break;

        default:
            return new TlsEvaluatorResult(
                EvaluatorResult.INCONCLUSIVE,
                $"{intro} the server responded with an error. Error description \"{probe.ErrorDescription}\".");
    }

    // Neither an error nor a cipher suite: nothing to base a verdict on.
    if (probe.CipherSuite == null)
    {
        return new TlsEvaluatorResult(
            EvaluatorResult.INCONCLUSIVE,
            $"{intro} there was a problem and we are unable to provide additional information.");
    }

    // The server completed the handshake with one of the offered suites.
    return new TlsEvaluatorResult(
        EvaluatorResult.FAIL,
        $"{intro} the server accepted the connection and selected {probe.CipherSuite.GetEnumAsString()}.");
}
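/// <summary>
/// Evaluates the <c>Tls11AvailableWithWeakCipherSuiteNotSelected</c> probe, using the
/// <c>Tls12AvailableWithBestCipherSuiteSelected</c> result to grade unexpected errors.
/// </summary>
/// <param name="tlsConnectionResults">Probe results; the two members named above are read.</param>
/// <returns>
/// PASS when the handshake was refused or one of the four accepted suites was selected; FAIL for the
/// listed NULL, EXPORT, DES and RC4-MD5 suites; WARNING for an unexpected error when the TLS 1.2
/// probe had no error; INCONCLUSIVE otherwise.
/// </returns>
public TlsEvaluatorResult Test(ConnectionResults tlsConnectionResults)
{
    TlsConnectionResult tlsConnectionResult = tlsConnectionResults.Tls11AvailableWithWeakCipherSuiteNotSelected;
    TlsConnectionResult tls12AvailableWithBestCipherSuiteSelectedResult = tlsConnectionResults.Tls12AvailableWithBestCipherSuiteSelected;

    // NOTE(review): ErrorDescription is copied verbatim into the description; if it can carry text
    // influenced by the remote server, the layer that renders it must encode it - confirm.
    switch (tlsConnectionResult.Error)
    {
        case Error.HANDSHAKE_FAILURE:
        case Error.PROTOCOL_VERSION:
        case Error.INSUFFICIENT_SECURITY:
            return new TlsEvaluatorResult(EvaluatorResult.PASS);

        case Error.TCP_CONNECTION_FAILED:
        case Error.SESSION_INITIALIZATION_FAILED:
            return new TlsEvaluatorResult(EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\"."));

        case null:
            break;

        default:
            // An unexpected error is only a WARNING when the TLS 1.2 probe had no error, i.e. the
            // server is reachable and the problem is specific to this probe.
            // NOTE(review): the text says "TLS 1.0" although this evaluator reads the Tls11 probe -
            // looks like a copy/paste leftover; confirm the intended protocol version.
            if (tls12AvailableWithBestCipherSuiteSelectedResult.Error == null)
            {
                return new TlsEvaluatorResult(EvaluatorResult.WARNING, string.Format(intro, $"the server responded with an error. This may be because you do not support TLS 1.0. Error description \"{tlsConnectionResult.ErrorDescription}\"."));
            }

            // The literal below was split across two source lines inside the quotes; it is rejoined
            // to match the same message used in the WARNING branch above.
            return new TlsEvaluatorResult(EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\"."));
    }

    switch (tlsConnectionResult.CipherSuite)
    {
        // NOTE(review): these are RC4 and 3DES suites. RC4 is prohibited for TLS by RFC 7465 and
        // 3DES is a 64-bit block cipher; grading them PASS only makes sense if they are the least
        // bad suites this probe offers - confirm against the probe's offered list.
        case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA:
        case CipherSuite.TLS_RSA_WITH_RC4_128_SHA:
        case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
        case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
            return new TlsEvaluatorResult(EvaluatorResult.PASS);

        case CipherSuite.TLS_RSA_WITH_RC4_128_MD5:
        case CipherSuite.TLS_NULL_WITH_NULL_NULL:
        case CipherSuite.TLS_RSA_WITH_NULL_MD5:
        case CipherSuite.TLS_RSA_WITH_NULL_SHA:
        case CipherSuite.TLS_RSA_EXPORT_WITH_RC4_40_MD5:
        case CipherSuite.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
        case CipherSuite.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA:
        case CipherSuite.TLS_RSA_WITH_DES_CBC_SHA:
        case CipherSuite.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
        case CipherSuite.TLS_DH_DSS_WITH_DES_CBC_SHA:
        case CipherSuite.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
        case CipherSuite.TLS_DH_RSA_WITH_DES_CBC_SHA:
        case CipherSuite.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
        case CipherSuite.TLS_DHE_DSS_WITH_DES_CBC_SHA:
        case CipherSuite.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
            return new TlsEvaluatorResult(EvaluatorResult.FAIL, string.Format(intro, $"the server selected {tlsConnectionResult.CipherSuite.GetName()} which is insecure"));
    }

    // A suite outside both lists, or no suite at all, gets no verdict.
    return new TlsEvaluatorResult(EvaluatorResult.INCONCLUSIVE, string.Format(intro, "there was a problem and we are unable to provide additional information."));
}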
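// Parameterised over Error (case source not visible here): each supplied error, stored in the
// Tls12AvailableWithWeakCipherSuiteNotSelected slot, must be graded PASS.
public void ConnectionRefusedErrorsShouldResultInPass(Error error)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(error, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected, tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.PASS, _sut.Test(connectionResults).Result);
}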
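// Parameterised over CipherSuite (case source not visible here): each supplied suite, recorded as
// selected in the Tls12AvailableWithWeakCipherSuiteNotSelected slot, must be graded FAIL.
public void InsecureCiphersShouldResultInAFail(CipherSuite cipherSuite)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, cipherSuite, null, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected, tlsConnectionResult);

    // Expected value first, so a grading regression is reported the right way round.
    Assert.AreEqual(EvaluatorResult.FAIL, _sut.Test(connectionResults).Result);
}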
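// CurveGroup.UnknownGroup1024 in the TlsSecureDiffieHellmanGroupSelected slot must be graded
// WARNING (not FAIL, and not PASS).
public void Unknown1024GroupShouldResultInAWarn()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, null, CurveGroup.UnknownGroup1024, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.TlsSecureDiffieHellmanGroupSelected, tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.WARNING, _sut.Test(connectionResults).Result);
}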
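// A result with neither an error nor a cipher suite, stored in the TlsWeakCipherSuitesRejected
// slot, must be graded INCONCLUSIVE.
public void NoCipherSuiteResponseShouldResultInInconclusive()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, null, null, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.TlsWeakCipherSuitesRejected, tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.INCONCLUSIVE, _sut.Test(connectionResults).Result);
}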
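// INSUFFICIENT_SECURITY in the Tls12AvailableWithSha2HashFunctionSelected slot must be graded FAIL.
public void AnErrorShouldResultInAFail()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(Error.INSUFFICIENT_SECURITY, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls12AvailableWithSha2HashFunctionSelected, tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.FAIL, _sut.Test(connectionResults).Result);
}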
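// BAD_CERTIFICATE in the Tls12AvailableWithBestCipherSuiteSelectedFromReverseList slot must be
// graded WARNING.
public void AnErrorShouldResultInAWarning()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(Error.BAD_CERTIFICATE, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(
        TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList,
        tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.WARNING, _sut.Test(connectionResults).Result);
}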
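// INSUFFICIENT_SECURITY (with an error description) in the Tls11AvailableWithBestCipherSuiteSelected
// slot must be graded FAIL.
public void AnErrorShouldResultInAFail()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(Error.INSUFFICIENT_SECURITY, "Insufficient security", null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls11AvailableWithBestCipherSuiteSelected, tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.FAIL, _sut.Test(connectionResults).Result);
}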
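// Parameterised over Error (case source not visible here): each supplied error, stored in the
// TlsSecureDiffieHellmanGroupSelected slot, must be graded PASS.
public void ConnectionRefusedErrorsShouldResultInPass(Error error)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(error, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.TlsSecureDiffieHellmanGroupSelected, tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.PASS, _sut.Test(connectionResults).Result);
}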
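// INTERNAL_ERROR in the TlsSecureDiffieHellmanGroupSelected slot must be graded INCONCLUSIVE:
// an error that is not a refusal says nothing about the server's configuration.
public void OtherErrorsShouldResultInInconclusive()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(Error.INTERNAL_ERROR, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.TlsSecureDiffieHellmanGroupSelected, tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.INCONCLUSIVE, _sut.Test(connectionResults).Result);
}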
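// Parameterised over Error (case source not visible here): each supplied error, stored in the
// Tls12AvailableWithSha2HashFunctionSelected slot, must be graded INCONCLUSIVE.
public void TcpErrorsShouldResultInInconclusive(Error error)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(error, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls12AvailableWithSha2HashFunctionSelected, tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.INCONCLUSIVE, _sut.Test(connectionResults).Result);
}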
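// Parameterised over CurveGroup (case source not visible here): each supplied group, stored in the
// TlsSecureDiffieHellmanGroupSelected slot with no error, must be graded PASS.
public void GoodCurveGroupsShouldResultInAPass(CurveGroup curveGroup)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, null, curveGroup, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.TlsSecureDiffieHellmanGroupSelected, tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.PASS, _sut.Test(connectionResults).Result);
}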
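// Parameterised over CipherSuite (case source not visible here): each supplied suite, stored in the
// Tls12AvailableWithSha2HashFunctionSelected slot with no error, must be graded PASS.
public void GoodCiphersShouldResultInAPass(CipherSuite cipherSuite)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, cipherSuite, null, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls12AvailableWithSha2HashFunctionSelected, tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.PASS, _sut.Test(connectionResults).Result);
}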
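// INTERNAL_ERROR in the Tls12AvailableWithWeakCipherSuiteNotSelected slot must be graded
// INCONCLUSIVE.
public void OtherErrorsShouldResultInInconclusive()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(Error.INTERNAL_ERROR, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected, tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.INCONCLUSIVE, _sut.Test(connectionResults).Result);
}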
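// Parameterised over CipherSuite (case source not visible here): each supplied suite, stored in the
// Tls10AvailableWithBestCipherSuiteSelected slot with no error, must be graded WARNING.
public void CipherSuitesWithNoPfsShouldResultInAWarning(CipherSuite cipherSuite)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, cipherSuite, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls10AvailableWithBestCipherSuiteSelected, tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.WARNING, _sut.Test(connectionResults).Result);
}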
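// Parameterised over CurveGroup (case source not visible here): each supplied curve, stored in the
// TlsSecureEllipticCurveSelected slot with no error, must be graded FAIL.
public void CurvesWithCurveNumberLessThan256ShouldResultInAFail(CurveGroup curveGroup)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, null, curveGroup, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.TlsSecureEllipticCurveSelected, tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.FAIL, _sut.Test(connectionResults).Result);
}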
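// ACCESS_DENIED in the Tls10AvailableWithBestCipherSuiteSelected slot must be graded FAIL.
public void AnErrorShouldResultInAFail()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(Error.ACCESS_DENIED, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls10AvailableWithBestCipherSuiteSelected, tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.FAIL, _sut.Test(connectionResults).Result);
}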
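// A result with neither an error nor a curve group, stored in the TlsSecureEllipticCurveSelected
// slot, must be graded INCONCLUSIVE.
public void UnaccountedForCurveShouldResultInInconclusive()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, null, null, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.TlsSecureEllipticCurveSelected, tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.INCONCLUSIVE, _sut.Test(connectionResults).Result);
}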
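// Parameterised over (error, description) pairs (case source not visible here): the result for the
// Tls10AvailableWithBestCipherSuiteSelected slot must be INCONCLUSIVE and its description must
// contain the error description inside quotes.
public void ErrorsShouldHaveErrorDescriptionInResult(Error error, string description)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(error, description, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Tls10AvailableWithBestCipherSuiteSelected, tlsConnectionResult);

    // Evaluate once so both assertions inspect the same result object
    // (the original called Test a second time for the description).
    var evaluation = _sut.Test(connectionResults);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.INCONCLUSIVE, evaluation.Result);
    StringAssert.Contains($"Error description \"{description}\".", evaluation.Description);
}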
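// Parameterised (case source not visible here): each supplied error, stored in the
// Ssl3FailsWithBadCipherSuite slot, must be graded PASS with a null description.
// NOTE(review): the description parameter is never used - the connection result is built with a
// null error description, so the test does not show that a supplied description is dropped.
public void ConnectionRefusedErrorsShouldResultInPassWithoutErrorDescription(Error error, string description)
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(error, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Ssl3FailsWithBadCipherSuite, tlsConnectionResult);

    TlsEvaluatorResult result = _sut.Test(connectionResults);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.PASS, result.Result);
    Assert.That(result.Description, Is.Null);
}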
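// INTERNAL_ERROR in the Ssl3FailsWithBadCipherSuite slot must be graded INCONCLUSIVE, and the
// error description must appear, quoted, in the result description.
public void OtherErrorsShouldResultInInconclusive()
{
    string errorDescription = "Something went wrong!";
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(Error.INTERNAL_ERROR, errorDescription, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(TlsTestType.Ssl3FailsWithBadCipherSuite, tlsConnectionResult);

    TlsEvaluatorResult result = _sut.Test(connectionResults);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.INCONCLUSIVE, result.Result);
    StringAssert.Contains($"Error description \"{errorDescription}\".", result.Description);
}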
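/// <summary>
/// Evaluates the <c>Ssl3FailsWithBadCipherSuite</c> probe.
/// </summary>
/// <param name="tlsConnectionResults">Probe results; only <c>Ssl3FailsWithBadCipherSuite</c> is read.</param>
/// <returns>
/// PASS when the handshake was refused; WARNING for the three listed RC4-SHA and 3DES suites; FAIL
/// for the listed NULL, EXPORT, DES and RC4-MD5 suites; INCONCLUSIVE for connection failures, any
/// other error, a missing cipher suite, and any suite in neither list.
/// </returns>
public TlsEvaluatorResult Test(ConnectionResults tlsConnectionResults)
{
    TlsConnectionResult tlsConnectionResult = tlsConnectionResults.Ssl3FailsWithBadCipherSuite;

    // NOTE(review): ErrorDescription is copied verbatim into the description; if it can carry text
    // influenced by the remote server, the layer that renders it must encode it - confirm.
    switch (tlsConnectionResult.Error)
    {
        case Error.HANDSHAKE_FAILURE:
        case Error.PROTOCOL_VERSION:
        case Error.INSUFFICIENT_SECURITY:
            return new TlsEvaluatorResult(EvaluatorResult.PASS);

        case Error.TCP_CONNECTION_FAILED:
        case Error.SESSION_INITIALIZATION_FAILED:
            return new TlsEvaluatorResult(EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\"."));

        case null:
            break;

        default:
            return new TlsEvaluatorResult(EvaluatorResult.INCONCLUSIVE, string.Format(intro, $"the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\"."));
    }

    // No error and no cipher suite: return the same INCONCLUSIVE the fall-through gives, before
    // GetEnumAsString() is called. The original built the message unconditionally, so this case
    // depended on how GetEnumAsString() behaves for a null value.
    if (tlsConnectionResult.CipherSuite == null)
    {
        return new TlsEvaluatorResult(EvaluatorResult.INCONCLUSIVE, string.Format(intro, "there was a problem and we are unable to provide additional information."));
    }

    string introWithCipherSuite = string.Format(intro, $"the server accepted the connection and selected {tlsConnectionResult.CipherSuite.GetEnumAsString()}");

    switch (tlsConnectionResult.CipherSuite)
    {
        // NOTE(review): TLS_RSA_WITH_3DES_EDE_CBC_SHA is in neither list, so a server selecting it
        // ends up INCONCLUSIVE - confirm that omission is intended.
        // The literal below was split across two source lines inside the quotes; it is rejoined to
        // match the ". {advice}" form used in the FAIL branch.
        case CipherSuite.TLS_RSA_WITH_RC4_128_SHA:
        case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
        case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
            return new TlsEvaluatorResult(EvaluatorResult.WARNING, $"{introWithCipherSuite}. {advice}");

        case CipherSuite.TLS_RSA_WITH_RC4_128_MD5:
        case CipherSuite.TLS_NULL_WITH_NULL_NULL:
        case CipherSuite.TLS_RSA_WITH_NULL_MD5:
        case CipherSuite.TLS_RSA_WITH_NULL_SHA:
        case CipherSuite.TLS_RSA_EXPORT_WITH_RC4_40_MD5:
        case CipherSuite.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
        case CipherSuite.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA:
        case CipherSuite.TLS_RSA_WITH_DES_CBC_SHA:
        case CipherSuite.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
        case CipherSuite.TLS_DH_DSS_WITH_DES_CBC_SHA:
        case CipherSuite.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
        case CipherSuite.TLS_DH_RSA_WITH_DES_CBC_SHA:
        case CipherSuite.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
        case CipherSuite.TLS_DHE_DSS_WITH_DES_CBC_SHA:
        case CipherSuite.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
            return new TlsEvaluatorResult(EvaluatorResult.FAIL, $"{introWithCipherSuite} which is insecure. {advice}");
    }

    // The handshake succeeded with a suite outside both lists. The verdict is INCONCLUSIVE, so a
    // server that accepted this probe is not flagged by this evaluator on that basis alone.
    return new TlsEvaluatorResult(EvaluatorResult.INCONCLUSIVE, string.Format(intro, "there was a problem and we are unable to provide additional information."));
}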
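// TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 in the
// Tls12AvailableWithBestCipherSuiteSelectedFromReverseList slot must be graded PASS.
// NOTE(review): the name refers to a previous test being inconclusive, but only this one slot is
// populated here; presumably CreateConnectionResults leaves the other slots empty - confirm.
public void PreviousTestBeingInconclusiveShouldResultInPass()
{
    TlsConnectionResult tlsConnectionResult = new TlsConnectionResult(null, CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, null, null, null, null, null, null);
    ConnectionResults connectionResults = TlsTestDataUtil.CreateConnectionResults(
        TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList,
        tlsConnectionResult);

    // Expected value first (the original passed actual, expected).
    Assert.AreEqual(EvaluatorResult.PASS, _sut.Test(connectionResults).Result);
}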