public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults)
{
BouncyCastleTlsTestResult tls11Available =
tlsTestConnectionResults.Tls11AvailableWithBestCipherSuiteSelected;
TlsTestType tlsTestType = TlsTestType.Tls11Available;
if (!tls11Available.Supported())
{
//inconclusive
if (tls11Available.IsInconclusive())
{
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE,
string.Format(intro,
$"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tls11Available.ErrorDescription}\"."))
.ToTaskList());
}
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2,
tls11Available.ExplicitlyUnsupported() || tls11Available.HandshakeFailure()
? EvaluatorResult.INFORMATIONAL
: EvaluatorResult.WARNING,
tls11Available.ExplicitlyUnsupported() || tls11Available.HandshakeFailure()
? "This server refused to negotiate using TLS 1.1"
: string.Format(intro,
$"the server responded with the error \"{tls11Available.ErrorDescription}\"."))
.ToTaskList());
}
return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList());
}
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults)
{
BouncyCastleTlsTestResult tlsConnectionResult = tlsTestConnectionResults.TlsWeakCipherSuitesRejected;
TlsTestType tlsTestType = TlsTestType.TlsWeakCipherSuitesRejected;
switch (tlsConnectionResult.TlsError)
{
case TlsError.HANDSHAKE_FAILURE:
case TlsError.PROTOCOL_VERSION:
case TlsError.INSUFFICIENT_SECURITY:
return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList());
case TlsError.TCP_CONNECTION_FAILED:
case TlsError.SESSION_INITIALIZATION_FAILED:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE,
$"{intro} we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\".").ToTaskList());
case null:
break;
default:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.INCONCLUSIVE,
$"{intro} the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\".").ToTaskList());
}
if (tlsConnectionResult.CipherSuite != null)
{
return(new RuleTypedTlsEvaluationResult(tlsTestType, new TlsEvaluatedResult(ErrorId3, EvaluatorResult.FAIL, $"{intro} the server accepted the connection and selected {tlsConnectionResult.CipherSuite.GetEnumAsString()}.")).ToTaskList());
}
return(new RuleTypedTlsEvaluationResult(tlsTestType, new TlsEvaluatedResult(ErrorId4, EvaluatorResult.INCONCLUSIVE, $"{intro} there was a problem and we are unable to provide additional information.")).ToTaskList());
}
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults)
{
BouncyCastleTlsTestResult tlsConnectionResult = tlsTestConnectionResults.Tls11AvailableWithWeakCipherSuiteNotSelected;
BouncyCastleTlsTestResult tls12AvailableWithBestCipherSuiteSelectedResult = tlsTestConnectionResults.Tls12AvailableWithBestCipherSuiteSelected;
TlsTestType tlsTestType = TlsTestType.Tls11AvailableWithWeakCipherSuiteNotSelected;
switch (tlsConnectionResult.TlsError)
{
case TlsError.HANDSHAKE_FAILURE:
case TlsError.PROTOCOL_VERSION:
case TlsError.INSUFFICIENT_SECURITY:
return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList());
case TlsError.TCP_CONNECTION_FAILED:
case TlsError.SESSION_INITIALIZATION_FAILED:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE,
string.Format(intro, $"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\".")).ToTaskList());
case null:
break;
default:
return(tls12AvailableWithBestCipherSuiteSelectedResult.TlsError == null
? new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.WARNING,
string.Format(intro, $"the server responded with an error. This may be because you do not support TLS 1.1. Error description \"{tlsConnectionResult.ErrorDescription}\".")).ToTaskList()
: new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId3, EvaluatorResult.INCONCLUSIVE,
string.Format(intro, $"the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\".")).ToTaskList());
}
switch (tlsConnectionResult.CipherSuite)
{
case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA:
case CipherSuite.TLS_RSA_WITH_RC4_128_SHA:
case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList());
case CipherSuite.TLS_RSA_WITH_RC4_128_MD5:
case CipherSuite.TLS_NULL_WITH_NULL_NULL:
case CipherSuite.TLS_RSA_WITH_NULL_MD5:
case CipherSuite.TLS_RSA_WITH_NULL_SHA:
case CipherSuite.TLS_RSA_EXPORT_WITH_RC4_40_MD5:
case CipherSuite.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
case CipherSuite.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_RSA_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DH_DSS_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DH_RSA_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DHE_DSS_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId4, EvaluatorResult.FAIL, string.Format(intro, $"the server selected {tlsConnectionResult.CipherSuite.GetEnumAsString()} which is insecure")).ToTaskList());
}
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId5, EvaluatorResult.INCONCLUSIVE, string.Format(intro, "there was a problem and we are unable to provide additional information.")).ToTaskList());
}
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults)
{
BouncyCastleTlsTestResult tlsConnectionResult = tlsTestConnectionResults.Tls11AvailableWithBestCipherSuiteSelected;
string introWithCipherSuite =
string.Format(intro, $"the server selected {tlsConnectionResult.CipherSuite.GetEnumAsString()}");
TlsTestType tlsTestType = TlsTestType.Tls11AvailableWithBestCipherSuiteSelected;
switch (tlsConnectionResult.CipherSuite)
{
case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList());
case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA:
case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.WARNING,
$"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS). {advice}").ToTaskList());
case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA:
case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.WARNING,
$"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS) and uses 3DES. {advice}").ToTaskList());
case CipherSuite.TLS_RSA_WITH_RC4_128_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId3, EvaluatorResult.WARNING,
$"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS) and uses RC4. {advice}").ToTaskList());
case CipherSuite.TLS_RSA_WITH_RC4_128_MD5:
case CipherSuite.TLS_NULL_WITH_NULL_NULL:
case CipherSuite.TLS_RSA_WITH_NULL_MD5:
case CipherSuite.TLS_RSA_WITH_NULL_SHA:
case CipherSuite.TLS_RSA_EXPORT_WITH_RC4_40_MD5:
case CipherSuite.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
case CipherSuite.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_RSA_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DH_DSS_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DH_RSA_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DHE_DSS_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId4, EvaluatorResult.FAIL,
$"{introWithCipherSuite} which is insecure. {advice}").ToTaskList());
}
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId5, EvaluatorResult.INCONCLUSIVE,
string.Format(intro, "there was a problem and we are unable to provide additional information.")).ToTaskList());
}
public static TlsTestResults CreateMxHostTlsResults(TlsTestType testType, BouncyCastleTlsTestResult data)
{
return(new TlsTestResults("abc.def.gov.uk", false, false,
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Tls12AvailableWithBestCipherSuiteSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Tls12AvailableWithSha2HashFunctionSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Tls11AvailableWithBestCipherSuiteSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Tls11AvailableWithWeakCipherSuiteNotSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Tls10AvailableWithBestCipherSuiteSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Tls10AvailableWithWeakCipherSuiteNotSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.Ssl3FailsWithBadCipherSuite),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.TlsSecureEllipticCurveSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.TlsSecureDiffieHellmanGroupSelected),
SetupConnectionResult(new Dictionary <TlsTestType, BouncyCastleTlsTestResult> {
{ testType, data }
},
TlsTestType.TlsWeakCipherSuitesRejected),
null));
}
public static ConnectionResults CreateConnectionResults(TlsTestType testType, TlsConnectionResult data)
{
return(new ConnectionResults(
SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>()
{
{ testType, data }
}, TlsTestType.Tls12AvailableWithBestCipherSuiteSelected),
SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>()
{
{ testType, data }
}, TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList),
SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>()
{
{ testType, data }
}, TlsTestType.Tls12AvailableWithSha2HashFunctionSelected),
SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>()
{
{ testType, data }
}, TlsTestType.Tls12AvailableWithWeakCipherSuiteNotSelected),
SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>()
{
{ testType, data }
}, TlsTestType.Tls11AvailableWithBestCipherSuiteSelected),
SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>()
{
{ testType, data }
}, TlsTestType.Tls11AvailableWithWeakCipherSuiteNotSelected),
SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>()
{
{ testType, data }
}, TlsTestType.Tls10AvailableWithBestCipherSuiteSelected),
SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>()
{
{ testType, data }
}, TlsTestType.Tls10AvailableWithWeakCipherSuiteNotSelected),
SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>()
{
{ testType, data }
}, TlsTestType.Ssl3FailsWithBadCipherSuite),
SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>()
{
{ testType, data }
}, TlsTestType.TlsSecureEllipticCurveSelected),
SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>()
{
{ testType, data }
}, TlsTestType.TlsSecureDiffieHellmanGroupSelected),
SetupConnectionResult(new Dictionary <TlsTestType, TlsConnectionResult>()
{
{ testType, data }
}, TlsTestType.TlsWeakCipherSuitesRejected)));
}
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults)
{
BouncyCastleTlsTestResult tlsConnectionResult =
tlsTestConnectionResults.Tls12AvailableWithSha2HashFunctionSelected;
TlsTestType tlsTestType = TlsTestType.Tls12AvailableWithSha2HashFunctionSelected;
if (tlsConnectionResult.TlsError == TlsError.HANDSHAKE_FAILURE ||
tlsConnectionResult.TlsError == TlsError.INSUFFICIENT_SECURITY ||
tlsConnectionResult.TlsError == TlsError.PROTOCOL_VERSION)
{
List <CipherSuite> tls12AvailableWithBestCipherSuiteSelectedPassingCipherSuites = new List <CipherSuite>
{
CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
};
if (tlsTestConnectionResults.Tls12AvailableWithBestCipherSuiteSelected.CipherSuite != null &&
tls12AvailableWithBestCipherSuiteSelectedPassingCipherSuites.Contains(tlsTestConnectionResults
.Tls12AvailableWithBestCipherSuiteSelected.CipherSuite.Value))
{
return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS)
.ToTaskList());
}
}
switch (tlsConnectionResult.TlsError)
{
case TlsError.TCP_CONNECTION_FAILED:
case TlsError.SESSION_INITIALIZATION_FAILED:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE,
string.Format(intro,
$"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\"."))
.ToTaskList());
case null:
break;
default:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.FAIL,
string.Format(intro,
$"the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\"."))
.ToTaskList());
}
string introWithCipherSuite = string.Format(intro,
$"the server selected {tlsConnectionResult.CipherSuite.GetEnumAsString()}");
switch (tlsConnectionResult.CipherSuite)
{
case CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384:
case CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256:
case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256:
case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256:
return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS)
.ToTaskList());
case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA:
case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA:
case CipherSuite.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
case CipherSuite.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId3, EvaluatorResult.WARNING,
$"{introWithCipherSuite} which uses SHA-1. {advice}").ToTaskList());
case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA:
case CipherSuite.TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId4, EvaluatorResult.WARNING,
$"{introWithCipherSuite} which uses 3DES and SHA-1. {advice}").ToTaskList());
case CipherSuite.TLS_RSA_WITH_RC4_128_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId5, EvaluatorResult.WARNING,
$"{introWithCipherSuite} which uses RC4 and SHA-1. {advice}").ToTaskList());
case CipherSuite.TLS_RSA_WITH_RC4_128_MD5:
case CipherSuite.TLS_NULL_WITH_NULL_NULL:
case CipherSuite.TLS_RSA_WITH_NULL_MD5:
case CipherSuite.TLS_RSA_WITH_NULL_SHA:
case CipherSuite.TLS_RSA_EXPORT_WITH_RC4_40_MD5:
case CipherSuite.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
case CipherSuite.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_RSA_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DH_DSS_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DH_RSA_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DHE_DSS_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DHE_RSA_WITH_DES_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId6, EvaluatorResult.FAIL,
$"{introWithCipherSuite} which is insecure. {advice}").ToTaskList());
}
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId7, EvaluatorResult.INCONCLUSIVE,
string.Format(intro, "there was a problem and we are unable to provide additional information."))
.ToTaskList());
}
private static BouncyCastleTlsTestResult SetupConnectionResult(IDictionary <TlsTestType, BouncyCastleTlsTestResult> data, TlsTestType testType)
{
return(data.ContainsKey(testType)
? data[testType]
: new BouncyCastleTlsTestResult(TlsError.BAD_CERTIFICATE, "Bad certificate found", null));
}
public RuleTypedTlsEvaluationResult(TlsTestType type, Guid id, EvaluatorResult?result = null, string description = null)
: this(type, new TlsEvaluatedResult(id, result, description))
{
}
public RuleTypedTlsEvaluationResult(TlsTestType type, TlsEvaluatedResult tlsEvaluatedResult)
{
Type = type;
TlsEvaluatedResult = tlsEvaluatedResult;
}
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults)
{
BouncyCastleTlsTestResult tlsConnectionResult =
tlsTestConnectionResults.TlsSecureDiffieHellmanGroupSelected;
TlsTestType tlsTestType = TlsTestType.TlsSecureDiffieHellmanGroupSelected;
switch (tlsConnectionResult.TlsError)
{
case TlsError.HANDSHAKE_FAILURE:
case TlsError.PROTOCOL_VERSION:
case TlsError.INSUFFICIENT_SECURITY:
return(new RuleTypedTlsEvaluationResult(tlsTestType,
new TlsEvaluatedResult(Guid.NewGuid(), EvaluatorResult.PASS)).ToTaskList());
case TlsError.TCP_CONNECTION_FAILED:
case TlsError.SESSION_INITIALIZATION_FAILED:
return(new RuleTypedTlsEvaluationResult(tlsTestType, new TlsEvaluatedResult(ErrorId1,
EvaluatorResult.INCONCLUSIVE,
string.Format(intro,
$"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\".")))
.ToTaskList());
case null:
break;
default:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.INCONCLUSIVE,
string.Format(intro,
$"the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\"."))
.ToTaskList());
}
switch (tlsConnectionResult.CurveGroup)
{
case CurveGroup.Ffdhe2048:
case CurveGroup.Ffdhe3072:
case CurveGroup.Ffdhe4096:
case CurveGroup.Ffdhe6144:
case CurveGroup.Ffdhe8192:
case CurveGroup.UnknownGroup2048:
case CurveGroup.UnknownGroup3072:
case CurveGroup.UnknownGroup4096:
case CurveGroup.UnknownGroup6144:
case CurveGroup.UnknownGroup8192:
return(new RuleTypedTlsEvaluationResult(tlsTestType, new Guid(), EvaluatorResult.PASS).ToTaskList());
case CurveGroup.UnknownGroup1024:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId3, EvaluatorResult.WARNING,
string.Format(intro, $"the server selected an unknown 1024 bit group. {advice}")).ToTaskList());
case CurveGroup.Java1024:
case CurveGroup.Rfc2409_1024:
case CurveGroup.Rfc5114_1024:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId4, EvaluatorResult.FAIL,
string.Format(intro,
$"the server selected {tlsConnectionResult.CurveGroup.GetEnumAsString()} which is an insecure 1024 bit (or less) group. {advice}"))
.ToTaskList());
case CurveGroup.Unknown:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId5, EvaluatorResult.FAIL,
string.Format(intro,
$"the server selected an unknown group which is potentially insecure. {advice}"))
.ToTaskList());
}
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId6, EvaluatorResult.INCONCLUSIVE,
string.Format(intro, "there was a problem and we are unable to provide additional information."))
.ToTaskList());
}
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults)
{
BouncyCastleTlsTestResult tlsConnectionResult = tlsTestConnectionResults.TlsSecureEllipticCurveSelected;
TlsTestType tlsTestType = TlsTestType.TlsSecureEllipticCurveSelected;
switch (tlsConnectionResult.TlsError)
{
case TlsError.HANDSHAKE_FAILURE:
case TlsError.PROTOCOL_VERSION:
case TlsError.INSUFFICIENT_SECURITY:
return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS)
.ToTaskList());
case TlsError.TCP_CONNECTION_FAILED:
case TlsError.SESSION_INITIALIZATION_FAILED:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE,
string.Format(intro,
$"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\"."))
.ToTaskList());
case null:
break;
default:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.INCONCLUSIVE,
string.Format(intro,
$"the server responded with an error. Error description \"{tlsConnectionResult.ErrorDescription}\"."))
.ToTaskList());
}
switch (tlsConnectionResult.CurveGroup)
{
case CurveGroup.Unknown:
case CurveGroup.Secp160k1:
case CurveGroup.Secp160r1:
case CurveGroup.Secp160r2:
case CurveGroup.Secp192k1:
case CurveGroup.Secp192r1:
case CurveGroup.Secp224k1:
case CurveGroup.Secp224r1:
case CurveGroup.Sect163k1:
case CurveGroup.Sect163r1:
case CurveGroup.Sect163r2:
case CurveGroup.Sect193r1:
case CurveGroup.Sect193r2:
case CurveGroup.Sect233k1:
case CurveGroup.Sect233r1:
case CurveGroup.Sect239k1:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId3, EvaluatorResult.FAIL,
string.Format(intro,
$"the server selected {tlsConnectionResult.CurveGroup.GetEnumAsString()} which has a curve length of less than 256 bits."))
.ToTaskList());
case CurveGroup.Secp256k1:
case CurveGroup.Secp256r1:
case CurveGroup.Secp384r1:
case CurveGroup.Secp521r1:
case CurveGroup.Sect283k1:
case CurveGroup.Sect283r1:
case CurveGroup.Sect409k1:
case CurveGroup.Sect409r1:
case CurveGroup.Sect571k1:
case CurveGroup.Sect571r1:
return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS)
.ToTaskList());
}
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId4, EvaluatorResult.INCONCLUSIVE,
string.Format(intro, "there was a problem and we are unable to provide additional information."))
.ToTaskList());
}
private TlsEvaluatedResult GetEvaluatorResultOrDefault(TlsTestType tlsTestType, Dictionary <TlsTestType, RuleTypedTlsEvaluationResult> evaluationResultsByType)
{
return(evaluationResultsByType.TryGetValue(tlsTestType, out RuleTypedTlsEvaluationResult ruleTypedTlsEvaluationResult)
? ruleTypedTlsEvaluationResult.TlsEvaluatedResult
: new TlsEvaluatedResult(Guid.NewGuid()));
}
public Task <List <RuleTypedTlsEvaluationResult> > Evaluate(TlsTestResults tlsTestConnectionResults)
{
BouncyCastleTlsTestResult tlsConnectionResult =
tlsTestConnectionResults.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList;
CipherSuite?previousCipherSuite =
tlsTestConnectionResults.Tls12AvailableWithBestCipherSuiteSelected.CipherSuite;
TlsTestType tlsTestType = TlsTestType.Tls12AvailableWithBestCipherSuiteSelectedFromReverseList;
switch (tlsConnectionResult.TlsError)
{
case TlsError.TCP_CONNECTION_FAILED:
case TlsError.SESSION_INITIALIZATION_FAILED:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId1, EvaluatorResult.INCONCLUSIVE,
string.Format(intro,
$"we were unable to create a connection to the mail server. We will keep trying, so please check back later. Error description \"{tlsConnectionResult.ErrorDescription}\"."))
.ToTaskList());
case null:
break;
default:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId2, EvaluatorResult.WARNING,
string.Format(intro,
$"the server responded with an error. Error description - {tlsConnectionResult.ErrorDescription}. {advice}"))
.ToTaskList());
}
if (tlsConnectionResult.CipherSuite == previousCipherSuite)
{
return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS).ToTaskList());
}
string introWithCipherSuite = string.Format(intro,
$"the server selected a different cipher suite ({tlsConnectionResult.CipherSuite.GetEnumAsString()})");
switch (tlsConnectionResult.CipherSuite)
{
case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
case CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
case CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
return(new RuleTypedTlsEvaluationResult(tlsTestType, Guid.NewGuid(), EvaluatorResult.PASS)
.ToTaskList());
case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
case CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
case CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
case CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
case CipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
case CipherSuite.TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId3, EvaluatorResult.WARNING,
$"{introWithCipherSuite} which uses SHA-1. {advice}").ToTaskList());
case CipherSuite.TLS_RSA_WITH_AES_256_GCM_SHA384:
case CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256:
case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA256:
case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA256:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId4, EvaluatorResult.WARNING,
$"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS). {advice}").ToTaskList());
case CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA:
case CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId5, EvaluatorResult.WARNING,
$"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS) and uses SHA-1. {advice}")
.ToTaskList());
case CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA:
case CipherSuite.TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId6, EvaluatorResult.WARNING,
$"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS) and uses 3DES and SHA-1. {advice}")
.ToTaskList());
case CipherSuite.TLS_RSA_WITH_RC4_128_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId7, EvaluatorResult.WARNING,
$"{introWithCipherSuite} which has no Perfect Forward Secrecy (PFS) and uses RC4 and SHA-1. {advice}")
.ToTaskList());
case CipherSuite.TLS_RSA_WITH_RC4_128_MD5:
case CipherSuite.TLS_NULL_WITH_NULL_NULL:
case CipherSuite.TLS_RSA_WITH_NULL_MD5:
case CipherSuite.TLS_RSA_WITH_NULL_SHA:
case CipherSuite.TLS_RSA_EXPORT_WITH_RC4_40_MD5:
case CipherSuite.TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
case CipherSuite.TLS_RSA_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_RSA_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DH_DSS_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DH_RSA_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DHE_DSS_WITH_DES_CBC_SHA:
case CipherSuite.TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
case CipherSuite.TLS_DHE_RSA_WITH_DES_CBC_SHA:
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId8, EvaluatorResult.FAIL,
$"{introWithCipherSuite} which is insecure. {advice}").ToTaskList());
}
return(new RuleTypedTlsEvaluationResult(tlsTestType, ErrorId9, EvaluatorResult.INCONCLUSIVE,
string.Format(intro, "there was a problem and we are unable to provide additional information."))
.ToTaskList());
}
