Test web server SSL/TLS protocol support with PowerShell



Recently I was tasked with configuring SSL/TLS protocols and cipher suites for internal web servers via Group Policy. First, we collected a list of web server and web client applications to determine the weakest SSL/TLS protocol version each of them still required. Once the list was complete, we deployed a sample policy to a test OU and finally applied it to the rest of the domain.

Next I was tasked with scanning the web servers to determine whether they match the new security policy. To minimize my testing effort, I wrote a simple PowerShell script that accepts a list of host names and tests each host against a list of SSL/TLS protocol versions: SSLv2, SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2. For every version it opens a fresh TCP connection and attempts a handshake restricted to that single version; a successful handshake means the server accepts it. The certificate validation callback always returns $true on purpose: the goal is to test protocol support, not certificate trust, and an untrusted or mismatched certificate must not be reported as a rejected protocol version. Here is the sample code:
function Test-ServerSSLSupport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$HostName,
        [UInt16]$Port = 443
    )
    process {
        $RetValue = New-Object psobject -Property @{
            Host          = $HostName
            Port          = $Port
            SSLv2         = $false
            SSLv3         = $false
            TLSv1_0       = $false
            TLSv1_1       = $false
            TLSv1_2       = $false
            KeyExhange    = $null
            HashAlgorithm = $null
        }
        # One TCP connection and one handshake per protocol version. Each handshake is
        # restricted to a single SslProtocols value, so success means the server accepted
        # that version (as far as this client's own Schannel stack is able to offer it).
        "ssl2", "ssl3", "tls", "tls11", "tls12" | ForEach-Object {
            $Protocol  = $_
            $TcpClient = New-Object Net.Sockets.TcpClient
            try {
                $TcpClient.Connect($RetValue.Host, $RetValue.Port)
            } catch {
                # No TCP listener at all: nothing to negotiate, leave this version at $false
                # instead of letting the exception spill out for every host that is down.
                Write-Warning "$($RetValue.Host):$($RetValue.Port) is not reachable: $($_.Exception.Message)"
                $TcpClient.Dispose()
                return
            }
            # The validation callback always returns $true: we test protocol support, not
            # trust, so an untrusted or mismatched certificate must not look like a
            # rejected protocol version. Never reuse this callback in production code.
            $SslStream = New-Object -TypeName Net.Security.SslStream -ArgumentList @(
                $TcpClient.GetStream(),
                $true,   # leaveInnerStreamOpen: the TcpClient is disposed explicitly below
                [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            )
            $SslStream.ReadTimeout  = 15000
            $SslStream.WriteTimeout = 15000
            try {
                # Offer exactly one version. PowerShell converts the string to the
                # SslProtocols enum; "tls11" and "tls12" exist only in .NET Framework 4.5+.
                $SslStream.AuthenticateAsClient($RetValue.Host, $null, $Protocol, $false)
                # Algorithms of the most recent successful handshake (normally TLS 1.2).
                # Values the .NET enums do not name are shown as raw CryptoAPI ALG_ID integers.
                $RetValue.KeyExhange    = $SslStream.KeyExchangeAlgorithm
                $RetValue.HashAlgorithm = $SslStream.HashAlgorithm
                $status = $true
            } catch {
                # Handshake refused or failed for this version
                $status = $false
            }
            switch ($Protocol) {
                "ssl2"  { $RetValue.SSLv2   = $status }
                "ssl3"  { $RetValue.SSLv3   = $status }
                "tls"   { $RetValue.TLSv1_0 = $status }
                "tls11" { $RetValue.TLSv1_1 = $status }
                "tls12" { $RetValue.TLSv1_2 = $status }
            }
            # dispose objects to prevent socket and memory leaks
            $SslStream.Dispose()
            $TcpClient.Dispose()
        }
        $RetValue
    }
}

The usage is pretty simple:
[↓] [vPodans] "www.inbox.lv","www.paypal.com","ib.dnb.lv" | Test-ServerSSLSupport


HashAlgorithm : 32781
KeyExhange : 44550
TLSv1_1 : True
SSLv3 : True
Host : www.inbox.lv
SSLv2 : False
Port : 443
TLSv1_0 : True
TLSv1_2 : True

HashAlgorithm : 32781
KeyExhange : RsaKeyX
TLSv1_1 : True
SSLv3 : False
Host : www.paypal.com
SSLv2 : False
Port : 443
TLSv1_0 : True
TLSv1_2 : True

HashAlgorithm : Sha1
KeyExhange : RsaKeyX
TLSv1_1 : False
SSLv3 : False
Host : ib.dnb.lv
SSLv2 : False
Port : 443
TLSv1_0 : True
TLSv1_2 : False



[↓] [vPodans]
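The results above are only as reliable as the scanning client's own TLS stack: a False means this client could not negotiate that version, not necessarily that the server refuses it. The following function is an added example, not part of the original post, that reports what the local client can offer by listing the SslProtocols members present in the loaded .NET Framework and reading the Schannel client switches under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. The function name and the conservative ClientCanOffer rule are my own choices for this example.

```powershell
# Added example, not from the original post: report what the scanning client itself
# can offer. The registry paths are the documented Schannel client switches; the
# function name and the ClientCanOffer rule are assumptions of this example.
function Get-LocalSslClientCapability {
    [CmdletBinding()]
    param()

    # SslProtocols member name (what AuthenticateAsClient is given) -> Schannel key name
    $ProtocolKeys = [ordered]@{
        Ssl2  = 'SSL 2.0'
        Ssl3  = 'SSL 3.0'
        Tls   = 'TLS 1.0'
        Tls11 = 'TLS 1.1'
        Tls12 = 'TLS 1.2'
    }
    # Members present in the loaded .NET Framework; Tls11/Tls12 appear with 4.5 and later.
    # On an older framework "tls11"/"tls12" cannot even be passed to AuthenticateAsClient.
    $EnumNames = [Enum]::GetNames([System.Security.Authentication.SslProtocols])
    $Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    foreach ($Name in $ProtocolKeys.Keys) {
        $Key = Join-Path (Join-Path $Base $ProtocolKeys[$Name]) 'Client'
        $Enabled = $null
        $DisabledByDefault = $null
        if (Test-Path -Path $Key) {
            $Props = Get-ItemProperty -Path $Key
            $Enabled           = $Props.Enabled            # 0 = version switched off for clients
            $DisabledByDefault = $Props.DisabledByDefault  # 1 = not used unless an app asks for it
        }
        # No key at all means the OS default applies, which this check cannot see
        # (both values stay $null). The rule below is conservative: a version that is
        # merely DisabledByDefault may still be usable when an application requests it
        # explicitly, as SslStream does in the scanner, so treat a False obtained for
        # such a version as "verify by hand" rather than as proof about the server.
        $InDotNet = $EnumNames -contains $Name
        $CanOffer = $InDotNet -and ($Enabled -ne 0) -and ($DisabledByDefault -ne 1)

        New-Object psobject -Property ([ordered]@{
            Protocol          = $Name
            InDotNetEnum      = $InDotNet
            RegistryKey       = $Key
            Enabled           = $Enabled
            DisabledByDefault = $DisabledByDefault
            ClientCanOffer    = $CanOffer
        })
    }
}

# Run this on the scanning host before trusting any False in a scan report.
Get-LocalSslClientCapability | Format-Table -AutoSize
```

Any protocol row with ClientCanOffer = False tells you that a False for the same version in the scan output is inconclusive and needs a second scanner (or a manual check) rather than a ticket against the server.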

Using this script I can easily generate a report and run it on a regular basis from a scheduled task. Two things to keep in mind when reading the results. First, the scanner can only detect what its own TLS stack is able to offer: a False means this client could not negotiate that version with the server, so if the scanning machine has a version disabled in Schannel, or runs a .NET Framework older than 4.5 (whose SslProtocols enum has no Tls11 and Tls12 members), the server may still accept it. Second, KeyExhange and HashAlgorithm reflect the last successful handshake (normally TLS 1.2), and algorithms the .NET enums do not name are printed as raw CryptoAPI ALG_ID integers: 32781 (0x800D) is CALG_SHA_384 and 44550 (0xAE06) is CALG_ECDH_EPHEM. There are places to improve, but it is already a good start.
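An added example (not the post's own code) of turning the per-host objects into the policy report mentioned above. It assumes Test-ServerSSLSupport from this post has been dot-sourced, that the policy is "no SSLv2, SSLv3 or TLS 1.0; TLS 1.2 required", and that the host list lives in a one-column CSV; the function names, the policy and the file names are assumptions. It also translates the raw ALG_ID integers seen in the output above back into algorithm names.

```powershell
# Added example, not from the original post. Assumes Test-ServerSSLSupport (above) is
# dot-sourced. Policy, function names and file names are assumptions of this example.

function ConvertFrom-SchannelAlgId {
    # SslStream exposes the negotiated algorithms as .NET enums. Values the enum does
    # not name surface as raw CryptoAPI ALG_ID integers (see 32781 and 44550 in the
    # output above); map the ones commonly met on TLS 1.2 servers back to names.
    param($Value)
    if ($null -eq $Value) { return $null }
    switch ([int]$Value) {
        32780   { 'Sha256' }        # CALG_SHA_256    = 0x800C
        32781   { 'Sha384' }        # CALG_SHA_384    = 0x800D
        32782   { 'Sha512' }        # CALG_SHA_512    = 0x800E
        44550   { 'ECDH_Ephem' }    # CALG_ECDH_EPHEM = 0xAE06
        default { [string]$Value }  # already a named member (Sha1, RsaKeyX, DiffieHellman, ...)
    }
}

function Get-SslPolicyReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$HostName,
        [UInt16]$Port = 443
    )
    $HostName | Test-ServerSSLSupport -Port $Port | ForEach-Object {
        # Assumed policy: legacy versions must be refused, TLS 1.2 must be negotiable.
        $Violations = @()
        if ($_.SSLv2)        { $Violations += 'SSLv2 accepted' }
        if ($_.SSLv3)        { $Violations += 'SSLv3 accepted' }
        if ($_.TLSv1_0)      { $Violations += 'TLS 1.0 accepted' }
        if (-not $_.TLSv1_2) { $Violations += 'TLS 1.2 not negotiated (verify the client can offer it)' }

        New-Object psobject -Property ([ordered]@{
            Host          = $_.Host
            Port          = $_.Port
            SSLv2         = $_.SSLv2
            SSLv3         = $_.SSLv3
            TLSv1_0       = $_.TLSv1_0
            TLSv1_1       = $_.TLSv1_1
            TLSv1_2       = $_.TLSv1_2
            KeyExchange   = ConvertFrom-SchannelAlgId $_.KeyExhange   # property name as spelled in the post
            HashAlgorithm = ConvertFrom-SchannelAlgId $_.HashAlgorithm
            Compliant     = ($Violations.Count -eq 0)
            Violations    = ($Violations -join '; ')
        })
    }
}

# Usage from a scheduled task: host names from a one-column CSV with header "HostName",
# full report to CSV, non-compliant hosts to the console. File names are assumptions.
$Hosts  = Import-Csv -Path .\webservers.csv | Select-Object -ExpandProperty HostName
$Report = Get-SslPolicyReport -HostName $Hosts
$Report | Export-Csv -Path .\ssl-policy-report.csv -NoTypeInformation
$Report | Where-Object { -not $_.Compliant } | Format-Table Host, Violations -AutoSize
```

The TLS 1.2 violation text deliberately points back at the client: on a scanner whose own stack cannot offer TLS 1.2, every host would otherwise show up as non-compliant.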

HTH



Categories: PowerShell | Security | PKI
Posted at: 01.08.2015 21:26 (GMT+3) by Vadims Podāns | Permalink | Comments (22)


Comments:




Carl Reid • 18.12.2015 19:37 (GMT+3)



This looks very useful indeed! Thanks.



Why do we see the hash algorithm come back as 32781 when it is SHA256 rather than text?

Is there some enum that does not have a descriptor for SHA256 somewhere in .NET?






Harm ter Veer • 09.03.2016 09:34 (GMT+3)


Very useful, thanks!

I added an extra try / catch on line 23 (the $TcpClient.Connect statement) on my local copy, to prevent PS from blasting errors if the server does not support HTTPS :)




Sanjay Kumar • 05.12.2016 19:47 (GMT+3)



Hi,
I am trying to install Microsoft NDES with customized templates:
1. CEP Encryption
2. Exchange Enrollment Agent (Offline Request).

I have already created required users accounts in Active Directory and assigned them the required permissions as per the Microsoft’s article:
http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx

Though I am able to install the NDES role but it is not using the templates that I customized. It is using the default templates. I’ll really appreciate if you can help me fix this issue. I want to install the NDES using the Customized templates.




Kirt Carson • 24.01.2017 20:34 (GMT+3)



I needed additional information so I added the lines below to the function.

"From " + $TcpClient.Client.LocalEndPoint.Address.IPAddressToString + " to $HostName " + $TcpClient.Client.RemoteEndPoint.Address.IPAddressToString + ':' + $TcpClient.Client.RemoteEndPoint.Port
$SslStream | Get-Member | Where-Object { $_.MemberType -match 'Property' } | Select-Object Name | ForEach-Object { $_.Name + ': ' + $SslStream.($_.Name) }


From 172.16.129.204 to apps.oakgov.com 192.168.12.27:443
CanRead: True
CanSeek: False
CanTimeout: True
CanWrite: True
CheckCertRevocationStatus: False
CipherAlgorithm: Aes256
CipherStrength: 256
HashAlgorithm: 32781
HashStrength: 384
IsAuthenticated: True
IsEncrypted: True
IsMutuallyAuthenticated: False
IsServer: False
IsSigned: True
KeyExchangeAlgorithm: 44550
KeyExchangeStrength: 256
LeaveInnerStreamOpen: False
Length:
LocalCertificate:
Position:
ReadTimeout: 15000
RemoteCertificate: System.Security.Cryptography.X509Certificates.X509Certificate
SslProtocol: Tls12
TransportContext: System.Net.SslStreamContext
WriteTimeout: 15000






Joel Newton • 28.02.2017 18:25 (GMT+3)



Cheers, Vadim. Thanks for sharing!

-Joel




tony • 16.08.2017 00:03 (GMT+3)


Added the following to handle a newer key exchange algorithm:

switch ($retvalue.KeyExhange) {
"44550" {$RetValue.KeyExhange = "ECDH_Ephem"}
}




Helen • 31.08.2017 00:50 (GMT+3)



Thanks for the handy script. I had a small issue, just mentioning it in case this helps someone else... I was getting TLS 1.0 reporting true and TLS 1.1 and 1.2 reporting false, despite being sure I had the settings right for TLS 1.2... then I removed the catch{} and discovered the enumeration values weren't quite right for my server (Windows Server 2008 R2).

Cannot convert argument "2", with value: "tls12", for "AuthenticateAsClient" to type "System.Security.Authentication.SslProtocols": "Cannot convert value "tls12" to type "System.Security.Authentication.SslProtocols" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "None, Ssl2, Ssl3, Tls, Default"."

So, "tls11" and "tls12" aren't an option. I haven't yet figured out how to find out about support for the specific versions of TLS.






Rich Johnson • 05.02.2019 18:39 (GMT+3)


I was having an issue with "The remote certificate is invalid according to the validation procedure", because the certificate of the server I want to test does not match.
Using the article at: https://newspaint.wordpress.com/2017/04/05/checking-ssl-certificate-expiry-on-remote-server-using-powershell/
May be useful to someone else (or to me when I next search for the same thing).

replaced:
$SslStream = New-Object Net.Security.SslStream $TcpClient.GetStream()

with:

$SslStream = New-Object System.Net.Security.SslStream(
$TcpClient.GetStream(),
$True,
[System.Net.Security.RemoteCertificateValidationCallback]{ $true }
)




Vadims Podāns • 05.02.2019 18:58 (GMT+3)



@Rich Johnson

thanks!




Verb • 05.06.2019 04:36 (GMT+3)


@helen

Make sure that the installed version of .NET you're running this from is 4.5 or greater. The SslProtocols enum in previous versions doesn't have support for TLS 1.1 and above:

See 4.0 Support:

https://docs.microsoft.com/en-us/dotnet/api/system.security.authentication.sslprotocols?view=netframework-4.0
vs. 4.5 Support:

https://docs.microsoft.com/en-us/dotnet/api/system.security.authentication.sslprotocols?view=netframework-4.5




Simon Cornwell • 01.07.2019 15:30 (GMT+3)


Just in case anyone else gets an error when they run this function, I found I had to make the following change:

Original:
$SslStream = New-Object Net.Security.SslStream $TcpClient.GetStream(), $true, [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

Changed:

$SslStream = New-Object -TypeName Net.Security.SslStream -ArgumentList $TcpClient.GetStream(), $true,([System.Net.Security.RemoteCertificateValidationCallback]{$true})




Alex • 09.07.2019 23:40 (GMT+3)


Just to summarize, might be helpful for others :-)



function Test-ServerSSLSupport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$HostName,
        [UInt16]$Port = 443,
        [boolean]$MoreInfo = $false
    )
    process {
        $RetValue = New-Object psobject -Property ([ordered]@{
            Host          = $HostName
            Port          = $Port
            KeyExhange    = $null
            HashAlgorithm = $null
            SSLv2         = $false
            SSLv3         = $false
            TLSv1_0       = $false
            TLSv1_1       = $false
            TLSv1_2       = $false
        })
        "ssl2", "ssl3", "tls", "tls11", "tls12" | ForEach-Object {
            $Protocol  = $_
            $TcpClient = New-Object Net.Sockets.TcpClient
            try {
                $TcpClient.Connect($RetValue.Host, $RetValue.Port)
            } catch {
                Write-Host "`nThe host $HostName does not exist or is not responding on port $Port `n" -ForegroundColor Red
                # 'return' skips this protocol only; 'break' here would abort the whole
                # pipeline, including the remaining hosts
                $TcpClient.Dispose()
                return
            }
            $SslStream = New-Object -TypeName Net.Security.SslStream -ArgumentList $TcpClient.GetStream(), $true, ([System.Net.Security.RemoteCertificateValidationCallback]{ $true })
            $SslStream.ReadTimeout  = 15000
            $SslStream.WriteTimeout = 15000
            try {
                $SslStream.AuthenticateAsClient($RetValue.Host, $null, $Protocol, $false)
                $RetValue.KeyExhange    = $SslStream.KeyExchangeAlgorithm
                $RetValue.HashAlgorithm = $SslStream.HashAlgorithm
                $status = $true
            } catch {
                $status = $false
            }
            switch ($Protocol) {
                "ssl2"  { $RetValue.SSLv2   = $status }
                "ssl3"  { $RetValue.SSLv3   = $status }
                "tls"   { $RetValue.TLSv1_0 = $status }
                "tls11" { $RetValue.TLSv1_1 = $status }
                "tls12" { $RetValue.TLSv1_2 = $status }
            }
            # ALG_ID not named by the .NET enum (see tony's comment)
            switch ($RetValue.KeyExhange) {
                "44550" { $RetValue.KeyExhange = "ECDH_Ephem" }
            }
            if ($MoreInfo -eq $true) {
                "From " + $TcpClient.Client.LocalEndPoint.Address.IPAddressToString + " to $HostName " + $TcpClient.Client.RemoteEndPoint.Address.IPAddressToString + ':' + $TcpClient.Client.RemoteEndPoint.Port
                $SslStream | Get-Member | Where-Object { $_.MemberType -match 'Property' } | Select-Object Name | ForEach-Object { $_.Name + ': ' + $SslStream.($_.Name) }
            }
            # dispose objects to prevent memory leaks
            $SslStream.Dispose()
            $TcpClient.Dispose()
        }
        $RetValue
    }
}




Chris Braley • 12.08.2019 20:26 (GMT+3)


I'm new to PowerShell and have a newbie question.

Am I doing something wrong?

I created the file Test-ServerSSLSupport.ps1 with the script data provided.

I am running PowerShell in the directory of the file.

When I run the following it does not return anything.

"www.inbox.lv","www.paypal.com","ib.dnb.lv" | .\Test-ServerSSLSupport

PS C:\temp\powershell> "www.inbox.lv","www.paypal.com","ib.dnb.lv" | .\Test-ServerSSLSupport
PS C:\temp\powershell>

I have also tried "www.inbox.lv","www.paypal.com","ib.dnb.lv" | Test-ServerSSLSupport but get the following error

Suggestion [3,General]: The command Test-ServerSSLSupport was not found, but does exist in the current location. Windows PowerShell does not load commands from the current location by default. If you trust this command, instead type: ".\Test-ServerSSLSupport". See "get-help about_Command_Precedence" for more details.


Thanks for your help




Vadims Podāns • 12.08.2019 20:31 (GMT+3)


You need to dot-source (load) the script first:
. .\Test-ServerSSLSupport.ps1

Type dot, space and the path to the file. Then you can call the command like this: "www.inbox.lv","www.paypal.com","ib.dnb.lv" | Test-ServerSSLSupport




Christopher Braley • 14.08.2019 15:29 (GMT+3)



Thanks Vadims Podāns !!!

That did the trick !!




Chris N • 30.10.2019 14:39 (GMT+3)


I'm a super novice. I have a list of 20 servers in a CSV and I want to run Test-ServerSSLSupport against all of them. How do I do that, get the results for each, and save them in another CSV or send them in an email?

Thank you in advance




Piotr Latusek • 20.11.2019 16:06 (GMT+3)



Thanks a lot Vadims and others who contributed in comments!




Daniel Benway • 30.05.2020 00:11 (GMT+3)



Very useful! Thank you!




Jim • 27.06.2020 23:42 (GMT+3)


This is very useful. I needed to test a few websites but found it difficult because DNS was pointing to the WAF and the firewall was blocking any external IPs but the WAF, so any online testing I was doing (e.g. SSL Labs) was hitting the proxy and giving false reports. Testing internally using this script helped.




Shan • 22.07.2020 17:21 (GMT+3)



Is there any way to include the proxy address in the script. For any urls that are hosted in DMZ is accessible only via http proxy from the internal server. Hence, is there any possibility to pass/ include the proxy address https://<proxyaddress>:<port> for fetching the sslstream data?




Vadims Podāns • 22.07.2020 18:55 (GMT+3)



No, TcpClient does not support proxy settings.




nonya • 03.05.2021 19:25 (GMT+3)



does absolutely NOTHING!



© 2008 - 2021 - Sysadmins LV. All rights reserved
