
powershell_Check_TLS_Version

powershell 範例


Linus Liu - 劉益和


#######################################################################

1 - 檔名:  Test-ServerSSLSupport.ps1

內容:

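function Test-ServerSSLSupport {
<#
.SYNOPSIS
    Probes which SSL/TLS protocol versions a server will negotiate.
.DESCRIPTION
    Opens one TCP connection per protocol name and attempts a client
    handshake restricted to that single protocol. A protocol is reported
    as supported when AuthenticateAsClient completes without throwing.

    Certificate validation is deliberately disabled (the validation
    callback always returns $true and revocation checking is off), so the
    result describes protocol negotiation only and says nothing about
    whether the server certificate is trusted or matches the host name.
.PARAMETER HostName
    Host name or IP address to connect to; also passed as the target host
    of the handshake.
.PARAMETER Port
    TCP port to connect to. Defaults to 443.
.OUTPUTS
    PSObject with Host, Port, one boolean per protocol (SSLv2, SSLv3,
    TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3) and KeyExchange / HashAlgorithm
    taken from the last handshake that succeeded. KeyExhange (original,
    misspelled name) is kept alongside KeyExchange for existing consumers.
.NOTES
    A protocol name the local .NET runtime does not know (e.g. tls13 on
    older frameworks) or that is disabled on the client side fails the
    handshake and is reported as $false, which is indistinguishable from
    the server refusing it. A refused or unreachable port likewise yields
    $false for every protocol instead of aborting the pipeline.
#>
[CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$HostName,
        [UInt16]$Port = 443
    )
    process {
        $RetValue = New-Object psobject -Property @{
            Host = $HostName
            Port = $Port
            TLSv1_0 = $false
            TLSv1_1 = $false
            TLSv1_2 = $false
            TLSv1_3 = $false
            SSLv2 = $false
            SSLv3 = $false
            KeyExhange = $null      # original misspelled name, kept for callers
            KeyExchange = $null
            HashAlgorithm = $null
        }

        # Enum name handed to AuthenticateAsClient -> output property it fills.
        $ProtocolMap = [Ordered]@{
            tls   = 'TLSv1_0'
            tls11 = 'TLSv1_1'
            tls12 = 'TLSv1_2'
            tls13 = 'TLSv1_3'
            ssl2  = 'SSLv2'
            ssl3  = 'SSLv3'
        }

        # Accept any certificate: this function measures protocol support only.
        $AcceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

        foreach ($ProtocolName in $ProtocolMap.Keys) {
            $status = $false
            $TcpClient = $null
            $SslStream = $null
            try {
                $TcpClient = New-Object Net.Sockets.TcpClient
                # Connect inside the try so a connection failure is recorded
                # for this protocol instead of leaking the client and
                # surfacing as an unhandled error.
                $TcpClient.Connect($RetValue.Host, $RetValue.Port)
                $Inner = $TcpClient.GetStream()
                $SslStream = New-Object Net.Security.SslStream -ArgumentList $Inner, $true, $AcceptAll
                $SslStream.ReadTimeout = 15000
                $SslStream.WriteTimeout = 15000
                # Last argument is checkCertificateRevocation = $false.
                $SslStream.AuthenticateAsClient($RetValue.Host, $null, $ProtocolName, $false)
                $RetValue.KeyExhange = $SslStream.KeyExchangeAlgorithm
                $RetValue.KeyExchange = $SslStream.KeyExchangeAlgorithm
                $RetValue.HashAlgorithm = $SslStream.HashAlgorithm
                $status = $true
            } catch {
                # Handshake or connection failure: protocol counted as unsupported.
                Write-Verbose ("{0}:{1} {2}: {3}" -f $RetValue.Host, $RetValue.Port, $ProtocolName, $_.Exception.Message)
                $status = $false
            } finally {
                # Dispose on every exit path to prevent socket/handle leaks.
                if ($SslStream) { $SslStream.Dispose() }
                if ($TcpClient) { $TcpClient.Dispose() }
            }
            $PropName = $ProtocolMap[$ProtocolName]
            $RetValue.$PropName = $status
        }

        $RetValue
    }
}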

 

#######################################################################

 

#######################################################################

2 - 檔名:  Test-SslProtocols.ps1

內容:

<#

.DESCRIPTION

   Outputs the SSL protocols that the client is able to successfully use to connect to a server.

 .NOTES

   Copyright 2014 Chris Duck

   http://blog.whatsupduck.net

   Licensed under the Apache License, Version 2.0 (the "License");

   you may not use this file except in compliance with the License.

   You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software

   distributed under the License is distributed on an "AS IS" BASIS,

   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

   See the License for the specific language governing permissions and

   limitations under the License.

 .PARAMETER ComputerName

   The name of the remote computer to connect to.

 .PARAMETER Port

   The remote port to connect to. The default is 443.

 .EXAMPLE

   Test-SslProtocols -ComputerName "www.google.com"

  

   ComputerName       : www.google.com

   Port               : 443

   KeyLength          : 2048

   SignatureAlgorithm : rsa-sha1

   Ssl2               : False

   Ssl3               : True

   Tls                : True

   Tls11              : True

   Tls12              : True

#>

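function Test-SslProtocols {
   # See the comment-based help above the function for parameters and an
   # example. Behavioural notes that the help does not state:
   #  - The SslStream is created without a validation callback, so default
   #    chain/name validation applies. An untrusted or mismatched server
   #    certificate makes every protocol report False even though the server
   #    would have negotiated it. Revocation checking is off.
   #  - A refused or unreachable port is recorded as False for the protocol
   #    being probed rather than aborting the call.
   #  - Certificate details (KeyLength, SignatureAlgorithm, Certificate) come
   #    from the last successful handshake.
   param(
     [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true)]
     $ComputerName,

     [Parameter(ValueFromPipelineByPropertyName=$true)]
     [int]$Port = 443
   )
   begin {
     # Protocol names come from the enum itself, so members the runtime adds
     # (e.g. Tls13) are probed automatically; Default/None are not real protocols.
     $ProtocolNames = [System.Security.Authentication.SslProtocols] |
       Get-Member -Static -MemberType Property |
       Where-Object { $_.Name -notin @("Default","None") } |
       ForEach-Object { $_.Name }
   }
   process {
     $ProtocolStatus = [Ordered]@{}
     $ProtocolStatus.Add("ComputerName", $ComputerName)
     $ProtocolStatus.Add("Port", $Port)
     $ProtocolStatus.Add("KeyLength", $null)
     $ProtocolStatus.Add("SignatureAlgorithm", $null)

     foreach ($ProtocolName in $ProtocolNames) {
       $Socket = $null
       $NetStream = $null
       $SslStream = $null
       $Supported = $false
       try {
         $Socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)
         # Connect inside the try so a failure is recorded per protocol and the
         # socket is still released in finally.
         $Socket.Connect($ComputerName, $Port)
         $NetStream = New-Object System.Net.Sockets.NetworkStream($Socket, $true)
         $SslStream = New-Object System.Net.Security.SslStream($NetStream, $true)
         $SslStream.AuthenticateAsClient($ComputerName, $null, $ProtocolName, $false)
         # The handshake itself succeeded; anything below is detail extraction.
         $Supported = $true
         $RemoteCertificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslStream.RemoteCertificate
         $ProtocolStatus["Certificate"] = $RemoteCertificate
         $ProtocolStatus["SignatureAlgorithm"] = $RemoteCertificate.SignatureAlgorithm.FriendlyName
         try {
           # PublicKey.Key has historically thrown for non-RSA/DSA keys (e.g.
           # ECDSA); that must not flip an otherwise successful probe to False.
           $ProtocolStatus["KeyLength"] = $RemoteCertificate.PublicKey.Key.KeySize
         } catch {
           Write-Verbose ("{0}:{1} {2}: could not read key size: {3}" -f $ComputerName, $Port, $ProtocolName, $_.Exception.Message)
         }
       } catch {
         Write-Verbose ("{0}:{1} {2}: {3}" -f $ComputerName, $Port, $ProtocolName, $_.Exception.Message)
       } finally {
         # SslStream was built with leaveInnerStreamOpen=$true, so the
         # NetworkStream (which owns the socket) must be closed explicitly.
         if ($SslStream) { $SslStream.Close() }
         if ($NetStream) { $NetStream.Close() }
         if ($Socket) { $Socket.Close() }
       }
       $ProtocolStatus.Add($ProtocolName, $Supported)
     }
     [PSCustomObject]$ProtocolStatus
   }
}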

 

#######################################################################

 

#######################################################################

3 - 檔名:  tls_check.ps1

內容:

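function Test-SslProtocol {
<#
.SYNOPSIS
    Reports which SslProtocols values the client can negotiate with a server.
.DESCRIPTION
    Enumerates every member of System.Security.Authentication.SslProtocols
    except Default and None, opens a fresh TCP connection for each and
    attempts a handshake restricted to that protocol. The output carries
    one boolean property per protocol name plus details of the server
    certificate from the last successful handshake.

    The SslStream is created without a validation callback, so default
    chain and host-name validation applies: an untrusted or mismatched
    certificate makes every protocol report False even when the server
    would have negotiated it. Revocation checking is off. A refused or
    unreachable port is recorded as False for the protocol being probed
    instead of aborting the call.
.PARAMETER ComputerName
    The name of the remote computer to connect to.
.PARAMETER Port
    The remote port to connect to. The default is 443.
.OUTPUTS
    PSCustomObject with ComputerName, Port, KeyLength, SignatureAlgorithm,
    Certificate (X509Certificate2; present only when some handshake
    succeeded) and one boolean per protocol name (Ssl2, Ssl3, Tls, Tls11,
    Tls12, and Tls13 where the runtime defines it).
#>
    param(
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true)]
        $ComputerName,

        [Parameter(ValueFromPipelineByPropertyName=$true)]
        [int]$Port = 443
    )
    begin {
        # Names come from the enum so members added by newer runtimes are
        # probed automatically; Default/None are not real protocols.
        $ProtocolNames = [System.Security.Authentication.SslProtocols] |
            Get-Member -Static -MemberType Property |
            Where-Object -Filter { $_.Name -notin @("Default","None") } |
            Foreach-Object { $_.Name }
    }
    process {
        $ProtocolStatus = [Ordered]@{}
        $ProtocolStatus.Add("ComputerName", $ComputerName)
        $ProtocolStatus.Add("Port", $Port)
        $ProtocolStatus.Add("KeyLength", $null)
        $ProtocolStatus.Add("SignatureAlgorithm", $null)

        foreach ($ProtocolName in $ProtocolNames) {
            $Socket = $null
            $NetStream = $null
            $SslStream = $null
            $Supported = $false
            try {
                $Socket = New-Object System.Net.Sockets.Socket( `
                    [System.Net.Sockets.SocketType]::Stream,
                    [System.Net.Sockets.ProtocolType]::Tcp)
                # Connect inside the try so a failure is recorded per protocol
                # and the socket is still released in finally.
                $Socket.Connect($ComputerName, $Port)
                $NetStream = New-Object System.Net.Sockets.NetworkStream($Socket, $true)
                $SslStream = New-Object System.Net.Security.SslStream($NetStream, $true)
                $SslStream.AuthenticateAsClient($ComputerName, $null, $ProtocolName, $false)
                # Handshake succeeded; everything below is detail extraction.
                $Supported = $true
                $RemoteCertificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslStream.RemoteCertificate
                $ProtocolStatus["Certificate"] = $RemoteCertificate
                $ProtocolStatus["SignatureAlgorithm"] = $RemoteCertificate.SignatureAlgorithm.FriendlyName
                try {
                    # PublicKey.Key has historically thrown for non-RSA/DSA keys
                    # (e.g. ECDSA); that must not flip a successful probe to False.
                    $ProtocolStatus["KeyLength"] = $RemoteCertificate.PublicKey.Key.KeySize
                } catch {
                    Write-Verbose ("{0}:{1} {2}: could not read key size: {3}" -f $ComputerName, $Port, $ProtocolName, $_.Exception.Message)
                }
            } catch {
                Write-Verbose ("{0}:{1} {2}: {3}" -f $ComputerName, $Port, $ProtocolName, $_.Exception.Message)
            } finally {
                # SslStream was built with leaveInnerStreamOpen=$true, so the
                # NetworkStream (which owns the socket) must be closed explicitly.
                if ($SslStream) { $SslStream.Close() }
                if ($NetStream) { $NetStream.Close() }
                if ($Socket) { $Socket.Close() }
            }
            $ProtocolStatus.Add($ProtocolName, $Supported)
        }
        [PSCustomObject]$ProtocolStatus
    }
} # function Test-SslProtocol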

 

# List of Web sites that we want to check the SSL on

# Endpoints whose TLS configuration and certificate the suite below checks.
# Add one host name per element; each becomes its own Pester Context.
$WebSitesToTest = @('ec.skit.com.tw')

# Certificates expiring within this many days fail the expiry test.
$WarningThreshold = 14

 

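# Pester suite: one Context per site in $WebSitesToTest. Written in the Pester 4
# style the original uses ($script: scope for sharing state between blocks).
Describe 'SSL endpoints' {
    foreach ($WebSite in $WebSitesToTest) {
        Context $WebSite {
            # Probe once per site inside BeforeAll so a connection or handshake
            # failure is reported by the tests instead of erroring while the
            # Context body is evaluated.
            BeforeAll {
                $script:SSLResult = Test-SslProtocol -ComputerName $WebSite -Port 443
            }

            # Without this, a site that never completed a handshake fails the
            # later tests with null-valued comparisons that hide the real cause.
            It 'Should present a server certificate' {
                $script:SSLResult.Certificate | Should -Not -BeNullOrEmpty
            }

            It 'Should have Signature Algorithm of sha256RSA' {
                $script:SSLResult.SignatureAlgorithm | Should -Be 'sha256RSA'
            }

            It 'Should support TLS1.2' {
                # Compare with the boolean, not the bare word True (a string).
                $script:SSLResult.Tls12 | Should -Be $true
            }

            # Deprecated protocols must be disabled server-side. A property that
            # the runtime did not enumerate is $null and passes.
            It 'Should not support SSLv2, SSLv3, TLS1.0 or TLS1.1' {
                foreach ($Legacy in 'Ssl2', 'Ssl3', 'Tls', 'Tls11') {
                    $script:SSLResult.$Legacy | Should -Not -Be $true
                }
            }

            It "Should not going to expire in $WarningThreshold days" {
                # -BeGreaterThan reports the actual NotAfter on failure.
                $script:SSLResult.Certificate.NotAfter | Should -BeGreaterThan (Get-Date).AddDays($WarningThreshold)
            }
        }
    }
}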

 

#######################################################################

 

 

Best Regards,

 


Linus專員

資訊部

T+886 2 25071123 ext. 133

F+886 2 25077600

E-maillinus736@mail.skit.com.tw

新光證券投資信託股份有限公司

104 台北市南京東路二段12312

www.skit.com.tw

www.shinkonggroup.com


 
