2021-01-27 18:48:11 spawnshow

powershell_Check_TLS_Version

powershell 範例

#######################################################################
1 - 檔名:  Test-ServerSSLSupport.ps1

內容:
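function Test-ServerSSLSupport {
<#
.SYNOPSIS
    Reports which SSL/TLS protocol versions a remote endpoint accepts.

.DESCRIPTION
    For each name in a fixed list (tls, tls11, tls12, tls13, ssl2, ssl3) a fresh TCP
    connection is opened and AuthenticateAsClient is attempted with exactly that
    protocol. A completed handshake marks the protocol $true; any exception during
    the handshake marks it $false. KeyExhange / HashAlgorithm hold the values of the
    last handshake that succeeded.

    Certificate validation is intentionally disabled: the RemoteCertificateValidationCallback
    always returns $true, because this function measures protocol support, not trust, and an
    untrusted or expired certificate must not make a supported protocol look unsupported.
    Do not reuse that callback in code that actually exchanges data over the stream.

.PARAMETER HostName
    Host name or IP address to connect to; also passed to AuthenticateAsClient as the
    target host.

.PARAMETER Port
    TCP port to connect to. Defaults to 443.

.OUTPUTS
    PSObject with Host, Port, TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_3, SSLv2, SSLv3,
    KeyExhange and HashAlgorithm. The misspelt property name KeyExhange is kept
    unchanged so existing callers keep working.

.NOTES
    $false means "handshake did not complete" and does not distinguish a server that
    rejected the protocol from a local runtime that cannot offer it (for example "tls13"
    on a .NET Framework without SslProtocols.Tls13). A TCP connection failure is not
    caught: an unreachable host is an error, not evidence about protocol support.
#>
[CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$HostName,
        [UInt16]$Port = 443
    )
    process {
        $RetValue = New-Object psobject -Property @{
            Host = $HostName
            Port = $Port
            TLSv1_0 = $false
            TLSv1_1 = $false
            TLSv1_2 = $false
            TLSv1_3 = $false
            SSLv2 = $false
            SSLv3 = $false
            KeyExhange = $null
            HashAlgorithm = $null
        }
        "tls", "tls11", "tls12", "tls13", "ssl2", "ssl3" | ForEach-Object {
            $ProtocolName = $_
            $status = $false
            # One TcpClient per protocol: a server closes the connection after a failed
            # handshake, so a socket cannot be reused for the next attempt.
            $TcpClient = New-Object Net.Sockets.TcpClient
            try {
                # Outside the inner try on purpose: a connect failure propagates to the caller.
                $TcpClient.Connect($RetValue.Host, $RetValue.Port)
                $SslStream = New-Object Net.Security.SslStream $TcpClient.GetStream(),
                    $true,
                    ([System.Net.Security.RemoteCertificateValidationCallback]{ $true })
                $SslStream.ReadTimeout = 15000
                $SslStream.WriteTimeout = 15000
                try {
                    $SslStream.AuthenticateAsClient($RetValue.Host, $null, $ProtocolName, $false)
                    $RetValue.KeyExhange = $SslStream.KeyExchangeAlgorithm
                    $RetValue.HashAlgorithm = $SslStream.HashAlgorithm
                    $status = $true
                } catch {
                    # Handshake refused or protocol unavailable locally: report unsupported.
                    $status = $false
                } finally {
                    $SslStream.Dispose()
                }
            } finally {
                # Release the socket on every path, including a failed Connect or handshake.
                $TcpClient.Dispose()
            }
            switch ($ProtocolName) {
                "tls" {$RetValue.TLSv1_0 = $status}
                "tls11" {$RetValue.TLSv1_1 = $status}
                "tls12" {$RetValue.TLSv1_2 = $status}
                "tls13" {$RetValue.TLSv1_3 = $status}
                "ssl2" {$RetValue.SSLv2 = $status}
                "ssl3" {$RetValue.SSLv3 = $status}
            }
        }
        $RetValue
    }
}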

######################################################################
#######################################################################
2 - 檔名:  Test-SslProtocols.ps1
內容:
<#
.DESCRIPTION
   Outputs the SSL protocols that the client is able to successfully use to connect to a server.

 .NOTES
   Copyright 2014 Chris Duck
   http://blog.whatsupduck.net
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

 .PARAMETER ComputerName
   The name of the remote computer to connect to.

 .PARAMETER Port
   The remote port to connect to. The default is 443.


 .EXAMPLE

   Test-SslProtocols -ComputerName "www.google.com"

 

   ComputerName       : www.google.com

   Port               : 443

   KeyLength          : 2048

   SignatureAlgorithm : rsa-sha1

   Ssl2               : False

   Ssl3               : True

   Tls                : True

   Tls11              : True

   Tls12              : True

#>

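function Test-SslProtocols {
<#
.SYNOPSIS
    Tries every SslProtocols enum value against a remote endpoint and reports which
    handshakes complete.

.DESCRIPTION
    The protocol list is taken from the static members of
    System.Security.Authentication.SslProtocols (minus Default and None), so it depends
    on the .NET runtime the script runs on. For each protocol a new TCP socket is opened
    and AuthenticateAsClient is attempted; the output object gets one boolean property per
    protocol name, plus KeyLength, SignatureAlgorithm and Certificate taken from the
    remote certificate of the most recent successful handshake.

    SslStream is constructed without a validation callback, so the default certificate
    validation applies: a server whose certificate chain this machine does not trust is
    expected to fail authentication and will show every protocol as $false.

.PARAMETER ComputerName
    Host name or IP address to connect to (also the target host for the handshake).

.PARAMETER Port
    TCP port to connect to. Defaults to 443.

.OUTPUTS
    PSCustomObject: ComputerName, Port, KeyLength, SignatureAlgorithm, Certificate (only
    present after at least one successful handshake) and one boolean per protocol name.

.NOTES
    A TCP connection failure is not caught and terminates the pipeline; only handshake
    failures are turned into $false.
#>
    param(
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true)]
        $ComputerName,

        [Parameter(ValueFromPipelineByPropertyName=$true)]
        [int]$Port = 443
    )
    begin {
        # Every named protocol the local runtime knows about; Default/None are not real protocols.
        $ProtocolNames = [System.Security.Authentication.SslProtocols] |
            Get-Member -Static -MemberType Property |
            Where-Object { $_.Name -notin @("Default","None") } |
            ForEach-Object { $_.Name }
    }
    process {
        $ProtocolStatus = [Ordered]@{}
        $ProtocolStatus.Add("ComputerName", $ComputerName)
        $ProtocolStatus.Add("Port", $Port)
        $ProtocolStatus.Add("KeyLength", $null)
        $ProtocolStatus.Add("SignatureAlgorithm", $null)

        foreach ($ProtocolName in $ProtocolNames) {
            $Socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)
            # Deliberately outside the try: an unreachable host is an error, not "unsupported".
            $Socket.Connect($ComputerName, $Port)
            $NetStream = $null
            $SslStream = $null
            try {
                # ownsSocket = $true: closing the NetworkStream closes the socket.
                $NetStream = New-Object System.Net.Sockets.NetworkStream($Socket, $true)
                # leaveInnerStreamOpen = $true: closing the SslStream does NOT close $NetStream.
                $SslStream = New-Object System.Net.Security.SslStream($NetStream, $true)
                $SslStream.AuthenticateAsClient($ComputerName, $null, $ProtocolName, $false)
                $RemoteCertificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslStream.RemoteCertificate
                # Overwritten on each successful handshake; last one wins.
                $ProtocolStatus["KeyLength"] = $RemoteCertificate.PublicKey.Key.KeySize
                $ProtocolStatus["SignatureAlgorithm"] = $RemoteCertificate.SignatureAlgorithm.FriendlyName
                $ProtocolStatus["Certificate"] = $RemoteCertificate
                $ProtocolStatus.Add($ProtocolName, $true)
            } catch {
                $ProtocolStatus.Add($ProtocolName, $false)
            } finally {
                if ($SslStream) { $SslStream.Close() }
                # Because the SslStream leaves its inner stream open, the socket would stay
                # open until garbage collection unless the NetworkStream (or, if it was never
                # created, the socket itself) is closed here.
                if ($NetStream) { $NetStream.Close() } else { $Socket.Close() }
            }
        }
        [PSCustomObject]$ProtocolStatus
    }
}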

 

#######################################################################

 

#######################################################################

3 - 檔名:  tls_check.ps1

內容:

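function Test-SslProtocol {
<#
.SYNOPSIS
    Tries every SslProtocols enum value against a remote endpoint and reports which
    handshakes complete.

.DESCRIPTION
    The protocol list comes from the static members of
    System.Security.Authentication.SslProtocols (minus Default and None) and therefore
    depends on the .NET runtime in use. For each protocol a new TCP socket is opened and
    AuthenticateAsClient is attempted; the result object carries one boolean per protocol
    name plus KeyLength, SignatureAlgorithm and Certificate from the remote certificate of
    the most recent successful handshake.

    SslStream is constructed without a validation callback, so default certificate
    validation applies: a server whose certificate chain this machine does not trust is
    expected to fail authentication and will show every protocol as $false.

.PARAMETER ComputerName
    Host name or IP address to connect to (also the target host for the handshake).

.PARAMETER Port
    TCP port to connect to. Defaults to 443.

.OUTPUTS
    PSCustomObject: ComputerName, Port, KeyLength, SignatureAlgorithm, Certificate (only
    present after at least one successful handshake) and one boolean per protocol name.

.NOTES
    A TCP connection failure is not caught and terminates the pipeline; only handshake
    failures are turned into $false.
#>
    param(
        [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true)]
        $ComputerName,

        [Parameter(ValueFromPipelineByPropertyName=$true)]
        [int]$Port = 443
    )

    begin {
        # Every named protocol the local runtime knows about; Default/None are not real protocols.
        $ProtocolNames = [System.Security.Authentication.SslProtocols] |
            Get-Member -Static -MemberType Property |
            Where-Object -Filter { $_.Name -notin @("Default","None") } |
            Foreach-Object { $_.Name }
    }

    process {
        $ProtocolStatus = [Ordered]@{}
        $ProtocolStatus.Add("ComputerName", $ComputerName)
        $ProtocolStatus.Add("Port", $Port)
        $ProtocolStatus.Add("KeyLength", $null)
        $ProtocolStatus.Add("SignatureAlgorithm", $null)

        foreach ($ProtocolName in $ProtocolNames) {
            $Socket = New-Object System.Net.Sockets.Socket( `
                [System.Net.Sockets.SocketType]::Stream,
                [System.Net.Sockets.ProtocolType]::Tcp)
            # Deliberately outside the try: an unreachable host is an error, not "unsupported".
            $Socket.Connect($ComputerName, $Port)
            $NetStream = $null
            $SslStream = $null
            try {
                # ownsSocket = $true: closing the NetworkStream closes the socket.
                $NetStream = New-Object System.Net.Sockets.NetworkStream($Socket, $true)
                # leaveInnerStreamOpen = $true: closing the SslStream does NOT close $NetStream.
                $SslStream = New-Object System.Net.Security.SslStream($NetStream, $true)
                $SslStream.AuthenticateAsClient($ComputerName, $null, $ProtocolName, $false)
                $RemoteCertificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslStream.RemoteCertificate
                # Overwritten on each successful handshake; last one wins.
                $ProtocolStatus["KeyLength"] = $RemoteCertificate.PublicKey.Key.KeySize
                $ProtocolStatus["SignatureAlgorithm"] = $RemoteCertificate.SignatureAlgorithm.FriendlyName
                $ProtocolStatus["Certificate"] = $RemoteCertificate
                $ProtocolStatus.Add($ProtocolName, $true)
            } catch {
                $ProtocolStatus.Add($ProtocolName, $false)
            } finally {
                if ($SslStream) { $SslStream.Close() }
                # Because the SslStream leaves its inner stream open, the socket would stay
                # open until garbage collection unless the NetworkStream (or, if it was never
                # created, the socket itself) is closed here.
                if ($NetStream) { $NetStream.Close() } else { $Socket.Close() }
            }
        }

        [PSCustomObject]$ProtocolStatus
    }

} # function Test-SslProtocol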

 

# Endpoints whose TLS configuration and certificate are checked by the Describe block below.
$WebSitesToTest = @('ec.skit.com.tw')

# A certificate that expires within this many days from now fails the expiry test.
$WarningThreshold = 14

 

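# Pester tests: one Context per endpoint in $WebSitesToTest. Each Context probes the host
# once with Test-SslProtocol (defined above) and checks signature algorithm, TLS 1.2
# support and remaining certificate lifetime.
#
# NOTE(review): the probe runs as bare code inside Context, which is fine for Pester 4;
# Pester 5 executes such code during discovery rather than at run time, so on Pester 5
# the probe belongs in a BeforeAll together with the per-endpoint data — confirm which
# Pester version runs this file.
Describe 'SSL endpoints' {
    foreach ($WebSite in $WebSitesToTest) {
        Context $WebSite {
            $script:SSLResult = Test-SslProtocol -ComputerName $WebSite -Port 443

            It 'Should have Signature Algorithm of sha256RSA' {
                $script:SSLResult.SignatureAlgorithm | Should -Be 'sha256RSA'
            }

            It 'Should support TLS1.2' {
                # Compare against the boolean $true; the bareword True is a string and
                # only matches through implicit conversion.
                $script:SSLResult.Tls12 | Should -Be $true
            }

            It "Should not going to expire in $WarningThreshold days" {
                # Without a certificate (no handshake succeeded) the date comparison below
                # would fail with an unhelpful message; fail on the missing certificate first.
                $script:SSLResult.Certificate | Should -Not -BeNullOrEmpty
                ($script:SSLResult.Certificate.NotAfter -gt (Get-Date).AddDays($WarningThreshold)) | Should -Be $true
            }
        }
    }
}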

 

#######################################################################