TestSecureNetConnection.psm1
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 |
<#PSScriptInfo
.VERSION 1.0.0 .GUID 4cc61e09-5b4c-415e-b97d-2170f64823e4 .AUTHOR Anthony J. Raymond .COMPANYNAME .COPYRIGHT (c) 2022 Anthony J. Raymond .TAGS test secure connection tcp ssl tls .LICENSEURI https://github.com/CodeAJGit/posh/blob/main/LICENSE .PROJECTURI https://github.com/CodeAJGit/posh .ICONURI .EXTERNALMODULEDEPENDENCIES .REQUIREDSCRIPTS .EXTERNALSCRIPTDEPENDENCIES .RELEASENOTES Packaged in TestSecureNetConnection Module .PRIVATEDATA #> <# .DESCRIPTION Displays diagnostic information for a secure connection. .EXAMPLE Test-SecureNetConnection -ComputerName google.com -Port 443 .PARAMETER ComputerName Specifies the Domain Name System (DNS) name or IP address of the target computer. .PARAMETER SslProtocol Sets the SSL/TLS protocols that are permissible for the connection. .PARAMETER Port Specifies the TCP port number on the target computer. .PARAMETER SkipCertificateCheck Skips certificate validation checks. .PARAMETER Timeout Sets the timeout value in milliseconds for the protocol tests. .PARAMETER Force Allows the cmdlet to enable protocols that would otherwise be disabled. #> function Test-SecureNetConnection { [CmdletBinding()] [OutputType([object])] ## PARAMETERS ############################################################# param ( [Parameter( Mandatory, Position = 0, ValueFromPipelineByPropertyName, ValueFromPipeline )] [ValidateNotNullOrEmpty()] [string[]] $ComputerName, [Parameter()] [System.Collections.Generic.List[System.Security.Authentication.SslProtocols]] $SslProtocol = "None", [Parameter()] [int] [ValidateRange(1, 65535)] $Port = 443, [Parameter()] [switch] $SkipCertificateCheck, [Parameter()] [int] $Timeout = 15000, [Parameter()] [switch] $Force ) ## BEGIN ################################################################## begin { Write-Verbose "start command execution" $SaveProgressPreference = $Global:ProgressPreference $Global:ProgressPreference = "SilentlyContinue" # https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings $RegistryMap = @{ [System.Security.Authentication.SslProtocols]::Ssl2 = "Registry::HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" [System.Security.Authentication.SslProtocols]::Ssl3 = "Registry::HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" [System.Security.Authentication.SslProtocols]::Tls = "Registry::HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" [System.Security.Authentication.SslProtocols]::Tls11 = "Registry::HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" [System.Security.Authentication.SslProtocols]::Tls12 = "Registry::HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" [System.Security.Authentication.SslProtocols]::Tls13 = "Registry::HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" } # https://docs.microsoft.com/en-us/dotnet/api/system.security.authentication.sslprotocols # Allows the operating system to choose the best protocol to use, and to block protocols that are not secure. if ($SslProtocol.Remove([System.Security.Authentication.SslProtocols]::None)) { $SslProtocol.Add([System.Security.Authentication.SslProtocols]::Ssl2) $SslProtocol.Add([System.Security.Authentication.SslProtocols]::Ssl3) $SslProtocol.Add([System.Security.Authentication.SslProtocols]::Tls) $SslProtocol.Add([System.Security.Authentication.SslProtocols]::Tls11) $SslProtocol.Add([System.Security.Authentication.SslProtocols]::Tls12) $SslProtocol.Add([System.Security.Authentication.SslProtocols]::Tls13) } # https://docs.microsoft.com/en-us/dotnet/api/system.security.authentication.sslprotocols # Default permits only the Secure Sockets Layer (SSL) 3.0 or Transport Layer Security (TLS) 1.0 protocols to be negotiated. if ($SslProtocol.Remove([System.Security.Authentication.SslProtocols]::Default)) { $SslProtocol.Add([System.Security.Authentication.SslProtocols]::Ssl3) $SslProtocol.Add([System.Security.Authentication.SslProtocols]::Tls) } $ProtocolToRemove = [System.Collections.Generic.List[System.Security.Authentication.SslProtocols]] @() $DisableOnExit = [System.Collections.Generic.List[System.Security.Authentication.SslProtocols]] @() foreach ($Protocol in $SslProtocol) { Write-Verbose "$Protocol : start registry check" if (-not ($RegistryProperty = Get-ItemProperty -Path $RegistryMap[$Protocol] -ErrorAction SilentlyContinue).Enabled -and $null -ne $RegistryProperty) { Write-Verbose "$Protocol : disabled" if ($Force) { Write-Verbose "$Protocol : force flag detected, set registry to enabled" try { Set-ItemProperty -Path $RegistryMap[$Protocol] -Name Enabled -Type DWord -Value 1 -ErrorAction Stop $DisableOnExit.Add($Protocol) } catch { $ProtocolToRemove.Add($Protocol) switch ($_.Exception) { { $_ -is [System.Security.SecurityException] } { Write-Error "[$Protocol] The attempt to enable the protocol failed because access was denied."; break } default { Write-Error "[$Protocol] An error of type $( $_.GetType().FullName ) has occured." } } } } else { $ProtocolToRemove.Add($Protocol) Write-Warning "[$Protocol] The protocol will be skipped because it is not enabled on the client." } } else { Write-Verbose "$Protocol : enabled" } } $ProtocolToRemove.ToArray().ForEach({ $null = $SslProtocol.Remove($_) }) } ## PROCESS ################################################################ process { foreach ($Computer in $ComputerName) { Write-Verbose "$Computer : start connection" $NetConnection = Test-NetConnection -ComputerName $Computer -Port $Port -WarningAction SilentlyContinue -ErrorAction SilentlyContinue if (-not $NetConnection.RemoteAddress) { Write-Warning "[$Computer] The connection failed because the host does not exist." } elseif (-not $NetConnection.TcpTestSucceeded) { Write-Warning "[$Computer] The connection failed because the host refused the attempt." } $Hashtable = [ordered] @{ ComputerName = $NetConnection.ComputerName RemoteAddress = $NetConnection.RemoteAddress RemotePort = $NetConnection.RemotePort SourceAddress = $NetConnection.SourceAddress PingSucceeded = $NetConnection.PingSucceeded TcpTestSucceeded = $NetConnection.TcpTestSucceeded } if ($NetConnection.TcpTestSucceeded) { foreach ($Protocol in ($SslProtocol | Select-Object -Unique | Sort-Object)) { Write-Verbose "$Computer : start $Protocol test" try { $TcpClient = [System.Net.Sockets.TcpClient]::new() $TcpClient.SendTimeout = $Timeout $TcpClient.ReceiveTimeout = $Timeout # Connect (<string> hostname, <int> port); $TcpClient.Connect($Computer, $Port) try { $SslStream = if ($SkipCertificateCheck) { # SslStream (<System.IO.Stream> innerStream, <bool> leaveInnerStreamOpen, <System.Net.Security.RemoteCertificateValidationCallback> userCertificateValidationCallback); [System.Net.Security.SslStream]::new($TcpClient.GetStream(), $true, ([System.Net.Security.RemoteCertificateValidationCallback] { $true })) } else { # SslStream (<System.IO.Stream> innerStream, <bool> leaveInnerStreamOpen); [System.Net.Security.SslStream]::new($TcpClient.GetStream(), $true) } $SslStream.WriteTimeout = $Timeout $SslStream.ReadTimeout = $Timeout # AuthenticateAsClient (<string> targetHost, <System.Security.Cryptography.X509Certificates.X509CertificateCollection> clientCertificates, <System.Security.Authentication.SslProtocols> enabledSslProtocols, <bool> checkCertificateRevocation); $SslStream.AuthenticateAsClient($Computer, $null, $Protocol, (-not $SkipCertificateCheck)) } catch { switch ($_.Exception) { { $_ -is [System.Management.Automation.MethodInvocationException] } { break } default { Write-Warning "[$Protocol] An error of type $( $_.GetType().FullName ) has occured." } } } finally { $Hashtable["${Protocol}TestSucceeded"] = [bool] $SslStream.IsAuthenticated $SslStream.Dispose() } $TcpClient.Dispose() } catch { switch ($_.Exception) { { $_ -is [System.Management.Automation.MethodInvocationException] } { Write-Error "[$Protocol] The connection failed because the timeout period was reached, or the host refused the attempt."; break } default { Write-Error "[$Protocol] An error of type $( $_.GetType().FullName ) has occured." } } } } } New-Object -TypeName psobject -Property $Hashtable } } ## END #################################################################### end { Write-Verbose "start command cleanup" foreach ($Protocol in $DisableOnExit) { Write-Verbose "$Protocol : set registry to disabled" Set-ItemProperty -Path $RegistryMap[$Protocol] -Name Enabled -Type DWord -Value 0 } $Global:ProgressPreference = $SaveProgressPreference $null = [System.GC]::GetTotalMemory($true) } } Set-Alias -Name TSNC -Value Test-SecureNetConnection Export-ModuleMember -Function Test-SecureNetConnection -Alias TSNC |