Question
Tuesday, May 20, 2014 2:43 AM
Hi all
I'm wondering if the following is possible with PowerShell...
I'd like to be able to pull out info on the SSL handshake and which cipher is in use. I'd also like to be able to list which ciphers the server supports and the order.
Does anyone know how I could go about doing this?
All replies (5)
Wednesday, May 21, 2014 12:12 AM ✅ Answered | 1 vote
The SslStream.AuthenticateAsClient method has an overload which takes more arguments, and one of those arguments is a flags enum called "SslProtocols". By default, this allows SSL 3.0 or TLS 1.0, but you can tell it to use TLS 1.2 instead (if the server supports it). See http://msdn.microsoft.com/en-us/library/ms145061(v=vs.110).aspx and http://msdn.microsoft.com/en-us/library/system.security.authentication.sslprotocols(v=vs.110).aspx
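An added example, not code from the thread, that uses the four-argument AuthenticateAsClient overload described above to offer a chosen set of protocols and report what was actually negotiated. The function name Test-TlsHandshake and the output object layout are my own; it assumes .NET Framework 4.5 or later (PowerShell 5.1) on a host where the offered protocol is enabled.

```powershell
# Added example (not from the thread): offer a specific SslProtocols value to a server
# and report the negotiated protocol and cipher, or the handshake error if it refused.
function Test-TlsHandshake {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        # Flags enum: 'Tls12' alone, or 'Tls11, Tls12' to let the server choose among several
        [System.Security.Authentication.SslProtocols] $Protocols = 'Tls12'
    )
    $client = $null; $sslStream = $null
    $result = [ordered]@{
        Host = $HostName; Offered = $Protocols; Negotiated = $null
        CipherAlgorithm = $null; CipherStrength = $null; HashAlgorithm = $null
        KeyExchangeAlgorithm = $null; Succeeded = $false; Error = $null
    }
    try {
        $client = New-Object System.Net.Sockets.TcpClient
        $client.Connect($HostName, $Port)
        # Second argument: do not leave the inner stream open when the SslStream is disposed
        $sslStream = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # Empty collection = no client certificate; $true = check certificate revocation
        $noClientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
        # Overload: (targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation)
        $sslStream.AuthenticateAsClient($HostName, $noClientCerts, $Protocols, $true)
        $result.Negotiated           = $sslStream.SslProtocol
        $result.CipherAlgorithm      = $sslStream.CipherAlgorithm
        $result.CipherStrength       = $sslStream.CipherStrength
        $result.HashAlgorithm        = $sslStream.HashAlgorithm
        $result.KeyExchangeAlgorithm = $sslStream.KeyExchangeAlgorithm
        $result.Succeeded            = $true
    }
    catch {
        # With a single protocol offered, a failed handshake means the server (or the
        # local OS policy) would not accept that protocol version.
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        if ($null -ne $sslStream) { $sslStream.Dispose() }
        if ($null -ne $client)    { $client.Dispose() }
    }
    [pscustomobject]$result
}

# Usage: offer each version on its own to see which ones the server will negotiate
'Tls', 'Tls11', 'Tls12' |
    ForEach-Object { Test-TlsHandshake -HostName 'msdn.microsoft.com' -Protocols $_ } |
    Format-Table Offered, Negotiated, Succeeded, CipherAlgorithm, CipherStrength, Error
```

This answers the version question only; as the thread notes, the server never sends its full cipher list, so enumerating cipher suites would need a hand-built ClientHello per suite.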
Tuesday, May 20, 2014 3:40 AM | 1 vote
Finding out what cipher is in use is not difficult, but I don't think there's a way to list the ciphers that a server supports. The SSL handshake protocol has the client send a list of ciphers to the server; the server picks one from that list and sends it back to the client. At no point in the handshake does the server's entire list of cipher suites get sent.
Here's a quick example:
try
{
    # Plain TCP connection to the HTTPS port
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect('msdn.microsoft.com', 443)

    # Wrap the socket stream in an SslStream and run the TLS handshake as a client.
    # The host name is used for server certificate validation.
    $sslStream = New-Object System.Net.Security.SslStream($client.GetStream())
    $sslStream.AuthenticateAsClient('msdn.microsoft.com')

    # After the handshake these properties describe the negotiated cipher suite
    $sslStream | Format-List CipherAlgorithm,CipherStrength,HashAlgorithm,HashStrength,KeyExchangeAlgorithm,KeyExchangeStrength
}
finally
{
    # Always release the stream and the socket, even if the handshake failed
    if ($null -ne $sslStream)
    {
        $sslStream.Dispose()
    }
    if ($null -ne $client)
    {
        $client.Dispose()
    }
}
Tuesday, May 20, 2014 4:11 AM
Awesome thanks David!!
You got me re-reading the TLS RFC; of course, as you say, the server picks from the client's list...
Would you know how to test for a specific cipher suite?
I'm sure there must be a way to enumerate a server's ciphers, as a few tools do it such as https://www.ssllabs.com/ssltest/analyze.html?d=msdn.microsoft.com
Tuesday, May 20, 2014 5:07 AM
I don't know for sure, but I suspect that those tools are sending multiple handshakes to the server, one for each cipher suite, and seeing which ones the server will accept. You could still do that with the TcpClient class, but you'd have to put together your own code to send the client hello message and read the server's response.
That seems to be the approach taken by this Perl script: https://labs.portcullis.co.uk/tools/ssl-cipher-suite-enum/ . I didn't turn up anything similar in PowerShell or .NET with a quick web search, but I didn't really look that hard.
Tuesday, May 20, 2014 10:33 PM
Thanks heaps for your help David!
Yes, it looks like I'll have to query the server for the specific suites I need.
One more thing: the script you posted works great, but it only connects using TLS 1.0 even if 1.2 is enabled in the OS. Is there a way to get the client to negotiate TLS 1.2?