This looks very useful indeed! Thanks.

Why do we see the hash algorithm come back as 32781 when it is SHA256 rather than text?

Is there some enum that does not have a descriptor for SHA256 somewhere in .NET?

Very usefull, thanks!

I added an extra try / catch on line 23 ( $TcpClient.Connect statement) on my local copy, to prevent PS from blassting errors if the server does not support HTTPS :)

Hi,
I am trying to install Microsoft NDES with customized templates:
1. CEP Encryption
2. Exchange Enrollment Agent (Offline Request).

I have already created required users accounts in Active Directory and assigned them the required permissions as per the Microsoft’s article:
http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx

Though I am able to install the NDES role but it is not using the templates that I customized. It is using the default templates. I’ll really appreciate if you can help me fix this issue. I want to install the NDES using the Customized templates.

I needed additional information so I added the lines below to the function.

"From "+ $TcpClient.client.LocalEndPoint.address.IPAddressToString +" to $hostname "+ $TcpClient.client.RemoteEndPoint.address.IPAddressToString +':'+$TcpClient.client.RemoteEndPoint.port
$SslStream |gm |?{$_.MemberType -match 'Property'}|Select-Object Name |%{$_.Name +': '+ $sslStream.($_.name)}
 

From 172.16.129.204 to apps.oakgov.com 192.168.12.27:443
CanRead: True
CanSeek: False
CanTimeout: True
CanWrite: True
CheckCertRevocationStatus: False
CipherAlgorithm: Aes256
CipherStrength: 256
HashAlgorithm: 32781
HashStrength: 384
IsAuthenticated: True
IsEncrypted: True
IsMutuallyAuthenticated: False
IsServer: False
IsSigned: True
KeyExchangeAlgorithm: 44550
KeyExchangeStrength: 256
LeaveInnerStreamOpen: False
Length:
LocalCertificate:
Position:
ReadTimeout: 15000
RemoteCertificate: System.Security.Cryptography.X509Certificates.X509Certificate
SslProtocol: Tls12
TransportContext: System.Net.SslStreamContext
WriteTimeout: 15000

Cheers, Vadim. Thanks for sharing!

-Joel

added the folowing to handle newer Key exchange algorithm

switch ($retvalue.KeyExhange) {
            "44550" {$RetValue.KeyExhange = "ECDH_Ephem"}
            }

Thanks for the handy script. I had a small issue, just mentioning it in case this helps someone else... I was getting TLS 1.0 reporting true and TLS 1.1 and 1.2 reporting false, despite being sure I had the settings right for TLS 1.2... then I removed the catch{} and discovered the enumeration values weren't quite right for my server (Windows Server 2008 R2).

Cannot convert argument "2", with value: "tls12", for "AuthenticateAsClient" to type "System.Security.Authentication.SslProtocols": "Cannot convert value "tls12" to type "System.Security.Authentication.SslProtocols" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "None, Ssl2, Ssl3, Tls, Default"."

So, "tls11" and "tls12" aren't an option. I haven't yet figured out how to find out about support for the specific versions of TLS.

Was having an issue with "The remote certtificate is invalid accrding to the validation procedure" as the server I want to test as the certificate does not match.
using the article at: https://newspaint.wordpress.com/2017/04/05/checking-ssl-certificate-expiry-on-remote-server-using-powershell/
May be usefull to someone else (or me when I next search for the same thing) 

replaced:
$SslStream = New-Object Net.Security.SslStream $TcpClient.GetStream()

with:

$SslStream = New-Object System.Net.Security.SslStream(
   $TcpClient.GetStream(),
    $True,
    [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
)

@Rich Johnson 

thanks!

@helen

Make sure that the installed version of .NET you're running this from is 4.5 or greater. The SSLProtocols Enum from previous versions don't have support for TLS 1.1 and above: 

See 4.0 Support:

https://docs.microsoft.com/en-us/dotnet/api/system.security.authentication.sslprotocols?view=netframework-4.0
vs. 4.5 Support:

https://docs.microsoft.com/en-us/dotnet/api/system.security.authentication.sslprotocols?view=netframework-4.5

Just in case anyone else gets an error when they run this function, I found I had to make the followuintg change:

Original:
$SslStream = New-Object Net.Security.SslStream $TcpClient.GetStream(), $true, [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

Changed:

$SslStream = New-Object -TypeName Net.Security.SslStream -ArgumentList $TcpClient.GetStream(), $true,([System.Net.Security.RemoteCertificateValidationCallback]{$true})

Just to summarize, might be helpfull for otehrs :-)

function Test-ServerSSLSupport {
[CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$HostName,
        [UInt16]$Port = 443,
        [boolean]$MoreInfo = $false
    )
    process {
        $RetValue = New-Object psobject -Property ([ordered]@{
            Host = $HostName
            Port = $Port
            KeyExhange = $null
            HashAlgorithm = $null
            SSLv2 = $false
            SSLv3 = $false
            TLSv1_0 = $false
            TLSv1_1 = $false
            TLSv1_2 = $false
        })
        "ssl2", "ssl3", "tls", "tls11", "tls12" | %{
            $TcpClient = New-Object Net.Sockets.TcpClient
            try {$TcpClient.Connect($RetValue.Host, $RetValue.Port)}
            catch {Write-Host "`nThe host $HostName does not exist or not responding on port $Port `n" -ForegroundColor RED; break}
            $SslStream = New-Object -TypeName Net.Security.SslStream -ArgumentList $TcpClient.GetStream(), $true,([System.Net.Security.RemoteCertificateValidationCallback]{$true})
            $SslStream.ReadTimeout = 15000
            $SslStream.WriteTimeout = 15000
            try {
                $SslStream.AuthenticateAsClient($RetValue.Host,$null,$_,$false)
                $RetValue.KeyExhange = $SslStream.KeyExchangeAlgorithm
                $RetValue.HashAlgorithm = $SslStream.HashAlgorithm
                $status = $true
            } catch {
                $status = $false
            }
            switch ($_) {
                "ssl2" {$RetValue.SSLv2 = $status}
                "ssl3" {$RetValue.SSLv3 = $status}
                "tls" {$RetValue.TLSv1_0 = $status}
                "tls11" {$RetValue.TLSv1_1 = $status}
                "tls12" {$RetValue.TLSv1_2 = $status}
            }
            switch ($retvalue.KeyExhange) {
            "44550" {$RetValue.KeyExhange = "ECDH_Ephem"}
            }
            If ($MoreInfo -eq $true) {
            "From "+ $TcpClient.client.LocalEndPoint.address.IPAddressToString +" to $hostname "+ $TcpClient.client.RemoteEndPoint.address.IPAddressToString +':'+$TcpClient.client.RemoteEndPoint.port
            $SslStream |gm |?{$_.MemberType -match 'Property'}|Select-Object Name |%{$_.Name +': '+ $sslStream.($_.name)}
            }
            # dispose objects to prevent memory leaks
            $TcpClient.Dispose()
            $SslStream.Dispose()
        }
        $RetValue
    }
}

I'm new to Powershell and have a newbie question..

Am I doing something wrong?

I created the file Test-ServerSSLSupport.ps1 with the script data provided

I am running powershell it the directory of the file.

When I run the following it does not return anything.

"www.inbox.lv","www.paypal.com","ib.dnb.lv" | .\Test-ServerSSLSupport

PS C:\temp\powershell> "www.inbox.lv","www.paypal.com","ib.dnb.lv" | .\Test-ServerSSLSupport
PS C:\temp\powershell>

I have also tried "www.inbox.lv","www.paypal.com","ib.dnb.lv" | Test-ServerSSLSupport but get the following error

Suggestion [3,General]: The command Test-ServerSSLSupport was not found, but does exist in the current location. Windows PowerShell does not l
oad commands from the current location by default. If you trust this command, instead type: ".\Test-ServerSSLSupport". See "get-help about_Com
mand_Precedence" for more details.
 

Thanks for your help

you need to dot-source (load) the script first:

. .\Test-ServerSSLSupport.ps1

Type dot, space and path to a file. Then you can call the command like this: "www.inbox.lv","www.paypal.com","ib.dnb.lv" | Test-ServerSSLSupport

Thanks Vadims Podāns !!!

That did the trick !!

Im a super novice, I have a list of 20 servers in a csv, I want to run Test-ServerSSLSuport against all of them. How do I get that and get the results for each and save in a another csv or send in an email.

Thank you in advance

Thanks a lot Vadims and others who contributed in comments!

Very useful! Thank you!

This is very useful.  I needed to test a few websites but found it difficult because DNS was pointing to the WAF and firewall was blocking any external IPs but the WAF, so any online testing i was doing (e.g. SSL Labs) was hitting the proxy and giving false reports. Testing internally using this script helped.

Is there any way to include the proxy address in the script. For any urls that are hosted in DMZ is accessible only via http proxy from the internal  server. Hence, is there any possibility to pass/ include the proxy address https://<proxyaddress>:<port> for fetching the sslstream data?

No, TcpClient does not support proxy settings.

does absolutely NOTHING!

Assuming the local machine support tls1.3 can we update the list of protocols to include "tls13". 

Or does TLS 1.3 need to be handled in a different way?

I cannot get results what so ever, same issue Chris Braley  had, nothing comes up

PS C:\Users\jalkar.PROD\Desktop> "www.paypal.com" | ./Test-ServerSSLSupport
PS C:\Users\jalkar.PROD\Desktop>

and when I do ../ I get "..\Test-ServerSSLSupport.ps1 : The term '..\Test-ServerSSLSupport.ps1' is not recognized as the name of a cmdlet" 

Can someone help please? 

Anyone who insists on running this from a .ps1 file and complaining why it doesn't work is doing it wrong...  This is a FUNCTION. Once your FUNCTION is inside a .ps1 file, you need to dot-load the function, and then call the function (not the PS1 file) repeatedly.

# Dot-load the function. Note there's a dot, then a space, then a path\filename that includes a dot at the start as a relative path from "here" wherever I am running the script from:

. .\PathToFile\Test-ServerSSLSupportFunctionFile.ps1

# now the function is defined in my execution context, call it like the post tells you to:

"www.paypal.com" | Test-ServerSSLSupport

can I recursively check all IIS websites using a wildcard?

> can I recursively check all IIS websites using a wildcard?

not automatically. First, you need to extract the list of websites on IIS and then pass domain names to the script.

Is it possible to modify the function handling http:// and https://

Its seems to work when parsed website name without suffix but throw an error if included1