Test-TLSConnection.ps1


Description

@GitHub Copilot - Welcome @BanterBoy, I’m your Copilot and I’m here to help you get things done faster. I can identify issues, explain and even improve code.

You can ask generic questions, but what I’m really good at is helping you with your code. For example:

Generate unit tests for my code Explain the selected code Propose a fix for the bugs in my code If you want to learn more about my capabilities and limitations, check out the Copilot documentation.

I’m powered by AI, so surprises and mistakes are possible. Make sure to verify any generated code or suggestions, and share feedback so that we can learn and improve.

@BanterBoy: - Explain what the script does and why it is useful.

@GitHub Copilot -


Script

function Test-TLSConnection {
    <#
    .Synopsis
    Test if a TLS Connection can be established.

    .DESCRIPTION
    This function uses System.Net.Sockets.Tcpclient and System.Net.Security.SslStream to connect to a ComputerName and
    authenticate via TLS. This is useful to check if a TLS connection can be established and if the certificate used on
    the remote computer is trusted on the local machine.
    If the connection can be established, the certificate's properties will be output as custom object.
    Optionally the certificate can be downloaded using the -SaveCert switch.
    The Protocol parameter can be used to specifiy which SslProtocol is used to perform the test. The CheckCertRevocationStatus parameter
    can be used to disable revocation checks for the remote certificate.

    .EXAMPLE
    Test-TlsConnection -ComputerName www.ntsystems.it

    This example connects to www.ntsystems.it on port 443 (default) and outputs the certificate's properties.

    .EXAMPLE
    Test-TlsConnection -ComputerName sipdir.online.lync.com -Port 5061 -Protocol Tls12 -SaveCert

    This example connects to sipdir.online.lync.com on port 5061 using TLS 1.2 and saves the certificate to the temp folder.

    .EXAMPLE
    Test-TlsConnection -IPAddress 1.1.1.1 -ComputerName whatever.cloudflare.com

    This example connects to the IP 1.1.1.1 using a Hostname of whatever.cloudflare.com. This can be useful to test hosts that don't have DNS records configured.

    .EXAMPLE
    "host1.example.com","host2.example.com" | Test-TLSConnection -Protocol Tls11 -Quiet

    This example tests connection to the hostnames passed by pipeline input. It uses the -Quiet parameter and therefore only returns true/false.
    #>

    [CmdletBinding(HelpUri = 'https://ntsystems.it/PowerShell/TAK/Test-TLSConnection/')]
    [Alias('ttls')]
    [OutputType([psobject], [bool])]
    param (
        # Specifies the DNS name of the computer to test
        [Parameter(Mandatory = $true,
            ValueFromPipeline = $true,
            Position = 0)]
        [ValidateNotNullOrEmpty()]
        [Alias("Server", "Name", "HostName")]
        $ComputerName,

        # Specifies the IP Address of the computer to test. Can be useful if no DNS record exists.
        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [System.Net.IPAddress]
        $IPAddress,

        # Specifies the TCP port on which the TLS service is running on the computer to test
        [Parameter(Position = 1)]
        [ValidateNotNull()]
        [ValidateNotNullOrEmpty()]
        [Alias("RemotePort")]
        [ValidateRange(1, 65535)]
        $Port = '443',

        [Parameter(Position = 2)]
        [ValidateNotNullOrEmpty()]
        [ValidateSet('Default', 'None', 'Ssl2', 'Ssl3', 'Tls', 'Tls11', 'Tls12', 'Tls13')]
        [System.Security.Authentication.SslProtocols[]]
        $Protocol = 'Tls12',

        # Specifies a path to a file (.cer) where the certificate should be saved if the SaveCert switch parameter is used
        [Parameter(Position = 3)]
        [System.IO.FileInfo]
        $FilePath = "$computername.cer",

        # Check revocation information for remote certificate. Default is true.
        [Parameter()]
        [bool]$CheckCertRevocationStatus = $true,

        # Saves the remote certificate to a file, the path can be specified using the FilePath parameter
        [switch]
        $SaveCert,

        # Only returns true or false, instead of a custom object with some information.
        [Alias("Silent")]
        [switch]
        $Quiet
    )

    begin {
        function Get-SanAsArray {
            param($io)
            $io.replace("DNS Name=", "").split("`n")
        }
    }

    process {
        if (-not($IPAddress)) {
            # if no IP is specified, use the ComputerName
            [string]$IPAddress = $ComputerName
        }

        try {
            $TCPConnection = New-Object System.Net.Sockets.Tcpclient($($IPAddress.ToString()), $Port)
            Write-Verbose "TCP connection has succeeded"
            $TCPStream = $TCPConnection.GetStream()
            try {
                $SSLStream = New-Object System.Net.Security.SslStream($TCPStream)
                Write-Verbose "SSL connection has succeeded with $($SSLStream.SslProtocol)"
                try {
                    # AuthenticateAsClient (string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation)
                    $SSLStream.AuthenticateAsClient($ComputerName, $null, $Protocol, $CheckCertRevocationStatus)
                    Write-Verbose "SSL authentication has succeeded"
                }
                catch {
                    Write-Warning "There's a problem with SSL authentication to $ComputerName `n$_"
                    Write-Warning "Tried to connect using $Protocol protocol. Try another protocol with the -Protocol parameter."
                    return $false
                }
                $certificate = $SSLStream.get_remotecertificate()
                $certificateX509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
                $SANextensions = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection($certificateX509)
                $SANextensions = $SANextensions.Extensions | Where-Object { $_.Oid.FriendlyName -like "*subject alternative name" }

                $data = [ordered]@{
                    'ComputerName'    = $ComputerName;
                    'Port'            = $Port;
                    'Protocol'        = $SSLStream.SslProtocol;
                    'CheckRevocation' = $SSLStream.CheckCertRevocationStatus;
                    'Issuer'          = $SSLStream.RemoteCertificate.Issuer;
                    'Subject'         = $SSLStream.RemoteCertificate.Subject;
                    'SerialNumber'    = $SSLStream.RemoteCertificate.GetSerialNumberString();
                    'ValidTo'         = $SSLStream.RemoteCertificate.GetExpirationDateString();
                    'SAN'             = (Get-SanAsArray -io $SANextensions.Format(1));
                }

                if ($Quiet) {
                    Write-Output $true
                }
                else {
                    Write-Output (New-Object -TypeName PSObject -Property $Data)
                }
                if ($SaveCert) {
                    Write-Host "Saving cert to $FilePath" -ForegroundColor Yellow
                    [system.io.file]::WriteAllBytes($FilePath, $certificateX509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
                }
            }
            catch {
                Write-Warning "$ComputerName doesn't support SSL connections at TCP port $Port `n$_"
            }
        }
        catch {
            $exception = New-Object System.Net.Sockets.SocketException
            $errorcode = $exception.ErrorCode
            Write-Warning "TCP connection to $ComputerName failed, error code:$errorcode"
            Write-Warning "Error details: $exception"
        }

    } # process

    end {
        # cleanup
        Write-Verbose "Cleanup sessions"
        if ($SSLStream) {
            $SSLStream.Dispose()
        }
        if ($TCPStream) {
            $TCPStream.Dispose()
        }
        if ($TCPConnection) {
            $TCPConnection.Dispose()
        }
    }
}

Back to Top


Download

Please feel free to copy parts of the script or if you would like to download the entire script, simple click the download button. You can download the complete repository in a zip file by clicking the Download link in the menu bar on the left hand side of the page.


Report Issues

You can report an issue or contribute to this site on GitHub. Simply click the button below and add any relevant notes. I will attempt to respond to all issues as soon as possible.

Issue


Back to Top