How to verify TLS version used with .NET application to SES via SMTP

1

SUMMARY

I need to know how to verify the TLS version that my client's .NET business applications are using to connect to Amazon SES via SMTP. Is there some way via the Amazon SES SDK or some other means to conclusively verify which TLS version is being used for the .NET SMTP to Amazon SES connection?

NOTE: There are no lines of code in any of the .NET business applications that explicitly set a TLS version. My assumption, based on some recent research, is that the .NET business applications will use the Windows Server 2016 default TLS version. That being said, I still want to see verifiable proof in the form of a log entry or other such mechanism. The transactional messages emanating from the .NET business applications are literally mission critical.

DETAILS

My Client's Environment:

  • Windows Server 2016 Standard Edition not hosted within AWS
  • .NET Framework 4.0.30319
  • .NET applications targeting .NET 4.8
  • Business applications implement SMTP to connect to Amazon SES using .NET's standard SmtpClient object.

I received the notice from AWS about the TLS 1.2+ mandate i.e. "...Update your TLS connections to 1.2 for SES using SMTP...".

These entries (assumed to be Amazon SES send logs internal to AWS) were included in the email from AWS (IP address anonymised):

Region    | Event        | Message ID                                                    | Source IP       | TLS Version
us-east-2 | SMTP Message | 010f01890d4f46f6-81bf8115-5c89-4fa4-b531-a6d7eb6078dd-000000 | 999.999.999.999 | TLSv1
us-east-2 | SMTP Message | 010f01890d4f32e1-97c4bb1f-3645-403e-bdbf-208615df037f-000000 | 999.999.999.999 | TLSv1
us-east-2 | SMTP Message | 010f01890d4f4dc4-3eb07e7e-7829-49a6-8b52-06e3828417fc-000000 | 999.999.999.999 | TLSv1

A few years ago, HTTP2 was disabled at the Windows Server 2016 level via the registry which I'm reasonably confident culminated in the TLS version indicated in the log entries illustrated above. HTTP2 has been re-enabled at the server level. However, I seem to have no way to verify that TLS 1.2 is being used to negotiate with Amazon SES. I do not have access to the internal Amazon SES send logs, of course. Is there some way via the Amazon SES SDK or some other means to conclusively verify which TLS version is being used for the .NET SMTP to Amazon SES connection?

What I've Tried

  • I contacted Amazon Compliance and asked if someone would check the Amazon SES send logs. Their response was a link to official AWS documentation. This led me to installing the Amazon SES SDK. See below.
  • I whipped up a quick 'n dirty .NET application to query send statistics in the hopes that TLS version information would be included there. However, TLS version information is not included in the call to AmazonSimpleEmailServiceClient.GetSendStatistics() via the resulting GetSendStatisticsResponse.SendDataPoints property. The only information in that property is data points about counters for sends, bounces, complaints, et al.

3 Answers
0
Accepted Answer

RESOLVED

I installed Wireshark 4.0.7 and captured network packets using a filter defined as "tcp port 587". My results clearly indicate the protocol in use is TLSv1.2. See network analyzer summary output excerpt below (my client's IP address has been anonymized):

Number  Time      Source                                            Destination                                       Protocol  Length  Info
10      0.104235  999.999.999.999                                   ec2-3-128-55-40.us-east-2.compute.amazonaws.com   TLSv1.2   290     Client Hello
11      0.131049  ec2-3-128-55-40.us-east-2.compute.amazonaws.com   999.999.999.999                                   TLSv1.2   144     Server Hello
...
37      0.432092  999.999.999.999                                   ec2-3-128-55-40.us-east-2.compute.amazonaws.com   TLSv1.2   2317    Application Data

RESOLUTION DETAILS

  • A few years ago, we disabled HTTP/2 at the server O/S level adding two new keys to the registry. Those keys have been removed.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"EnableHttp2Tls"=dword:00000000
"EnableHttp2Cleartext"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
"SystemDefaultTlsVersions"=dword:00000001

  • My client's .NET applications are all targeting .NET Framework 4.8.
  • My client's .NET applications are still using the .NET SmtpClient object for sending email messages to AWS SES. Absolutely none of my client's code was modified with regard to the SMTP implementation. I may opt to replace .NET's SmtpClient with a suitable substitute (e.g. MailKit) in the future, but I have bigger fish to fry at present.
InTech
answered a year ago
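Added example, not from the original post, AWS or the .NET SmtpClient sources: a .NET Framework console program that performs the same SMTP STARTTLS exchange SmtpClient would, then reads the negotiated version from SslStream.SslProtocol, which gives the in-process proof the question asks for without a packet capture. It assumes the us-east-2 SES SMTP endpoint, port 587 and a placeholder EHLO name, and stops before AUTH so no credentials are needed.

```csharp
// Added example (not the original poster's code). Runs STARTTLS against SES with
// the OS/.NET defaults that SmtpClient relies on and reports what was negotiated.
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Text;

class SesTlsCheck
{
    static void Main()
    {
        const string host = "email-smtp.us-east-2.amazonaws.com"; // assumed region
        using (var tcp = new TcpClient(host, 587))
        using (var net = tcp.GetStream())
        {
            var reader = new StreamReader(net, Encoding.ASCII);
            var writer = new StreamWriter(net, Encoding.ASCII) { AutoFlush = true, NewLine = "\r\n" };
            ReadReply(reader);                            // 220 greeting
            writer.WriteLine("EHLO tls-check.example");   // hypothetical client name
            ReadReply(reader);                            // 250-... STARTTLS advertised
            writer.WriteLine("STARTTLS");
            if (!ReadReply(reader).StartsWith("220"))
                throw new InvalidOperationException("server refused STARTTLS");
            // SslProtocols.None defers to the OS/.NET defaults, exactly as SmtpClient
            // does; with SystemDefaultTlsVersions=1 that is whatever Schannel enables.
            using (var ssl = new SslStream(net, false))
            {
                ssl.AuthenticateAsClient(host, null, SslProtocols.None, true);
                Console.WriteLine("Negotiated {0}, cipher {1} ({2}-bit)",
                    ssl.SslProtocol, ssl.CipherAlgorithm, ssl.CipherStrength);
                if (ssl.SslProtocol < SslProtocols.Tls12)
                    Console.WriteLine("WARNING: below TLS 1.2; revisit SchUseStrongCrypto/SystemDefaultTlsVersions");
                new StreamWriter(ssl, Encoding.ASCII) { AutoFlush = true }.Write("QUIT\r\n");
            }
        }
    }

    // Reads one SMTP reply, consuming "250-" continuation lines; returns the first line.
    static string ReadReply(StreamReader reader)
    {
        string first = null, line;
        do { line = reader.ReadLine(); if (first == null) first = line; }
        while (line != null && line.Length >= 4 && line[3] == '-');
        if (first == null) throw new IOException("connection closed");
        return first;
    }
}
```

Run it on the same server and under the same account as the business applications, since the registry values above are what steer SslProtocols.None; the plaintext StreamReader is safe here only because the server sends nothing after its 220 until the Client Hello.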
0

I did a packet capture to check the TLS version. I can see I'm still sending version 1.1 despite my attempts to address the issue, so I've got work to do.

JoSo
answered a year ago
  • JoSo: I very much appreciate your response. I downloaded Wireshark 4.0.7 but have not yet installed it. I will be sure to post my results once I have done so. If you achieve success, please let me know the details. I will most definitely do the same. Cheers!

  • JoSo: See my RESOLVED post above. I hope it helps you and anyone else for that matter.

0

The following is an answer in Japanese, but the conclusion is that it cannot be confirmed using any AWS-side function.

https://repost.aws/questions/QUjqhM3cINSpSJF9vjetg5HA/tls-1-1-を利用しているクライアントアプリを特定するには#ANXdz9UOW7SVeiZ9tPGxy1vQ

The following is the text translated into English.

AWS does not currently provide the ability to check the TLS version used when sending email using SES.
There is a field named "tlsDetails" in the CloudTrail event record.
However, SES email sending requests such as SendEmail, SendRawEmail, and email sending requests via the SMTP interface are not recorded in CloudTrail.
https://docs.aws.amazon.com/ses/latest/dg/logging-using-cloudtrail.html

So, as described in the following document, "How can I detect if I am using TLS 1.0 or TLS 1.1?", I think the only way to identify the problem is through code and network analysis.
https://aws.amazon.com/jp/blogs/security/tls-1-2-required-for-aws-fips-endpoints/

Also, although it is not a way to check the version, perhaps the following document may be helpful.
https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/enforcing-tls.html

EXPERT
answered a year ago
  • Thank you for the verification and detailed response. Thank you very much!
