How to verify TLS version used with .NET application to SES via SMTP

Question

**SUMMARY**

I need to know how to verify the TLS version that my client's .NET business applications are using to connect to Amazon SES via SMTP.  Is there some way via the Amazon SES SDK or some other means to conclusively verify which TLS version is being used for the .NET SMTP to Amazon SES connection?

**NOTE**:  There are no lines of code in any of the .NET business applications that explicitly set a TLS version.  My assumption, based on some recent research, is that the .NET business applications will use the Windows Server 2016 default TLS version.  That being said, I still want to see verifiable proof in the form of a log entry or other such mechanism.  The transactional messages emanating from the .NET business applications are literally mission critical.

**DETAILS**

**My Client's Environment:**
* Windows Server 2016 Standard Edition not hosted within AWS
* .NET Framework 4.0.30319
* .NET applications targeting .NET 4.8
* Business applications implement SMTP to connect to Amazon SES using .NET's standard SmtpClient object.

I received the notice from AWS about the TLS 1.2+ mandate i.e. "...Update your TLS connections to 1.2 for SES using SMTP...".

These entries (assumed to be Amazon SES send logs internal to AWS) were included in the email from AWS (IP address anonymised):

A few years ago, HTTP2 was disabled at the Windows Server 2016 level via the registry which I'm reasonably confident culminated in the TLS version indicated in the  log entries illustrated above.  HTTP2 has been re-enabled at the server level.  However, I seem to have no way to verify that TLS 1.2 is being used to negotiate with Amazon SES.  I do not have access to the internal Amazon SES send logs, of course.  Is there some way via the Amazon SES SDK or some other means to conclusively verify which TLS version is being used for the .NET SMTP to Amazon SES connection?

**What I've Tried**
* I contacted Amazon Compliance and asked if someone would check the Amazon SES send logs.  Their response was a link to official AWS documentation.  This led me to installing the Amazon SES SDK.  See below.
* I whipped up a quick 'n dirty .NET application to query send statistics in the hopes that TLS version information would be included there.  However, TLS version information is not included in the call to AmazonSimpleEmailServiceClient.GetSendStatistics() via the resulting GetSendStatisticsResponse.SendDataPoints property.  The only information in that property is data points about counters for sends, bounces, complaints, et al.

Accepted Answer

**RESOLVED**

I installed Wireshark 4.0.7 and captured network packets using a filter defined as "tcp port 587".  My results clearly indicate the protocol in use is TLSv1.2.  See network analyzer summary output excerpt below (my client's IP address has been anonymized):

**Number	Time	Source	Destination	Protocol	Length	Info**

10	0.104235	999.999.999.999	ec2-3-128-55-40.us-east-2.compute.amazonaws.com	TLSv1.2	290	Client Hello

11	0.131049	ec2-3-128-55-40.us-east-2.compute.amazonaws.com	999.999.999.999	TLSv1.2	144	Server Hello

...

37	0.432092	999.999.999.999	ec2-3-128-55-40.us-east-2.compute.amazonaws.com	TLSv1.2	2317	Application Data

**RESOLUTION DETAILS**

* A few years ago, we disabled HTTP/2 at the server O/S level adding two new keys to the registry.  Those keys have been removed.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]

"EnableHttp2Tls"=dword:00000000

"EnaleHttp2Cleartext"=dword:00000000

* Per Microsoft, I configured .NET Framework to support TLS 1.2 ([How to enable TLS 1.2](https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-server#bkmk_net))

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]

"SchUseStrongCrypto"=dword:00000001

"SystemDefaultTlsVersions"=dword:00000001

* My client's .NET application are all targeting .NET Framework 4.8.
* My client's .NET applications are still using the .NET SmtpClient object for sending email messages to AWS SES.  Absolutely none of my client's code was modified with regard to the SMTP implementation.  I may opt to replace .NET's SmtpClient with a suitable substitute (e.g. MailKit) in the future, but I have bigger fish to fry at present.

Answer

The following is the answer in Japanese, but the answer is that it cannot be confirmed by the AWS side function.

https://repost.aws/questions/QUjqhM3cINSpSJF9vjetg5HA/tls-1-1-を利用しているクライアントアプリを特定するには#ANXdz9UOW7SVeiZ9tPGxy1vQ

The following is the text translated into English.

AWS does not currently provide the ability to check the TLS version used when sending email using SES.  
There is a field named "tlsDetails" in the CloudTrail event record.  
However, SES email sending requests such as SendEmail, SendRawEmail, and email sending requests via the SMTP interface are not recorded in CloudTrail.  
https://docs.aws.amazon.com/ses/latest/dg/logging-using-cloudtrail.html

So, as described in the following document ""How can I detect if I am using TLS 1.0 or TLS 1.1?"", I think the only way to identify the problem is through code and network analysis.  
https://aws.amazon.com/jp/blogs/security/tls-1-2-required-for-aws-fips-endpoints/

Also, although it is not a way to check the version, perhaps the following document may be helpful.  
https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/enforcing-tls.html

Answer

I did a packet capture to check the TLS version. I can see I'm still sending version 1.1 despite my attempts to address the issue, so I've got work to do.

How to verify TLS version used with .NET application to SES via SMTP

Relevant content