noid-privacy/Modules/AdvancedSecurity/Private/Test-LegacyTLS.ps1

function Test-LegacyTLS {
    <#
    .SYNOPSIS
        Test Legacy TLS configuration compliance
    
    .DESCRIPTION
        Verifies that TLS 1.0 and TLS 1.1 are disabled for both Client and Server.
    
    .OUTPUTS
        PSCustomObject with compliance details
    #>
    [CmdletBinding()]
    param()
    
    try {
        $result = [PSCustomObject]@{
            Feature = "Legacy TLS (1.0/1.1)"
            Status = "Unknown"
            Details = @()
            Compliant = $true
        }
        
        $tlsVersions = @("TLS 1.0", "TLS 1.1")
        $components = @("Server", "Client")
        $nonCompliantCount = 0
        
        foreach ($version in $tlsVersions) {
            foreach ($component in $components) {
                $regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$version\$component"
                
                if (Test-Path $regPath) {
                    $enabled = (Get-ItemProperty -Path $regPath -Name "Enabled" -ErrorAction SilentlyContinue).Enabled
                    $disabledByDefault = (Get-ItemProperty -Path $regPath -Name "DisabledByDefault" -ErrorAction SilentlyContinue).DisabledByDefault
                    
                    if ($enabled -eq 0) {
                        # Compliant
                    }
                    elseif ($null -eq $enabled -and $disabledByDefault -eq 1) {
                        # Compliant (implicitly disabled)
                    }
                    else {
                        $result.Details += "$version $component is NOT disabled (Enabled=$enabled)"
                        $nonCompliantCount++
                    }
                }
                else {
                    # Key missing usually means default (Enabled on old OS, Disabled on very new OS)
                    # For hardening, we expect explicit disable keys
                    $result.Details += "$version $component registry keys missing"
                    $nonCompliantCount++
                }
            }
        }
        
        if ($nonCompliantCount -eq 0) {
            $result.Status = "Secure (Disabled)"
            $result.Compliant = $true
        }
        else {
            $result.Status = "Insecure ($nonCompliantCount issues)"
            $result.Compliant = $false
        }
        
        return $result
    }
    catch {
        Write-Log -Level ERROR -Message "Failed to test Legacy TLS: $_" -Module "AdvancedSecurity"
        return [PSCustomObject]@{
            Feature = "Legacy TLS (1.0/1.1)"
            Status = "Error"
            Details = @("Failed to test: $_")
            Compliant = $false
        }
    }
}