This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "O-Saft"

From OWASP

Jump to: navigation, search

Latest revision as of 20:19, 27 July 2019

Main
FAQs
Acknowledgements
Road Map and Getting Involved
Change Log

O-Saft - check for SSL connection, certificate and ciphers(this text to make crawlers happy;-)

O-Saft

OWASP SSL advanced forensic tool / OWASP SSL audit for testers

O-Saft is an easy to use tool to show informations about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations.

It's designed to be used by penetration testers, security auditors or server administrators. The idea is to show the important informations or the special checks with a simple call of the tool. However, it provides a wide range of options so that it can be used for comprehensive and special checks by experienced people.

O-Saft is a command-line tool, so it can be used offline and in closed environments. There is also a GUI based on Tcl/Tk. However, it can simply be turned into an online CGI-tool (please read documentation first).

Introduction

Quick Installation

Download and unpack o-saft.tgz (Stable Release)
to run o-saft: Ensure that following perl modules (and their dependencies) are installed

IO::Socket::INET, IO::Socket::SSL, Net::SSLeay

Net::SSLinfo, Net::SSLhello (which are part of the tarball)

read and (re-)move o-saft-README
Show help

o-saft --help=commands

o-saft --help

Start

o-saft +info your.tld

o-saft +check your.tld

o-saft +quick your.tld

o-saft +cipherall your.tld

o-saft +cipherall --starttls=pop3 pop3.your.tld:110

o-saft +info mail.tld:25 --starttls

to run the optional checkAllCiphers (tiny program to check solely ciphers, like command '+cipherall'): It usually does not need any perl module to be additionally installed

Socket (should be part of your perl installation)

Net::SSLhello (which is part of the tarball)

NET::DNS (only needed, if option '--mx' is used)

Start

checkAllCiphers your.tld

checkAllCiphers --starttls=pop3 pop3.your.tld:110

checkAllCiphers --mx your.tld:25 --starttls=smtp

Simple GUI

o-saft.tcl

o-saft.tcl your.tld

Kali 2019

apt install o-saft # installs version 19.01.19

apt install libidn11-dev libidn2-0-dev libzip-dev libsctp-dev libkrb5-dev

cd /usr/share/o-saft

# get updated script

curl -O contrib/install_openssl.sh https://raw.githubusercontent.com/OWASP/O-Saft/master/contrib/install_openssl.sh

sh contrib/install_openssl.sh --m

# enjoy commands as described before ...

Description

The main idea is to have a tool which works on common platforms and can simply be automated.

In a Nutshell

show SSL connection details
show certificate details
check for supported ciphers
check for ciphers provided in your own libssl.so and libcrypt.so
check for ciphers without any dependency to a library (+cipherall)
checks the server's priority for ciphers (+cipherall)
check for special HTTP(S) support (like SNI, HSTS, certificate pinning, SSTP)
check for vulnerabilities (BEAST, CRIME, DROWN, FREAK, Heartbleed, Lucky 13, POODLE, RC4 Bias, Sweet32 ...)
check the length of Diffie Hellman Parameters by the cipher (+cipherall needs option '--experimental')
may check for a single attribute
may check multiple targets at once
can be scripted (headless or as CGI)
should work on any platform (just needs perl, openssl optional)
can be used in CI / CD environments
output format can be customized
various trace and debug options to hunt unusual connection problems
supports STARTTLS for various protocols like (SMTP, POP3, IMAP, LDAP, RDP, XMPP, IRC (experimental) ...),[without options using openssl]
slows down to prevent blockades of requests due to too much connections (supported for some protocols like SMTP)
Proxy is supported (besides commands using openssl)
check of STARTTLS/SMTP for all servers of a MX Resource Record (e.g. checkAllCiphers --mx your.tld:25 --starttls=smtp)
checkAllCiphers.pl and '+cipherall' support DTLS for '--experimental' use (if records are *not* fragmented)

New Features of Test Version

Quick Installation (test version)

Download and unpack: master.zip
Start INSTALL.sh (if you want:)
Enjoy new functionality:

--starttls='CUSTOM' to customize your own STARTTLS sequence including error handling, see help for '--starttls_phase1..5' and '--starttls_error1..3'
'+cipherraw' and 'checkAllCiphers.pl' changed bahavior to check sni (now the default is to use solely sni >=tls1,
new option --togglesni tests without and with sni in one call
checkAllCiphers.pl/+cipherall: shows the length of dh_parameter for ciphers with DHE and DH_anon, shows the elliptic curve that the server prefers for ECDHE (independant from openssl)
checkAllCiphers.pl/+cipherall: support of fagmented messages reassembling SSL/TLS-records

please give us feedback via the mailinglist

What is O-Saft?

O-Saft provides:

SSL connection details
certificate details
full cipher check
special HTTP(s) checks
check for SSL vulnerabilities
can be scripted
platfrom independent
customizable output
supports STARTTLS and Proxy (for most commands)

Screen Shots

Documentation

help/man page

Presentations

03.04.2017 O-Saft Workshop at [BSides Munich 2017]

Workshop Kölner IT-Security-Konferenz
17.03.2016 OWASP BeNeLux Day 2016, Luxembourg

There will be a training O-Saft - TLS/SSL in Practice.

20.05.2015 AppSecEU 2015, Amsterdam

There will be a training TLS/SSL in Practice which in particular covers O-Saft.

09.12.2014 Presentation Richtig verschlüsseln mit SSL/TLS at German OWASP Day 2014, program see here
AppSecEU 2014, Cambridge

There will be a training TLS/SSL in Practice which in particular covers O-Saft. For schedule see here.

Vortrag beim German OWASP Day 2014: Richtig verschlüsseln mit SSL/TLS
Vortrag beim Münchner OWASP-Stammtisch: Überblick über aktuelle Angriffsmöglichkeiten auf HTTPS / SSL (enthält auch ein paar Beispiele mit o-saft)

(These presentations are in German)

Project Leader

Achim Hoffmann

Licensing

OWASP O-Saft is free to use. It is licensed under the GPL v2 license.

Related Projects

Github

https://github.com/OWASP/O-Saft

Ohloh

https://www.ohloh.net/p/O-Saft

Quick Download

Stable Release (19.01.19): o-saft.tgz
more see #Change Log

Docker

A Docker Container can be found at https://hub.docker.com/r/owasp/o-saft/

News and Events

[2019] O-Saft is available as package in Kali 2019
[12. - 16.06.17] [O-Saft Track] (at OWASP Summit, London)
2013 Top Security Tools

thanks for voting O-Saft as #10 best security tools 2013

In Print / Media

Find a OWASP 24/7 podcast about the tool here.

Classifications

FAQs

Where can I get missing Perl-Modules?
This depends on your OS and Perl installation, but just try cpan <Module-Name>, e.g. cpan Net:DNS

I am connected to the internet via a Proxy
open the cpan-shell using 'cpan' and configure your proxy settings: 'o conf init /proxy/'
I can not download the requested files (the proxy needs authentication)
run 'cpan <Module-Name>' several times, read the error messages and copy the requested files manually to the paths (without any additional temporary extension of the name),
e.g. http://www.cpan.org/authors/01mailrc.txt.gz => <Your Program Path>/cpan/sources/authors/01mailrc.txt.gz

I get the Error "invalid SSL_version specified at .../perl/vendor/lib/IO/Socket/SSL.pm line ..."

add options --notlsv13 --nodtlsv1, e.g. perl o-saft.pl +info your.tld --notlsv13 --nodtlsv1
use +cipherall to check the ciphers for all protocols

My local SSL libraries do *not* support legacy Protocols like SSLv2, SSLv3 or legacy Ciphers

use o-saft.pl for all protocols that are supported by your local computer
use o-saft.pl +cipherall (or 'checkAllCiphers.pl') to get the ciphers for the missing protocols, or recompile 'Net::SSLeay' and/or openssl to support more protocols and ciphers, see Documentation INSTALLATION for details

I can not use the latest features of the test (experimental) version

Please verify that you downloaded and unpacked the 'master.zip'-Archive
some new functions are protected by the option --experimental, please add it to your command (and take care what happens)

o-saft.pl seems to hang

try one or all of following options (see Documentation Performance Problems);

--no-dns -no-http --no-cert --no-sni --no-openssl

Acknowledgements

Volunteers

O-Saft is developed by from the contributions of OWASP members. The primary contributors to date have been:

Torsten Gigler @

Repository

O-Saft's source code can be found at https://github.com/OWASP/O-Saft .

The latest stable tarball is https://github.com/OWASP/O-Saft/raw/master/o-saft.tgz

Road Map

https://www.owasp.org/index.php/Projects/O-Saft/Roadmap

Involvement in the development and promotion of O-Saft is actively encouraged!

You do not have to be a security expert in order to contribute. Contacts:

mailto: Achim at owasp dot org
Mailinglist

Some of the ways you can help:

Quality assurance: simply test O-Saft and report defects and strange responses of servers
Give some ideas how to implement scoring
Need help in implementing

authentication for proxies (BASIC, NTLM)
check for more SSL/TLS-Extensions (including obsolete ones)
check for more vulnerabilities
check the full certificate chain

Change Log

19.01.2019 Stable Release 19.01.19;
18.11.2018 Stable Release 18.11.18;
18.07.2018 Stable Release 18.07.18; bugfixes, GUI improved, docker improved, OCSP Stapling, Makefile*, contrib/build_openssl.sh
16.04.2018 Link Docker Container (pinkstar removed) as docker is supported directly
18.01.2018 Docker improved; +sni checks improved; wrapper script o-saft; +robot
17.11.2017 Dockerfile improved; +cipherall improved; bugfix: no prefered cipher for SSLv2; bit-length for serial number corrected
17.09.2017 docker build openssl with GOST and KRB5 ciphers; bugfix for BEAST and sub-domain checks
17.07.2017 docker image supported; performance improved; support unresponsive targets
17.04.2017 ALPN and NPN support improved
17.01.2017 checking OCSP improved; certificate verification corrected; performance improved
09.09.2016 GUI improved
30.08.2016 Check for new vulnerabilities DROWN
30.08.2016 Check for new vulnerabilities Sweet32
16.07.2016 new commands (checks) for STS preload, HSTS preload HSTS http-equiv
16.05.2016 code quality improved using perlcritic
15.12.2015 Stable Release 15.12.15
15.11.2015 Stable Release 15.11.15
08.01.2015, stable release 15.01.07
05.04.2015, simple GUI available o-saft.tcl
07.12.2014, stable release 14.12.07
16.11.2014, stable release 14.11.14
15.10.2014, check for Poodle vulnerability, see test version: master.zip
10.04.2014 Heartbleed check, see https://github.com/OWASP/O-Saft

Download

Stable Release (18.07.18): o-saft.tgz
Stable Release (18.01.18): o-saft.tgz
Stable Release (17.11.17): o-saft.tgz
Stable Release (17.06.17): o-saft.tgz
Stable Release (17.05.17): o-saft.tgz
Stable Release (17.04.17): o-saft.tgz
Stable Release (17.03.17): o-saft.tgz
Stable Release (16.12.16): o-saft.tgz
Stable Release (16.11.16): o-saft.tgz
Stable Release (16.09.16): o-saft.tgz
Stable Release (15.12.15): o-saft.tgz

Retrieved from "https://wiki.owasp.org/index.php?title=O-Saft&oldid=253313"

Categories:

@@ Line 47: / Line 47: @@
 : ''o-saft.tcl''
 : ''o-saft.tcl your.tld''
+* Kali 2019
+: ''apt install o-saft'' # installs version 19.01.19
+: ''apt install libidn11-dev libidn2-0-dev libzip-dev libsctp-dev libkrb5-dev''
+: ''cd /usr/share/o-saft''
+: # get updated script
+: ''curl -O contrib/install_openssl.sh https://raw.githubusercontent.com/OWASP/O-Saft/master/contrib/install_openssl.sh''
+: ''sh contrib/install_openssl.sh --m''
+: # enjoy commands as described before ...
 ====Description====
@@ Line 58: / Line 67: @@
 :* check for ciphers without any dependency to a library (+cipherall)
 :* checks the server's priority for ciphers (+cipherall)
-:* check for special HTTP(S) support (like SNI, HSTS, certificate pinning)
+:* check for special HTTP(S) support (like SNI, HSTS, certificate pinning, SSTP)
-:* check for protections against attacks (BEAST, CRIME, DROWN, FREAK, Heartbleed, Lucky 13, POODLE, RC4 Bias, Sweet32 ...)
+:* check for vulnerabilities (BEAST, CRIME, DROWN, FREAK, Heartbleed, Lucky 13, POODLE, RC4 Bias, Sweet32 ...)
 :* check the length of Diffie Hellman Parameters by the cipher (+cipherall needs option '--experimental')
 :* may check for a single attribute
@@ Line 65: / Line 74: @@
 :* can be scripted (headless or as CGI)
 :* should work on any platform (just needs perl, openssl optional)
-:* scoring for all checks (still to be improved in many ways ;-)
+:* can be used in CI / CD environments
 :* output format can be customized
 :* various trace and debug options to hunt unusual connection problems
@@ Line 80: / Line 89: @@
 :* --starttls='CUSTOM' to customize your own STARTTLS sequence including error handling, see help for '--starttls_phase1..5' and '--starttls_error1..3'
 :* '+cipherraw' and 'checkAllCiphers.pl' changed bahavior to check sni (now the default is to use solely sni >=tls1,<br>new option --togglesni tests without and with sni in one call
-:* In Improvement:
+:* checkAllCiphers.pl/+cipherall: shows the length of dh_parameter for ciphers with DHE and DH_anon, shows the elliptic curve that the server prefers for ECDHE (independant from openssl)
-::* checkAllCiphers.pl/+cipherall: check the length of dh_parameter for ciphers with DHE and DH_anon (independant from openssl, '--experimental' needed)
+:* checkAllCiphers.pl/+cipherall: support of fagmented messages reassembling SSL/TLS-records
-::* checkAllCiphers.pl/+cipherall: support of fagmented messages reassembling SSL/TLS-records ('--experimental')
 * please give us feedback via the [https://lists.owasp.org/mailman/listinfo/o-saft mailinglist]
@@ Line 116: / Line 124: @@
 == Presentations ==
+* 03.04.2017 O-Saft Workshop at <u>[[https://sites.google.com/view/bsidesmunich2017 BSides Munich 2017]]</u>
+* Workshop <u>[http://www.it-security-konferenz.de/programm.html#workshop3|3. Kölner IT-Security-Konferenz]</u>
+* 17.03.2016  <u>[[BeNeLux_OWASP_Day_2016|OWASP BeNeLux Day 2016]]</u>, Luxembourg
+: There will be a training <u>[[BeNeLux_OWASP_Day_2016#Trainingday|O-Saft - TLS/SSL in Practice]]</u>.
+* 20.05.2015 <u>[https://2015.appsec.eu/ AppSecEU 2015]</u>, Amsterdam
+: There will be a training <u>[http://2015.appsec.eu/trainings/#train4 TLS/SSL in Practice]</u> which in particular covers O-Saft.
+<!-- wenn wir eine bessere Beschreibung brauchen:
+     http://appseceurope2014.sched.org/event/0e316b9ea5c28375dcc8fd41baedd481
+-->
+* 09.12.2014 Presentation '' Richtig verschlüsseln mit SSL/TLS'' at <u>[[German_OWASP_Day_2014|German OWASP Day 2014]]</u>, program see <u>[[German_OWASP_Day_2014/Programm|here]]</u>
+* <u>[https://2014.appsec.eu/ AppSecEU 2014]</u>, Cambridge
+: There will be a training <u>[http://appseceurope2014.sched.org/event/0e316b9ea5c28375dcc8fd41baedd481 TLS/SSL in Practice]</u> which in particular covers O-Saft. For <u>[http://appseceurope2014.sched.org/ schedule see here]</u>.
 * Vortrag beim German OWASP Day 2014: <u>[[Media:Richtig_verschluesseln_mit_SSL+TLS_-_Achim_Hoffmann+Torsten_Gigler.pdf|Richtig verschlüsseln mit SSL/TLS]]</u>
 * Vortrag beim Münchner OWASP-Stammtisch: <u>[[Media:SSL-in-der-Praxis_OWASP-Stammtisch-Muenchen.pdf‎|Überblick über aktuelle Angriffsmöglichkeiten auf HTTPS / SSL]]</u> (enthält auch ein paar Beispiele mit o-saft)
@@ Line 144: / Line 164: @@
 == Quick Download ==
-* '''Stable Release (16.09.16)''': <u>[https://github.com/OWASP/O-Saft/archive/16.09.16.tar.gz o-saft.tgz]</u>
+* '''Stable Release (19.01.19)''': <u>[https://github.com/OWASP/O-Saft/archive/19.01.19.tar.gz o-saft.tgz]</u>
-* Stable Release (15.12.15): <u>[https://github.com/OWASP/O-Saft/archive/15.12.15.tar.gz o-saft.tgz]</u>
+* more see  [[#Change Log]]
-* Test Version: <u>[https://github.com/OWASP/O-Saft/archive/master.zip master.zip]</u> (September 2016)
+== Docker ==
+A Docker Container can be found at <u>https://hub.docker.com/r/owasp/o-saft/</u>
 == News and Events ==
-* 09.09.2016 GUI improved
+* [2019] O-Saft is available as package in '''Kali 2019'''
-* 30.08.2016 Check for new vulnerabilities '''Sweet32'''
+* [12. - 16.06.17] <u>[[https://owaspsummit.org/Working-Sessions/Owasp-Projects/O-Saft.html O-Saft Track]]</u> (at OWASP Summit, London)
-* 16.07.2016 new commands (checks) for STS preload, HSTS preload HSTS http-equiv
-* 16.05.2016 code quality improved using perlcritic
-* 17.03.2016  <u>[[BeNeLux_OWASP_Day_2016|OWASP BeNeLux Day 2016]]</u>, Luxembourg
-* 30.08.2016 Check for new vulnerabilities '''DROWN'''
-: There will be a training <u>[[BeNeLux_OWASP_Day_2016#Trainingday|O-Saft - TLS/SSL in Practice]]</u>.
-<!-- not yet ready to announce
-* 07.01.2016  simple '''check for SLOTH''' added (experimental)
--->
-* 15.12.2015  Stable Release '''15.12.15'''
-* 15.11.2015  Stable Release '''15.11.15'''
-* '''20.05.2015''' <u>[https://2015.appsec.eu/ AppSecEU 2015]</u>, Amsterdam
-: There will be a training <u>[http://2015.appsec.eu/trainings/#train4 TLS/SSL in Practice]</u> which in particular covers O-Saft.
-<!-- wenn wir eine bessere Beschreibung brauchen:
-     http://appseceurope2014.sched.org/event/0e316b9ea5c28375dcc8fd41baedd481
--->
-* 05.04.2015, '''simple GUI''' available <u>[https://github.com/OWASP/O-Saft/blob/master/o-saft.tcl o-saft.tcl]</u>
-* 08.01.2015, stable release '''15.01.07'''
-* '''09.12.2014''' Presentation '' Richtig verschlüsseln mit SSL/TLS'' at <u>'''[[German_OWASP_Day_2014|German OWASP Day 2014]]'''</u>, program see <u>[[German_OWASP_Day_2014/Programm|here]]</u>
-* 07.12.2014, stable release '''14.12.07'''
-* 16.11.2014, stable release '''14.11.14'''
-* 15.10.2014, check for '''Poodle''' vulnerability, see test version: <u>[https://github.com/OWASP/O-Saft/archive/master.zip master.zip]</u>
-* <u>[https://2014.appsec.eu/ AppSecEU 2014]</u>, Cambridge
-: There will be a training <u>[http://appseceurope2014.sched.org/event/0e316b9ea5c28375dcc8fd41baedd481 TLS/SSL in Practice]</u> which in particular covers O-Saft. For <u>[http://appseceurope2014.sched.org/ schedule see here]</u>.
-* Heartbleed check
-:10.04.2014, see <u>[https://github.com/OWASP/O-Saft https://github.com/OWASP/O-Saft]</u>
 * '''2013 Top Security Tools'''
 :thanks for voting <u>[http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ O-Saft as #10 best security tools 2013 ]</u>
@@ Line 256: / Line 253: @@
 {{:Projects/O-Saft}}}
 -->
+=Change Log=
+==Change Log==
+* 19.01.2019  Stable Release '''19.01.19''';
+* 18.11.2018  Stable Release '''18.11.18''';
+* 18.07.2018  Stable Release '''18.07.18'''; bugfixes, GUI improved, docker improved, OCSP Stapling, Makefile*, contrib/build_openssl.sh
+* 16.04.2018 Link Docker Container (pinkstar removed) as docker is supported directly
+<!-- Docker Containeris available at <u>https://hub.docker.com/r/punkstar/o-saft/</u>, thanks to punkstar. outdated -->
+* 18.01.2018 Docker improved; +sni checks improved; wrapper script o-saft; +robot
+* 17.11.2017 Dockerfile improved; +cipherall improved; bugfix: no prefered cipher for SSLv2; bit-length for serial number corrected
+* 17.09.2017 docker build openssl with GOST and KRB5 ciphers; bugfix for BEAST and sub-domain checks
+* 17.07.2017 docker image supported; performance improved; support unresponsive targets
+* 17.04.2017 ALPN and NPN support improved
+* 17.01.2017 checking OCSP improved; certificate verification corrected; performance improved
+* 09.09.2016 GUI improved
+* 30.08.2016 Check for new vulnerabilities '''DROWN'''
+* 30.08.2016 Check for new vulnerabilities '''Sweet32'''
+* 16.07.2016 new commands (checks) for STS preload, HSTS preload HSTS http-equiv
+* 16.05.2016 code quality improved using perlcritic
+<!-- not yet ready to announce
+* 07.01.2016  simple '''check for SLOTH''' added (experimental)
+-->
+* 15.12.2015  Stable Release '''15.12.15'''
+* 15.11.2015  Stable Release '''15.11.15'''
+* 08.01.2015, stable release '''15.01.07'''
+* 05.04.2015, '''simple GUI''' available <u>[https://github.com/OWASP/O-Saft/blob/master/o-saft.tcl o-saft.tcl]</u>
+* 07.12.2014, stable release '''14.12.07'''
+* 16.11.2014, stable release '''14.11.14'''
+* 15.10.2014, check for '''Poodle''' vulnerability, see test version: <u>[https://github.com/OWASP/O-Saft/archive/master.zip master.zip]</u>
+* 10.04.2014 Heartbleed check, see <u>[https://github.com/OWASP/O-Saft https://github.com/OWASP/O-Saft]</u>
+== Download ==
+* Stable Release (18.07.18): <u>[https://github.com/OWASP/O-Saft/archive/18.07.18.tar.gz o-saft.tgz]</u>
+* Stable Release (18.01.18): <u>[https://github.com/OWASP/O-Saft/archive/18.01.18.tar.gz o-saft.tgz]</u>
+* Stable Release (17.11.17): <u>[https://github.com/OWASP/O-Saft/archive/17.11.17.tar.gz o-saft.tgz]</u>
+* Stable Release (17.06.17): <u>[https://github.com/OWASP/O-Saft/archive/17.06.17.tar.gz o-saft.tgz]</u>
+* Stable Release (17.05.17): <u>[https://github.com/OWASP/O-Saft/archive/17.05.17.tar.gz o-saft.tgz]</u>
+* Stable Release (17.04.17): <u>[https://github.com/OWASP/O-Saft/archive/17.04.17.tar.gz o-saft.tgz]</u>
+* Stable Release (17.03.17): <u>[https://github.com/OWASP/O-Saft/archive/17.03.17.tar.gz o-saft.tgz]</u>
+* Stable Release (16.12.16): <u>[https://github.com/OWASP/O-Saft/archive/16.12.16.tar.gz o-saft.tgz]</u>
+* Stable Release (16.11.16): <u>[https://github.com/OWASP/O-Saft/archive/16.11.16.tar.gz o-saft.tgz]</u>
+* Stable Release (16.09.16): <u>[https://github.com/OWASP/O-Saft/archive/16.09.16.tar.gz o-saft.tgz]</u>
+* Stable Release (15.12.15): <u>[https://github.com/OWASP/O-Saft/archive/15.12.15.tar.gz o-saft.tgz]</u>
 __NOTOC__ <headertabs />
 [[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Tool]] [[Category:SSL]]  [[Category:Test]]