This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "O-Saft"
(→Presentations: styles improved) |
(→Introduction) |
||
(29 intermediate revisions by the same user not shown) | |||
Line 47: | Line 47: | ||
: ''o-saft.tcl'' | : ''o-saft.tcl'' | ||
: ''o-saft.tcl your.tld'' | : ''o-saft.tcl your.tld'' | ||
+ | |||
+ | * Kali 2019 | ||
+ | : ''apt install o-saft'' # installs version 19.01.19 | ||
+ | : ''apt install libidn11-dev libidn2-0-dev libzip-dev libsctp-dev libkrb5-dev'' | ||
+ | : ''cd /usr/share/o-saft'' | ||
+ | : # get updated script | ||
+ | : ''curl -O contrib/install_openssl.sh https://raw.githubusercontent.com/OWASP/O-Saft/master/contrib/install_openssl.sh'' | ||
+ | : ''sh contrib/install_openssl.sh --m'' | ||
+ | : # enjoy commands as described before ... | ||
====Description==== | ====Description==== | ||
Line 58: | Line 67: | ||
:* check for ciphers without any dependency to a library (+cipherall) | :* check for ciphers without any dependency to a library (+cipherall) | ||
:* checks the server's priority for ciphers (+cipherall) | :* checks the server's priority for ciphers (+cipherall) | ||
− | :* check for special HTTP(S) support (like SNI, HSTS, certificate pinning) | + | :* check for special HTTP(S) support (like SNI, HSTS, certificate pinning, SSTP) |
− | :* check for | + | :* check for vulnerabilities (BEAST, CRIME, DROWN, FREAK, Heartbleed, Lucky 13, POODLE, RC4 Bias, Sweet32 ...) |
:* check the length of Diffie Hellman Parameters by the cipher (+cipherall needs option '--experimental') | :* check the length of Diffie Hellman Parameters by the cipher (+cipherall needs option '--experimental') | ||
:* may check for a single attribute | :* may check for a single attribute | ||
Line 65: | Line 74: | ||
:* can be scripted (headless or as CGI) | :* can be scripted (headless or as CGI) | ||
:* should work on any platform (just needs perl, openssl optional) | :* should work on any platform (just needs perl, openssl optional) | ||
− | :* | + | :* can be used in CI / CD environments |
:* output format can be customized | :* output format can be customized | ||
:* various trace and debug options to hunt unusual connection problems | :* various trace and debug options to hunt unusual connection problems | ||
Line 115: | Line 124: | ||
== Presentations == | == Presentations == | ||
− | * 03.04. | + | * 03.04.2017 O-Saft Workshop at <u>[[https://sites.google.com/view/bsidesmunich2017 BSides Munich 2017]]</u> |
* Workshop <u>[http://www.it-security-konferenz.de/programm.html#workshop3|3. Kölner IT-Security-Konferenz]</u> | * Workshop <u>[http://www.it-security-konferenz.de/programm.html#workshop3|3. Kölner IT-Security-Konferenz]</u> | ||
Line 155: | Line 164: | ||
== Quick Download == | == Quick Download == | ||
− | * '''Stable Release ( | + | * '''Stable Release (19.01.19)''': <u>[https://github.com/OWASP/O-Saft/archive/19.01.19.tar.gz o-saft.tgz]</u> |
− | |||
* more see [[#Change Log]] | * more see [[#Change Log]] | ||
+ | |||
+ | == Docker == | ||
+ | A Docker Container can be found at <u>https://hub.docker.com/r/owasp/o-saft/</u> | ||
== News and Events == | == News and Events == | ||
+ | * [2019] O-Saft is available as package in '''Kali 2019''' | ||
* [12. - 16.06.17] <u>[[https://owaspsummit.org/Working-Sessions/Owasp-Projects/O-Saft.html O-Saft Track]]</u> (at OWASP Summit, London) | * [12. - 16.06.17] <u>[[https://owaspsummit.org/Working-Sessions/Owasp-Projects/O-Saft.html O-Saft Track]]</u> (at OWASP Summit, London) | ||
* '''2013 Top Security Tools''' | * '''2013 Top Security Tools''' | ||
Line 244: | Line 256: | ||
=Change Log= | =Change Log= | ||
==Change Log== | ==Change Log== | ||
+ | * 19.01.2019 Stable Release '''19.01.19'''; | ||
+ | * 18.11.2018 Stable Release '''18.11.18'''; | ||
+ | * 18.07.2018 Stable Release '''18.07.18'''; bugfixes, GUI improved, docker improved, OCSP Stapling, Makefile*, contrib/build_openssl.sh | ||
+ | * 16.04.2018 Link Docker Container (pinkstar removed) as docker is supported directly | ||
+ | <!-- Docker Containeris available at <u>https://hub.docker.com/r/punkstar/o-saft/</u>, thanks to punkstar. outdated --> | ||
+ | * 18.01.2018 Docker improved; +sni checks improved; wrapper script o-saft; +robot | ||
+ | * 17.11.2017 Dockerfile improved; +cipherall improved; bugfix: no prefered cipher for SSLv2; bit-length for serial number corrected | ||
+ | * 17.09.2017 docker build openssl with GOST and KRB5 ciphers; bugfix for BEAST and sub-domain checks | ||
+ | * 17.07.2017 docker image supported; performance improved; support unresponsive targets | ||
* 17.04.2017 ALPN and NPN support improved | * 17.04.2017 ALPN and NPN support improved | ||
* 17.01.2017 checking OCSP improved; certificate verification corrected; performance improved | * 17.01.2017 checking OCSP improved; certificate verification corrected; performance improved | ||
Line 264: | Line 285: | ||
== Download == | == Download == | ||
+ | * Stable Release (18.07.18): <u>[https://github.com/OWASP/O-Saft/archive/18.07.18.tar.gz o-saft.tgz]</u> | ||
+ | * Stable Release (18.01.18): <u>[https://github.com/OWASP/O-Saft/archive/18.01.18.tar.gz o-saft.tgz]</u> | ||
+ | * Stable Release (17.11.17): <u>[https://github.com/OWASP/O-Saft/archive/17.11.17.tar.gz o-saft.tgz]</u> | ||
+ | * Stable Release (17.06.17): <u>[https://github.com/OWASP/O-Saft/archive/17.06.17.tar.gz o-saft.tgz]</u> | ||
+ | * Stable Release (17.05.17): <u>[https://github.com/OWASP/O-Saft/archive/17.05.17.tar.gz o-saft.tgz]</u> | ||
* Stable Release (17.04.17): <u>[https://github.com/OWASP/O-Saft/archive/17.04.17.tar.gz o-saft.tgz]</u> | * Stable Release (17.04.17): <u>[https://github.com/OWASP/O-Saft/archive/17.04.17.tar.gz o-saft.tgz]</u> | ||
* Stable Release (17.03.17): <u>[https://github.com/OWASP/O-Saft/archive/17.03.17.tar.gz o-saft.tgz]</u> | * Stable Release (17.03.17): <u>[https://github.com/OWASP/O-Saft/archive/17.03.17.tar.gz o-saft.tgz]</u> |
Latest revision as of 20:19, 27 July 2019
O-Saft
O-Saft is an easy to use tool to show informations about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations. It's designed to be used by penetration testers, security auditors or server administrators. The idea is to show the important informations or the special checks with a simple call of the tool. However, it provides a wide range of options so that it can be used for comprehensive and special checks by experienced people. O-Saft is a command-line tool, so it can be used offline and in closed environments. There is also a GUI based on Tcl/Tk. However, it can simply be turned into an online CGI-tool (please read documentation first). Introduction
DescriptionThe main idea is to have a tool which works on common platforms and can simply be automated.
New Features of Test Version
|
What is O-Saft?O-Saft provides:
Screen ShotsDocumentationPresentations
(These presentations are in German) Project LeaderAchim Hoffmann LicensingOWASP O-Saft is free to use. It is licensed under the GPL v2 license. Related ProjectsGithubOhloh |
Quick Download
DockerA Docker Container can be found at https://hub.docker.com/r/owasp/o-saft/ News and Events
In Print / MediaFind a OWASP 24/7 podcast about the tool here. Classifications |
- FAQs
- Where can I get missing Perl-Modules?
This depends on your OS and Perl installation, but just try cpan <Module-Name>, e.g. cpan Net:DNS
- I am connected to the internet via a Proxy
open the cpan-shell using 'cpan' and configure your proxy settings: 'o conf init /proxy/' - I can not download the requested files (the proxy needs authentication)
run 'cpan <Module-Name>' several times, read the error messages and copy the requested files manually to the paths (without any additional temporary extension of the name),
e.g. http://www.cpan.org/authors/01mailrc.txt.gz => <Your Program Path>/cpan/sources/authors/01mailrc.txt.gz
- I am connected to the internet via a Proxy
- I get the Error "invalid SSL_version specified at .../perl/vendor/lib/IO/Socket/SSL.pm line ..."
- add options --notlsv13 --nodtlsv1, e.g. perl o-saft.pl +info your.tld --notlsv13 --nodtlsv1
- use +cipherall to check the ciphers for all protocols
- My local SSL libraries do *not* support legacy Protocols like SSLv2, SSLv3 or legacy Ciphers
- use o-saft.pl for all protocols that are supported by your local computer
- use o-saft.pl +cipherall (or 'checkAllCiphers.pl') to get the ciphers for the missing protocols, or recompile 'Net::SSLeay' and/or openssl to support more protocols and ciphers, see Documentation INSTALLATION for details
- I can not use the latest features of the test (experimental) version
- Please verify that you downloaded and unpacked the 'master.zip'-Archive
- some new functions are protected by the option --experimental, please add it to your command (and take care what happens)
- o-saft.pl seems to hang
- try one or all of following options (see Documentation Performance Problems);
- --no-dns -no-http --no-cert --no-sni --no-openssl
- Acknowledgements
Volunteers
O-Saft is developed by from the contributions of OWASP members. The primary contributors to date have been:
Repository
O-Saft's source code can be found at https://github.com/OWASP/O-Saft .
The latest stable tarball is https://github.com/OWASP/O-Saft/raw/master/o-saft.tgz
- Road Map
https://www.owasp.org/index.php/Projects/O-Saft/Roadmap
- Involvement in the development and promotion of O-Saft is actively encouraged!
You do not have to be a security expert in order to contribute. Contacts:
- mailto: Achim at owasp dot org
- Mailinglist
Some of the ways you can help:
- Quality assurance: simply test O-Saft and report defects and strange responses of servers
- Give some ideas how to implement scoring
- Need help in implementing
- authentication for proxies (BASIC, NTLM)
- check for more SSL/TLS-Extensions (including obsolete ones)
- check for more vulnerabilities
- check the full certificate chain
Change Log
- 19.01.2019 Stable Release 19.01.19;
- 18.11.2018 Stable Release 18.11.18;
- 18.07.2018 Stable Release 18.07.18; bugfixes, GUI improved, docker improved, OCSP Stapling, Makefile*, contrib/build_openssl.sh
- 16.04.2018 Link Docker Container (pinkstar removed) as docker is supported directly
- 18.01.2018 Docker improved; +sni checks improved; wrapper script o-saft; +robot
- 17.11.2017 Dockerfile improved; +cipherall improved; bugfix: no prefered cipher for SSLv2; bit-length for serial number corrected
- 17.09.2017 docker build openssl with GOST and KRB5 ciphers; bugfix for BEAST and sub-domain checks
- 17.07.2017 docker image supported; performance improved; support unresponsive targets
- 17.04.2017 ALPN and NPN support improved
- 17.01.2017 checking OCSP improved; certificate verification corrected; performance improved
- 09.09.2016 GUI improved
- 30.08.2016 Check for new vulnerabilities DROWN
- 30.08.2016 Check for new vulnerabilities Sweet32
- 16.07.2016 new commands (checks) for STS preload, HSTS preload HSTS http-equiv
- 16.05.2016 code quality improved using perlcritic
- 15.12.2015 Stable Release 15.12.15
- 15.11.2015 Stable Release 15.11.15
- 08.01.2015, stable release 15.01.07
- 05.04.2015, simple GUI available o-saft.tcl
- 07.12.2014, stable release 14.12.07
- 16.11.2014, stable release 14.11.14
- 15.10.2014, check for Poodle vulnerability, see test version: master.zip
- 10.04.2014 Heartbleed check, see https://github.com/OWASP/O-Saft
Download
- Stable Release (18.07.18): o-saft.tgz
- Stable Release (18.01.18): o-saft.tgz
- Stable Release (17.11.17): o-saft.tgz
- Stable Release (17.06.17): o-saft.tgz
- Stable Release (17.05.17): o-saft.tgz
- Stable Release (17.04.17): o-saft.tgz
- Stable Release (17.03.17): o-saft.tgz
- Stable Release (16.12.16): o-saft.tgz
- Stable Release (16.11.16): o-saft.tgz
- Stable Release (16.09.16): o-saft.tgz
- Stable Release (15.12.15): o-saft.tgz