Difference between revisions of "O-Saft/Documentation"
From OWASP
(page created) |
(first part of man-page) |
||
| Line 3: | Line 3: | ||
o-saft.pl --help | o-saft.pl --help | ||
| − | + | <headertabs /> | |
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]] | [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]] | ||
| + | ---- | ||
| + | ==== NAME ==== | ||
| + | : o-saft.pl - OWASP SSL audit for testers | ||
| + | : OWASP SSL advanced forensic tool | ||
| + | : | ||
| + | ==== DESCRIPTION==== | ||
| + | : This tools lists information about remote target's SSL certificate | ||
| + | : and tests the remote target according given list of ciphers. | ||
| + | : | ||
| + | : Note: Throughout this description $0 is used as an alias for the | ||
| + | : program name "o-saft.pl" . | ||
| + | |||
| + | ==== SYNOPSIS==== | ||
| + | : o-saft.pl [COMMANDS ..] [OPTIONS ..] target [target target ...] | ||
| + | : | ||
| + | : Where [COMMANDS] and [OPTIONS] are described below and "target" | ||
| + | : is a hostname either as full qualified domain name or as IP address. | ||
| + | : Multiple commands and targets may be combined. | ||
| + | : | ||
| + | : All commands and options can also be specified in a rc-file, see | ||
| + | : RC-FILE below. | ||
| + | ====QUICKSTART==== | ||
| + | : Before going into a detailed description of the purpose and usage, | ||
| + | : here are some examples of the most common use cases: | ||
| + | |||
| + | : Show supported (enabled) ciphers of target: | ||
| + | o-saft.pl +cipher --enabled example.tld | ||
| + | |||
| + | : Show details of certificate and connection of target: | ||
| + | o-saft.pl +info example.tld | ||
| + | |||
| + | : Check certificate, ciphers and SSL connection of target: | ||
| + | o-saft.pl +check example.tld | ||
| + | |||
| + | : List all available commands: | ||
| + | o-saft.pl --help=commands | ||
| + | |||
| + | : For more specialised test cases, refer to the COMMANDS and OPTIONS | ||
| + | : sections below. | ||
| + | |||
| + | : If no command is given, +cipher is used. | ||
| + | |||
| + | ==== WHY? ==== | ||
| + | : Why a new tool for checking SSL security and configuration when there | ||
| + | : are already a dozen or more such tools in existence (circa 2012)? | ||
| + | : Currently available tools suffer from some or all of following issues: | ||
| + | |||
| + | : * lack of tests of unusual ciphers | ||
| + | |||
| + | : * lack of tests of unusual SSL certificate configurations | ||
| + | |||
| + | : * may return different results for the same checks on a given target | ||
| + | : * missing tests for modern SSL/TLS functionality | ||
| + | |||
| + | : * missing tests for specific, known SSL/TLS vulnerabilities | ||
| + | |||
| + | : * no support for newer, advanced, features e.g. CRL, OCSP, EV | ||
| + | |||
| + | : * limited capability to create your own customised tests | ||
| + | |||
| + | : Other reasons or problems are that they are either binary and hence | ||
| + | : not portable to other (newer) platforms. | ||
| + | |||
| + | : In contrast to (all?) most other tools, including openssl, it can be | ||
| + | : used to `ask simple questions' like `does target support STS' just by | ||
| + | : calling: | ||
| + | |||
| + | o-saft.pl +cipher +hsts_sts example.tld | ||
| + | |||
| + | : For more, please see EXAMPLES section below. | ||
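Review bot: The added text points at sections this revision does not add: "see RC-FILE below" in SYNOPSIS, "refer to the COMMANDS and OPTIONS sections below" in QUICKSTART, and "please see EXAMPLES section below" in WHY?. The edit summary says this is only the first part of the man page, so either add those sections in the same edit or hold the forward references back until they exist. In WHY?, "they are either binary and hence not portable" has an "either" with no second alternative; complete the sentence or drop the word. Smaller points: DESCRIPTION has "This tools lists" and "according given list of ciphers" (should read "This tool lists" and "according to a given list"), the heading markup is spaced three different ways ("==== NAME ====", "==== DESCRIPTION====", "====QUICKSTART===="), and the STS example passes +cipher together with +hsts_sts although the question being asked is only about STS; if +cipher is not required there, remove it so the example matches the claim.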
Revision as of 22:44, 28 May 2014
O-Saft
This is O-Saft's documentation as you get with
o-saft.pl --help
NAME
- o-saft.pl - OWASP SSL audit for testers
- OWASP SSL advanced forensic tool
DESCRIPTION
- This tool lists information about the remote target's SSL certificate
- and tests the remote target according to a given list of ciphers.
- Note: Throughout this description $0 is used as an alias for the
- program name "o-saft.pl" .
SYNOPSIS
- o-saft.pl [COMMANDS ..] [OPTIONS ..] target [target target ...]
- Where [COMMANDS] and [OPTIONS] are described below and "target"
- is a hostname, either as a fully qualified domain name or as an IP address.
- Multiple commands and targets may be combined.
- All commands and options can also be specified in a rc-file, see
- RC-FILE below.
QUICKSTART
- Before going into a detailed description of the purpose and usage,
- here are some examples of the most common use cases:
- Show supported (enabled) ciphers of target:
o-saft.pl +cipher --enabled example.tld
- Show details of certificate and connection of target:
o-saft.pl +info example.tld
- Check certificate, ciphers and SSL connection of target:
o-saft.pl +check example.tld
- List all available commands:
o-saft.pl --help=commands
- For more specialised test cases, refer to the COMMANDS and OPTIONS
- sections below.
- If no command is given, +cipher is used.
WHY?
- Why a new tool for checking SSL security and configuration when there
- are already a dozen or more such tools in existence (circa 2012)?
- Currently available tools suffer from some or all of the following issues:
- * lack of tests of unusual ciphers
- * lack of tests of unusual SSL certificate configurations
- * may return different results for the same checks on a given target
- * missing tests for modern SSL/TLS functionality
- * missing tests for specific, known SSL/TLS vulnerabilities
- * no support for newer, advanced features, e.g. CRL, OCSP, EV
- * limited capability to create your own customised tests
- Another problem is that they are binary and hence
- not portable to other (newer) platforms.
- In contrast to (all?) most other tools, including openssl, it can be
- used to `ask simple questions' like `does target support STS' just by
- calling:
o-saft.pl +cipher +hsts_sts example.tld
- For more, please see the EXAMPLES section below.