This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "O-Saft/Documentation"
From OWASP
(frist part of man-page) |
(→QUICKSTART) |
||
| Line 46: | Line 46: | ||
: sections below. | : sections below. | ||
| − | : If no command is given, +cipher is used. | + | : If no command is given, ''+cipher'' is used. |
==== WHY? ==== | ==== WHY? ==== | ||
Revision as of 22:55, 28 May 2014
O-Saft
This is O-Saft's documentation as you get with
o-saft.pl --help
NAME
- o-saft.pl - OWASP SSL audit for testers
- OWASP SSL advanced forensic tool
DESCRIPTION
- This tools lists information about remote target's SSL certificate
- and tests the remote target according given list of ciphers.
- Note: Throughout this description $0 is used as an alias for the
- program name "o-saft.pl" .
SYNOPSIS
- o-saft.pl [COMMANDS ..] [OPTIONS ..] target [target target ...]
- Where [COMMANDS] and [OPTIONS] are described below and "target"
- is a hostname either as full qualified domain name or as IP address.
- Multiple commands and targets may be combined.
- All commands and options can also be specified in a rc-file, see
- RC-FILE below.
QUICKSTART
- Before going into a detailed description of the purpose and usage,
- here are some examples of the most common use cases:
- Show supported (enabled) ciphers of target:
o-saft.pl +cipher --enabled example.tld
- Show details of certificate and connection of target:
o-saft.pl +info example.tld
- Check certificate, ciphers and SSL connection of target:
o-saft.pl +check example.tld
- List all available commands:
o-saft.pl --help=commands
- For more specialised test cases, refer to the COMMANDS and OPTIONS
- sections below.
- If no command is given, +cipher is used.
WHY?
- Why a new tool for checking SSL security and configuration when there
- are already a dozen or more such tools in existence (circa 2012)?
- Currently available tools suffer from some or all of following issues:
- * lack of tests of unusual ciphers
- * lack of tests of unusual SSL certificate configurations
- * may return different results for the same checks on a given target
- * missing tests for modern SSL/TLS functionality
- * missing tests for specific, known SSL/TLS vulnerabilities
- * no support for newer, advanced, features e.g. CRL, OCSP, EV
- * limited capability to create your own customised tests
- Other reasons or problems are that they are either binary and hence
- not portable to other (newer) platforms.
- In contrast to (all?) most other tools, including openssl, it can be
- used to `ask simple questions' like `does target support STS' just by
- calling:
o-saft.pl +cipher +hsts_sts example.tld
- For more, please see EXAMPLES section below.
