This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "O-Saft/Documentation"
From OWASP
(→+list) |
(→+version) |
||
| Line 179: | Line 179: | ||
: that it uses, then exit. | : that it uses, then exit. | ||
| − | : Use | + | : Use ''--v'' option to show more details. |
====== +libversion====== | ====== +libversion====== | ||
Revision as of 23:32, 28 May 2014
O-Saft
This is O-Saft's documentation as you get with
o-saft.pl --help
NAME
- o-saft.pl - OWASP SSL audit for testers
- OWASP SSL advanced forensic tool
DESCRIPTION
- This tools lists information about remote target's SSL certificate
- and tests the remote target according given list of ciphers.
- Note: Throughout this description
$0is used as an alias for the - program name
o-saft.pl.
SYNOPSIS
- o-saft.pl [COMMANDS ..] [OPTIONS ..] target [target target ...]
- Where [COMMANDS] and [OPTIONS] are described below and
target - is a hostname either as full qualified domain name or as IP address.
- Multiple commands and targets may be combined.
- All commands and options can also be specified in a rc-file, see
- RC-FILE below.
QUICKSTART
- Before going into a detailed description of the purpose and usage,
- here are some examples of the most common use cases:
- Show supported (enabled) ciphers of target:
o-saft.pl +cipher --enabled example.tld
- Show details of certificate and connection of target:
o-saft.pl +info example.tld
- Check certificate, ciphers and SSL connection of target:
o-saft.pl +check example.tld
- List all available commands:
o-saft.pl --help=commands
- If no command is given, +cipher is used.
WHY?
- Why a new tool for checking SSL security and configuration when there
- are already a dozen or more such tools in existence (circa 2012)?
- Currently available tools suffer from some or all of following issues:
- * lack of tests of unusual ciphers
- * lack of tests of unusual SSL certificate configurations
- * may return different results for the same checks on a given target
- * missing tests for modern SSL/TLS functionality
- * missing tests for specific, known SSL/TLS vulnerabilities
- * no support for newer, advanced, features e.g. CRL, OCSP, EV
- * limited capability to create your own customised tests
- Other reasons or problems are that they are either binary and hence
- not portable to other (newer) platforms.
- In contrast to (all?) most other tools, including openssl, it can be
- used to `ask simple questions' like `does target support STS' just by
- calling:
o-saft.pl +cipher +hsts_sts example.tld
- For more, please see EXAMPLES section below.
RESULTS
- For the results, we have to distinguish those returned by +cipher
- command and those from all other tests and checks like +check or
- +info command.
+cipher
- The cipher checks will return one line for each tested cipher. It
- contains at least the cipher name,
yesornowhether it's - supported or not, and a security qualification. It may look like:
AES256-SHA yes HIGH
NULL-SHA no weak
- Depending on the used --legacy=* option the format may differ
- and also contain more information. For details see --legacy=*
- option below.
- The text for security qualifications are mainly those returned by
- openssl (version 1.0.1): LOW, MEDIUM, HIGH and WEAK.
- The same texts but with all lower case characters are used if the
- qualification was adapted herein.
+check
- These tests return a line with a label describing the test and a
- test result for it. The idea is to report
yesif the result - is considered "secure" and report the reason why it is considered
- insecure otherwise. Example of a check considered secure:
Label of the performed check: yes
- Example of a check considered insecure:
Label of the performed check: no (reason why)
- Note that there are tests where the results appear confusing when
- first viewed, like for www.wi.ld:
Certificate is valid according given hostname: no (*.wi.ld)
Certificate's wildcard does not match hostname: yes
- This can for example occur with:
Certificate Common Name: *.wi.ld
Certificate Subject's Alternate Names: DNS:www.wi.ld
- Please check the result with the +info command also to verify
- if the check sounds reasonable.
+info
- The test result contains detailed information. The labels there
- are mainly the same as for the "+check" command.
- ll output is designed to make it easily parsable by postprocessors.
- lease see OUTPUT section below for details.
COMMANDS
- There are commands for various tests according the SSL connection to
- the target, the targets certificate and the used ciphers.
- All commands are preceded by a
+to easily distinguish from other - arguments and options. However, some --OPT options are treated as
- commands for historical reason or compatibility to other programs.
- The most important commands are (in alphabetical order):
+check +cipher +info +http +list +quick +sni +sni_check +version
- A list of all available commands will be printed with
o-saft.pl --help=cmd
- The summary and internal commands return requested information or the
- results of checks. These are described below.
- The description of all other commands will be printed with
o-saft.pl --help=commands
Commands for information about this tool
- All these commands will exit after execution (cannot be used together
- with other commands).
+ciphers
- Show ciphers offerd by local SSL implementation.
+list
- Show all ciphers known by this tool. This includes cryptogrphic
- details of the cipher and some internal details about the rating.
- Use --v option to show more details.
+abbr +abk
- Show common abbreviation used in the world of security.
+version
- Show version information for both the program and the Perl modules
- that it uses, then exit.
- Use --v option to show more details.
+libversion
- Show version of openssl.
+todo
- Show known problems and bugs.
