This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "O-Saft/Documentation"
From OWASP
(→QUICKSTART) |
(→SYNOPSIS) |
||
| Line 21: | Line 21: | ||
: o-saft.pl [COMMANDS ..] [OPTIONS ..] target [target target ...] | : o-saft.pl [COMMANDS ..] [OPTIONS ..] target [target target ...] | ||
: | : | ||
| − | : Where [COMMANDS] and [OPTIONS] are described below and | + | : Where [COMMANDS] and [OPTIONS] are described below and <code>target</code> |
: is a hostname either as full qualified domain name or as IP address. | : is a hostname either as full qualified domain name or as IP address. | ||
: Multiple commands and targets may be combined. | : Multiple commands and targets may be combined. | ||
: | : | ||
: All commands and options can also be specified in a rc-file, see | : All commands and options can also be specified in a rc-file, see | ||
| − | : RC-FILE below. | + | : [[#RC-FILE|RC-FILE]] below. |
| + | |||
====QUICKSTART==== | ====QUICKSTART==== | ||
: Before going into a detailed description of the purpose and usage, | : Before going into a detailed description of the purpose and usage, | ||
Revision as of 23:06, 28 May 2014
O-Saft
This is O-Saft's documentation as you get with
o-saft.pl --help
NAME
- o-saft.pl - OWASP SSL audit for testers
- OWASP SSL advanced forensic tool
DESCRIPTION
- This tools lists information about remote target's SSL certificate
- and tests the remote target according given list of ciphers.
- Note: Throughout this description $0 is used as an alias for the
- program name "o-saft.pl" .
SYNOPSIS
- o-saft.pl [COMMANDS ..] [OPTIONS ..] target [target target ...]
- Where [COMMANDS] and [OPTIONS] are described below and
target - is a hostname either as full qualified domain name or as IP address.
- Multiple commands and targets may be combined.
- All commands and options can also be specified in a rc-file, see
- RC-FILE below.
QUICKSTART
- Before going into a detailed description of the purpose and usage,
- here are some examples of the most common use cases:
- Show supported (enabled) ciphers of target:
o-saft.pl +cipher --enabled example.tld
- Show details of certificate and connection of target:
o-saft.pl +info example.tld
- Check certificate, ciphers and SSL connection of target:
o-saft.pl +check example.tld
- List all available commands:
o-saft.pl --help=commands
- If no command is given, +cipher is used.
WHY?
- Why a new tool for checking SSL security and configuration when there
- are already a dozen or more such tools in existence (circa 2012)?
- Currently available tools suffer from some or all of following issues:
- * lack of tests of unusual ciphers
- * lack of tests of unusual SSL certificate configurations
- * may return different results for the same checks on a given target
- * missing tests for modern SSL/TLS functionality
- * missing tests for specific, known SSL/TLS vulnerabilities
- * no support for newer, advanced, features e.g. CRL, OCSP, EV
- * limited capability to create your own customised tests
- Other reasons or problems are that they are either binary and hence
- not portable to other (newer) platforms.
- In contrast to (all?) most other tools, including openssl, it can be
- used to `ask simple questions' like `does target support STS' just by
- calling:
o-saft.pl +cipher +hsts_sts example.tld
- For more, please see EXAMPLES section below.
