Difference between revisions of "O-Saft/Documentation"
From OWASP
Edit summaries of the compared revisions: "RESULTS added" and "RESULTS completed".
Revision as of 23:24, 28 May 2014
O-Saft
This is O-Saft's documentation as you get with
o-saft.pl --help
NAME
- o-saft.pl - OWASP SSL audit for testers
- OWASP SSL advanced forensic tool
DESCRIPTION
- This tool lists information about a remote target's SSL certificate
- and tests the remote target according to the given list of ciphers.
- Note: Throughout this description $0 is used as an alias for the
- program name o-saft.pl.
SYNOPSIS
- o-saft.pl [COMMANDS ..] [OPTIONS ..] target [target target ...]
- Where [COMMANDS] and [OPTIONS] are described below and target
- is a hostname, either as fully qualified domain name or as IP address.
- Multiple commands and targets may be combined.
- All commands and options can also be specified in a rc-file, see
- RC-FILE below.
QUICKSTART
- Before going into a detailed description of the purpose and usage,
- here are some examples of the most common use cases:
- Show supported (enabled) ciphers of target:
o-saft.pl +cipher --enabled example.tld
- Show details of certificate and connection of target:
o-saft.pl +info example.tld
- Check certificate, ciphers and SSL connection of target:
o-saft.pl +check example.tld
- List all available commands:
o-saft.pl --help=commands
- If no command is given, +cipher is used.
WHY?
- Why a new tool for checking SSL security and configuration when there
- are already a dozen or more such tools in existence (circa 2012)?
- Currently available tools suffer from some or all of the following issues:
- * lack of tests of unusual ciphers
- * lack of tests of unusual SSL certificate configurations
- * may return different results for the same checks on a given target
- * missing tests for modern SSL/TLS functionality
- * missing tests for specific, known SSL/TLS vulnerabilities
- * no support for newer, advanced, features e.g. CRL, OCSP, EV
- * limited capability to create your own customised tests
- Another problem is that some of them are binary only and hence
- not portable to other (newer) platforms.
- In contrast to (all?) most other tools, including openssl, it can be
- used to `ask simple questions' like `does target support STS' just by
- calling:
o-saft.pl +cipher +hsts_sts example.tld
- For more, please see EXAMPLES section below.
RESULTS
- For the results, we have to distinguish those returned by the +cipher
- command from those of all other tests and checks, like the +check or
- +info command.
+cipher
- The cipher checks will return one line for each tested cipher. It
- contains at least the cipher name, "yes" or "no" whether it's
- supported or not, and a security qualification. It may look like:
AES256-SHA yes HIGH
NULL-SHA no weak
- Depending on the --legacy=* option used, the format may differ
- and also contain more information. For details see the --legacy=*
- option below.
- The texts for security qualifications are mainly those returned by
- openssl (version 1.0.1): LOW, MEDIUM, HIGH and WEAK.
- The same texts in all lower case characters are used if the
- qualification was adapted herein.
+check
- These tests return a line with a label describing the test and a
- test result for it. The idea is to report yes if the result
- is considered "secure" and to report the reason why it is considered
- insecure otherwise. Example of a check considered secure:
Label of the performed check: yes
- Example of a check considered insecure:
Label of the performed check: no (reason why)
- Note that there are tests where the results appear confusing when
- first viewed, like for www.wi.ld:
Certificate is valid according given hostname: no (*.wi.ld)
Certificate's wildcard does not match hostname: yes
- This can for example occur with:
Certificate Common Name: *.wi.ld
Certificate Subject's Alternate Names: DNS:www.wi.ld
- Please also check the result with the +info command to verify
- that the check is reasonable.
+info
- The test result contains detailed information. The labels there
- are mainly the same as for the "+check" command.
- All output is designed to be easily parsable by postprocessors.
- Please see the OUTPUT section below for details.
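A small postprocessor for the +cipher and +check line formats described in this section, added here as an example and not part of O-Saft itself. The sample output is constructed; the cipher names beyond those shown above, and the LOW/WEAK threshold used for flagging, are assumptions.

```python
import re
from typing import List, NamedTuple, Optional, Tuple
# Constructed sample output in the default +cipher and +check formats
# described above; not captured from a real target.
CIPHER_OUTPUT = """\
AES256-SHA yes HIGH
NULL-SHA no weak
EXP-DES-CBC-SHA yes LOW
"""
CHECK_OUTPUT = """\
Certificate is valid according given hostname: no (*.wi.ld)
Certificate's wildcard does not match hostname: yes
"""

class CipherLine(NamedTuple):
    name: str
    supported: bool
    qualification: str
    adapted: bool   # lower-case rating: O-Saft adapted openssl's qualification
class CheckLine(NamedTuple):
    label: str
    secure: bool
    reason: Optional[str]   # only present for a "no" result
CHECK_RE = re.compile(r"^(?P<label>.+?):\s+(?P<result>yes|no)(?:\s+\((?P<reason>.*)\))?\s*$")  # '<label>: yes|no [(reason)]'

def parse_cipher(text: str) -> List[CipherLine]:
    out = []
    for raw in text.splitlines():
        fields = raw.split()          # '<name> yes|no <qualification> [...]'
        if len(fields) < 3 or fields[1] not in ("yes", "no"):
            continue                  # skip blanks, headers and other noise
        out.append(CipherLine(fields[0], fields[1] == "yes", fields[2], fields[2].islower()))
    return out

def parse_check(text: str) -> List[CheckLine]:
    out = []
    for raw in text.splitlines():
        m = CHECK_RE.match(raw)
        if m:
            out.append(CheckLine(m["label"], m["result"] == "yes", m["reason"]))
    return out

def risky_ciphers(text: str) -> List[str]:
    # supported ciphers rated LOW or WEAK, whether by openssl (upper) or O-Saft (lower)
    return [c.name for c in parse_cipher(text)
            if c.supported and c.qualification.upper() in ("LOW", "WEAK")]

def failed_checks(text: str) -> List[Tuple[str, Optional[str]]]:
    # checks answered "no", paired with the reason printed in parentheses
    return [(c.label, c.reason) for c in parse_check(text) if not c.secure]
```

Pipe the real tool output into these functions to get the same structures; with a different --legacy=* format the cipher line layout changes and parse_cipher would need adjusting.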
COMMANDS
- There are commands for various tests according to the SSL connection to
- the target, the target's certificate and the ciphers used.
- All commands are preceded by a + to easily distinguish them from other
- arguments and options. However, some --OPT options are treated as
- commands for historical reasons or for compatibility with other programs.
- The most important commands are (in alphabetical order):