
O-Saft/Documentation

From OWASP
Revision as of 23:24, 28 May 2014 by Achim (talk | contribs) (RESULTS completed)


O-Saft

This is O-Saft's documentation as you get it with

o-saft.pl --help

NAME

o-saft.pl - OWASP SSL audit for testers
OWASP SSL advanced forensic tool

DESCRIPTION

This tool lists information about a remote target's SSL certificate
and tests the remote target against a given list of ciphers.
Note: Throughout this description, $0 is used as an alias for the
program name o-saft.pl.

SYNOPSIS

o-saft.pl [COMMANDS ..] [OPTIONS ..] target [target target ...]
Where [COMMANDS] and [OPTIONS] are described below and target
is a hostname, either as a fully qualified domain name or as an IP address.
Multiple commands and targets may be combined.
All commands and options can also be specified in a rc-file, see
RC-FILE below.

QUICKSTART

Before going into a detailed description of the purpose and usage,
here are some examples of the most common use cases:
  • Show supported (enabled) ciphers of target:
   o-saft.pl +cipher --enabled example.tld
  • Show details of certificate and connection of target:
   o-saft.pl +info example.tld
  • Check certificate, ciphers and SSL connection of target:
   o-saft.pl +check example.tld
  • List all available commands:
   o-saft.pl --help=commands
For more specialised test cases, refer to the COMMANDS and OPTIONS
sections below.
If no command is given, +cipher is used.

WHY?

Why a new tool for checking SSL security and configuration when there
are already a dozen or more such tools in existence (circa 2012)?
The currently available tools suffer from some or all of the following issues:
* lack of tests of unusual ciphers
* lack of tests of unusual SSL certificate configurations
* may return different results for the same checks on a given target
* missing tests for modern SSL/TLS functionality
* missing tests for specific, known SSL/TLS vulnerabilities
* no support for newer, advanced, features e.g. CRL, OCSP, EV
* limited capability to create your own customised tests
Another problem is that many of them are distributed only as binaries
and hence are not portable to other (newer) platforms.
In contrast to most (all?) other tools, including openssl, this tool can
be used to `ask simple questions' such as `does the target support STS'
just by calling:
   o-saft.pl +cipher +hsts_sts example.tld
For more, please see EXAMPLES section below.

RESULTS

For the results, we have to distinguish those returned by the +cipher
command from those of all other tests and checks, like the +check or
+info commands.
+cipher
The cipher check returns one line for each tested cipher. It
contains at least the cipher name, "yes" or "no" for whether it is
supported, and a security qualification. It may look like:
       AES256-SHA       yes    HIGH
       NULL-SHA         no     weak
Depending on the --legacy=* option used, the format may differ
and may contain more information. For details see the --legacy=*
option below.
The texts for the security qualifications are mainly those returned by
openssl (version 1.0.1): LOW, MEDIUM, HIGH and WEAK.
The same texts in all lower-case characters are used if the
qualification was adapted by this tool.
+check
These tests return a line with a label describing the test and the
test result. The idea is to report yes if the result is considered
"secure", and otherwise to report no together with the reason why it
is considered insecure. Example of a check considered secure:
       Label of the performed check:           yes
Example of a check considered insecure:
       Label of the performed check:           no (reason why)
Note that there are tests whose results appear confusing at first
sight, as for www.wi.ld:
       Certificate is valid according given hostname:  no (*.wi.ld)
       Certificate's wildcard does not match hostname: yes
This can occur, for example, with:
       Certificate Common Name:                *.wi.ld
       Certificate Subject's Alternate Names:  DNS:www.wi.ld
Please also check the result with the +info command to verify
that the check is reasonable.
+info
The test result contains detailed information. The labels there
are mainly the same as for the +check command.
All output is designed to be easily parsable by postprocessors.
Please see the OUTPUT section below for details.
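As an added example (not part of O-Saft or its help text), the following Python postprocessor parses the two result formats described above: the one-line-per-cipher +cipher output and the "label: yes / no (reason)" lines of +check. It flags ciphers the target accepts although they are rated WEAK or LOW, notes whether a rating was adapted by O-Saft (lower-case text), and collects every failed check with its reason, so the output can gate a CI job. The sample output embedded below is constructed; apart from the wildcard lines quoted on the page, the check labels are placeholders, and a --legacy=* layout would need its own regular expression.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of default-format +cipher output (see RESULTS); not a real scan.
CIPHER_OUTPUT = """\
AES256-SHA       yes    HIGH
DHE-RSA-AES128-SHA  yes    HIGH
RC4-SHA          yes    MEDIUM
NULL-SHA         no     weak
EXP-RC4-MD5      yes    weak
"""

# Constructed sample of +check output. The first two labels are the wildcard example
# from the page; the other two are placeholders written in the page's own style.
CHECK_OUTPUT = """\
Certificate is valid according given hostname:  no (*.wi.ld)
Certificate's wildcard does not match hostname: yes
Label of a passing check:                       yes
Label of a failing check:                       no (reason why)
"""

# One line per tested cipher: name, yes/no, qualification.
CIPHER_RE = re.compile(r"^(\S+)\s+(yes|no)\s+(\S+)\s*$")
# "label:  yes" or "label:  no (reason)"; labels may contain spaces and apostrophes.
CHECK_RE = re.compile(r"^(.*?):\s+(yes|no)(?:\s+\((.*)\))?\s*$")


@dataclass
class CipherLine:
    name: str
    enabled: bool
    rating: str      # as printed: LOW, MEDIUM, HIGH, WEAK or a lower-case variant
    adapted: bool    # True when O-Saft adapted openssl's rating (lower-case text)


@dataclass
class CheckLine:
    label: str
    result: str               # "yes" (considered secure) or "no"
    reason: Optional[str]     # text inside the parentheses of a "no", else None


def parse_cipher_output(text: str) -> List[CipherLine]:
    ciphers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CIPHER_RE.match(line)
        if m is None:
            # A --legacy=* option changes the layout; fail loudly rather than skip lines.
            raise ValueError(f"unrecognised +cipher line: {line!r}")
        name, yesno, rating = m.groups()
        ciphers.append(CipherLine(name, yesno == "yes", rating, rating.islower()))
    return ciphers


def enabled_weak_ciphers(ciphers: List[CipherLine]) -> List[str]:
    """Names of ciphers the target accepts although they are rated WEAK or LOW."""
    return [c.name for c in ciphers
            if c.enabled and c.rating.upper() in ("WEAK", "LOW")]


def parse_check_output(text: str) -> List[CheckLine]:
    checks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CHECK_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised +check line: {line!r}")
        label, result, reason = m.groups()
        checks.append(CheckLine(label.strip(), result, reason))
    return checks


def failed_checks(checks: List[CheckLine]) -> List[Tuple[str, Optional[str]]]:
    """(label, reason) for every check reported as 'no'."""
    return [(c.label, c.reason) for c in checks if c.result == "no"]


def exit_status(ciphers: List[CipherLine], checks: List[CheckLine]) -> int:
    """0 when there is nothing to report, 1 otherwise (usable as a CI gate)."""
    return 1 if enabled_weak_ciphers(ciphers) or failed_checks(checks) else 0


if __name__ == "__main__":
    ciphers = parse_cipher_output(CIPHER_OUTPUT)
    checks = parse_check_output(CHECK_OUTPUT)
    for name in enabled_weak_ciphers(ciphers):
        print(f"weak cipher enabled: {name}")
    for label, reason in failed_checks(checks):
        print(f"check failed: {label} ({reason})")
    raise SystemExit(exit_status(ciphers, checks))
```

In practice the constants would be replaced by the captured stdout of `o-saft.pl +cipher target` and `o-saft.pl +check target`. Raising on an unrecognised line is deliberate: a silently skipped line would hide exactly the finding the scan was run for.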

COMMANDS

There are commands for various tests regarding the SSL connection to
the target, the target's certificate and the ciphers used.
All commands are preceded by a + to easily distinguish them from other
arguments and options. However, some --OPT options are treated as
commands for historical reasons or for compatibility with other programs.
The most important commands are (in alphabetical order):