O-Saft

=Main=

O-Saft - check for SSL connection, certificate and ciphers(this text to make crawlers happy;-)



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

O-Saft

 * OWASP SSL audit for testers / OWASP SSL advanced forensic tool

O-Saft is an easy to use tool to show informations about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations.

It's designed to be used by penetration testers, security auditors or server administrators. The idea is to show the important informations or the special checks with a simple call of the tool. However, it provides a wide range of options so that it can be used for comprehensive and special checks by experienced people.

O-Saft is a command-line tool, so it can be used offline and in closed environments. However, it can simply be turned into an online CGI-tool (please read documentation first).

Introduction

 * Quick Installation:
 * Download and unpack o-saft.tgz (Stable Release)
 * Ensure that following perl modules (and their dependencies) are installed
 * &#160; &#160; &#160; IO::Socket::INET, IO::Socket::SSL, Net::SSLeay
 * &#160; &#160; &#160; Net::SSLinfo (which is part of the tarball)


 * read and (re-)move o-saft-README
 * Show help
 * o-saft --help=commands
 * o-saft --help


 * Start
 * o-saft +info your.tld
 * o-saft +check your.tld
 * o-saft +quick your.tld
 * o-saft +cipherall your.tld
 * o-saft +cipherall --starttls=pop3 pop3.your.tld:110

Description
The main idea is to have a tool which works on common platforms and can simply be automated.
 * In a Nutshell:
 * show SSL connection details
 * show certificate details
 * check for supported ciphers
 * check for ciphers provided in your own libssl.so and libcrypt.so
 * check for ciphers without any dependency to a library (+cipherall)
 * checks the server's priority for ciphers (+cipherall)
 * check for special HTTP(S) support (like SNI, HSTS, certificate pinning)
 * check for protections against attacks (BEAST, CRIME, Heartbleed, RC4 Bias, ...)
 * may check for a single attribute
 * may check multiple targets at once
 * can be scripted (headless or as CGI)
 * should work on any platform (just needs perl, openssl optional)
 * scoring for all checks (still to be improved in many ways ;-)
 * output format can be customized
 * various trace and debug options to hunt unusual connection problems
 * supports STARTTLS for various protocols like (SMTP, POP3, IMAP, LDAP, RDP, XMPP,...)

New Features of Test Version

 * Quick Installation (test version):
 * Download and unpack: master.zip
 * Start INSTALL-devel.sh
 * Enjoy new functionality:
 * +cipherall: Automatic slow down of starttls-requests to prevent blockades of requests due to too much connections
 * +cipherall: better robustness for STARTTLS, IMAP support is not experimental (fixed)
 * +cipherall: STARTTLS: IRC support added (experimental)
 * CheckAllCiphers.pl: '--mx' to check a Mail-Domain instead of a host (makes sense together with --STARTTLS=SMTP)
 * CheckAllCiphers.pl: '--trace-time' prints additional timestamps in trace output


 * please give us feedback via the mailinglist


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

What is O-Saft?
O-Saft provides:


 * SSL connection details
 * certificate details
 * full cipher check
 * special HTTP(s) checks
 * check for SSL vulnerabilities
 * can be scripted
 * platfrom independent
 * customizable output
 * supports STARTTLS (+cipherall)

Documentation

 * help/man page

Presentation
Vortrag beim Münchner OWASP-Stammtisch: [[Media:SSL-in-der-Praxis_OWASP-Stammtisch-Muenchen.pdf‎|Überblick über aktuelle Angriffsmöglichkeiten auf HTTPS / SSL]] (enthält auch ein paar Beispiele mit o-saft) (this presentation is in German)

Project Leader
Achim Hoffmann

Licensing
OWASP O-Saft is free to use. It is licensed under the GPL v2 license.

Github

 * https://github.com/OWASP/O-Saft

Ohloh

 * https://www.ohloh.net/p/O-Saft


 * valign="top" style="padding-left:25px;width:200px;" |

Quick Download

 * Stable Release: o-saft.tgz
 * Test Version: master.zip

News and Events

 * 16/11/2014, stable release 14.11.14
 * 15/10/2014, check for Poodle vulnerability, see test ersion: master.zip
 * AppSecEU 2014, Cambridge
 * There will be a training TLS/SSL in Practice which in particular covers O-Saft. For schedule see here.


 * Heartbleed check
 * 10/04/2014, see https://github.com/OWASP/O-Saft


 * 2013 Top Security Tools
 * thanks for voting O-Saft as #10 best security tools 2013


 * Latest stable release
 * 11/2014, O-Saft 14.11.14

In Print / Media
Find a OWASP 24/7 podcast about the tool here.

Classifications

 * }

=FAQs=
 * FAQs
 * Where can I get missing Perl-Modules? This depends on your OS and Perl installation, but just try 'cpan ', e.g. 'cpan Net:DNS'
 * I am connected to the internet via a Proxy open the cpan-shell using 'cpan' and configure your proxy settings: 'o conf init /proxy/'
 * I can not download the requested files (the proxy needs authentication) run 'cpan ' several times, read the error messages and copy the requested files manually to the paths (without any additional temporary extension of the name), e.g. http://www.cpan.org/authors/01mailrc.txt.gz => /cpan/sources/authors/01mailrc.txt.gz

= Acknowledgements =
 * Acknowledgements

Volunteers
O-Saft is developed by from the contributions of OWASP members. The primary contributors to date have been:

Repository
O-Saft's source code can be found at https://github.com/OWASP/O-Saft.

The latest stable tarball is https://github.com/OWASP/O-Saft/raw/master/o-saft.tgz

= Road Map and Getting Involved = https://www.owasp.org/index.php/Projects/O-Saft/Roadmap
 * Road Map

You do not have to be a security expert in order to contribute. Contacts: Some of the ways you can help:
 * Involvement in the development and promotion of O-Saft is actively encouraged!
 * mailto: Achim at owasp dot org
 * Mailinglist
 * Quality assurance: simply test O-Saft and report defects
 * Give some ideas how to implement scoring
 * Need help in implementing SSL for other protocols like LDAP, IMAP, ...
 * (currently, November 2014, we have proxy and STARTTLS functionality for LDAP, IMAP, POP, SMTP,...)