Difference between revisions of "O-Saft"

From OWASP
(Introduction)
(typos)
 
(38 intermediate revisions by 2 users not shown)
Line 2: Line 2:
 
<!-- see also: https://www.owasp.org/index.php/OWASP_Documentation_Project_Template -->
 
<!-- see also: https://www.owasp.org/index.php/OWASP_Documentation_Project_Template -->
  
 +
<div style="position:absolute;top:-5555px">O-Saft - check for SSL connection, certificate and ciphers(this text to make crawlers happy;-)</div>
 +
<!-- previous line cannot be H1 tag because headertab extension would break the page layout then :-( -->
 +
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
  
Line 8: Line 11:
  
 
==O-Saft==
 
==O-Saft==
;OWASP SSL audit for testers / OWASP SSL advanced forensic tool
+
;OWASP SSL advanced forensic tool / OWASP SSL audit for testers
  
 
O-Saft is an easy to use tool to show informations about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations.
 
O-Saft is an easy to use tool to show informations about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations.
Line 15: Line 18:
  
 
O-Saft is a command-line tool, so it can be used offline and in closed environments. However, it can simply be turned into an online CGI-tool (please read documentation first).
 
O-Saft is a command-line tool, so it can be used offline and in closed environments. However, it can simply be turned into an online CGI-tool (please read documentation first).
 
<small>O-Saft checks SSL connections and certificates (this text to make crawlers happy;-)</small>
 
  
 
====Introduction====
 
====Introduction====
 
;Quick Installation:
 
;Quick Installation:
* Download and unpack ''o-saft.tgz''
+
* Download and unpack ''o-saft.tgz'' (Stable Release)
* Ensure that following perl modules (and their dependencies) are installed
+
* to run ''o-saft'': Ensure that following perl modules (and their dependencies) are installed
 
: <nowiki>&#160; &#160; &#160;</nowiki> ''IO::Socket::INET'', ''IO::Socket::SSL'', ''Net::SSLeay''
 
: <nowiki>&#160; &#160; &#160;</nowiki> ''IO::Socket::INET'', ''IO::Socket::SSL'', ''Net::SSLeay''
: <nowiki>&#160; &#160; &#160;</nowiki> ''Net::SSLinfo'' (which is part of the tarball)
+
: <nowiki>&#160; &#160; &#160;</nowiki> ''Net::SSLinfo'', ''Net::SSLhello'' (which are part of the tarball)
 
* read and (re-)move ''o-saft-README''
 
* read and (re-)move ''o-saft-README''
 
* Show help
 
* Show help
Line 33: Line 34:
 
: ''o-saft +quick your.tld''
 
: ''o-saft +quick your.tld''
 
: ''o-saft +cipherall your.tld''
 
: ''o-saft +cipherall your.tld''
 
+
: ''o-saft +cipherall --starttls=pop3 pop3.your.tld:110''
 +
* to run the optional ''checkAllCiphers'' (tiny program to check solely ciphers, like command '+cipherall'): It usually does not need any perl module to be additionally installed
 +
: <nowiki>&#160; &#160; &#160;</nowiki> ''Socket'' (should be part of your perl installation)
 +
: <nowiki>&#160; &#160; &#160;</nowiki> ''Net::SSLhello'' (which is part of the tarball)
 +
: <nowiki>&#160; &#160; &#160;</nowiki> ''NET::DNS'' (only needed, if option '--mx' is used)
 +
* Start
 +
: ''checkAllCiphers your.tld''
 +
: ''checkAllCiphers --starttls=pop3 pop3.your.tld:110''
 +
: ''checkAllCiphers --mx your.tld:25 --starttls=smtp''
 
====Description====
 
====Description====
  
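Review bot: the new line `: ''NET::DNS'' (only needed, if option '--mx' is used)` spells the module `NET::DNS`; Perl module names are case-sensitive (they map to file paths), and the CPAN module is `Net::DNS`, so a reader copying this into `cpan NET::DNS` gets a "module not found" on a case-sensitive file system. Suggest `''Net::DNS'' (only needed if option '--mx' is used)`.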
Line 42: Line 51:
 
:* check for supported ciphers
 
:* check for supported ciphers
 
:* check for ciphers provided in your own libssl.so and libcrypt.so
 
:* check for ciphers provided in your own libssl.so and libcrypt.so
 +
:* check for ciphers without any dependency to a library (+cipherall)
 +
:* checks the server's priority for ciphers (+cipherall)
 
:* check for special HTTP(S) support (like SNI, HSTS, certificate pinning)
 
:* check for special HTTP(S) support (like SNI, HSTS, certificate pinning)
 
:* check for protections against attacks (BEAST, CRIME, Heartbleed, RC4 Bias, ...)
 
:* check for protections against attacks (BEAST, CRIME, Heartbleed, RC4 Bias, ...)
Line 51: Line 62:
 
:* output format can be customized
 
:* output format can be customized
 
:* various trace and debug options to hunt unusual connection problems
 
:* various trace and debug options to hunt unusual connection problems
 +
:* +cipherall: supports STARTTLS for various protocols like (SMTP, POP3, IMAP, LDAP, RDP, XMPP, IRC (experimental) ...),<br>&nbsp; slows down to prevent blockades of requests due to too much connections (supported for some protocols like SMTP)
 +
:* check of STARTTLS/SMTP for all servers of a MX Resource Record (e.g. ''checkAllCiphers --mx your.tld:25 --starttls=smtp'')
 +
 +
==New Features of Test Version==
 +
;Quick Installation (test version):
 +
* Download and unpack: ''master.zip''
 +
* Start ''INSTALL-devel.sh''
 +
* Enjoy new functionality:
 +
:* supports now STARTTLS and Proxy for all commands (experimental), e.g. ''o-saft&nbsp;+info&nbsp;mail.tld:25&nbsp;--starttls&nbsp;--experimental''
 +
:* '+cipherall (+cipherraw)', checkAllCiphers.pl: Fixed a Bug in SNI
 +
 +
* please give us feedback via the [https://lists.owasp.org/mailman/listinfo/o-saft mailinglist]
  
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
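Review bot: grammar in the new +cipherall bullet: "due to too much connections" should read "due to too many connections", and "slows down" would be clearer as "slows down its requests", since it is the scan that is throttled, not the server.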
Line 66: Line 89:
 
* platfrom independent
 
* platfrom independent
 
* customizable output
 
* customizable output
 +
* supports STARTTLS (+cipherall)
  
 
== Documentation ==
 
== Documentation ==
 
* [[O-Saft/Documentation | help/man page]]
 
* [[O-Saft/Documentation | help/man page]]
  
== Presentation ==
+
== Presentations ==
  
Vortrag beim Münchner OWASP-Stammtisch: <u>[[Media:SSL-in-der-Praxis_OWASP-Stammtisch-Muenchen.pdf‎|Überblick über aktuelle Angriffsmöglichkeiten auf HTTPS / SSL]]</u> (enthält auch ein paar Beispiele mit o-saft)
+
* Vortrag beim German OWASP Day 2014: <u>[[Media:Richtig_verschluesseln_mit_SSL+TLS_-_Achim_Hoffmann+Torsten_Gigler.pdf|Richtig verschlüsseln mit SSL/TLS]]</u>
<small>(this presentation is in German)</small>
+
* Vortrag beim Münchner OWASP-Stammtisch: <u>[[Media:SSL-in-der-Praxis_OWASP-Stammtisch-Muenchen.pdf‎|Überblick über aktuelle Angriffsmöglichkeiten auf HTTPS / SSL]]</u> (enthält auch ein paar Beispiele mit o-saft)
 +
 
 +
<small>(This presentations are in German)</small>
  
 
== Project Leader ==
 
== Project Leader ==
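Review bot: the new line `<small>(This presentations are in German)</small>` has a number-agreement error; it should read "(These presentations are in German)". The old single-presentation note on the line above was removed correctly, so only the one sentence remains to fix.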
Line 85: Line 111:
  
 
<!-- * [[OWASP_CISO_Survey]] -->
 
<!-- * [[OWASP_CISO_Survey]] -->
 +
 +
== Github ==
 +
 +
*<u>https://github.com/OWASP/O-Saft</u>
  
 
== Ohloh ==
 
== Ohloh ==
  
*https://www.ohloh.net/p/O-Saft
+
*<u>https://www.ohloh.net/p/O-Saft</u>
  
 
| valign="top"  style="padding-left:25px;width:200px;" |
 
| valign="top"  style="padding-left:25px;width:200px;" |
Line 94: Line 124:
 
== Quick Download ==
 
== Quick Download ==
  
* [https://github.com/OWASP/O-Saft/raw/master/o-saft.tgz o-saft.tgz]
+
* Stable Release (15.01.07): <u>[https://github.com/OWASP/O-Saft/raw/master/o-saft.tgz o-saft.tgz]</u>
 +
* Test Version: <u>[https://github.com/OWASP/O-Saft/archive/master.zip master.zip]</u>
  
 
== News and Events ==
 
== News and Events ==
 +
* 08/01/2015, stable release '''15.01.07'''
 +
* '''09/12/2014''' Presentation '' Richtig verschlüsseln mit SSL/TLS'' at <u>'''[[German_OWASP_Day_2014|German OWASP Day 2014]]'''</u>, program see <u>[[German_OWASP_Day_2014/Programm|here]]</u>
 +
* 07/12/2014, stable release '''14.12.07'''
 +
* 16/11/2014, stable release '''14.11.14'''
 +
* 15/10/2014, check for '''Poodle''' vulnerability, see test version: <u>[https://github.com/OWASP/O-Saft/archive/master.zip master.zip]</u>
 
* <u>[https://2014.appsec.eu/ AppSecEU 2014]</u>, Cambridge
 
* <u>[https://2014.appsec.eu/ AppSecEU 2014]</u>, Cambridge
 
: There will be a training <u>[http://appseceurope2014.sched.org/event/0e316b9ea5c28375dcc8fd41baedd481 TLS/SSL in Practice]</u> which in particular covers O-Saft. For <u>[http://appseceurope2014.sched.org/ schedule see here]</u>.
 
: There will be a training <u>[http://appseceurope2014.sched.org/event/0e316b9ea5c28375dcc8fd41baedd481 TLS/SSL in Practice]</u> which in particular covers O-Saft. For <u>[http://appseceurope2014.sched.org/ schedule see here]</u>.
Line 103: Line 139:
 
* '''2013 Top Security Tools'''
 
* '''2013 Top Security Tools'''
 
:thanks for voting <u>[http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ O-Saft as #10 best security tools 2013 ]</u>
 
:thanks for voting <u>[http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/ O-Saft as #10 best security tools 2013 ]</u>
* Latest stable release
 
:01/2014, O-Saft 14.1.4
 
  
 
== In Print / Media ==
 
== In Print / Media ==
Line 113: Line 147:
 
   {| width="200" cellpadding="2"
 
   {| width="200" cellpadding="2"
 
   |-
 
   |-
   | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
+
   | align="center" valign="top" width="50%" rowspan="2"| [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
 
   | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]   
 
   | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]   
 
   |-
 
   |-
Line 127: Line 161:
 
=FAQs=
 
=FAQs=
 
;FAQs <!-- workaround bug in headertabs-->
 
;FAQs <!-- workaround bug in headertabs-->
: (not yet available)
+
* Where can I get missing Perl-Modules?<br>This depends on your OS and Perl installation, but just try 'cpan <Module-Name>', e.g. 'cpan Net:DNS'
 +
:* I am connected to the internet via a Proxy<br>open the cpan-shell using 'cpan' and configure your proxy settings: 'o conf init /proxy/'
 +
:* I can not download the requested files (the proxy needs authentication)<br>run 'cpan <Module-Name>' several times, read the error messages and copy the requested files manually to the paths (without any additional temporary extension of the name),<br>e.g. <nowiki>http://www.cpan.org/authors/01mailrc.txt.gz</nowiki> => <Your Program Path>/cpan/sources/authors/01mailrc.txt.gz
 +
 
 +
* I get the Error "invalid SSL_version specified at .../perl/vendor/lib/IO/Socket/SSL.pm line ..."
 +
:* add options '--notlsv13 --nodtlsv1', e.g. perl o-saft.pl +info your.tld --notlsv13 --nodtlsv1
  
 
= Acknowledgements =
 
= Acknowledgements =
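Review bot: the example `'cpan Net:DNS'` in the new FAQ entry uses a single colon; the module named in the installation section is `Net::DNS` (double colon), and `cpan Net:DNS` will not find anything. Suggest `'cpan Net::DNS'`. In the same hunk, the last bullet (`add options '--notlsv13 --nodtlsv1'`) is the answer to the question on the line above it; indenting it as `:*` already does that, but a short "Answer:" prefix would make the Q/A structure obvious in the rendered page.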
Line 133: Line 172:
 
==Volunteers==
 
==Volunteers==
 
O-Saft is developed by <!--a worldwide team of volunteers--> from the contributions of OWASP members. The primary contributors to date have been:
 
O-Saft is developed by <!--a worldwide team of volunteers--> from the contributions of OWASP members. The primary contributors to date have been:
 +
* {{Template:Contact | name = Torsten Gigler | email =torsten.gigler@owasp.org | username = T.Gigler}}
  
 
==Repository==
 
==Repository==
Line 147: Line 187:
 
Contacts:
 
Contacts:
 
* mailto: Achim at owasp dot org
 
* mailto: Achim at owasp dot org
* [https://www.owasp.org/index.php/Projects/O-Saft/Roadmap Mailinglist]
+
* [https://lists.owasp.org/mailman/listinfo/o-saft Mailinglist]
 
Some of the ways you can help:
 
Some of the ways you can help:
* Quality assurance: simply test O-Saft and report defects
+
* Quality assurance: simply test O-Saft and report defects and strange responses of servers
 
* Give some ideas how to implement scoring
 
* Give some ideas how to implement scoring
* Need help in implementing SSL for other protocols like LDAP, IMAP, ...
+
* Need help in implementing  
 
+
:* SSL for other protocols using STARTTLS, ...<br>(currently, February 2015, we have STARTTLS functionality for LDAP, IMAP, POP3, SMTP, RDP, FTP, XMPP,...)
 +
:* authentication for proxies (BASIC, NTLM)
 +
:* to check the size of Diffie Hellmann Parameters
 +
:* check for more SSL/TLS-Extensions (including obsolete ones)
 +
:* check for more vulnerabilities
 +
:* check the full certificate chain
 
<!-- don't include legacy project template, just for information here
 
<!-- don't include legacy project template, just for information here
 
=Project About=
 
=Project About=
Line 160: Line 205:
 
__NOTOC__ <headertabs />  
 
__NOTOC__ <headertabs />  
  
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Tool]]
+
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Tool]] [[Category:SSL]]

Latest revision as of 05:13, 14 February 2015


O-Saft

OWASP SSL advanced forensic tool / OWASP SSL audit for testers

O-Saft is an easy-to-use tool that shows information about an SSL certificate and tests the SSL connection against a given list of ciphers and various SSL configurations.

It is designed to be used by penetration testers, security auditors and server administrators. The idea is to show the important information, or run the special checks, with a simple call of the tool. However, it provides a wide range of options so that experienced users can run comprehensive and special checks.

O-Saft is a command-line tool, so it can be used offline and in closed environments. However, it can easily be turned into an online CGI tool (please read the documentation first).

Introduction

Quick Installation
  • Download and unpack o-saft.tgz (stable release)
  • To run o-saft, ensure that the following Perl modules (and their dependencies) are installed:
      IO::Socket::INET, IO::Socket::SSL, Net::SSLeay
      Net::SSLinfo, Net::SSLhello (which are part of the tarball)
  • Read and (re-)move o-saft-README
  • Show help:
      o-saft --help=commands
      o-saft --help
  • Start:
      o-saft +info your.tld
      o-saft +check your.tld
      o-saft +quick your.tld
      o-saft +cipherall your.tld
      o-saft +cipherall --starttls=pop3 pop3.your.tld:110
  • To run the optional checkAllCiphers (a small program that checks only ciphers, like the '+cipherall' command), usually no additional Perl modules need to be installed:
      Socket (should be part of your Perl installation)
      Net::SSLhello (which is part of the tarball)
      Net::DNS (only needed if option '--mx' is used)
  • Start:
      checkAllCiphers your.tld
      checkAllCiphers --starttls=pop3 pop3.your.tld:110
      checkAllCiphers --mx your.tld:25 --starttls=smtp
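The --starttls option used above upgrades a plaintext mail connection to TLS before any cipher test runs. As an added example (not O-Saft's own code, which implements this in Perl), here is the plaintext part of that negotiation for SMTP and POP3, written against a scripted stand-in for the mail server so it runs offline; the host names and server replies are constructed, and a real run would replace ScriptedPeer with a socket offering the same send()/recv() methods.

```python
"""STARTTLS pre-negotiation for SMTP (EHLO/STARTTLS) and POP3 (CAPA/STLS):
the plaintext exchange that precedes the TLS handshake.  Added example,
not O-Saft / Net::SSLhello code."""


class StarttlsError(Exception):
    """Server refused STARTTLS or does not advertise it."""


class ScriptedPeer:
    """Constructed stand-in for a mail server: answers known commands with
    canned replies and records what the client sent.  A real connection
    would be a socket; only recv() and send() are used."""

    def __init__(self, banner, replies, error_reply):
        self._pending = banner          # bytes the client reads next
        self._replies = replies         # list of (command prefix, reply)
        self._error = error_reply
        self.sent = []

    def recv(self):
        data, self._pending = self._pending, b""
        return data

    def send(self, data):
        self.sent.append(data)
        for prefix, reply in self._replies:
            if data.upper().startswith(prefix):
                self._pending = reply
                return
        self._pending = self._error


def _lines(peer):
    return peer.recv().decode("ascii", "replace").splitlines()


def starttls_smtp(peer, helo_name="audit.example"):
    """EHLO, look for STARTTLS in the capability list, then send STARTTLS.
    Returns the advertised capabilities; after the server's 220 the caller
    would start the TLS handshake on the same connection."""
    banner = _lines(peer)
    if not banner or not banner[0].startswith("220"):
        raise StarttlsError("unexpected SMTP banner: %r" % banner)
    peer.send(b"EHLO " + helo_name.encode("ascii") + b"\r\n")
    reply = _lines(peer)
    # Multi-line reply: "250-CAP" lines continue, "250 CAP" is the last one.
    if not reply or not all(line.startswith("250") for line in reply):
        raise StarttlsError("EHLO rejected: %r" % reply)
    caps = {line[4:].split(" ")[0].upper() for line in reply[1:]}
    if "STARTTLS" not in caps:
        raise StarttlsError("server does not advertise STARTTLS")
    peer.send(b"STARTTLS\r\n")
    reply = _lines(peer)
    if not reply or not reply[0].startswith("220"):
        raise StarttlsError("STARTTLS refused: %r" % reply)
    return caps


def starttls_pop3(peer):
    """CAPA, look for STLS, then send STLS (RFC 2595)."""
    banner = _lines(peer)
    if not banner or not banner[0].startswith("+OK"):
        raise StarttlsError("unexpected POP3 banner: %r" % banner)
    peer.send(b"CAPA\r\n")
    reply = _lines(peer)
    if not reply or not reply[0].startswith("+OK"):
        raise StarttlsError("CAPA rejected: %r" % reply)
    caps = {line.split(" ")[0].upper() for line in reply[1:] if line != "."}
    if "STLS" not in caps:
        raise StarttlsError("server does not advertise STLS")
    peer.send(b"STLS\r\n")
    reply = _lines(peer)
    if not reply or not reply[0].startswith("+OK"):
        raise StarttlsError("STLS refused: %r" % reply)
    return caps


def demo_smtp_peer(with_starttls=True):
    """Constructed SMTP server; with_starttls=False models a server that
    only talks plaintext."""
    caps = b"250-mail.example.test Hello\r\n250-SIZE 10240000\r\n"
    if with_starttls:
        caps += b"250-STARTTLS\r\n"
    caps += b"250 8BITMIME\r\n"
    return ScriptedPeer(b"220 mail.example.test ESMTP\r\n",
                        [(b"EHLO", caps),
                         (b"STARTTLS", b"220 2.0.0 Ready to start TLS\r\n")],
                        b"500 5.5.1 Command unrecognized\r\n")


def demo_pop3_peer():
    """Constructed POP3 server advertising STLS."""
    return ScriptedPeer(b"+OK POP3 ready\r\n",
                        [(b"CAPA", b"+OK\r\nTOP\r\nUIDL\r\nSTLS\r\n.\r\n"),
                         (b"STLS", b"+OK Begin TLS negotiation\r\n")],
                        b"-ERR unknown command\r\n")


if __name__ == "__main__":
    print("SMTP capabilities:", sorted(starttls_smtp(demo_smtp_peer())))
    print("POP3 capabilities:", sorted(starttls_pop3(demo_pop3_peer())))
```

The capability check matters for an audit tool: a server that does not advertise STARTTLS (or STLS) must be reported as such rather than probed with a TLS ClientHello, which would only produce a protocol error on the plaintext port.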

Description

The main idea is to have a tool which works on common platforms and can easily be automated.

In a Nutshell
  • show SSL connection details
  • show certificate details
  • check for supported ciphers
  • check for ciphers provided by your own libssl.so and libcrypto.so
  • check for ciphers without any dependency on a library (+cipherall)
  • check the server's priority of ciphers (+cipherall)
  • check for special HTTP(S) support (like SNI, HSTS, certificate pinning)
  • check for protections against attacks (BEAST, CRIME, Heartbleed, RC4 bias, ...)
  • may check for a single attribute
  • may check multiple targets at once
  • can be scripted (headless or as CGI)
  • should work on any platform (just needs Perl; openssl is optional)
  • scoring for all checks (still to be improved in many ways ;-)
  • output format can be customized
  • various trace and debug options to hunt unusual connection problems
  • +cipherall: supports STARTTLS for various protocols (SMTP, POP3, IMAP, LDAP, RDP, XMPP, IRC (experimental), ...);
      slows down its requests to avoid being blocked for opening too many connections (supported for some protocols such as SMTP)
  • check of STARTTLS/SMTP for all servers of an MX resource record (e.g. checkAllCiphers --mx your.tld:25 --starttls=smtp)
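Two of the items above, checking ciphers without any library dependency and determining the server's cipher priority, come down to the same technique: build the TLS ClientHello by hand, offer a chosen set of cipher suites, and read which one the server selects. As an added example (not O-Saft's or Net::SSLhello's code), the following Python builds a TLS 1.2 ClientHello with SNI, parses the ServerHello, and derives the server's preference order by repeatedly removing the suite it picked; the server is a constructed in-memory stand-in that enforces its own preference list, and the suite table is a small subset of the IANA registry.

```python
"""Determine which cipher suites a TLS server accepts, and in which order it
prefers them, with hand-built ClientHello messages (no SSL library involved).
Added example, not O-Saft / Net::SSLhello code."""
import os
import struct
import time

# Constructed subset of the IANA TLS cipher-suite registry.
SUITES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
TLS12 = 0x0303


def build_client_hello(suites, server_name, version=TLS12):
    """TLS record carrying a ClientHello that offers exactly `suites`
    (in that order) plus a server_name (SNI) extension."""
    name = server_name.encode("idna")
    sni_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (struct.pack("!H", version) + os.urandom(32)          # version, random
            + b"\x00"                                             # empty session id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                         # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # type client_hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def parse_server_choice(record):
    """Cipher suite id from a ServerHello record, or None if the server
    answered anything else (typically a handshake_failure alert)."""
    if len(record) < 5:
        return None
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + length]
    if ctype != 0x16 or not payload or payload[0] != 0x02:   # not a ServerHello
        return None
    body = payload[4:]                      # skip handshake type + 3-byte length
    sid_len = body[34]                      # version(2) + random(32) precede it
    return struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]


def probe_server_priority(exchange, candidates, server_name, pause=0.0):
    """Offer all remaining candidates; the suite the server picks is the one
    it likes best among them; drop it and ask again.  Returns (accepted suites
    in the server's order, suites never accepted).  `pause` throttles the
    probes, since some servers block clients that reconnect too quickly."""
    remaining = list(candidates)
    accepted = []
    while remaining:
        chosen = parse_server_choice(exchange(build_client_hello(remaining, server_name)))
        if chosen is None or chosen not in remaining:
            break
        accepted.append(chosen)
        remaining.remove(chosen)
        if pause:
            time.sleep(pause)
    return accepted, remaining


def scripted_server(server_preference):
    """Constructed stand-in for a server that enforces its own preference
    list; answers with a ServerHello or a fatal handshake_failure alert."""
    def exchange(client_hello):
        body = client_hello[9:]                 # record header(5) + handshake header(4)
        pos = 2 + 32                            # version + random
        pos += 1 + body[pos]                    # session id
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        offered = [struct.unpack("!H", body[pos + 2 + i:pos + 4 + i])[0]
                   for i in range(0, n, 2)]
        for suite in server_preference:
            if suite in offered:
                sh = (struct.pack("!H", TLS12) + os.urandom(32) + b"\x00"
                      + struct.pack("!H", suite) + b"\x00")
                hs = b"\x02" + len(sh).to_bytes(3, "big") + sh
                return b"\x16" + struct.pack("!HH", TLS12, len(hs)) + hs
        return b"\x15" + struct.pack("!HH", TLS12, 2) + b"\x02\x28"   # fatal, handshake_failure(40)
    return exchange


if __name__ == "__main__":
    server = scripted_server([0xC030, 0xC02F, 0x002F])
    accepted, rejected = probe_server_priority(server, list(SUITES), "mail.example.test")
    for suite in accepted:
        print("accepted  %04x %s" % (suite, SUITES[suite]))
    for suite in rejected:
        print("rejected  %04x %s" % (suite, SUITES[suite]))
```

Against a live host, `exchange` would be a function that opens a TCP connection (after any STARTTLS exchange), sends the record and reads the first record back. A server that honours the client's order instead of its own simply returns the offered order; running the probe once more with the candidate list reversed tells the two policies apart.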

New Features of Test Version

Quick Installation (test version)
  • Download and unpack master.zip
  • Start INSTALL-devel.sh
  • Enjoy the new functionality:
      • now supports STARTTLS and proxies for all commands (experimental), e.g. o-saft +info mail.tld:25 --starttls --experimental
      • '+cipherall' (+cipherraw), checkAllCiphers.pl: fixed a bug in SNI

What is O-Saft?

O-Saft provides:

  • SSL connection details
  • certificate details
  • full cipher check
  • special HTTP(s) checks
  • check for SSL vulnerabilities
  • can be scripted
  • platform independent
  • customizable output
  • supports STARTTLS (+cipherall)

Documentation

  • help/man page: O-Saft/Documentation (on the OWASP wiki)

Presentations

  • Talk at the German OWASP Day 2014: Richtig verschlüsseln mit SSL/TLS
  • Talk at the Munich OWASP Stammtisch: Überblick über aktuelle Angriffsmöglichkeiten auf HTTPS / SSL (also contains a few examples with o-saft)

(These presentations are in German)

Project Leader

Achim Hoffmann

Licensing

OWASP O-Saft is free to use. It is licensed under the GPL v2 license.

Related Projects

Github

  • https://github.com/OWASP/O-Saft

Ohloh

  • https://www.ohloh.net/p/O-Saft

Quick Download

  • Stable Release (15.01.07): https://github.com/OWASP/O-Saft/raw/master/o-saft.tgz
  • Test Version: https://github.com/OWASP/O-Saft/archive/master.zip

News and Events

  • 08/01/2015, stable release 15.01.07
  • 09/12/2014, presentation "Richtig verschlüsseln mit SSL/TLS" at the German OWASP Day 2014 (see the event's programme)
  • 07/12/2014, stable release 14.12.07
  • 16/11/2014, stable release 14.11.14
  • 15/10/2014, check for the Poodle vulnerability, see test version: master.zip
  • AppSecEU 2014, Cambridge
    There will be a training "TLS/SSL in Practice" which in particular covers O-Saft (see the conference schedule).
  • Heartbleed check
    10/04/2014, see https://github.com/OWASP/O-Saft
  • 2013 Top Security Tools
    Thanks for voting O-Saft #10 of the best security tools 2013 (toolswatch.org)

In Print / Media

Find an OWASP 24/7 podcast about the tool here.

Classifications

OWASP Labs project; Builders; Defenders; licence: CC BY-SA; project type: Tool

FAQs
  • Where can I get missing Perl modules?
    This depends on your OS and Perl installation, but just try 'cpan <Module-Name>', e.g. 'cpan Net::DNS'
      • I am connected to the internet via a proxy:
        open the cpan shell using 'cpan' and configure your proxy settings: 'o conf init /proxy/'
      • I cannot download the requested files (the proxy needs authentication):
        run 'cpan <Module-Name>' several times, read the error messages and copy the requested files manually to the paths shown (without any additional temporary extension of the file name),
        e.g. http://www.cpan.org/authors/01mailrc.txt.gz => <Your Program Path>/cpan/sources/authors/01mailrc.txt.gz
  • I get the error "invalid SSL_version specified at .../perl/vendor/lib/IO/Socket/SSL.pm line ..."
    Add the options '--notlsv13 --nodtlsv1', e.g. perl o-saft.pl +info your.tld --notlsv13 --nodtlsv1
    (the installed IO::Socket::SSL does not know these protocol versions, so O-Saft must be told not to try them)

Acknowledgements

Volunteers

O-Saft is developed from the contributions of OWASP members. The primary contributors to date have been:

  • Torsten Gigler

Repository

O-Saft's source code can be found at https://github.com/OWASP/O-Saft.

The latest stable tarball is https://github.com/OWASP/O-Saft/raw/master/o-saft.tgz

Road Map

https://www.owasp.org/index.php/Projects/O-Saft/Roadmap

Involvement in the development and promotion of O-Saft is actively encouraged!

You do not have to be a security expert in order to contribute. Contacts:

  • mailto: Achim at owasp dot org
  • Mailing list: https://lists.owasp.org/mailman/listinfo/o-saft
Some of the ways you can help:

  • Quality assurance: simply test O-Saft and report defects and strange responses of servers
  • Give some ideas how to implement scoring
  • Help is needed in implementing:
      • SSL for other protocols using STARTTLS, ...
        (currently, February 2015, we have STARTTLS functionality for LDAP, IMAP, POP3, SMTP, RDP, FTP, XMPP, ...)
      • authentication for proxies (BASIC, NTLM)
      • a check of the size of Diffie-Hellman parameters
      • checks for more SSL/TLS extensions (including obsolete ones)
      • checks for more vulnerabilities
      • a check of the full certificate chain
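One of the open items above is a check of the size of the Diffie-Hellman parameters. The server reveals them in its ServerKeyExchange message, so the check is a matter of parsing three length-prefixed values. As an added example (not O-Saft code, and not the project's planned implementation), the following Python parses the ServerDHParams structure of a TLS 1.2 ServerKeyExchange for a DHE cipher suite (RFC 5246, section 7.4.3) and rates the group size; the message fed to it is constructed, with a modulus chosen only for its length.

```python
"""Measure the Diffie-Hellman group size a TLS 1.2 server uses, from the
ServerKeyExchange message of a DHE handshake.  Added example, not O-Saft
code.  Assumes the negotiated cipher suite is a DHE suite, so the message
body starts with ServerDHParams (dh_p, dh_g, dh_Ys, each <2-byte length>
<bytes>), followed by the signature, which is left alone here."""
import struct


def _take_vector16(buf, pos):
    """Read one <2-byte length><bytes> vector starting at pos."""
    n = struct.unpack("!H", buf[pos:pos + 2])[0]
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_server_dh_params(ske_body):
    """Return prime size (bits), generator and public-value size (bits)."""
    p, pos = _take_vector16(ske_body, 0)
    g, pos = _take_vector16(ske_body, pos)
    ys, pos = _take_vector16(ske_body, pos)
    return {
        "p_bits": int.from_bytes(p, "big").bit_length(),
        "g": int.from_bytes(g, "big"),
        "ys_bits": int.from_bytes(ys, "big").bit_length(),
    }


def dh_size_verdict(p_bits, minimum_bits=2048):
    """2048 bits is the commonly recommended minimum for finite-field DH;
    anything smaller is reported as weak."""
    return "weak" if p_bits < minimum_bits else "ok"


def build_demo_server_key_exchange(p_bits, g=2):
    """Constructed ServerKeyExchange body: an all-ones modulus of p_bits
    bits (not a real safe prime; only its length matters for the check),
    a public value of the same length and a dummy signature block."""
    p = ((1 << p_bits) - 1).to_bytes((p_bits + 7) // 8, "big")
    ys = (1 << (p_bits - 1)).to_bytes((p_bits + 7) // 8, "big")
    signature = b"\x04\x01" + struct.pack("!H", 4) + b"\x00" * 4   # sha256/rsa + dummy bytes
    return (struct.pack("!H", len(p)) + p
            + struct.pack("!H", 1) + bytes([g])
            + struct.pack("!H", len(ys)) + ys
            + signature)


def check_demo(p_bits):
    """Parse a constructed message and return (prime bits, verdict)."""
    params = parse_server_dh_params(build_demo_server_key_exchange(p_bits))
    return params["p_bits"], dh_size_verdict(params["p_bits"])


if __name__ == "__main__":
    for bits in (1024, 2048):
        print(bits, check_demo(bits))
```

In a real scan the body comes from the handshake record that follows the Certificate message once a DHE suite has been negotiated; a server that picks a non-DHE suite never sends ServerDHParams, so the check has to force a DHE suite in the ClientHello first.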