Difference between revisions of "O-Saft"


Revision as of 19:12, 29 January 2014



OWASP SSL audit for testers / OWASP SSL advanced forensic tool

O-Saft is an easy-to-use tool that shows information about SSL certificates and tests the SSL connection against a given list of ciphers and various SSL configurations.

It is designed to be used by penetration testers, security auditors or server administrators. The idea is to show the important information or the special checks with a simple call of the tool. However, it provides a wide range of options so that experienced people can use it for comprehensive and special checks.


Quick Installation
  • Download and unpack o-saft.tgz
  • Ensure that the following Perl modules (and their dependencies) are installed:
      IO::Socket::INET, IO::Socket::SSL, Net::SSLeay
      Net::SSLinfo (which is part of the tarball)
  • Read and (re-)move o-saft-README
  • Show help
      o-saft --help=commands
      o-saft --help
  • Start
      o-saft +info your.tld
      o-saft +check your.tld
      o-saft +quick your.tld


The main idea is to have a tool that works on common platforms and can easily be automated.

In a Nutshell
  • show SSL connection details
  • show certificate details
  • check for supported ciphers
  • check for ciphers provided in your own libssl.so and libcrypt.so
  • check for special HTTP(S) support (like SNI, HSTS, certificate pinning)
  • check for protections against attacks (BEAST, CRIME, RC4 Bias, ...)
  • may check for a single attribute
  • may check multiple targets at once
  • can be scripted (headless or as CGI)
  • should work on any platform (just needs perl, openssl optional)
  • scoring for all checks (still to be improved in many ways ;-)
  • output format can be customized
  • various trace and debug options to hunt unusual connection problems

What is O-Saft?

O-Saft provides:

  • SSL connection details
  • certificate details
  • full cipher check
  • special HTTP(s) checks
  • check for SSL vulnerabilities
  • can be scripted
  • platform independent
  • customizable output


Talk at the Munich OWASP Stammtisch: overview of current attack possibilities against HTTPS / SSL (also includes a few examples with o-saft) (this presentation is in German)

Project Leader

Achim Hoffmann


OWASP O-Saft is free to use. It is licensed under the GPL v2 license.

Related Projects

Quick Download

News and Events

  • Latest stable release: 01/2014, O-Saft 14.1.4

In Print


(not yet available)


O-Saft is developed from the contributions of OWASP members. The primary contributors to date have been:


O-Saft's source code can be found at https://github.com/OWASP/O-Saft .

The latest stable tarball is https://github.com/OWASP/O-Saft/raw/master/o-saft.tgz

Road Map


Involvement in the development and promotion of O-Saft is actively encouraged!

You do not have to be a security expert in order to contribute. Contacts: