O-Saft v23.04.23 releases – OWASP SSL advanced forensic tool

OWASP SSL advanced forensic tool / OWASP SSL audit for testers

O-Saft is easy to use tool to show information about SSL certificate and tests the SSL connection according to given list of ciphers and various SSL configurations.

It’s designed to be used by penetration testers, security auditors or server administrators. The idea is to show the important information or the special checks with a simple call of the tool. However, it provides a wide range of options so that it can be used for comprehensive and special checks by experienced people.

O-Saft is a command-line tool, so it can be used offline and in closed environments. There is also a GUI based on Tcl/Tk. However, it can simply be turned into an online CGI-tool.

In a Nutshell

• show SSL connection details
• show certificate details
• check for supported ciphers
• check for ciphers provided in your own libssl.so and libcrypt.so
• check for ciphers without any dependency to a library (+cipherall)
• checks the server’s priority for ciphers (+cipherall)
• check for special HTTP(S) support (like SNI, HSTS, certificate pinning)
• check for protections against attacks (BEAST, CRIME, DROWN, FREAK, Heartbleed, Lucky 13, POODLE, RC4 Bias, Sweet32 …)
• check the length of Diffie Hellman Parameters by the cipher (+cipherall needs option ‘–experimental’)
• may check for a single attribute
• may check multiple targets at once
• can be scripted (headless or as CGI)
• should work on any platform (just needs Perl, OpenSSL optional)
• can be used in CI / CD environments
• the output format can be customized
• various trace and debug options to hunt unusual connection problems
• supports STARTTLS for various protocols like (SMTP, POP3, IMAP, LDAP, RDP, XMPP, IRC (experimental) …),[without options using openssl]
  slows down to prevent blockades of requests due to too many connections (supported by some protocols like SMTP)
• Proxy is supported (besides commands using OpenSSL)
• a check of STARTTLS/SMTP for all servers of an MX Resource Record (e.g. checkAllCiphers –mx your.tld:25 –starttls=smtp)
• checkAllCiphers.pl and ‘+cipherall’ support DTLS for ‘–experimental’ use (if records are *not* fragmented)

UNIQUE FEATURES
( ===============
) ### * working in closed environments, i.e. without an internet connection
( ### * checking availability of ciphers independent of installed library
) ### * checking for all possible ciphers (up to 65535 per SSL protocol)
( ### * needs just Perl without modules for checking ciphers and protocols
) ### * mainly the same results on all platforms

Changelog v23.04.23

BUGFIX

* contrib/INSTALL-template.sh: BF: overlong message corrected when modules are missing
* contrib/HTML-table.awk: BF: generating HTML comment corrected
* t/Makefile.misc: BF: target nytprof.html generates output in t/nytprof
* Makefile: BT: target pdf for generating PDF corrected
* o-saft.pl: BF: extracting message number in _warn() corrected (used to avoid printing duplicate messages)
* o-saft.pl: BF: avoid “Use of uninitialized value $_no …”; issues/133
* o-saft-man.pm: BF: value attribute for generated checkbox corrected

CHANGES

* OSaft/Doc/help.txt: ED: documentation for developers moved to other files
* contrib/HTML-table.awk: EF: generate HTML4 or HTML5 depending on scriptname; default: HTML5
* contrib/HTML-table.awk: EF: comment added; h1 tag added
* Net/SSLinfo.pm: ED: using =head3 for method description in POD
* Net/SSLhello.pm: ED: using =head3 for method description in POD
* t/Makefile.dev: EF: using EXE.log-filterarg in testarg*pod.log targets (not yet fully working)
* Makefile: EF: INSERTED_BY_MAKE_OSAFT_PM: give INSTALL.sh list of own perl modules
* Makefile: ET: DOC.src renamed to DOC.odg; SRC.doc to SRC.odg
* o-saft-man.pm: EF: TOC added to generated HTML using <aside> tag (needs to be improved)
* o-saft-man.pm: EF: provide options –format=html4 and –format=html5
* o-saft-man.pm: EF: use linear-gradient background for help buttons in cgi.html
* o-saft-man.pm: EF: –no-tlsv13 removed from default settings in .cgi.html

NEW

* t/Makefile.misc: NF: targets docs.anno docs.subs added
* t/gen-graph-annotations.sh new
* t/gen-graph-sub-calls.sh: new

Download

git clone git@github.com:OWASP/O-Saft.git

Tutorial

Copyright (C) 2013 Achim Hoffmann

Source: https://github.com/OWASP/