O-Saft v22.11.22 releases – OWASP SSL advanced forensic tool

by do son · Published January 21, 2019 · Updated November 24, 2022

OWASP SSL advanced forensic tool / OWASP SSL audit for testers

O-Saft is easy to use tool to show information about SSL certificate and tests the SSL connection according to given list of ciphers and various SSL configurations.

It’s designed to be used by penetration testers, security auditors or server administrators. The idea is to show the important information or the special checks with a simple call of the tool. However, it provides a wide range of options so that it can be used for comprehensive and special checks by experienced people.

O-Saft is a command-line tool, so it can be used offline and in closed environments. There is also a GUI based on Tcl/Tk. However, it can simply be turned into an online CGI-tool.

In a Nutshell

show SSL connection details
show certificate details
check for supported ciphers
check for ciphers provided in your own libssl.so and libcrypt.so
check for ciphers without any dependency to a library (+cipherall)
checks the server’s priority for ciphers (+cipherall)
check for special HTTP(S) support (like SNI, HSTS, certificate pinning)
check for protections against attacks (BEAST, CRIME, DROWN, FREAK, Heartbleed, Lucky 13, POODLE, RC4 Bias, Sweet32 …)
check the length of Diffie Hellman Parameters by the cipher (+cipherall needs option ‘–experimental’)
may check for a single attribute
may check multiple targets at once
can be scripted (headless or as CGI)
should work on any platform (just needs Perl, OpenSSL optional)
can be used in CI / CD environments
the output format can be customized
various trace and debug options to hunt unusual connection problems
supports STARTTLS for various protocols like (SMTP, POP3, IMAP, LDAP, RDP, XMPP, IRC (experimental) …),[without options using openssl]
slows down to prevent blockades of requests due to too many connections (supported by some protocols like SMTP)
Proxy is supported (besides commands using OpenSSL)
a check of STARTTLS/SMTP for all servers of an MX Resource Record (e.g. checkAllCiphers –mx your.tld:25 –starttls=smtp)
checkAllCiphers.pl and ‘+cipherall’ support DTLS for ‘–experimental’ use (if records are *not* fragmented)

UNIQUE FEATURES
( ===============
) ### * working in closed environments, i.e. without an internet connection
( ### * checking availability of ciphers independent of installed library
) ### * checking for all possible ciphers (up to 65535 per SSL protocol)
( ### * needs just Perl without modules for checking ciphers and protocols
) ### * mainly the same results on all platforms

Changelog v22.11.22

BUGFIX
* Net/SSLinfo.pm: BF: avoid “Use of uninitialized value …” in datadump()
* OSaft/Ciphers.pm: BF: using string ‘0 ‘ if value is 0 in _ciphers_init()
* OSaft/Fata.pm: BF: string <<internal>> changed to internal to avoid conflict in HTML
* o-saft.pl: BF: output for –ciphermode=dump corrected
* o-saft.cgi: BF: regex for arguments to be ignored corrected
* o-saft.tcl: BF: generating content for “help” improved
* t/Makefile: ET: name of targets unified: testarg-hlp-*
* t/Makefile.cipher: BT: targets testcmd-cipher-+test-ciphers-list-* corrected (are testarg-* now)
* contrib/gen_standalone.sh: BF: better check for include of o-saft-dbx.pm
CHANGES
* o-saft.pl: EF: print number of checked ciphers for each protocol
* o-saft.pl: EF: print warning if no ciphers specified
* o-saft-man.pm: EF: new design for o-saft.cgi.html
* o-saft-man.pm: EF: man_docs_write() (writes –help=ciphers-text also)
* o-saft.cgi: EF: regex for illegal commands and options improved
* o-saft.tcl: ED: “Key Bindings” documented
* o-saft.tcl: EF: osaft_write_docs() used “o-saft.pl –help=gen-docs” to generate files
* OSaft/Doc/help.txt: EF: description for –cipherrange=RANGE improved; –cipherpattern=PATTERN added
* OSaft/Ciphers.pm: EF: cipher suites SM4-GCM-SM3 and SM4-CCM-SM3 added
* OSaft/Ciphers.pm: EF: security for ciphers *PSK*CBC* set mediu
* OSaft/Ciphers.pm: ET: test functionality improved
* OSaft/Ciphers.pm: EF: @cipher_iana_recomended added (list of ciphers suites recommended by IANA)
* t/Makefile.cipher: ET: tests for –ciphermode=dump added
* t/Makefile.dev: ET: new Targets to test INSTALL.sh
* Makefile: EF: enforce LANG=C environment for all tests
* Makefile: EF: remove useless environment variables
* Makefile: EF: include t/Makefile.gen t/Makefile.mod
* Makefile: ET: target docs and do.data improved
* contrib/HTML-table.awk: EF: improved for cipher lists; some header lines handled special
* contrib/*_completion_o-saft: EF: completion for make added
* checkAllCiphers.pl: EF: trace variable assignment improved
NEW
* o-saft.pl: EF: –cipher=CIPHER implemented
* OSaft/Ciphers.pm: NF: get(pfs) implemented
* t/Makefile: NT: target commands of testarg-%.log and testcmd-%.log piped to filter
* t/Makefile.gen: NF: new Makefilewith user defined functions
* t/Makefile.pod: EF: new section Make:target generation
* t/Makefile.inc: EF: new text for TEST.logtxt; EXE.arg-logfilter and EXE.cmd-logfilter added
* t/Makefile.dev: NT: targets for get_keys_list and get_names_list added
* t/Makefile.dev: ET: targets for testng OSaft/Ciphers.pm functions added
* t/Makefile.dev: ET: targets testarg-dev-o-saft-sh–post-* added
* t/Makefile.misc: NT: new target testarg-misc_hashbang
* contrib/INSTALL-template.sh: EF: copy_file implemented with –useenv; descrition for –useenv added