O-Saft v16.05.15:  OWASP SSL audit for testers & OWASP SSL advanced forensic tool.

Changelog for version 16.05.15:
+ updated version, deleted unused value for cfg{'openssl_version_map'}
+ first use of error_handler, editorial changes
+ Net::SSLeay added as exception for global vars
+ formal change
+ options --all and --yeast implemented
+ nicer output and more selective trace info, sub 'version' not exported any more
- trace >2 is needed for full trace info; new constant for error type: OERR_SSLHELLO_ABORT_PROGRAM

This tool lists information about a remote target's SSL certificate and tests the remote target against a given list of ciphers.

O-Saft GUI (screenshot)

Why a new tool for checking SSL when there already exist a dozen or more in 2012? Some (but not all) reasons are:
* lack of tests of unusual ciphers
* different results returned for the same check on the same target
* missing functionality (checks) for modern SSL/TLS
* lack of tests of unusual (SSL, certificate) configurations
* (mainly) no feasible way to add your own tests

Intended audience:
* penetration testers
* administrators

In a Nutshell:
– show SSL connection details
– show certificate details
– check for supported ciphers
– check for ciphers provided in your own libssl.so and libcrypt.so
– check for special HTTP(S) support (like SNI, HSTS, certificate pinning)
– check for protections against attacks (BEAST, CRIME, RC4 Bias, …)
– may check for a single attribute
– may check multiple targets at once
– can be scripted (headless or as CGI)
– should work on any platform (just needs perl, openssl optional)
– scoring for all checks (still to be improved in many ways 😉)
– output format can be customized
– various trace and debug options to hunt unusual connection problems

Installation:
o-saft.pl requires the following Perl modules:
– Net::SSLeay (preferred >= 1.51)
– IO::Socket::SSL (preferred >= 1.37)
– IO::Socket::INET (preferred >= 1.31)
– Net::DNS (for the --mx option only)

There are no dependencies for checkAllCiphers.pl, so the test of all
ciphers (aka +cipherall) will work with it on its own.
The modules Net::SSLinfo and Net::SSLhello are part of O-Saft and should be
installed in ./Net .
All dependencies of these modules must also be installed.

The following files are optional:
.o-saft.pl (private user configuration)
o-saft-dbx.pm (for debugging, tracing)
o-saft-man.pm (documentation and generation functions)
o-saft-usr.pm (private functions, some kind of API)
checkAllCiphers.pl (simple script for +cipherall option)

.o-saft.pl is delivered as .o-saft.pl.sample to avoid overwriting an existing user
configuration. It needs to be renamed before use.

o-saft.pl reads o-saft-README if that file is present, prints it and exits.
o-saft-README must therefore be renamed or removed before o-saft.pl will do any work.
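The installation notes above amount to a small checklist: the three Perl modules with their preferred minimum versions, Net::DNS only for --mx, openssl optional, and two files that must be renamed before the first run. The script below is an added example that turns that checklist into a runnable pre-flight check; it is not part of O-Saft. It assumes it is run from the directory that holds o-saft.pl, and the name o-saft-README.txt for the moved-aside README is my own choice (the notes only say the file must be renamed or removed).

```shell
#!/bin/sh
# Added example (not part of O-Saft): check the Perl modules listed in the
# installation notes against their preferred minimum versions and prepare
# the optional files. Assumed to run in the directory containing o-saft.pl.

# Numeric comparison of Perl-style decimal versions (e.g. 1.51 vs 1.88);
# returns 0 when $1 >= $2. Perl module versions are decimal numbers, so a
# float comparison in awk is the right test (string comparison is not).
version_ge() {
    awk -v have="$1" -v want="$2" 'BEGIN { exit !(have + 0 >= want + 0) }'
}

# Report on one module: $1 = module name, $2 = preferred minimum version
# ("" when the notes give none). Prints one status line and returns
# 0 (ok), 1 (missing) or 2 (installed but older than preferred).
check_module() {
    mod=$1; want=$2
    have=$(perl -M"$mod" -e "printf '%s', $mod->VERSION" 2>/dev/null) || {
        echo "MISSING  $mod"; return 1; }
    if [ -n "$want" ] && ! version_ge "$have" "$want"; then
        echo "OLD      $mod $have (preferred >= $want)"; return 2
    fi
    echo "OK       $mod $have"
}

# Prepare the optional files described in the notes, in directory $1:
# - .o-saft.pl.sample is copied (not renamed) to .o-saft.pl unless a user
#   config already exists, so the sample survives and nothing is clobbered;
# - o-saft-README is moved aside (name o-saft-README.txt is an assumption),
#   because o-saft.pl otherwise just prints it and exits.
prepare_osaft_dir() {
    dir=${1:-.}
    if [ -f "$dir/.o-saft.pl.sample" ] && [ ! -e "$dir/.o-saft.pl" ]; then
        cp "$dir/.o-saft.pl.sample" "$dir/.o-saft.pl"
    fi
    if [ -e "$dir/o-saft-README" ]; then
        mv "$dir/o-saft-README" "$dir/o-saft-README.txt"
    fi
}

# Dependency list taken from the installation notes; returns non-zero if any
# required module is missing or too old. Net::DNS is only needed for --mx and
# openssl is optional, so neither affects the return value.
osaft_check_all() {
    status=0
    check_module Net::SSLeay      1.51 || status=1
    check_module IO::Socket::SSL  1.37 || status=1
    check_module IO::Socket::INET 1.31 || status=1
    check_module Net::DNS         ""   || echo "         (Net::DNS only needed for --mx)"
    if command -v openssl >/dev/null 2>&1; then
        echo "OK       openssl: $(openssl version)"
    else
        echo "INFO     openssl not found (optional; needed for +cipher checks against your own libssl)"
    fi
    return $status
}

osaft_check_all || echo "some required modules are missing or older than preferred"
prepare_osaft_dir .
```

Run it once after unpacking o-saft.tgz or cloning; the MISSING/OLD lines tell you which CPAN modules to install before o-saft.pl will run as documented.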


Download: o-saft.tgz or git clone

Source: https://www.owasp.org/index.php/Projects/O-Saft