+ * adapted to new commands, typo corrected
+ * bugfix: need IO::Socket::INET->new() instead of IO::Socket::SSL->new()
This tool lists information about the remote target's SSL certificate and tests the remote target against a given list of ciphers.
– Why a new tool for checking SSL when there already exist dozens or more in 2012? Some (but not all) reasons are:
* lack of tests of unusual ciphers
* different results returned for the same check on same target
* missing functionality (checks) for modern SSL/TLS
* lack of tests of unusual (SSL, certificate) configurations
* (mainly) no feasible way to add your own tests
* penetration testers
In a Nutshell:
– show SSL connection details
– show certificate details
– check for supported ciphers
– check for ciphers provided in your own libssl.so and libcrypt.so
– check for special HTTP(S) support (like SNI, HSTS, certificate pinning)
– check for protections against attacks (BEAST, CRIME, RC4 Bias, …)
– may check for a single attribute
– may check multiple targets at once
– can be scripted (headless or as CGI)
– should work on any platform (just needs perl, openssl optional)
– scoring for all checks (still to be improved in many ways 😉)
– output format can be customized
– various trace and debug options to hunt unusual connection problems
o-saft.pl requires the following Perl modules:
– Net::SSLeay (preferred >= 1.51)
– IO::Socket::SSL (preferred >= 1.37)
– IO::Socket::INET (preferred >= 1.31)
– Net::DNS (for the --mx option only)
checkAllCiphers.pl has no such dependencies, so the test of all
ciphers (aka +cipherall) works with it even when those modules are missing.
The modules Net::SSLinfo and Net::SSLhello are part of O-Saft and should be
installed in ./Net .
All dependencies of these modules must also be installed.
The following files are optional:
.o-saft.pl (private user configuration)
o-saft-dbx.pm (for debugging, tracing)
o-saft-man.pm (documentation and generation functions)
o-saft-usr.pm (private functions, some kind of API)
checkAllCiphers.pl (simple script for +cipherall option)
.o-saft.pl is delivered as .o-saft.pl.sample to avoid overwriting an existing user
configuration. It needs to be renamed before use.
o-saft.pl reads o-saft-README if possible and exits.
o-saft-README must be renamed or removed to get o-saft.pl working.
o-saft.pl +check your.tld
o-saft.pl +info your.tld
o-saft.pl +quick your.tld
o-saft.pl +cipher your.tld
o-saft.pl +cipherall your.tld
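As an added illustration (not O-Saft's own code), the following Perl script does a simplified version of what +info and +cipher do: one handshake to read the certificate details, then one handshake per cipher offering only that cipher. It assumes IO::Socket::SSL and Net::SSLeay are installed; the host, port and cipher names are placeholders to be replaced on the command line.

```perl
#!/usr/bin/perl
# Added example, not part of O-Saft: read certificate details from one host,
# then probe which ciphers from a given list the server accepts.
use strict;
use warnings;
use IO::Socket::SSL;   # exports SSL_VERIFY_NONE
use Net::SSLeay;

# placeholders: host, port and cipher names come from the command line
my $host    = shift // 'your.tld';
my $port    = shift // 443;
my @ciphers = @ARGV ? @ARGV
            : qw(ECDHE-RSA-AES128-GCM-SHA256 AES256-SHA RC4-SHA DES-CBC3-SHA);

# 1) certificate details: one full handshake without any cipher restriction
my $ssl = IO::Socket::SSL->new(
    PeerHost        => $host,
    PeerPort        => $port,
    SSL_hostname    => $host,             # send SNI, like O-Saft's SNI check
    SSL_verify_mode => SSL_VERIFY_NONE,   # audit only: show details even for bad certs
    Timeout         => 5,
) or die "connect to $host:$port failed: $!, ", IO::Socket::SSL::errstr(), "\n";

printf "protocol : %s\n", $ssl->get_sslversion;
printf "cipher   : %s\n", $ssl->get_cipher;
printf "subject  : %s\n", $ssl->peer_certificate('subject');
printf "issuer   : %s\n", $ssl->peer_certificate('issuer');
my $x509 = $ssl->peer_certificate;        # raw X509 handle for Net::SSLeay calls
printf "notAfter : %s\n",
    Net::SSLeay::P_ASN1_UTCTIME_put2string(Net::SSLeay::X509_get_notAfter($x509));
$ssl->close;

# 2) cipher probe: one handshake per cipher, offering only that cipher.
#    A failure here means either the server rejected it or the local libssl
#    does not provide it (compare the "own libssl.so" check above).
for my $c (@ciphers) {
    my $s = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => $port,
        SSL_hostname    => $host,
        SSL_verify_mode => SSL_VERIFY_NONE,
        SSL_cipher_list => $c,
        Timeout         => 5,
    );
    if ($s) {
        printf "%-32s accepted (negotiated %s)\n", $c, $s->get_cipher;
        $s->close;
    } else {
        printf "%-32s rejected (%s)\n", $c, IO::Socket::SSL::errstr() || $!;
    }
}
```

Run it as `perl probe.pl your.tld 443 AES256-SHA RC4-SHA`; ciphers the server should no longer offer (RC4, 3DES) showing up as accepted are the findings to act on.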