owasp / o-saft Goto Github PK

O-Saft - OWASP SSL advanced forensic tool

License: GNU General Public License v2.0

Shell 4.74% Perl 79.65% Tcl 6.97% Awk 0.65% Ruby 0.06% Makefile 7.14% Dockerfile 0.79%

o-saft's Introduction


Any use of this project's code by GitHub Copilot, past or present, is done without our permission. We do not consent to GitHub's use of this project's code in Copilot.

O-Saft - OWASP SSL advanced forensic tool

Download Version 24.01.24

QUICK START

  o-saft.pl --help
  o-saft.pl +check  your.tld
  o-saft.pl +info   your.tld
  o-saft.pl +quick  your.tld
  o-saft.pl +cipher your.tld
  o-saft.pl --help=commands

  o-saft.tcl      # (simple GUI; requires Tcl/Tk 8.5 or newer)

  o-saft-docker   # (simple wrapper to call o-saft.pl in docker image)

  o-saft          # (simple wrapper to call o-saft.pl or o-saft.tcl or o-saft-docker)

DESCRIPTION

This tools lists information about remote target's SSL certificate and tests the remote target according given list of ciphers.

UNIQUE FEATURES

working in closed environments, i.e. without internet connection
checking availability of ciphers independent of installed library
checking for all possible ciphers (up to 65535 per SSL protocol)
needs just perl without modules for checking ciphers and protocols
mainly same results on all platforms

WHY?

Why a new tool for checking SSL when there already exist a dozens or more good tools in 2012? Some (but not all) reasons are:

lack of tests of unusual ciphers
different results returned for the same check on same target
missing functionality (checks) according modern SSL/TLS
lack of tests of unusual (SSL, certificate) configurations
(mainly) missing feasability to add own tests

For more details, please use:

  o-saft.pl --help

or read the source ;-)

TARGET AUDIENCE

penetration testers
administrators

INSTALLATION

o-saft.pl requires following Perl modules:

Module	Version
`Net::SSLeay`	(prefered >= 1.51, recommended 1.85)
`IO::Socket::SSL`	(prefered >= 1.37, recommended 2.002)
`IO::Socket::INET`	(prefered >= 2.31)
`Net::DNS`	(prefered >= 0.65, for --mx option only)

It can be executed from within the unpacked or cloned directory, installation is not necessary. However, a INSTALL.sh script will be provided, which can be called as follows:

  INSTALL.sh /path/to/install
  INSTALL.sh --check

For more details on installation, please see:

  INSTALL.sh --help

There're no dependencies to other Perl modules for checkAllCiphers.pl so the test of all ciphers will work with it. The modules SSLinfo, SSLhello beside som others, are part of the tool and should be installed in ./lib .

Following files are optional:

File / Tool	Description
`.o-saft.pl`	(private user configuration)
`.o-saft.tcl`	(private user configuration for GUI)
`lib/OTrace.pm`	(functions for debugging)
`lib/OMan.pm`	(documentation and generation functions)
`doc/o-saft.pod`	(documentation in POD format)
`lib/o-saft-img.tcl`	(images for buttons in GUI)
`checkAllCiphers.pl`	(simple script for checking all ciphers)
`usr/*`	(additional programs and tools)

Sources

Project home is https://www.owasp.org/index.php/O-Saft
Project repo is https://github.com/OWASP/O-Saft
Historic Project home https://www.owasp.org/index.php/Projects/O-Saft

Get a Copy (latest stable release)

  wget https://github.com/OWASP/O-Saft/raw/master/o-saft.tgz

Get a Copy (development version)

  git clone https://github.com/OWASP/O-Saft.git
  git clone [email protected]:OWASP/O-Saft.git

Get Docker Image (latest stable release)

  docker pull owasp/o-saft

VERSION

24.01.24

The version of the tarball o-saft.tgz represents the version listed on top herein. All other files in the repository may be ahead of this tarball version.

SHA256 checksum of o-saft.tgz

3332af75f20933b4be4dd2e49c8d67cd505fc7856f4844211671e2fd304bbefb

SHA256 checksum of docker image owasp/o-saft:latest and owasp/o-saft:18.11.18

b85423d142c186c1cf10494aa0e993f6f2030ab769977aca9584d7d650421697

NOTE that the checksums listed here are the previous versions if this file is from o-saft.tgz itself, or inside the docker image.

Older version

Version 24.01.24 is a major redesign (refactoring) of the project. The top directory now contains the main tools only. All modules, documentation and (user) contributed tools are in sub-directories. These changes are also reflected in the directories available at github.

If older versions should be used, please get the correspondig o-saft.tgz from github's releases, see: https://github.com/OWASP/O-Saft/releases (as of January 2024).

o-saft's People

Contributors

Stargazers

Watchers

Forkers

lucabongiorni lodoss sslhello mgm-sp xthk spoint42 vasiab humbertcostas givc0d3r owasp-tools-erpragatisingh fleischkatapult olivierh59500 hackur trustplane alexxnica kryndex kbahaxor sage-pe techlord-rce minkione gronau-it-cloud-computing fossler ll2b copyleftdev team-firebugs souravbadami achipapakon mtmtcode mcne65 gormed r3p3r maxdu92 seabreg fullstackenviormentss mattlk13 stitch ro9ueadmin anezashraf mer0vigi0 uronurknees owaspmemphis sasqwatch kumarchatla goveswarareddy johannusnl l9sk lnaphade pentestbr eagle3294 netsec coredamage the-oinkprotocol-labs modulexcite digitalarche alchemycyberblaze backwardn endsu forkkit lager1 adityavs nasrullo 5l1v3r1 ops-sandy latkes qp53catoei2wwrhhsoco apython123 6un9-h0-dan honsa naveen12 anubisant masterscott ekmixon readloud isabella232 nunogt kingthorin websecresearch sethrice tobey123 ilir4734 zaperking ethicalsecurity-agency s1l3nt-cr0w lgc33 stnert

o-saft's Issues

Consider putting Size and Count in a sentence in +check mode

For +check mode, for consistency (I am writing a plugin that reads o-saft output), I have to modify the following so that they are consistent with the rest of the report. Is there any particular reason it has to be in the original way?
And by the way, thanks for the fast response to get the output option done. I tried but right now I am doing my own parsing, but your looks promising.

When I parse I split on : character. Since most of the rows in the report happen to be in label : value format, I decided to change how the followings are written.

--- a/o-saft.pl
+++ b/o-saft.pl
@@ -447,24 +447,24 @@ my %check_size = (
     # collected and checked length and count data
     # counts and sizes are integer values, key mast have prefix (len|cnt)_
     #------------------+-----------------------------------------------------
-    'len_pembase64' => {'txt' => "Size: Certificate PEM (base64)"}, # <(2048/8*6)
-    'len_pembinary' => {'txt' => "Size: Certificate PEM (binary)"}, # < 2048
-    'len_subject'   => {'txt' => "Size: Certificate subject"},      # <  256
-    'len_issuer'    => {'txt' => "Size: Certificate subject"},      # <  256
-    'len_CPS'       => {'txt' => "Size: Certificate CPS"},          # <  256
-    'len_CRL'       => {'txt' => "Size: Certificate CRL"},          # <  256
-    'len_CRL_data'  => {'txt' => "Size: Certificate CRL data"},
-    'len_OCSP'      => {'txt' => "Size: Certificate OCSP"},         # <  256
-    'len_OIDs'      => {'txt' => "Size: Certificate OIDs"},
-    'len_publickey' => {'txt' => "Size: Certificate public key"},   # > 1024
-    'len_sigdump'   => {'txt' => "Size: Certificate signature key"},# > 1024
-    'len_altname'   => {'txt' => "Size: Certificate subject altname"},
-    'len_chain'     => {'txt' => "Size: Certificate Chain size"},   # < 2048
-    'len_sernumber' => {'txt' => "Size: Certificate Serial Number"},# <=  20 octets
-    'cnt_altname'   => {'txt' => "Count: Certificate subject altname"}, # == 0
-    'cnt_wildcard'  => {'txt' => "Count: Certificate wildcards"},   # == 0
-    'cnt_chaindepth'=> {'txt' => "Count: Certificate Chain Depth"}, # == 1
-    'cnt_ciphers'   => {'txt' => "Count: Offered Ciphers"},         # <> 0
+    'len_pembase64' => {'txt' => "Certificate PEM (base64) size"}, # <(2048/8*6)
+    'len_pembinary' => {'txt' => "Certificate PEM (binary) size"}, # < 2048
+    'len_subject'   => {'txt' => "Certificate subject size"},      # <  256
+    'len_issuer'    => {'txt' => "Certificate subject size"},      # <  256
+    'len_CPS'       => {'txt' => "Certificate CPS size"},          # <  256
+    'len_CRL'       => {'txt' => "Certificate CRL size"},          # <  256
+    'len_CRL_data'  => {'txt' => "Certificate CRL data size"},
+    'len_OCSP'      => {'txt' => "Certificate OCSP size"},         # <  256
+    'len_OIDs'      => {'txt' => "Certificate OIDs size"},
+    'len_publickey' => {'txt' => "Certificate public key size"},   # > 1024
+    'len_sigdump'   => {'txt' => "Certificate signature key size"},# > 1024
+    'len_altname'   => {'txt' => "Certificate subject altname size"},
+    'len_chain'     => {'txt' => "Certificate Chain size"},   # < 2048
+    'len_sernumber' => {'txt' => "Certificate Serial Number size"},# <=  20 octets
+    'cnt_altname'   => {'txt' => "Certificate subject altname count"}, # == 0
+    'cnt_wildcard'  => {'txt' => "Certificate wildcards count"},   # == 0
+    'cnt_chaindepth'=> {'txt' => "Certificate Chain Depth count"}, # == 1
+    'cnt_ciphers'   => {'txt' => "Offered Ciphers count"},         # <> 0
     'cnt_totals'    => {'txt' => "Total number of checked ciphers"},
     #------------------+-----------------------------------------------------

"invalid SSL_version specified" breaks O-Saft with newer versions of OpenSSL

As requested by @EnDe in issue #21 I'm opening this to advise that a default OpenSSL installation on Debian sid/unstable breaks O-Saft.

claudio@Chuck:~/projects/o-saft$ ./o-saft.pl +info google.com
=== reading options from  ./.o-saft.pl ===

==== Target: google.com:443 ====

=--------------------------------------+-----------------------------------
Given hostname:                         google.com
IP for given hostname:                  74.125.24.138
Reverse resolved hostname:              de-in-f138.1e100.net
DNS entries for given hostname:         74.125.24.138 de-in-f113.1e100.net; 74.125.24.138 de-in-f100.1e100.net; 74.125.24.138 de-in-f102.1e100.net; 74.125.24.138 de-in-f139.1e100.net; 74.125.24.138 de-in-f138.1e100.net; 74.125.24.138 de-in-f101.1e100.net; 
=--------------------------------------+-----------------------------------
invalid SSL_version specified at libs/IO-Socket-SSL-1.90/lib/IO/Socket/SSL.pm line 415.

Following Achim's suggestion, I used --no-dtlsv1 as a command line option; with that, O-Saft works correctly.

claudio@Chuck:~/projects/o-saft$ ./o-saft.pl --no-dtlsv1 +info google.com
=== reading options from  ./.o-saft.pl ===

==== Target: google.com:443 ====

=--------------------------------------+-----------------------------------
Given hostname:                         google.com
IP for given hostname:                  74.125.24.101
Reverse resolved hostname:              de-in-f101.1e100.net
DNS entries for given hostname:         74.125.24.101 de-in-f101.1e100.net; 74.125.24.101 de-in-f100.1e100.net; 74.125.24.101 de-in-f113.1e100.net; 74.125.24.101 de-in-f102.1e100.net; 74.125.24.101 de-in-f138.1e100.net; 74.125.24.101 de-in-f139.1e100.net; 
=--------------------------------------+-----------------------------------

=== Informations ===
= Description                           Value
=--------------------------------------+-----------------------------------
Certificate Version:                3 (0x2)
Certificate Common Name:            *.google.com
Certificate Subject:                /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
Certificate Subject Name hash:      a18bd28a
Certificate Issuer:                 /C=US/O=Google Inc/CN=Google Internet Authority G2
Certificate Issuer Name hash:       c4c7a654
Certificate Serial Number:          22D82A5707169BBD
Certificate Fingerprint:            SHA1 Fingerprint=98227514A4A1CBF99689AEA72932E14B7ACF2DD1
[snip]

Thanks for the great work!

Claudio

duplicate descriptions for ciphers

Some ciphers are valid for more than one SSL version. Some descriptions are missing.

Out of Memory

The script gives a "Out of Memory" everytime i try to start it.
Perl-debugger teminates with "Out of Memory" :-)

Centos 5

low memory problem

The script may fail to start external programs (like openssl) due to insufficient memory. This only effects data returned by external programs (i.g. openssl only) but not other data.
In this case some data have <> as value.

+info and other "check"-command not working

It's not possible to use +info command in conjunction with other commands commands.
This is already descrbed in the documentations LIMITATION section.
A warning at runtime would be nice.

Perl errors

Given hostname: google.com
IP for given hostname: 74.125.228.66
Reverse resolved hostname: <<gethostbyaddr() failed>>
DNS entries for given hostname: 55.52.46.49 <<gethostbyaddr() failed>>; 55.52.46.49 <<gethostbyaddr() failed>>; 55.52.46.49 <<gethostbyaddr() failed>>; 55.52.46.49 <<gethostbyaddr() failed>>; 55.52.46.49 <<gethostbyaddr() failed>>; 55.52.46.49 <<gethostbyaddr() failed>>; 55.52.46.49 <<gethostbyaddr() failed>>; 55.52.46.49 <<gethostbyaddr() failed>>; 55.52.46.49 <<gethostbyaddr() failed>>; 55.52.46.49 <<gethostbyaddr() failed>>; 55.52.46.49 <<gethostbyaddr() failed>>;
=--------------------------------------+-----------------------------------
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in concatenation (.) or string at Net/SSLinfo.pm line 1170, line 1983.
Use of uninitialized value $_timeout in concatenation (.) or string at Net/SSLinfo.pm line 1173, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in string ne at Net/SSLinfo.pm line 375, line 1983.
Use of uninitialized value $_timeout in concatenation (.) or string at Net/SSLinfo.pm line 1170, line 1983.
Use of uninitialized value $_timeout in concatenation (.) or string at Net/SSLinfo.pm line 1173, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.
Use of uninitialized value in subroutine entry at /Library/Perl/5.16/IO/Socket/SSL.pm line 421, line 1983.

Instructions to enable sslv2 support on modern distros

I'm trying to use o-saft on a Ubuntu 15.04 VM but I cannot make it work with SSLv2.0

I have already enabled sslv2.0 support on openssl following/adapting instructions here http://blog.opensecurityresearch.com/2013/05/fixing-sslv2-support-in-kali-linux.html and I have also tried to enable sslv2.0 on Net::SSLeay following http://www.techstacks.com/howto/enable-sslv2-methods-in-netssleay.html

When I try to execute the o-saft tool this warning shows up:

danilonc@tcc:~/tcc$ perl o-saft.pl +info encrypted.google.com                                                                                                                                                        
=== reading: ./.o-saft.pl (No such file or directory) ===
**WARNING: SSL version 'SSLv2' not supported by openssl; ignored

How can i make it work?

dnssec / TLSA support

Would be nice to be able to check for DNSSEC and TLSA record suport.

See Swede for a tool that can do TLSA checking, however it dosen't do starttls:

https://github.com/pieterlexis/swede/

SNI not working proper for +cipher

checking ciphers (+cipher command) for SNI-enabled servers is not always reliable

(experimental) Proxy-Feature for o-saft.pl is not working (SSLinfo fails)

SSLinfo fails, if the client tries to connect via a proxy:

o-saft.pl +info --proxyhost=proxy --proxyport=3128 www.server.tld --experimental --v --v --v --trace=3
...

O-Saft :: cn_nosni: {

Net::SSLinfo::do_ssl_open(www.server.tld,443,,)

Net::SSLinfo::do_ssl_open cipherlist: ALL:NULL:eNULL:aNULL:LOW

Net::SSLinfo::_check_host(www.server.tld)

Net::SSLinfo::_check_host .

Net::SSLinfo::errors:do_ssl_open() failed calling _check_host(www.server.tld):

Net::SSLinfo::do_ssl_open() failed.

O-Saft :: cn_nosni: }

Net::SSLinfo::do_ssl_open(www.server.tld,443,,)

Net::SSLinfo::do_ssl_open cipherlist: ALL:NULL:eNULL:aNULL:LOW

Net::SSLinfo::_check_host(www.server.tld)

Net::SSLinfo::_check_host .

Net::SSLinfo::errors:do_ssl_open() failed calling _check_host(www.server.tld): #Net::SSLinfo::errors:do_ssl_open() failed calling _check_host(www.server.tld):

Net::SSLinfo::do_ssl_open() failed.

Net::SSLinfo::_SSLinfo_get('errors',www.server.tld,443)

do_ssl_open() failed calling _check_host(www.server.tld):

do_ssl_open() failed calling _check_host(www.server.tld):
**WARNING: Can't make a connection to www.server.tld:443; target ignored

Net::SSLinfo::do_ssl_close(www.server.tld,443)

**WARNING: undefined Net::SSLinfo::socket; connection cannot be closed at Net/SSLinfo.pm line 1509.

O-Saft :: done: www.server.tld

--cipher=CIPHER

option to select list of ciphers only accepts exact cipher name but no shortcuts as used by openSSL

check: +verify_altname case insensitive

Names in subjectAltNames are checked case insensitive; implement a case sensitive check.
Reason: even FQDN are case insensitive an attacker may craft names using similar characters froom other charactersets which will not be displayed in browsers.

check: reverse hostname lookup

Reverse DNS lookup for a given hostname does not always returns the specified hostname.
As this is not a SSL/Certificate issue but a DNS configuration problem (wether local or remote DNS server), this is something to be discussed how to deal with.
Example:
o-saft.pl +sni_check youtu.be
---------------------------------------+-----------------------------------
Given hostname: youtu.be
Reverse resolved hostname: muc03s07-in-f3.1e100.net
IP for given hostname: 173.194.44.3
---------------------------------------+-----------------------------------

Use of uninitialized value $headers in split

Following error occours when a HTTP connection is refused by the target:
Use of uninitialized value $headers in split at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/do_httpx2.al) line 1290.

Can't make a connection to some hosts; no initial data Error

I also posted this on the Mailing list. On some hosts (for example httpsnow.org) the scan terminates with an error:

*_WARNING: Can't make a connection to httpsnow.org:443; no initial data
do_ssl_open() WARNING 'Net::SSLeay::CTX_set_ssl_version()' not available, using system default
do_ssl_open() failed calling Net::SSLeay::connect() failed handshake:
do_ssl_open() WARNING 'Net::SSLeay::CTX_set_ssl_version()' not available, using system default
do_ssl_open() failed calling Net::SSLeay::connect() failed handshake:
*_WARNING: Can't make a connection to httpsnow.org:443; target ignored

When I run the scan on other sites (google.de) it works fine without any error. O-Saft seems to terminate the whole scan as soon as the connection fails.
When I uncomment the "goto CLOSE_SSL;" (line 5968) the scan finishes and the cipher check works fine, but checks like +sts or +certificate don't work and another error appears: Use of uninitialized value in string eq at o-saft.pl line 4054

My o-saft call looks like this: perl o-saft.pl httpsnow.org +hsts +certificate --no-dtlsv1 --v

length() used on @array (did you mean "scalar(@array)"?) at ./o-saft.pl line 4568

HI,

I'm having 2 issues, but I believe they might be related:

the first one, as I mentioned in the title, is that upon startup this message happens:

length() used on @array (did you mean "scalar(@array)"?) at ./o-saft.pl line 4568.

The second one happens later (and makes everything crash):

Use of uninitialized value in subroutine entry at /usr/share/perl5/IO/Socket/SSL.pm line 430.
invalid SSL_version specified at /usr/share/perl5/IO/Socket/SSL.pm line 368.

Here's the whole execution:

claudio@Chuck:~/projects/o-saft$ ./o-saft.pl +info google.com
length() used on @array (did you mean "scalar(@array)"?) at ./o-saft.pl line 4568.
=== reading options from  ./.o-saft.pl ===

==== Target: google.com:443 ====

=--------------------------------------+-----------------------------------
Given hostname:                         google.com
IP for given hostname:                  74.125.24.102
Reverse resolved hostname:              de-in-f102.1e100.net
DNS entries for given hostname:         74.125.24.102 de-in-f113.1e100.net; 74.125.24.102 de-in-f139.1e100.net; 74.125.24.102 de-in-f138.1e100.net; 74.125.24.102 de-in-f101.1e100.net; 74.125.24.102 de-in-f102.1e100.net; 74.125.24.102 de-in-f100.1e100.net; 
=--------------------------------------+-----------------------------------
Use of uninitialized value in subroutine entry at /usr/share/perl5/IO/Socket/SSL.pm line 430.
invalid SSL_version specified at /usr/share/perl5/IO/Socket/SSL.pm line 368.

I don't trust myself enough to try and fix it by replacing the length() with scalar();

Could you please take a look?

SysOp: Debian unstable/sid x64 Kernel 3.12-1-amd64

ii libio-socket-ssl-perl 1.967-1 all Perl module implementing object oriented interface to SSL sockets
ii libnet-ssleay-perl 1.58-1 amd64 Perl module for Secure Sockets Layer (SSL)

o-saft.pl +vulns exits non-zero when vulnerability is found

I run o-saft from Jenkins, if the script would fail on a vulnerability found, then the jenkins build could fail and I can sent an alert.

--short leads to error message "Use of uninitialized value $label in concatenation (.) or string at ./o-saft.pl line 3848."

The --short option seems to lead to warning messages.

Example:

$ ./o-saft.pl --short +hsts www.twitter.com

Output:

=== reading: ./.o-saft.pl (options done) ===
**WARNING: Can't do DNS reverse lookup: for www.twitter.com: <<gethostbyaddr() failed>>; ignored
**WARNING: no reply: 'Connection reset by peer'
HTTPS STS MaxAge:                   631138519
HTTPS STS sub-domains:
Redirects to same host:                 yes
STS header not for IP:                  yes
HTTP Status code is 301:                yes
HTTP Status code not 30x:               yes
STS and Location header:                no (https://twitter.com/)
Redirects without STS:                  yes
STS and no Refresh header:              yes
STS header:                             yes
STS long max-age:                       no (631138519 = 7304 days)
Use of uninitialized value $label in concatenation (.) or string at ./o-saft.pl line 3848.
:                                       no (> 0)
Use of uninitialized value $label in concatenation (.) or string at ./o-saft.pl line 3848.
:                                       no (> 86400)
Use of uninitialized value $label in concatenation (.) or string at ./o-saft.pl line 3848.
:                                       no (> 2592000)
Use of uninitialized value $label in concatenation (.) or string at ./o-saft.pl line 3848.
:                                       no (> 31536000)
Use of uninitialized value $label in concatenation (.) or string at ./o-saft.pl line 3848.
:                                       yes
STS includeSubdomain:                   no ( )

Without --short no warning regarding uninitialized values is shown.

check: +verify_altname fails with TLD in subjectAltNames

check with +verify_altname fails if subjectAltNames contains a TLD and the given hostname is a host or subnet of that TLD

some commands miss label in output

some commands, i.e. +len_CRL, +hasSSLv2, are printed without its label
label is only missing when the commands are not used in conjunction with +check
however, checks are correct

Plan for output format?

Currently everything is dump to STDOUT and it would be nice if it could be export to xml, json or even html.

Can't locate "get_sslversion"

My daily build fails since November 20th:

Can't locate object method "get_sslversion" via package "IO::Socket::SSL" at ./o-saft.pl line 2659

UTF-8 characters in documentation

If non-latin1 (aka US-ASCII) characters are used in documentation, perldoc may display them incorrectly.
The problem can be (1) program file not stored with UTF-8 character encoding, (2) program file is not an UTF-8 file, (3) no proper locales installed, (4) wrong setting of environment variable LAB (or related ones), (5) probably some more ...

As this does not harm functionality, it will not be fixed.

Proper Release

Please release the tool properly. It should be available in the download tab, and not as a part of the repository itself.

+hasSSLv3 and +poodle checks do not honor --no-sslv3 option

+hasSSLv3 and +poodle simply check if SSLv3 is supported, when --no-sslv3 was given this check returns "yes" meaning that no SSLv3 is supported (and hence no vulnerability). This result is miss-leading when --no-sslv3 was given.

Is O-Saft installed in Kali 2.x by default?

I noticed that Kali 2.x doesn't have O-Saft already installed. Previous versions of Kali installed it by default.
Can anyone confirm? :)

Packaging O-Saft as a standalone Windows executable

Hello,

Just as sslscan and sslyze, do you think you could package O-Saft as a standalone Windows (and even ELF) executable ?
As you may imagine, this is very convenient when you can't have your workstation on the audited network.

Cheers.

Adding an option to specify custom explicit TLS kickstart bytes

Hello,

I'm cross-posting a feature request from https://github.com/rbsec/sslscan/ as o-saft and sslscan are the most popular tool for TLS assessment:

rbsec/sslscan#84

Cheers !

uninitialized value in subroutine entry at SSL.pm

perl ./o-saft.pl +info domain.com

I'm getting the following message:
Use of uninitialized value in subroutine entry at /usr/lib64/perl5/vendor_perl/5.20.1/IO/Socket/SSL.pm line 430.
invalid SSL_version specified at /usr/lib64/perl5/vendor_perl/5.20.1/IO/Socket/SSL.pm line 368.

Any ideas how to fix it?

Read error: Connection reset by peer

Sometime an error like follows is returned:
Read error: Connection reset by peer (,199725) at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/tcp_read_all.al) line 535.

This most likely happens when the target resets the TCP connection when a HTTP GET is performed.
The error ocours in Net/SSLeay.pm and cannot be handled outside.

However, up to now, all cases where this occours, the target responded with a valid HTTP response, either with a HTTP/1.1 900 status (which is very uncommon) or with a HTTP/1.1 30x status.

Can't locate auto/Net/SSLeay/CTX_v2_new.al in @INC

When using +check or +cipher o-saft.pl exits with a perl error like:

Can't locate auto/Net/SSLeay/CTX_v2_new.al in @inc (@inc contains: /etc/perl /usr/local/lib/perl/5.14.2 /usr/local/share/perl/5.14.2 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.14 /usr/share/perl/5.14 /usr/local/lib/site_perl .) at /usr/share/perl5/IO/Socket/SSL.pm line 1427

Probelm most likely is that the used openssl (and it's library libssl.so) does no support SSLv2, for example with openessl 1.0.x.

Workaround: use another libssl.so and openssl.so using --lib and --exe options.

Future version will detect missing functionality and switch it off automatically and also provide an option to disable SSLv2 checks.

enhancement: o-saft.pl command line option to fail when vulnerability is found.

I request a non-zero exit code when one of the tests fails, or at least an option for that. As a consumer I can then clone, run, and fail when a test fails, without programming.

With the current output I have to parse myself:

Connection is safe against BEAST attack (any cipher):no ( <<N/A as --no-SSLv2 in use>> TLSv11)
Connection is safe against BREACH attack:no (<<NOT YET IMPLEMENTED>>)
Connection is safe against CRIME attack:yes
Connection is safe against DROWN attack:no (<<N/A as --no-SSLv2 in use>>)
Connection is safe against FREAK attack:yes
Connection is safe against Heartbleed attack:yes
Connection is safe against Logjam attack:yes
Connection is safe against Lucky 13 attack:no
Connection is safe against POODLE attack:yes
Connection is safe against RC4 attack:yes
Connection is safe against Sweet32 attack:no
Target does not support SSLv2:no (<<N/A as --no-SSLv2 in use>>)
Target does not support SSLv3:yes
Target supports PFS (selected cipher):yes
Target TLS Session Ticket is random:yes

When I would launch with the proposed --fail flag the exit code is non-zero when any tests says no.

./o-saft.pl --fail --no-warning --no-header +vulns mysite.org --legacy=compact

--ca-path and --ca-file not handled properly

the arguments given with --ca-path and --ca-file are not passed to Net::SSLinfo

Reverse resolved hostname missing

sometimes the "Reverse resolved hostname" is missing 'cause gethostbyaddr() fails

check for OPENSSLDIR

The check for OPENSSLDIR (see --ca-path) fails if --openssl or --force-openssl is used.

Bug only occours on windows or if --openssl=* is used.

+hasSSLv2 and +hasSSLv3 checks are wrong

if these commands (checks) are used solely, without +check, then the result is wrong as no such ckeck is done

check for EV certificates miss age check of certificate

EV certificates must be valid less than 27 months

command line option --cipher=CIPHER

Command line option --cipher=CIPHER does not work proper when CIPHER is not a valid cipher name. It should also be possible to use CIPHER as with openssl's cipher command, like CBC+SHA.

warning VERSION in numeric lt (<) at ...

following warnng may be returned (see issue #50 )

Use of uninitialized value $version::VERSION in numeric lt (<) at ./o-saft.pl line 1712.

Perl error when cipher description is missing

When the underlaying library checks for ciphers which are not know/defined in o-saft.pl itself, perl bails out with an error like:

Can't use an undefined value as an ARRAY reference at ./o-saft.pl line 2529, line 2585.

Perl errors

osaft.pm contains joke code

Commits from 18 may are adding some obfuscated joke code to osaft.pm that tells "Alles Gut" and "Happy Birtday" when you try to run osaft. EnDe account hacked ?

It should certainly be reverted, the joke is annoying fro people cloning the tool from repository (not my birthday).

It's also quite frightening; what if it were some trojan setup code instead ? Maybe the github setting should be changed to a two stages validation process ?

https

testing the ssl connection with http(s) is not yet implemented

O-Saft not working with IO::Socket::SSL 1.967

As Achim requested in Issue #21 I'm opening this to report that O-Saft is not working with IO::Socket::SSL 1.967

claudio@Chuck:~/projects/o-saft$ ./o-saft.pl +info google.com

=== reading options from  ./.o-saft.pl ===

==== Target: google.com:443 ====

[snip]

Use of uninitialized value in subroutine entry at /usr/share/perl5/IO/Socket/SSL.pm line 430.

Building IO::Socket::SSL 1.90 from sources[1] and adding a "use lib" seems to fix the problem

claudio@Chuck:~/projects/o-saft$ ./o-saft.pl --no-dtlsv1 +info google.com
=== reading options from  ./.o-saft.pl ===

==== Target: google.com:443 ====

=--------------------------------------+-----------------------------------
Given hostname:                         google.com
IP for given hostname:                  74.125.24.113
Reverse resolved hostname:              de-in-f113.1e100.net
DNS entries for given hostname:         74.125.24.113 de-in-f113.1e100.net; 74.125.24.113 de-in-f100.1e100.net; 74.125.24.113 de-in-f102.1e100.net; 74.125.24.113 de-in-f139.1e100.net; 74.125.24.113 de-in-f138.1e100.net; 74.125.24.113 de-in-f101.1e100.net; 
=--------------------------------------+-----------------------------------

=== Informations ===
= Description                           Value
=--------------------------------------+-----------------------------------
Certificate Version:                3 (0x2)
Certificate Common Name:            *.google.com
Certificate Subject:                /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
[snip]

Thanks for the help!

Claudio

[1] http://search.cpan.org/~sullr/IO-Socket-SSL-1.90/lib/IO/Socket/SSL.pm

check: self-signed

checking the certificate chain sometimes fails and reports:
Certificate is not self-signed: no (num=20:unable to get local issuer certificate)

check: Certificate is not self-signed

check for self-signed certificate is wrong

crash when target does not provide a certificate

o-saft crashes when the connected target allows SSL protocol but does not provide a certificate.
The crash, for example: segmentation fault, does not occour in o-saft itself, but the underlaying libssl.

+quick checks miss check vor SSLv3 (+hasSSLv3 and +poodle)

list of check for +quick command does not contain checks for SSLv3 support

o-saft 14.1.4 on CentOS 6.5 doesn't report correctly on TLSv1.1 and TLAv1.2 ciphersuites

I'm running a CentOS 6.5 VM. Apache httpd is configured to use AES128-GCM-SHA256 but o-saft.pl 14.1.4 doesn't report that it's available. I don't think it's a problem with openssl because I can use openssl s_client to connect using that cipher.

This actually happens for 4 ciphersuites:
AES128-GCM-SHA256
AES256-GCM-SHA384
AES256-SHA256
AES128-SHA256

The remaining 6 ciphersuites are reported correctly.

Some output from "./o-saft.pl +cipher --enabled --v --v --v --v --trace --trace dlib-shandon.ucs.ed.ac.uk"

check cipher TLSv1: AES128-GCM-SHA256 # check

O-Saft ::_usesocket(..., AES128-GCM-SHA256)

DEBUG: .../IO/Socket/SSL.pm:504: socket not yet connected

DEBUG: .../IO/Socket/SSL.pm:506: socket connected

DEBUG: .../IO/Socket/SSL.pm:528: ssl handshake not started

DEBUG: .../IO/Socket/SSL.pm:561: using SNI with hostname dlib-shandon.ucs.ed.ac.uk

DEBUG: .../IO/Socket/SSL.pm:612: set socket to non-blocking to enforce timeout=2

DEBUG: .../IO/Socket/SSL.pm:1733: SSL connect attempt failed

DEBUG: .../IO/Socket/SSL.pm:631: fatal SSL error: SSL connect attempt failed error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available

The ciphersuite is configured

[astuart4@dlib-shandon ~]$ grep -i AES128-GCM-SHA256 /etc/httpd/conf.d/ssl.conf
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

I can connect using openssl s_client

[astuart4@dlib-shandon o-saft]$ echo '^D' | openssl s_client -cipher AES128-GCM-SHA256 -connect dlib-shandon.ucs.ed.ac.uk:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify return:1
depth=1 C = NL, O = TERENA, CN = TERENA SSL CA
verify return:1
depth=0 OU = Domain Control Validated, CN = dlib-shandon.ucs.ed.ac.uk
verify return:1

Certificate chain
0 s:/OU=Domain Control Validated/CN=dlib-shandon.ucs.ed.ac.uk
i:/C=NL/O=TERENA/CN=TERENA SSL CA
1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
3 s:/C=NL/O=TERENA/CN=TERENA SSL CA
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware

Server certificate
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIRAJmV9NPp9fkfBCVMvsjjJ0wwDQYJKoZIhvcNAQEFBQAw
NjELMAkGA1UEBhMCTkwxDzANBgNVBAoTBlRFUkVOQTEWMBQGA1UEAxMNVEVSRU5B
IFNTTCBDQTAeFw0xNDA1MDcwMDAwMDBaFw0xNzA1MDYyMzU5NTlaMEcxITAfBgNV
BAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEiMCAGA1UEAxMZZGxpYi1zaGFu
ZG9uLnVjcy5lZC5hYy51azCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANMCGXYZ80ak2S0gmEf8JUAgvzNLNfucV8WgKEvjwS2+vWdn2hwrkMQunOgt0XiK
T3mR+Hka4l7r3McxPeCir0b+IHx6mQ01Lg1ChXgWc3giwkM2j0vy+WCs1ozgeEL6
bnTxaW7ao/tPJD5zGOBxjKNCybbp2ZeoyiUNewlsfSk5rbnpRyUwBElI+A2hj9QL
CbrE90iU59raNWToxuuC+iajTEGxYGDmU2L1TYmwPD27ht1JjCgZRwIxuC2i9/3M
XGtTOTo7c4bIjLlHnvAEfV5M6QqHSmZsQ9SafA/aKQ3A513qJmkqd1nTjmsUbCn/
cwuT5LbDCoODXv6/hu4cgpUCAwEAAaOCAXYwggFyMB8GA1UdIwQYMBaAFAy9k2gM
896ro0lrKzdXR+qQ47ntMB0GA1UdDgQWBBS0BltEr54QP6Mbvqct5hzSIeecyTAO
BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwIgYDVR0gBBswGTANBgsrBgEEAbIxAQICHTAIBgZngQwBAgEw
OgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC50Y3MudGVyZW5hLm9yZy9URVJF
TkFTU0xDQS5jcmwwbQYIKwYBBQUHAQEEYTBfMDUGCCsGAQUFBzAChilodHRwOi8v
Y3J0LnRjcy50ZXJlbmEub3JnL1RFUkVOQVNTTENBLmNydDAmBggrBgEFBQcwAYYa
aHR0cDovL29jc3AudGNzLnRlcmVuYS5vcmcwJAYDVR0RBB0wG4IZZGxpYi1zaGFu
ZG9uLnVjcy5lZC5hYy51azANBgkqhkiG9w0BAQUFAAOCAQEArPNTsIYz48krFU5v
pkYhc2KkNbfmnMqC7Ws8SLD9pRtKpmLiGNL+HiqzKyKt6/qkpV4gwv5caVgKuQgx
QdYjwtBCb8pzPXGdYxGU+2pNR2RhyD/FWn/TrjKp21WvzY07wsuV7bIkTyALZsEz
unw5yMQntxNzIVJRTiiVfsv2dxZ1CRI+cDnFLDbtxofgKOgxL6RnHX52DGLmCWWD
+C78MzNWGqgMwTr5nxHjsYlMlLrd/an+3au8WSg8oXHkJ3xq/+YLATQrgV3u0wdP
M4/1HKXVEBneDtAAX0gXvuOm8DKWbWE6ztYFRI0W8VeyPP8ChabogRYGogQ3QUVx
IUfVWw==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=dlib-shandon.ucs.ed.ac.uk
issuer=/C=NL/O=TERENA/CN=TERENA SSL CA

No client certificate CA names sent

SSL handshake has read 4860 bytes and written 419 bytes

New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-GCM-SHA256
Session-ID: 22B0717733B453EF6C1A8600291F32AC95FFC9D1AE3323EED65A67D19712A452
Session-ID-ctx:
Master-Key: 955770AB92B3ABD21C5BF4BE04F7A628E2156F631851A9E487E13E0931DAC1278B59BE7B8763165ABAFB6EC5EF9D3EDC
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 7f ad 1d 50 ed a7 df 98-51 cf 9e e7 d6 e5 9c de ...P....Q.......
0010 - 6a 32 b8 6a 44 13 c6 e9-8f 9c bb 9f f7 91 60 bd j2.jD.........`.
0020 - 52 f6 f4 b6 c4 6d bd 74-1c e8 92 1a aa 47 91 19 R....m.t.....G..
0030 - 08 e6 e0 2c 18 be fe 56-4e 98 9a db 6d ba ab 6c ...,...VN...m..l
0040 - cd 1d 72 06 db f3 b5 8f-5c a8 dd 98 4c 5f b9 c3 ..r........L_..
0050 - dd c2 10 dc 3b c5 62 b9-61 dd 12 a8 70 02 6f 29 ....;.b.a...p.o)
0060 - 45 6e 0e f3 6e 62 f8 7c-45 f4 6d d0 da 56 ff e3 En..nb.|E.m..V..
0070 - 89 e1 21 c1 cb 70 a4 18-40 24 2f 41 41 b7 e0 63 ..!..p..@$/AA..c
0080 - 69 0e 4a db 50 08 43 fe-03 e0 5b 3f 7a f8 53 c4 i.J.P.C...[?z.S.
0090 - 2a 67 41 69 5a 6a f5 8d-f6 e2 5a 59 20 d7 2c f9 *gAiZj....ZY .,.
00a0 - 0f 05 68 c9 44 cd 5f 5d-c7 b4 d6 a4 ba 35 9b c8 ..h.D._].....5..
00b0 - 2b b5 92 8f ea 52 48 07-d6 75 85 d6 ec b9 4f 49 +....RH..u....OI

Start Time: 1404745866
Timeout   : 300 (sec)
Verify return code: 0 (ok)

DONE

Diagnostic information

[astuart4@dlib-shandon o-saft]$ ./o-saft.pl +version
**WARNING: SSL version 'SSLv2' not supported by openssl; ignored
./o-saft.pl 14.1.4
OpenSSL 1.0.1e-fips 11 Feb 2013
Required (and used) Modules:
IO::Socket::INET 1.31
IO::Socket::SSL 1.994
Net::SSLeay 1.64
Net::SSLinfo 14.1.4

[astuart4@dlib-shandon ~]$ cat /etc/redhat-release
CentOS release 6.5 (Final)

[astuart4@dlib-shandon o-saft]$ openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Thu Jun 5 12:49:27 UTC 2014
platform: linux-elf
options: bn(64,32) md2(int) rc4(8x,mmx) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables -Wa,--noexecstack -DPURIFY -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: dynamic

owasp / o-saft Goto Github PK

o-saft's Introduction

QUICK START

DESCRIPTION

UNIQUE FEATURES

WHY?

TARGET AUDIENCE

INSTALLATION

Sources

VERSION

Older version

o-saft's People

Contributors

Stargazers

Watchers

Forkers

o-saft's Issues

O-Saft :: cn_nosni: {

Net::SSLinfo::do_ssl_open(www.server.tld,443,,)

Net::SSLinfo::do_ssl_open cipherlist: ALL:NULL:eNULL:aNULL:LOW

Net::SSLinfo::_check_host(www.server.tld)

Net::SSLinfo::_check_host .

Net::SSLinfo::errors:do_ssl_open() failed calling _check_host(www.server.tld):

Net::SSLinfo::do_ssl_open() failed.

O-Saft :: cn_nosni: }

Net::SSLinfo::do_ssl_open(www.server.tld,443,,)

Net::SSLinfo::do_ssl_open cipherlist: ALL:NULL:eNULL:aNULL:LOW

Net::SSLinfo::_check_host(www.server.tld)

Net::SSLinfo::_check_host .

Net::SSLinfo::errors:do_ssl_open() failed calling _check_host(www.server.tld): #Net::SSLinfo::errors:do_ssl_open() failed calling _check_host(www.server.tld):

Net::SSLinfo::do_ssl_open() failed.

Net::SSLinfo::_SSLinfo_get('errors',www.server.tld,443)

do_ssl_open() failed calling _check_host(www.server.tld):

Net::SSLinfo::do_ssl_close(www.server.tld,443)

O-Saft :: done: www.server.tld

Some output from "./o-saft.pl +cipher --enabled --v --v --v --v --trace --trace dlib-shandon.ucs.ed.ac.uk"

check cipher TLSv1: AES128-GCM-SHA256 # check

O-Saft ::_usesocket(..., AES128-GCM-SHA256)

The ciphersuite is configured

I can connect using openssl s_client

Diagnostic information

Recommend Projects

Recommend Topics

Recommend Org