O-Saft - OWASP SSL advanced forensic tool
where [COMMANDS] and [OPTIONS] are described below and target is a hostname either as full qualified domain name or an IP address. Multiple commands and targets may be combined.
All commands and options can also be specified in a rc-file, see RC-FILE below.
I.g. all commands start with a + character and options start with - or -- characters. Anything else is treated as target name.
This tool lists information about remote target's SSL certificate, and tests the remote target according given list of ciphers.
Note: Throughout this description `$0' is used as an alias for the program name o-saft.pl.
Before going into a detailed description of the purpose and usage, here are some examples of the most common use cases:
For more specialised test cases, refer to the sections COMMANDS and OPTIONS below. For more examples please refer to EXAMPLES section.
For more details, please see Requirements and INSTALLATION below.
Why a new tool for checking SSL security and configuration when there are already a dozen or more such good tools in existence (in 2012)?
Unique features:
Currently available tools suffer from some or all of following issues:
Other reasons or problems are that other tools are either binary or use additional binaries and hence are not portable to other platforms.
In contrast to (all?) most other tools, including openssl(1), it can be used to ask simple questions like does target support STS just by calling:
For more, please see EXAMPLES section below. If it should run on systems with old software (perl or Perl modules), please see DEBUG section below.
This tool is designed to be used by people doing security or forensic analyses. Hence no malicious input is expected.
There are no special security checks implemented. Some parameters are roughly sanitised according unwanted characters. In particular there are no checks according any kind of code injection.
Care should be taken, when additional tools and modules are installed as described in INSTALLATION below. In particular it is recommended to do these installations into directoies specially prepared for use with o-saft.pl . No other tools of your system should use these additional installed tools, for example by accident or because environment variables point to them.
Note that compilation and installation of additional tools (openssl, Net::SSLeay, etc.) uses known insecure configurations and features! This is essential to make o-saft.pl able to check for such insecurities.
It is highly recommended to do these installations and use the tools on a separate testing system.
DO NOT USE THESE INSTALLATIONS ON PRODUCTIVE SYSTEMS.
The purpose of O-Saft is to do the work, not to force the user to learn a new tool or to install newer software first. However, the user should do something if necessary depending on the reported results.
Developers may read more details on the concept in docs/concepts.txt
The sequence of the sections in the help text doesn't strictly follow the common guidlines for UNIX-style man pages. This is because it is important to understand the concepts of the tool and what options and commands are in context of the tool. In particular the DESCRIPTION section contains only a very brief description. The OPTIONS section follows the COMMANDS section.
Results of checks are marked yes or no. This leaves the proper interpretation, if the result is good or bad, to the user. Background: it is not always possible to rate a result as good or bad or insecure or whatever. That's why O-Saft can not give the the best or proper recommendation. In practice it depends on the context what a recommendation or countermeasure should be. That's why results are marked yes or no if considered questionable, or not good (for example according other checks).
For more details please see RESULTS below.
It is important to understand, which provided information is based on data returned by underlaying (used) libraries and the information computed directly.
Starting with version 19.11.19 the +cipher command does not use any external library. Checking for ciphers is done using plain Perl code. Only other collected SSL/TLS related information requires an external library, in general libssl. The description about OpenSSL and libssl below applies only if any of the options --ciphermode=openssl or --ciphermode=ssleay are given with the +cipher command.
Therefore following commands and options changed:
The historic commands +cipherall and +cipherraw should be replaced with the new syntax, as follows:
Up to version 19.11.19 the default behaviour for the +cipher command was to use libssl. The commands +cipherall and +cipherraw did not use any other library as described below.
In general the tool uses Perl's Net::SSLeay(3pm) module which itself is based on libssl and/or libssleay library of the operating system. It's possible to use other versions of these libraries, see options:
The external openssl(1) is called to extract some information from its output. The version of openssl can be controlled with following options:
OpenSSL is recommended to be used for libssl and libcrypto. Versions 0.9.8k to 1.0.2e (Jan. 2016) are known to work. However, versions be- for 1.0.0 may not provide all information. Some functionality (checks) of O-Saft may be missing or fail, when openssl versions 1.1.x are used (because functionality was removed). LibreSSL is not recommended, because some functionality considered insecure, has been removed. For more details, please see INSTALLATION below.
All checks according the validity of the certificate chain are based on the root CAs installed on the system. Note that Net::SSLeay(3pm) and openssl(1) may have their own rules where to find the root CAs. Please refer to the documentation on your system for these tools. However, there are folloing options to tweak these rules:
All arguments starting with + are considered COMMANDS for this tool. All arguments starting with -- are considered OPTIONS for this tool.
Reading any data from STDIN or here-documents is not yet supported. It's reserved for future use.
Please see ENVIRONMENT .
For +info and +check (and all related) commands, perl (5.x) with following modules (minimal version) is recommended:
However, it is recommended to use the most recent version of the mod- ules which then gives more accurate results and less warnings. If the modules are missing, they can be installed for example with:
Note: if you want to use advanced features of openssl or Net::SSLeay, please see INSTALLATION section how to compile and install the tools fully customised. Requirements for openssl are described there.
Also an openssl executable should be available, but is not mandatory.
For checking DH parameters of ciphers, openssl 1.0.2 or newer should be available. If an older version of openssl is found, we try hard to extract the DH parameters from the data returned by the server, see +cipher-dh command.
If you need to run on systems with older perl or Perl module versions please refer to the DEBUG section for more information.
For building and/or viewing the documentation, any of following tools should be available:
There are commands for various tests according the SSL connection to the target, the targets certificate and the used ciphers.
All commands are preceded by a + to easily distinguish from other arguments and options. However, some --OPTIONS options are treated as commands for historical reason or compatibility to other programs.
The most important commands are (in alphabetical order): +check +cipher +info +http +list +quick +sni +sni_check +version
A list of all available commands will be printed with:
The description of all other commands will be printed with:
The summary and internal commands return requested information or the results of checks. These are described below.
Note that some commands may be a combination of other commands, see:
The following sub-sections only describe the commands, which do more than giving a simple information from the target. All other commands can be listed with:
The final sub-sections Notes about commands describes some notes about special commands and related commands.
All these commands will exit after execution (cannot be used together with other commands).
Show known ciphers in format like openssl ciphers. It also accepts the -v and -V option. Use +list command for more information according ciphers.
Show all ciphers supported by this tool. This includes cryptogrphic details of the cipher and some internal details.
Different output formats are used for the --legacy=* option:
Just show version and exit.
Show version information for both the program and the Perl modules that it uses, then exit.
Use --v option to show more details.
Show version of openssl.
Show internal data and exit, used for testing and debugging only. Please see TESTING below.
Following (summary and internal) commands are simply a shortcut for a list of other commands. For details of the list use:
Check the SSL connection for security issues. Implies +cipher .
Print details about the targets hostname, DNS, etc. These details are usually printed only for the +check and +info command, but not for any individual command.
Perform HTTP checks (like STS, redirects etc.).
Overview of most important details of the SSL connection.
Use --v option to show details also, which span multiple lines.
Overview of all details of the SSL connection. It is a shortcut for all commands listed below but not including +cipher.
This command is intended for debugging as it prints some details of the used Net::SSLinfo module.
Quick overview of checks. Implies --enabled and --label=short.
Check if servers offers ciphers with prefect forward secrecy (PFS).
Check for protocols supported by target.
Check for various vulnerabilities.
Various checks according STS HTTP header. This option implies --http, means that --no-http is ignored.
Check for Server Name Indication (SNI) usage.
Check for Server Name Indication (SNI) usage and validity of all names (CN, subjectAltName, FQDN, etc.).
Various checks according BSI TR-02102-2 and TR-03116-4 compliance.
Various checks according certificate's extended Validation (EV).
Hint: use option --v --v to get information about failed checks.
Check length, size and count of some values in the certificate.
Dump data retrieved from openssl s_client ... call. This should be used for debugging only. It can be used just like openssl itself, for example:
Dumps internal data for SSL connection and target certificate. This is mainly for debugging and should not be used together with other commands (except +cipher). Each key-value pair is enclosed in #{ and #} .
Using --trace --trace dumps data of Net::SSLinfo too.
Command used internally when requested to use other libraries. This command should not be used directly.
Beside the description of the commands itself here, please see also Notes about commands below.
Check target for ciphers, either all ciphers, or ciphers specified with --cipher=CIPHER option.
Use --v option to see all ciphers being checked.
Lists the cipher selected by the server for each protocol sometimes referred to as default cipher.
For each protocol the two selected ciphers are shown, one returned by the server if the cipher list in the ClientHello is sorted with the strongest cipher first, and one returned if the cipher list in the ClientHello is sorted with strongest cipher last. See Notes about commands for details.
Checked target for ciphers. All ciphers supported by the server are printed with their DH or ECDH paramaters (if available). ciphers.
Check if target accepts NULL ciphers.
Check if target accepts ciphers with anonymous key exchange.
Check if target accepts EXPORT ciphers.
Check if target accepts CBC ciphers.
Check if target accepts DES ciphers.
Check if target accepts RC4 ciphers.
Check if target supports ephemeral ciphers.
Check if target supports ciphers with PFS.
Check if target selects strongest cipher.
Check if target selects weak cipher (oposite of +cipher-strong).
While +cipher prints checked ciphers, +cipher-dh prints ciphers with their DH or ECDH paramaters (if available) only for supported ciphers.
Both commands show the default cipher foreach protocol.
+cipher lists a summary of ciphers selected by the server for each protocol requested by the user (for example by using options like: --sslv3 --tlsv1 etc.). When the --v option is used, all selected ciphers for all known protocols are listed. This summary focuses on counts for various ciphers.
+cipher-default lists the cipher selected by the server for each protocol.
+selected lists the cipher selected by the server if no particular protocol was specified and the system's default cipher list is send in the ClientHello to the server.
+cipher-default lists the cipher selected by the server for each protocol.
+strong-cipher shows the result of the check if strong ciphers are preferred by the server. It is a check command.
+cipher-default lists the cipher selected by the server for each protocol. It is a information command.
It is not possible to check if a server uses SSLHonorCipherOrder. Even if it is used (switched on), it is not possible to check the specified order of the ciphers.
I. g. it is expected that the order is according the cipher suite's strength, meaning the most strongest first, and the weakest last. It does not make sense to use an order where a weak cipher preceeds a stronger one. Such a (mis-)configuration should be detected.
Having this in mind, the algorithm to detect a proper cipher order is as simply as follows:
Exceptions: If either, the server or the client, uses only one cipher suite in the list, SSLHonorCipherOrder cannot be detected at all. The same happens, if only one cipher in the client's list matches a cipher in the server's list.
Certificate extensions are shown with +extensions while the TLS protocol extensions are shown with +tlsextensions. Use +tlsextdebug to show more information about the TLS protocol extensions.
These commands are just an alias for the +protocols command.
The commands +cn and +altname print the information stored in the certificate. The command +hostname checks if the given hostname matches the CN value in the certificate. Note that wildcard names in the CN, only allow to contain one *. The command +wildcard checks if the given hostname does not match any name specified in the certificate's subjectAltname. This check is useful if the certificate and the configuration must comply to RFC 6125 or EV certificates.
All options are written in lowercase. Words written in all capital in the description here is text provided by the user.
Brief documentation of --help* options/commands.
Complete user documentation.
Show available commands; short form.
Show available commands with short description.
Show available options; short form.
Show available options with their description.
Show available checks.
Description of tools around O-Saft, when, where and how to use.
Show additional and user specified commands.
Show additional and user specified commands. Output can be used in RC-FILE or as option.
Show texts used as labels in output for checks (see +check) ready for use in RC-FILE or as option.
Show available information.
Show texts used as labels in output for data (see +info) ready for use in RC-FILE or as option.
Show texts used in hint messages.
Show texts used in hint messages ready for use in RC-FILE or as option.
Show texts used in various messages.
Show texts used in various messages ready for use in RC-FILE or as option.
Show possible legacy formats (used as value in --legacy=TOOL).
Show available compliance checks.
Show internal commands.
Show alias for commands and options.
Show list of cipher pattern (used for --cipher=CIPHER).
Show list of cipherranges (see --cipherrange=RANGE).
Show headlines from help text. Useful to get an overview.
Show SECTION from documentation, see --help=toc for a list. Example:
Show regular expressions to match our own strings used in output.
Show regular expressions used internally.
Print documentation in HTML format.
Print documentation in POD format.
Print documentation in mediawiki format.
Print HTML form to be used for CGI.
Show KNOWN PROBLEMS section with description of known error and warning messages.
Show KNOWN PROBLEMS and LIMITATIONS section.
Show common abbreviation used in the world of security.
Show list of URLs related to SSL/TLS.
Show list of RFC related to SSL/TLS.
Show known problems and bugs.
Show possible --exit=KEY options. Used for debugging only.
Show warning messages defined in code.
For developers.
Do DNS lookups to map given hostname to IP, do a reverse lookup.
Do not make DNS lookups. Note that the corresponding IP and reverse hostname may be missing in some messages then.
Specify HOST as target to be checked. Legacy option.
Specify PORT of target to be used. Legacy option.
When giving more than one HOST argument, the sequence of the given HOST argument and the given --port=PORT and the given --host=HOST options are important. The rule how ports and hosts are mapped is as follows:
Note that URLs are treated as HOST:PORT, if they contain a port. Example:
will connect to:
Make all connection to target using PROXYHOST.
Also possible is: --proxy=PROXYUSER:PROXYPASS@PROXYHOST:PROXYPORT
Make all connection to target using PROXYHOST:PROXYPORT.
Specify username for proxy authentication.
Specify password for proxy authentication.
Use STARTTLS command to start a TLS connection via SMTP. This option is a shortcut for --starttls=SMTP .
Use STARTTLS command to start a TLS connection via protocol. PROT may be any of: SMTP, IMAP, IMAP2, POP3, FTPS, RDP, LDAP or XMPP .
For --starttls=SMTP see --dns-mx also to use MX records instead of host
Number of seconds to wait before sending a packet, to slow down the STARTTLS requests. Default is 0. This may prevent blocking of requests by the target due to too much or too fast connections. Note: In this case there is an automatic suspension and retry with a longer delay.
Internal use for CGI mode only.
Read RC-FILE if exists, from directory where program was found.
Do not read RC-FILE.
The exit status code will be greater 0, if any of following applies:
In particular, the status code will be the total count of all these checks. The status code will also be printed at end, like:
Parts of these checks can be diasabled, see --exitcode-* options below.
Use --v or --exitcode-v to see details about the performed checks.
Functionality implemented experimental, may change in future.
Print information about performed checks.
Do not print status code at end, like # EXIT 23.
Do not count checks with result no for --exitcode .
Do not count LOW, WEAK or MEDIUM security ciphers for --exitcode .
Do not count any ciphers for --exitcode .
Do not count ciphers without PFS for --exitcode .
Use openssl s_slient ... call to retrieve more information from the SSL connection. This is disabled by default on Windows because of performance problems. Without this option (default on Windows !) following information are missing:
See Net::SSLinfo for details.
If used together with --trace, s_client data will also be printed in debug output of Net::SSLinfo.
Do not use external openssl tool to retrieve information. Use of openssl is disabled by default on Windows. Note that this results in some missing information, see above.
TOOL can be a path to openssl executable; default: openssl
FILE path of directory or full path of openssl.cnf
If set, environment variable OPENSSL_CONF will be set to given path (or file) when openssl(1) is started. Please see openssl's man page for details about specifying alternate openssl.cnf files.
Use openssl to check for supported ciphers; default: IO::Socket(3pm)
This option forces to use openssl s_slient -connect CIPHER .. to check if a cipher is supported by the remote target. This is useful if the --lib=PATH option doesn't work (for example due to changes of the API or other incompatibilities).
PATH is a full path where to find openssl.
PATH is a full path where to find libssl.so, libcrypto.so.
See HACKER's INFO below for a detailed description how it works.
NAME is the name of a environment variable containing additional paths for searching dynamic shared libraries. Default is LD_LIBRARY_PATH.
Check your system for the proper name, for example:
The connection to a target may fail, or even block, due to various reasons for example lost network at all, blocking at firewall, etc. In particular when checking ciphers with +cipher , this may result in long delays until results are printed. Using this option stops trying to do more connections to the target when --ssl-error-max=CNT consecutive errors occoured, or when the total amount of errors increases --ssl-error-total=CNT.
Note that this may result in loss of information and/or checks.
Max. amount of consecutive errors (default: 5).
Timeout in seconds when a failed connection is treated as error and then counted (default: 1).
Max. total amount of errors (default: 10).
I.g. this tools tries to identify available functionality according SSL versions from the underlaying libraries. Unsupported versions are then disables and a warning is shown. Unfortunately some libraries have not implemented all functions to check availability of a specific SSL version, which then results in a compile error.
This option disables the strict check of availability. If the underlaying library doesn't support the required SSL version at all, following error may occour:
See Note on SSL versions for a general note about SSL versions. A more detailled description of the problem and how Net::SSLeay be- haves, can be found in the source of o-saft.pl , see section starting at
Timeout in seconds when connecting to the target (default: 2).
METHOD method to be used for specific functionality
Available methods:
Method names starting with:
The second part of the name denotes which kind of method to call:
Example:
will use the external openssl(1) executable to check the target for supported ciphers.
Default settings are:
Just for curiosity, instead of using:
consider to use your own script like:
:-))
Print list of ciphers in style like: openssl ciphers -v. Option used with +ciphers command only.
Print list of ciphers in style like: openssl ciphers -V. Option used with +ciphers command only.
Following MODEs are supported:
CIPHER can be any cipher suite name or (internal) hex constant. If CIPHER does not match a hex key, for example 0x03000035, it is used as pattern (RegEx) to match cipher suite names. For example:
To be sure that exactly one cipher suite matches, use for example:
When --ciphermode=openssl or --ciphermode=ssleay is used, CIPHER can be any string accepted by openssl or a hex constant. Examples:
will be mapped to DHE-DSS-RC4-SHA
Note: if more than one cipher matches, just one will be selected.
Default is ALL:NULL:eNULL:aNULL:LOW as specified in Net::SSLinfo.
TCP socket will be reused for next connection attempt even if SSL connection failed.
Close TCP socket and then reopen for next connection attempt if SSL connection failed.
This is useful for some servers which may return an TLS alert if the connection fails and then fail again on the same socket.
A simple check if the target can be connected will be performed by default. If this check fails, the target will be ignored, means no more requested checks will be done. As this connection check some- times fails due to various reasons, the check can be disabled using this option.
Do not use *-MD5 ciphers for other protocols than SSLv2. This option is only effective with +cipher command.
The purpose is to avoid warnings from IO::Socket::SSL(3pm) like:
which occours with some versions of IO::Socket::SSL(3pm) when a *-MD5 ciphers will be used with other protocols than SSLv2.
Note that these ciphers will be checked for SSLv2 only.
(--SSL variants): Test ciphers for this SSL/TLS version. (--no-SSL variants): Don't test ciphers for this SSL/TLS version.
Shortcut for: --no-sslv2 --no-sslv3 --no-tlsv1 --no-tlsv11 --no-tlsv12 --no-tlsv13
Shortcut for: --sslv2 --sslv3 --tlsv1 --tlsv11 --tlsv12 --tlsv13
Shortcut for: --no-dtlsv09 --no-dtlsv1 --no-dtlsv11 --no-dtlsv12 --no-dtlsv13
Shortcut for: --dtlsv09 --dtlsv1 --dtlsv11 --dtlsv12 --dtlsv13
This option forces to assume that SSLv2 is enabled even if the target does not accept any ciphers.
The target server may accept connections with SSLv2 but not allow any cipher. Some checks verify if SSLv2 is enabled at all, which then would result in a failed test. The default behaviour is to assume that SSLv2 is not enabled if no ciphers are accepted.
Make a HTTP request if cipher is supported.
If used twice debugging will be enabled using environment variable HTTPS_DEBUG.
Do not make HTTP request.
Make SSL connection in SNI mode.
Do not make SSL connection in SNI mode (default: SNI mode).
Test with and witout SNI mode.
Do not check if SNI seems to be supported by Net::SSLeay(3pm). Older versions of openssl and its libries do not support SNI or the SNI support is implemented buggy. By default it's checked if SNI is properly supported. With this option this check can be disabled.
Be warned that this may result in improper results.
If SNI mode is active, see --sni above, NAME is used instead of hostname for connections to the target. If SNI mode is not active, see --no-sni above, NAME is not used. The default is undefined, which forces to use the given FQDN.
This is useful, for example when an IP instead of a FQDN was given, where a correct hostname (i.g. a FQDN) needs to be specified.
Note: i.g. there is no need to use this option, as a correct value for the SNI name will be choosen automatically (except for IPs). However, it is kind of fuzzing ... even setting to an empty string is possible.
Limitation: the same NAME is used for all targets, if more than one target was specified.
Do not get data from target's certificate, return empty string.
Do not get data from target's certificate, return default string of Net::SSLinfo (see --no-cert-text=TEXT option).
Set TEXT to be returned from Net::SSLinfo if no certificate data is collected due to use of --no-cert.
Check certificate chain to depth INT (like openssl's -verify).
Use FILE with bundle of CAs to verify target's certificate chain.
Use DIR where to find CA certificates in PEM format.
NOT YET IMPLEMENTED I. g. openssl uses default settings where to find certificate files. When --ca-file=FILE and/or --ca-path=DIR was used, this default will be overwritten by appropriate options passed to openssl. If the default does not work as expected, --force-ca can be used to force setting of proper values according well known common defaults. See:
to see the used settings.
Use -alpn option for openssl.
Do not use -alpn option for openssl.
Do not use -nextprotoneg option for openssl.
Name of protocol to be added to list of applcation layer protocols (ALPN), which is used for any connection to the targets. See --cipher-alpn=NAME also.
Name of protocol to be added to list of next protocol negotiations (NPN), which is used for any connection to the targets. See --cipher-npn=NAME also.
Use SSL option compression for connection.
Use SSL option no compression for connection (default: don't use)
Do not use -reconnect option for openssl.
Do not use -tlsextdebug option for openssl.
Argument or option passed to openssl's s_client command.
Additional delay in seconds after each connect for a cipher check. This is useful when connecting to servers which have IPS in place, or are slow in accepting new connections or requests.
Name of protocol to be added to list of applcation layer protocols (ALPN), which is used for cipher checks.
--cipher-alpn=, sets empty list. --cipher-alpn=,, sets list to empty element .
Name of protocol to be added to list of next protocol negotiations (NPN), which is used for cipher checks.
--cipher-npn=, sets empty list. --cipher-npn=,, sets list to empty element .
Note: setting empty list or element most likely does not work with openssl executable (for example --force-openssl).
Name of ecliptic curve to be added to list of ecliptic curves (EC), which is used for cipher checks.
--cipher-curve=, sets empty list. --cipher-curve=,, sets list to empty element .
Note: setting empty list or element most likely does not work with openssl executable (for example --force-openssl).
Specify range of cipher constants to be tested with +cipher . Following RANGEs are supported:
Note: SSLv2 is the internal list used for testing SSLv2 ciphers. It does not make sense to use it for other protocols; however ...
For details about the ranges, please see:
If any --cipher=CIPHER is used, --cipherrange=RANGE is ignored.
Additional delay in seconds after the server is connected using a proxy or before starting STARTTLS. This is useful when connecting via slow proxy chains or connecting to slow servers before sending the STARTTLS sequence.
Maximal number of ciphers sent in a sslhello (default: 32).
Send SSL extension reneg_info even if list of ciphers includes TLS_EMPTY_RENEGOTIATION_INFO_SCSV (default: do not include)
Some servers do not answer (i.g. they disconnect) if none of the offered ciphers is supported by the server.
Continue testing with next ciphers when the target disconnects or does not send data within specified timeout (see --timeout). Useful for TLS intolerant servers.
Abort testing with next ciphers when the target disconnects.
Use supported elliptic curves. Default on.
Use TLS ec_point_formats extension. Default on.
Test for ciphers with secure renegotiation flag set. Default: don't set secure renegotiation flag.
Number of retries when connection timed-out (default: 2).
Number of seconds to wait until connection is qualified as timeout.
Get DNS MX records for given target and check the returned targets. (only useful with --starttls=SMTP).
Options used for +check command:
Only print result for ciphers accepted by target.
Only print result for ciphers not accepted by target.
Prints HTTP response body of the target also, if requested with +https_body , which is disabled by default (because it may be huge amount of data not related to SSL/TLS).
Checks are done case insensitive.
Checks are done case sensitive. Default: case insensitive. Currently only checks according CN, alternate names in the target's certificate compared to the given hostname are effected.
When checking for the TLS heartbeat extension, the server may not respond at all, which would result in a no reply message. This marks the check for +heartbleed as no. I.g. a server is not vulnerable to the heartbleed attack if the TLS heartbeat extension is disabled. Hence the check result no may be mis-leading. This option treats the no reply result as not vulnerable and returns yes then.
Note: if the server does not respond for this check, does not mean that the heartbeat extension is switched off. If unsure, disable this lazy check with --no-ignore-no-reply .
Defines the format of the descriptive text (label) for +check and +info command.
Following TYPEs are supported:
Prints full text for labels:
Prints short less descriptive text for labels:
Internal format: print name of key instead of text as label. Key is Prints name of key instead of text as label. The key is that of the internal data structure(s).
For ciphers and protocols, the corresponding hex value is used as key. Note that these values are unique.
For compatibility with other tools, the output format used for the result of the +cipher command can be adjusted to mimic the format of other SSL testing tools.
The argument to the --legacy=TOOL option is the name of the tool to be simulated.
Following TOOLs are supported:
Note that these legacy formats only apply to output of the checked ciphers. Other texts like headers and footers are adapted slightly.
When using ths option, please do not expect identical output as the TOOL. It is a best guess and should be parsable in a very similar way.
Internal format: mainly avoid tabs and spaces format is as follows:
Internal format: pretty print each label in its own line, followed by data prepended by tab character (useful for +info only).
Results for cipher checks use rating from OWASP Cipher Cheat Sheet.
Internal format: use tab as separator; ciphers are printed with bit length (implies --tab).
Internal default format.
This option is used to specify the format of the result lines. This covers the value of the result line only.
Get the screen width and then adapt output of documentation to fit to that width. If the environment variable COLUMNS is not set the command tput or stty of system is used to get the screen width.
It's a very simple approach to make texts better readable on narrow devices like tablets. For more details, please see:
Set the screen width to NN characters (see --format-tty also). Default will be calculated automatically.
Set the amount of spaces used for identation (see --tty also). Default is 2.
Set the additional chacacter when lines are split. Default: ↲
Print formatting header. Default for +check, +info, +quick and and +cipher only.
Do not print formatting header. Usefull if raw output should be passed to other programs.
Note: must be used on command-line to inhibit all header lines.
Do not print output (data or check result) for command CMD. CMD is any valid command, see COMMANDS , without leading +. Option can be used multiple times.
--ignore-out=, sets empty list.
Print scoring results. Default for +check.
Do not print scoring results.
CHAR will be used as separator between label and value of the
TAB character (0x09, \t) will be used as separator between label and value of the printed results. As label and value are already separated by a TAB character, this options is only useful in conjunction with the --legacy=compact option.
Prefix each printed line with the given hostname (target). The hostname will be followed by the separator character.
This option is used to specify the general output format for STDOUT and STDERR. All results are written to STDOUT, errors and warnings may also be written to STDERR . The default is :unix:utf8, which is the perlish definition used internally.
Following values are supported:
The option can be used multiple times with different values. To reset the default behaviour, either raw or unix must be used. Obviously, they must be used first. All other values are used additionally. Note: utf8 just defines the format of the characters, it does no further checks on the converted characters. In contrast, UTF-8 is used as real encoding and does some checks.
For more details, please see perldoc -f binmode .
Currently (Jan. 2018), these options must be used before any --help option.
Obsolete, please use --std-format=crlf .
Please see other programs for detailed description (if not obvious:). Note that often only the long form options are accepted as most short form options are ambiguous. If other programs use the same option,but with a different behaviour, then thes other options are not supported. For a list of supported options, please see:
Following list contains only those options not shown with:
For definition of SSL see --SSL and --no-SSL above.
Option for customisation have the general from: --cfg-CFG=KEY=TEXT For general descriptions please see CUSTOMISATION section below.
Redefine list of commands. Sets %cfg{cmd-CMD} to LIST. Commands can be written without the leading +. If CMD is any of the known internal commands, it will be redifned. If CMD is a unknown command, it will be created.
Example:
To get a list of commands and their settings, use:
Main purpose is to reduce list of commands or to print them sorted.
Redefine texts used for labels in output. Sets %data{KEY}{txt} or %checks{KEY}{txt} to TEXT.
To get a list of preconfigured labels, use:
Redefine the security value (i.e. HIGH) in the cipher description. Example:
Redefine general texts used in output. Sets %text{KEY} to TEXT.
To get a list of preconfigured texts, use:
Note that \n, \r and \t are replaced by the corresponding character when read from RC-FILE.
Read definitions for %text{KEY}=my text from file FILE.
Redefine texts used for hints. Sets %cfg{hints}{KEY} to TEXT.
To get a list of preconfigured texts, use:
Set the internal %cfg hash. This options is intended for testing and debugging only. Please see TESTING below.
See Options for SSL tool.
Execute functions defined in o-saft-usr.pm.
Options ignored, but stored as is internal in $cfg{usr-args} . These options can be used in o-saft-usr.pm or o-saft-dbx.pm.
Use experimental functionality. Some functionality of this tool is under development and only used when this option is given.
Do not execute, just show commands (only useful in conjunction with using openssl).
While --v is used to print more data, --trace is used to print more information about internal data such as procedure names and/or variable names and program flow.
Print more information about checks.
Note that this option should be first otherwise some debug messages are missing.
Note that --v is different from -v (see above).
Print remotely checked ciphers.
Print remotely checked ciphers. In contrast to --v --v above, this just prints the ciphers while being checked, but no other verbose messages.
Print debugging messages.
Print more debugging messages and pass trace=2 to Net::SSLeay and Net::SSLinfo.
Print more debugging messages and pass trace=3 to Net::SSLeay and Net::SSLinfo.
Print processing of all command-line arguments.
Print complete command-line first. Used for internal testing.
Print command-line argument processing.
Trace execution of command processing (those given as +CMD).
Print some internal variable names in output texts (labels). Variable names are prefixed to printed line and enclosed in # . Example without --trace-key :
Example with --trace-key :
Prints trace output with timestamps. More timestamps are printed if used together with --trace-cmd.
Alias for --trace-VALUE options (see above).
Use FILE instead of the default RC-FILE, for example .o-saft.pl.
Print debugging messages for o-saft.pl only, but not any modules.
Print debugging messages for modules only, but not o-saft.pl itself.
Print hint messages (!!Hint:).
Do not print hint messages (!!Hint:).
Print warning messages (**WARNING:).
Do not print warning messages (**WARNING:).
Do not suppress duplicate warning messages (**WARNING:).
Terminate o-saft.pl at specified KEY. Please see TESTING below.
For compatibility with other programs and lazy users, some arguments looking like options are silently taken as commands. This means that --THIS becomes +THIS then. These options are:
Take care that this behaviour may be removed in future versions as it conflicts with those options and commands which actually exist, like:
Following strings are treated as a command instead of target names:
A warning will be printed.
We support following options, which are all identical, for lazy users and for compatibility with other programs.
This applies to most such options, --port is just an example. When used in the RC-FILE, the --OPTION=VALUE variant must be used.
Dash -, dot . and/or underscore _ in option names are optional, all following are the same:
This applies to all such options, --no-dns is just an example.
Following syntax is supported also:
Note that only the hostname and the port are used from an URL.
See Options vs. Commands in OPTIONS section above
All output is designed to be easily parsed by postprocessors. Please see OUTPUT section below for details.
For the results, we have to distinguish those returned by +cipher command and those from all other tests and checks like +check or +info command.
The cipher checks will return one line for each tested cipher. It contains at least the cipher name, yes or no whether it is supported or not, and a security qualification. It may look like:
Depending on the used --legacy=* option the format may differ and also contain more information. For details see --legacy=* option below.
The text for security qualifications are (mainly) those returned by openssl (version 1.0.1): LOW, MEDIUM, HIGH and WEAK. The same texts, but with all lower case characters, are used if the qualification was adapted herein. Following rules for adjusting the qualification were used:
These tests return a line with a label describing the test and a test result for it. The idea is to report yes if the result is considered secure otherwise report no followed by the reason why it's considered insecure. Example of a check considered secure:
Example of a check considered insecure:
Note that there are tests where the results appear confusing when first viewed, like for www.wi.ld:
This can for example occur with:
Please check the result with the +info command also to verify if the check sounds reasonable.
The test result contains detailed information. The labels there are mainly the same as for the +check command.
All SSL related check performed by the tool will be described here.
Lookup the IP of the given hostname (FQDN), and then tries to reverse resolve the FQDN again.
Check which ciphers are supported by target. Please see RESULTS for details of this check.
Check if heartbeat extension is supported by target.
Check if target is vulnerable to POODLE attack (SSLv3 enabled).
Check if target is vulnerable to ROBOT attack (server offers ciphers with RSA encryption).
Check if target is vulnerable to SLOTH attack (server offers RSA-MD5 or ECDSA-MD5 ciphers).
Check if target is vulnerable to Sweet32 attack (server offers CBC or CBC3 or DES or 3DES ciphers).
Note that FIPS-140 compliance requires 3DES ciphers, hence compliant systems are then vulnerable to Sweet32 attacks.
Check if target supports ALPN. Following messages are evaluated:
Please see also CHECKS ALPN and NPN below.
Check if ciphers for anonymous key exchange are supported: ADH|DHA. Such key exchanges can be sniffed.
Check if ephemeral ciphers are supported: DHE|EDH. They are necessary to support Perfect Forward Secrecy (PFS).
Check if ciphers with CBC for protocol SSLv1, SSLv3 or TLSv1 are used. TLSv1.2 checks are not yet implemented.
Connection is vulnerable if target supports SSL-level compression, or supports SPDY/3 (because SPDY/3 uses compression). See http://zoompf.com/2012/09/explaining-the-crime-weakness-in-spdy-and-ssl
Note: SPDY/3 is only possible if the client explicitely asks for this alternate protocol (for example openssl ... -nextprotoneg spdy/3).
Connection is vulnerable if target supports SSLv2.
Attack against SSL/TLS to downgrade to EXPORT ciphers. Currently (2018) a simple check is used: SSLv3 enabled and EXPORT ciphers supported by server. See CVE-2015-0204 and https://freakattack.com/ .
Check if target is vulnerable to heartbleed attack, see CVE-2014-0160 and http://heartbleed.com/ .
Not implemented.
There are no checks for the HEIST attack implemented, because this is an attack on TCP/IP rather than SSL/TLS on top of TCP/IP.
To perform a MiTM attack with Key Compromise Impersonation, the atta- cker needs to engage the victim to install and use a client certificate. This is considered a low risk and hence not tested here.
Check if target is vulenerable to Logjam attack. Check if target suports EXPORT ciphers and/or DH Parameter is less than 2048 bits. ECDH must be greater to 511 bits.
Check if CBC ciphers are offered. Note the recommendation to be safe against Lucky13 was to use RC4 ciphers. But they are also subject to attacks (see below). Hence the check is only for CBC ciphers.
Check if RC4 ciphers are supported. They are assumed to be broken. Note that +rc4 reports the vulnerabilitiy to the RC4 Attack, while +cipher-rc4 simply reports if RC4 ciphers are offered. However the check, and hence the result, is the same.
Check if DHE ciphers are used. Checks also if the TLS session ticket is random or not used at all. TLSv1.2 checks are not yet implemented.
Check if target is vulnerable to POODLE attack (just check if SSLv3 is enabled).
This attack allows an attacker to read the servers private key if the server does not check properly the passed points for a ecliptic curve when EDH ciphers are used.
This check will not send multiple invalid points, but only checks if the server closes the connection or responds with no matching cipher.
Bleichebacher's Oracle attack against SSL/TLS ciphers.
Not implemented. https://robotattack.org/
Currently (2016) we check for ciphers with ECDSA, RSA-MD5. Checking the TLS extension tls-unique is not yet implemented.
Currently (2016) we check for ciphers with CBC or CBC3 or DES or 3DES.
NOT YET IMPLEMENTED Check if target is vulnerable to ticketbleed, means that it returns up to 31 random bytes from memory as Session Ticket, see CVE-2016-9244 and https://filippo.io/Ticketbleed/ .
See above.
Check if the server allows client-side initiated renegotiation.
NOT YET IMPLEMENTED Check if the server allows changing the protocol.
Check if target's DH Parameter is less 512 or 2048 bits.
Check if target supports SSTP by accepting method SSTP_DUPLEX_POST.
The check does not send other methods (like CONNECT) to verify if the protocol is fully supported.
Supporting SSTP is considered insecure, because SSTP allows to tunnel other, probably insecure, protocols.
Check that fingerprint is not MD5. Check that certificate private key signature is SHA2 or better.
Provided certificate by target should not be a Root CA.
Certificate should not be self-signed.
The FQDN must be listed in the certificates subjectAltname. The check command +rfc_2818_names is based on the info command +verify_hostname . The check was added in 05/2017 because browsers started to complain if the FQDN is not part of the subjectAltname.
NOT YET IMPLEMENTED
Certificate extension Basic Constraints should be CA:FALSE.
Certificate should contain URL for OCSP and CRL.
Certificates signature key supports encryption.
Certificates signature key encryption algorithm is well known.
Certificates public key supports encryption.
Certificates public key encryption algorithm is well known.
The modulus exponent should be = 65537 as it is a prime number and an easy to calculate exponent. If the exponent is less than 65537, Boradcast attacks are possible.
However, some (mainly historic) SSL implementations may have problems to connect because they are not able to do the crypt mathematics with exponenents larger than 65536.
If ecliptic curves are used, the result for these checks is always no (<<N/A ...).
Serial Number <= 20 octets (RFC5280, 4.1.2.2. Serial Number)
...
The Certificate must provide:
This check is performed according the requirements defined by the CA/ Browser Forum https://www.cabforum.org/contents.html . The certificate must provide:
Required are: /C=, /ST=, /L=
Optional are: /street=, /postalCode=
See LIMITATIONS also.
Using STS is no perfect security. While the very first request using http: is always prone to a MiTM attack, MiTM is possible to following requests again, if STS is not well implemented on the server.
To satisfy the requirements on https://hstspreload.appspot.com/ the HSTS header must:
Additionally, the site must have:
Except the last requirement, +preload will do the checks. Note that +preload is defined in .o-saft.pl only.
TBD - to be described ...
Mainly in the certificate various counts, lengths and sizes of values are checked and reported. All commands for these checks start with +cnt_ or +len_. Up to now, there is no yes or no value for these checks.
Following commands will check the value to be in a specific range to become yes or no:
For some details of these checks, please see the description above at Public Key Modulus Exponent size
The recommendations for DH parameters (RSA and ecliptice curve) are are checked as follows:
The commands for the checks to report yes or no, are +hasalpn and +hasnpn.
Both, the Application Layer Protocol Negotiation (ALPN) and the Next Protocol Negotiation (NPN) will be tested. The commands for that are:
Each, ALPN and NPN, is tested separately with all known protocols. The test sets only one protocol, tries to make a connection and then checks if the protocol was accepted by the server. The collected list of protocols will be printed with the aforementioned commands, or the +info command. Note the difference for the commands +next_protocols and +alpns, where +next_protocols simply reports what the server itself advertises, while +alpns reports what the server supports if asked for.
Note that it is not possible to satisfy all following compliances. Best match is: PSF and ISM and PCI and lazy BSI TR-02102-2. In general it is difficult to satisfy all conditions of a compliance, and it is also difficult to check all these conditions. That is why some compliance checks are not completely implemented. For details see below please.
Also note that in the RC-FILE the output of results for some checks is disabled by default. A !!Hint: message will be printed, if any of these checks are used.
Checks if connection and ciphers are compliant according TR-02102-2, see https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen /TechnischeRichtlinien/TR02102/BSI-TR-02102-2_pdf.pdf?__blob=publicationFile
(following headlines are taken from TR-02102-2 Version 2016-01)
3.1.3 Schlüssellängen bei EC-Verfahren die EC-Verfahren ... und weitere Erläuterungen siehe Bemerkung 4 in Kapitel 3 in [TR-02102-1] .
3.2 SSL/TLS_Versionen
Only TLSv1.2 allowed (except for +tr-02102- which also allows TLSv1.1)
3.3.1 Empfohlene Cipher Suites
Allows only *DHE-*-SHA256, *DHE-*-SHA384, *DH-*-SHA256 and *DH-*-SHA384 ciphers and PSK ciphers with ephermeral keys. For +tr-02102+ they must be AES-GCM, +tr02102- also allows AES-CBC.
3.3.2 Übergangsregelungen
SHA1 temporary allowed. SHA256 and SHA384 recommended. RC4 not reocmmended. Use of SHA1 will only be checked for +tr-02102+
3.4.1 Session Renegotation
Only server-side (secure) renegotiation allowed (see RFC 5746).
3.4.2 Verkürzung der HMAC-Ausgabe
Truncated HMAC according RFC 6066 not recommended.
3.4.3 TLS-Kompression und der CRIME-Angriff
No TLS compression.
3.4.4 Der Lucky13-Angriff 3.4.5 Die Encrypt-then-MAC-Erweiterung
Use of AES-GCM ciphers only. Use of Encrypt-then-MAC according RFC 7366 cannot be checked.
3.4.6 Die Heartbeat-Erweiterung
Target must not support the heartbeat extension.
3.4.7 Die Extended Master Secret Extension
Use of Extended Master Secret Extension according RFC 7627 cannot be checked.
3.5 Authentisierung der Kommunikationspartner
Not checked as only applicable for VPN connections.
3.6 Domainparameter und Schlüssellängen
Check if signature key is > 2048 bits.
3.6.1 Verwendung von elliptischen Kurven
**NOT YET IMPLEMENTED**
Use only following curves according RFC 5639 and RFC 7027: brainpoolP256r1, brainpoolP384r1, brainpoolP512r1
Use of secp256r1 and secp384r1 temporary allowed.
4.1 Schlüsselspeicherung
This requirement is not testable from remote.
4.2 Umgang mit Ephemeralschlüsseln
This requirement is not testable from remote.
4.3 Zufallszahlen
This requirement is not testable from remote.
Checks if connection and ciphers are compliant according TR-03116-4, see https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen /TechnischeRichtlinien/TR03116/BSI-TR-03116-4.pdf?__blob=publicationFile
(following headlines are taken from there)
2.1.1 TLS-Versionen und Sessions
Allows only TLS 1.2.
2.1.2 Cipher Suites
Cipher suites must be ECDHE-ECDSA or -RSA with AES128 and SHA265. For curiosity, stronger cipher suites with AES256 and/or SHA384 are not not allowed. To follow this curiosity the +tr-03116- (lazy) check allows the stronger cipher suites ;-)
2.1.1 TLS-Versionen und Sessions
The TLS session lifetime must not exceed 2 days.
2.1.4.2 Encrypt-then-MAC-Extension
2.1.4.3 OCSP-Stapling
MUST have OCSP Stapling URL.
4.1.1 Zertifizierungsstellen/Vertrauensanker
Certificate must provide all root CAs. (NOT YET IMPLEMENTED).
Should use a small certificate trust chain.
4.1.2 Zertifikate
Must have CRLDistributionPoint or AuthorityInfoAccess.
End-user certificate must not be valid longer than 3 years. Root-CA certificate must not be valid longer than 5 years.
Certificate extension pathLenConstraint must exist, and should be a small value (small is not defined).
All certificates must contain the extension KeyUsage.
Wildcards for CN or Subject or SubjectAltName are not allowed in any certificate.
EV certificates are recommended (NOT YET checked properly).
4.1.3 Zertifikatsverifikation
Must verify all certificates in the chain down to their root-CA. (NOT YET IMPLEMENTED).
Certificate must be valid according issue and expire date.
All Checks must be doen for all certificates in the chain.
4.1.4 Domainparameter und Schlüssellängen
This requirement is not testable from remote.
4 5.2 Zufallszahlen
This requirement is not testable from remote.
Check if the FQDN is listed in the certificates subjectAltname.
Checks values CommonName, Subject and SubjectAltname of the certificate for:
Same as STS header +hsts .
Checks if connection and ciphers are compliant according RFC 7525. See http://tools.ietf.org/rfc/rfc7525.txt (following headlines are taken from there)
3.1.1. SSL/TLS Protocol Versions
SSLv2 and SSLv3 must not be supportetd. TLSv1 should only be supported if there is no TLSv1.1 or TLSv1.2. Either TLSv1.1 or TLSv1.2 must be supported, preferred is TLSv1.2.
3.1.2. DTLS Protocol Versions
DTLSv1 and DTLSv1.1 must not be supported.
3.1.3. Fallback to Lower Versions
(check implecitely done by 3.1.1, see above)
3.2. Strict TLS
Check if server provides Strict Transport Security. (STARTTLS check NOT YET IMPLEMENTED).
3.3. Compression
Compression on TLS must not be supported.
3.4. TLS Session Resumption
Server must support resumtion and random session tickets. (Randomnes of session tickets implemented YET experimental.)
Check if ticket is authenticated and encrypted NOT YET IMPLEMENTED.
3.5. TLS Renegotiation
Server must support renegotiation.
3.6. Server Name Indication
(Check for SNI support implemented experimental.)
4. Recommendations: Cipher Suites
4.1. General Guidelines 4.2. Recommended Cipher Suites
Check for recommended ciphers.
4.3. Public Key Length
DH parameter must be at least 256 bits or 2048 bits with EC. (Check currently, 4/2016, based on openssl which may not provide DH
4.5. Truncated HMAC
TLS extension truncated hmac must not be used.
6. Security Considerations 6.1. Host Name Validation
Given hostname must matches hostname in certificate's subject.
6.2. AES-GCM 6.3. Forward Secrecy 6.4. Diffie-Hellman Exponent Reuse (NOT YET IMPLEMENTED).
6.5. Certificate Revocation
OCSP and CRL Distrbution Point in cetificate must be defined.
All output is designed to make it easily parsable by postprocessors. Following rules are used:
Examples:
For more details on these lines, please refer to RESULTS above.
When used in --legacy=full or --legacy=simple mode, the output may contain formatting lines for better (human) readability.
Errors, warnings and hints may be part of the output as needed. While errors and warnings are printed immediately as they occour during the program flow, hints are printed right after the corresponding result.
Errors and warnings start with a unique 3-digit number.
Hints print an additional explanation of a specific result. They are are defined statically in the program code, or can be added on demand by using the option --cfg-hint=KEY=TEXT .
It is recommended to use the --legacy=quick option, if the output should be postprocessed, as it omits the default separation character (: , see above) and just uses on single tab character (0x09, \t or TAB) to separate the label text from the text of the result. Example:
More examples for postprocessing the output can be found here:
Following exit codes are used:
Following environment variables are incorporated:
This tool can be customised as follows:
Customisation is done by redefining values in internal data structure which are: %cfg, %data, %checks, %text.
Unless used in DEBUG-FILE or USER-FILE, there is no need to know these internal data structures or the names of variables; the options will set the proper values. The key names being part of the option, are printed in output with the --trace-key option.
Texts (values) of keys in %data are those used in output of the Information section. The texts of keys in %checks are used for output in Performed Checks section. Texts of keys in %text are used for additional information lines or texts (mainly beginning with =).
Configuration file vs. RC-FILE vs. DEBUG-FILE
Configuration options are used to redefine texts and labels or score settings used in output. The options are:
KEY is the key used in the internal data structure, and TEXT is the value to be set for this key. Note that unknown keys are ignored silently.
If KEY=TEXT is an existing filename, all lines from that file are read and set. For details see CONFIGURATION FILE below.
CIPHER must be a valid cipher suite name as shown with:
Note that such configuration options should be used before any --help or --help=* option, otherwise the changed setting is not visible.
Note that the file can contain KEY=TEXT pairs for any kind of the configuration as given by the --cfg-CFG option.
For example when used with --cfg-text=FILE only values for %text will be set, when used with --cfg-data=FILE only values for %data will be set, and so on. KEY will not be used when KEY=TEXT is an existing filename. It is recommended to use a non-existing key, for example --cfg-text=my_file=some/path/to/private/file .
The rc-file will be searched for in the working directory only.
The name of the rc-file is the name of the program file prefixed by a . (dot), for example: .o-saft.pl.
A rc-file can contain any of the commands and options valid for the tool itself. The syntax for them is the same as on command-line. Each command or option must be in a single line. Any empty or comment line will be ignored. Comment lines start with # or =.
Note that options with arguments must be used as KEY=VALUE instead of KEY VALUE.
Configurations options must be written like --cfg-CFG=KEY=VALUE. Where CFG is any of: cmd, check, data, text and KEY is any key from internal data structure (see above).
All commands and options given on command-line will overwrite those found in the rc-file.
All debugging functionality is defined in o-saft-dbx.pm , which will be searched for using paths available in @INC variable.
Syntax in this file is Perl code. For details see DEBUG below.
All user functionality is defined in o-saft-usr.pm , which will be searched for using paths available in @INC variable.
Syntax in this file is Perl code.
All functions defined in o-saft-usr.pm are called when the option --usr was given. The functions are defined as empty stub, any code can be inserted as need. Please see perldoc o-saft-usr.pm to see when and how these functions are called.
Configuring the shell environment where the tool is startet, must be done before the tool starts. It isn't a task for the tool itself, but it can simplify your life, somehow.
There exist customisations for some commonly used shells, please see the files in the ./contrib/ directory.
The option --cfg-cmd=CMD=LIST can be used to define own commands. When configuring own commands, CMD must not be one of the commands listed with --help=intern and CMD must constist only of digits and letters.
Examples in .o-saft.pl are +preload and +ciphercheck .
While the SSL/TLS protocol uses integer numbers to identify ciphers, almost all tools use some kind of human readable texts for cipher names.
These numbers (which are most likely written as hex values in source code and documentations) are the only true identifier, and we have to rely on the tools that they use the proper integers.
As such integer or hex numbers are difficult to handle by humans, we decided to use human readable texts. Unfortunately no common standard exists how to construct the names and map them to the correct number. Some, but by far not all, oddities are described in Name Rodeo.
The rules for specifying cipher names are:
[IANA] http://www.iana.org/assignments/tls-parameters/tls-parameters.txt August 2022
[openssl] ... openssl 1.0.1
If in any doubt, use any of the provided commands or options to list to show our known ciphers. For example:
Use --help=regex to see which regex are used to handle all variants of cipher suite names herein.
Mind the traps and dragons with cipher names and what number they are actually mapped to. In particular when --lib, --exe or --openssl options are in use. Always use these options with +list command too.
As said above, the SSL/TLS protocol uses integer numbers to identify ciphers, but almost all tools use some kind of human readable texts for cipher names.
For example the cipher commonly known as DES-CBC3-SHA is identified by 0x020701c0 (in openssl) and has SSL2_DES_192_EDE3_CBC_WITH_SHA as constant name. A definition is missing in IANA, but there is TLS_RSA_WITH_3DES_EDE_CBC_SHA. There is also 0x000A for the same cipher DES-CBC3-SHA. Both are valid, first one if used with SSLv2, and second one when used with SSLv3. It's the responsibility of each tool to map the human readable cipher name to the correct (hex, integer) identifier.
For example Firefox uses dhe_dss_des_ede3_sha, which is what?
Furthermore, there are different acronyms for the same thing in use. For example DHE and EDH both mean Ephemeral Diffie-Hellman. Comments in the openssl(1) sources mention this. And for curiosity these sources use both in cypher names, but allow EDH as shortcut only in openssl's ciphers command. Wonder about (up to 1.0.1h):
Next example is ADH which is also known as DH_anon or DHAnon or DHA or ANON_DH.
You think this is enough? Then have a look how many acronyms are used for Tripple DES.
Compared to above, the interchangeable use of - vs. _ in human readable cipher names is just a very simple one. However, see openssl again what following means (returns):
Looking at all these oddities, it would be nice to have a common unique naming scheme for cipher names. We have not. As the SSL/TLS protocol just uses a number, it would be natural to use the number as uniq key for all cipher names, at least as key in our internal sources.
Unfortunately, the assignment of ciphers to numbers changed over the years, which means that the same number refers to a different cipher depending on the standard, and/or tool, or version of a tool you use.
As a result, we cannot use human readable cipher names as identifier (a.k.a unique key), as there are to many aliases for the same cipher. And also the number cannot be used as unique key, as a key may have multiple ciphers assigned.
The default behaviour will be to use the cipher names like openssl(1) does. If a name is ambigous, the first matching will be choosen. This -first matching- only applies to names provided by the user by option or whatever, internally the latest IANA number will be used, because they have the most less ambiguities.
This section describes knwon problems, and known error messages which may occour when using o-saft.pl. This sections can be used as FAQ too as it gives hints and workarounds.
Sometimes the program terminates with a Segmentation fault. This mainly happens if the target does not return certificate information. If so, the --no-cert option may help.
This most likely occurs when the provided cipher is not accepted by the server, or the server expects client certificates.
This most likely occurs when the openssl(1) executable is used with a very slow connection. Typically the reason is a connection timeout. Try to use --timeout=SEC option. To get more information, use --v --v and/or --trace also.
May occour if ciphers are checked, but no description is available for them herein. This results in printed cipher checks like:
instead of:
This message occours if the underlaying SSL library (i.e. libssl.a) was not able to connect to the target. Known observed reasons are:
More details why the connection failed can be seen using --trace=2 .
The warning message (like follows or similar):
occurs if the target refused a connection on port 80. This is considered a bug in Net::SSLeay(3pm). Workaround to get rid of this message: use --no-http option.
This error may occur on systems where a specific SSL version is not supported. Subject are mainly SSLv2, SSLv3 TLSv1.3 and DTLSv1. For DTLSv1 the full message looks like:
See also Note on SSL versions .
Workaround: use option: --no-sslv2 --no-sslv3 --no-tlsv13 --no-dtlsv1
This warning occours with IO::Socket::SSL 1.967, reason is unknown. It seems not to harm functionality, hence no workaround, just ignore.
Some versions of IO::Socket::SSL return this error message if *-MD5 ciphers are used with other protocols than SSLv2.
Workaround: use --no-md5-cipher option.
Underlaying library doesn't support the required SSL version. See also Note on SSL versions .
Workaround: use --ssl-lazy option, or corresponding --no-SSL option.
Error reported by some Net::SSLeay versions. Reason may be a timeout. This error cannot be omitted or handled properly.
Workaround: try to use same call again (no guarantee, unfortunatelly)
This warning from perl have been observed when the connection to the target to check for supported ciphers cannot be established.
This message can be ignored.
Mismatch of openssl executable and loaded underlaying library. This most likely happens when options --lib=PATH and/or --exe=PATH are used. See also Note on SSL versions .
Hint: use following commands to get information about used libraries:
This error message may occour on 32-bit systems if perl was not com- piled with proper options. I.g. perl automatically converts the value to a floating pont number. Please report a bug with output of following command:
Text may be part of a value. This means that all checks according DH parameters and logkam attack cannot be done.
Workaround: try to use --openssl=TOOL option.
This text may appear in any of the compliance checks (like +rfc7525) which may be a false positive. For these checks openssl is also used to get the DH Parameter.
Workaround: not available yet
On some (mainly Windows-based) systems using
does not print anything.
Workaround: use --v option.
or
Some tools do not display all characters properly, for example some versions of podviewer. It is not the obligation of this tool to fix well known bugs in other tools. However, we can offer workarounds.
Workaround: generate the affected output using --std-format=* options For example:
On some (mainly Windows-based) systems this may happen when calling for example:
which then may produce:
Workaround: use full path to perl.exe, for example
There are various reasons when the program responds slow, or seems to hang. Performance issues are most likely a target-side problem. Most common reasons are (no specific order):
Other options which may help to get closer to the problem's cause: --trace-time, --timeout=SEC, --trace, --trace-cmd
Using --trace-time should show following times:
Some commands cannot be used together with others, for example: +cipher, +ciphers, +list, +libversion, +version, +check, +help, +protocols .
+quick should not be used together with other commands, it returns strange output then. It is the only command which allows +cipher together with other commands.
+protocols requires openssl(1) with support for -nextprotoneg option. Otherwise the value will be empty.
The option --port=PORT must preceed --host=HOST for a target like HOST:PORT .
The characters + and = cannot be used for --separator=CHAR option.
Following strings should not be used in any value for options: +check, +info, +quick, --header as they my trigger the --header option unintentional.
The used timeout(1) command cannot be defined with a full path like openssl(1) can with the --openssl=path/to/openssl .
--cfg-text=FILE cannot be used to redefine the texts yes and no as used in the output for +cipher command.
This check is only done for the certificate provided by the target. All other certificate in the chain are not checked.
This is currently (2018) a limitation in o-saft.pl.
This error message most likely means that the connection to specified target was not possible (firewall or whatever reason).
The systems default capabilities for example libssl.so, openssl, are used to verify the target's certificate chain. Unfortunately various systems have implemented different approaches and rules how identify and how to report a successful verification. Consequently, this tool can only return the same information about the chain verification as the used underlying tools. If that information is trustworthy depends on how trustworthy the tools are.
These limitations apply to following commands:
Following commands and options are useful to get more information:
Please note that there cannot be any guarantee that the code provided in the DEBUG-FILE o-saft-dbx.pm or USER-FILE o-saft-usr.pm will work flawless. Obviously this is the user's responsibility.
Checking the target for supported ciphers may return that a cipher is not supported by the server misleadingly. Reason is most likely an improper timeout for the connection. See --timeout=SEC option.
If the specified targets accepts connections but does not speak SSL, the connection will be closed after the system's TCP/IP-timeout. This script will hang (about 2-3 minutes).
If reverse DNS lookup fails, an error message is returned as hostname, like: <<gethostbyaddr() failed>>. Workaround to get rid of this message: use --no-dns option.
All checks for EV are solely based on the information provided by the certificate.
Some versions of openssl (< 1.x) may not support all required options which results in various error messages, or more worse, may not be visibale at all. Available functionalitity of openssl will be checked for right at the beginning. Proper warnings and hints are printed. Following table shows the openssl option and how to disable it within o-saft.pl:
Sometimes the connection cannot be established. This may have various reasons. Unfortunaly this script seems to hang then. In particular when checking for ciphers with +cipher command. The reason is most likely that the server does not respond to the TCP/IP request, hence the script closes the connection after the configured timeout (please see --timeout=SEC option).
Continous connection attempts can be inhibited with the --ssl-error option, which is set by default. Avoiding further connections results in a loss of information and consequentely, leads to wrong checks.
It is a trade-off to wait for all information done accurately, or to get the results quickly. The logic to stop connecting for --ssl-error can be controlled with following additional options:
This means that no more connections are made when more than
Examples:
no more connections are made if for example any sequence of timeouts occour:
This allows to fine-tune the condition when to stop connecting to the target. For example, continous but not consecutive timeouts may indi- cate a bad or instable network connection, but not that the target to be connected blocks. In such a case sequence of timeouts like follows may be observed (assuming --ssl-error-max=3):
On normal (even slow) network connections dozens of connections per second are usual, hence the timeout is always 0 or 1. Based on that experience --ssl-error is enabled and set with defaults as follows:
Use of openssl(1) is disabled by default on Windows due to various performance problems. It needs to be enabled with --openssl option.
On Windows the usage of openssl s_client needs to be enabled using --s_client option.
On Windows it's a pain to specify a correct path for --openssl=TOOL option. Variants are:
You have to fiddle around to find the proper one.
When both --trace-key and --trace-cmd options are used, output is mixed, obviously. Hint: output for --trace-cmd always contains CMD.
Any --trace* option implies --trace-time .
All Perl modules and all private moduels and files will be searched for using paths available in the @INC variable. @INC will be prepended by following paths:
Where INSTALL_PATH is the path where the tool is installed. To see which files have been included use:
Perl modules loaded and used for some options only:
The tool can be installed in any path. It just requres the modules as described in DEPENDENCIES above. However, it's recommended that the modules Net::SSLhello and Net::SSLinfo are found in the directory ./Net/ where o-saft.pl is installed.
For security reasons, most modern libraries disabled or even removed insecure or dirty functionality. As the purpose of this tool is to detect such insecure settings, functions, etc., it needs these dirty things enabled. It needs (incomplete list):
Therefore we recommend to compile and install at least following:
Please read the SECURITY section first before following the install instructions below.
The script INSTALL.sh provides a quick method to check, compile and install anything needed. Please see:
INSTALL.sh --help
For more details, read on ...
To build openssl following packages are requred (note that the names may differ depending on the used platform):
Also, following Perl modules should be installed:
Currently (since 18.06.18) it is recommend to build openssl using:
Other possibilities are:
The sources are available at
For all following installation examples we assume:
Simply download the tarball or zip file for your platform, unpack it, and install (copy) the binaries into a directory of your choice.
Note that Net::SSLeay needs to be adapted properly then.
OpenSSL can be used from http://openssl.org/ or, as recommended, from https://github.com/PeterMosmans/openssl/ .
OpenSSL-chacha Compiling and installing the later is as simple as:
which will install openssl, libssl.so, libcrypto.so and some include files as well as the include files in /usr/local/ . The shared version of the libraries are necessary for Net::SSLeay.
For a more complete build, plese see: contrib/install_openssl.sh .
OpenSSL.org Building openssl from the offical openssl.org sources requires some patching before compiling and installing the libraries and binaries.
Example with openssl-1.0.2d:
To enable support for ancient protocol versions, Net::SSLeay must be compiled manually after patching SSLeay.xs (see below). Reason is, that Net::SSLeay enables some functionality for SSL/TLS according the identified openssl version. There is, currently (2015), no possibility to enable this functionality by passing options on to the configuration script perl Makefile.PL.
Building our own library and module (with openssl from /usr/local):
SSLeay.xs needs to be changed as follows:
Note that Net::SSLeay will be installed in /usr/local/ then. This can be adapted to your needs by passing another path to the PREFIX and DESTDIR parameter.
Following command can be used to check which methods are avilable in Net::SSLeay, hence above patches can be verified:
After installation as descibed above finished, openssl may be tested:
The difference should be obvious. Note, the commands using ALL:COMPLEMENTOFALL and ALL:eNULL:EXP should return the same result.
As we want to test the separately installed Net::SSLeay, it is best to do it with o-saft.pl itself:
we should see a line similar to follwong at the end of the output:
Now check for supported (known) ciphers:
we should see lines similar to those of the last /usr/local/openssl call. However, it should contain more cipher lines.
Some people asked for a stand-alone executable (mainly for Windows). Even Perl is a scripting language there are situations where a stand- alone executable would be nice, for example if the installed perl and its libraries are outdated, or if perl is missing at all.
Currently (2016) there are following possibilities to generate such a stand-alone executable:
For details on building the executable, for example how to include all required modules, please refer to the documentation of the tool.
Note that pre-build executables (build by perlapp, perl2exe) cannot be provided due to licence problems. Also note that using stand-alone executable have not been tested the same way as the o-saft.pl itself. Use them at your own risk.
This script can be used as CGI application. Output is the same as in common CLI mode. The output will be prefixed with the HTTP header Content-Type:text/plain. The script o-saft.cgi should be used as wrapper for o-saft.pl . The HTML form o-saft.cgi.html which can be generated with:
should be used as front-end for o-saft.cgi.
This form provides following functionality:
In both GUI sections following buttons exist:
In general, command buttons which submit the form are yellow. Buttons which show some help, mainly in a new browser tab, are gray.
The script returns an empty page (HTML body) for following reasons:
For deatils pleasesee
The tool can be used inside a Docker image. To start o-saft.pl inside the Docker image, use following:
For more details, please refer to:
The Docker image can be installed as follows:
The image can also easily be build from the Dockerfile (which is part of the distribution) as follows:
To build the image from the Dockerfile with docker commands, see:
For more details, please refer to:
Automatically detecting the supported SSL versions of the underlaying system is a hard job and not always possible. Reasons could be:
There're some workarounds implemented since version 15.11.15 .
There're some workarounds implemented since version 15.11.15 .
We try to detect unsupported versions and disable them automatically, a warning like follwoing is shown then:
All such warnings look like:
If problems occour with SSL versions, following commands and options may help to get closer to the reason or can be used as workaround:
Checking for SSL version is done at one place in the code, search for
However, there are some dirty hacks where SSLv2 and SSLv3 is checked again.
For all cryptographic functionality the libraries installed on the system will be used. In particular Perl's Net::SSLeay(3pm) module, the system's libssl.so and libcrypt.so and the openssl(1) executable.
It is possible to provide your own libraries, if the Perl module and the executable are linked using dynamic shared objects (a.k.a shared library, position independent code). The appropriate option is --lib=PATH.
On most systems these libraries are loaded at startup of the program. The runtime loader uses a preconfigured list of directories where to find these libraries. Also most systems provide a special environment variable to specify additional paths to directories where to search for libraries, for example the LD_LIBRARY_PATH environment variable. This is the default environment variable used herein. If your system uses another name it must be specified with the --envlibvar=NAME option, where NAME is the name of the environment variable.
If any of --exe=PATH or --lib=PATH is provided, the pragram calls (exec) itself recursively with all given options, except the option itself. The environment variables LD_LIBRARY_PATH and PATH are set before executing as follows:
This is exactly, what Cumbersome Approach below describes. So these option simply provide a shortcut for that.
Note that --openssl=TOOL is a full path to the openssl executable and will not be changed. However, if it is a relative path, it might be searched for using the previously set PATH (see above).
Note that LD_LIBRARY_PATH is the default. It can be changed with the --envlibvar=NAME option.
While --exe mainly impacts the openssl(1) executable, --lib also impacts o-saft.pl itself, as it loads other shared libraries if found.
Bear in mind that all these options can affect the behaviour of the openssl subsystem, influencing both which executable is called and which shared libraries will be used.
Note that no checks are done if the options are set proper. To verify the settings, following commands may be used:
Why so many options? Exactly as described above, these options allow the users to tune the behaviour of the tool to their needs. A common use case is to enable the use of a separate openssl build independent of the openssl package used by the operating system. This allows the user fine grained control over openssl's encryption suites which are compiled/available, without affecting the core system.
Depending on your system and the used modules and executables, it can be tricky to replace the configured shared libraries with own ones. Reasons are:
Only the first one a) can be circumvented. The last one d) can often be ignored as it only prints a warning or error message.
To circumvent the name with version number problem try following:
which returns something like:
Here only the first two libraries are important. Both, libcrypto.so and libssl.so need to be version 0.9.8 (in this example).
or:
This works if openssl(1) uses the same shared libraries as Net::SSLeay(3pm), which most likely is the case.
It's tested with Unix/Linux only. It may work on other platforms also if they support such an environment variable and the installed Net::SSLeay(3pm) and openssl(1) are linked using dynamic shared objects.
Depending on compile time settings and/or the location of the used tool or lib, a warning like following may occur:
This warning can be ignored, usually as req or ca sub commands of openssl is not used here. To fix the problem, either use --openssl-cnf=FILE option or set the the environment variable OPENSSL_CONF properly.
A more cumbersome approach to call this program is to set following environment variables in your shell:
I.g. the used libraries on Windows are libeay32.dll and ssleay32.dll.
Windows also supports the LD_LIBRARY_PATH environment variable. If it does not work as expected with that variable, it might be possible to place the libs in the same directory as the corresponding executable (which is found by the PATH environment variable).
This script can be used as CGI application. Output is the same as in common CLI mode, using Content-Type:text/plain. Keep in mind that the used modules like Net::SSLeay(3pm) will write some debug messages on STDERR instead STDOUT. Therefore multiple --v and/or --trace options behave slightly different.
No additional external files like RC-FILE or DEBUG-FILE are read in CGI mode; they are silently ignored. Some options are disabled in CGI mode because they are dangerous or don't make any sense.
There are no input data validation checks implemented herein. All input data is url-decoded once and then used verbatim. More advanced checks must be done outside before calling this tool.
It is not recommended to run this tool in CGI mode. You have been warned!
There are some functions called within the program flow, which can be filled with any Perl code. Empty stubs of the functions are prepared in o-saft-usr.pm. See also USER-FILE .
Following options and commands are useful for hunting problems with SSL connections and/or this tool. Note that some options can be given multiple times to increase amount of listed information. Also keep in mind that it's best to specify --v as very first argument.
Note that the file o-saft-dbx.pm is required, if any --trace* or --v option is used.
Please see OPTIONS section above for detailed description.
Empty or undefined strings are written as <<undefined>> in texts. Some parameters, in particular those of HTTP responses, are written as <<response>>. Long parameter lists are abbreviated with .... In general, single-line values are always printed, multi-line values are printed with --trace=2 only.
Hint: start with --trace-me, then --trace and finally --trace=2 .
When using --v and/or --trace options, additional output will be prefixed with a # (mainly as first, left-most character. Following formats are used:
This tool was designed to work with old Perl modules too. When using old modules, a proper **WARNING: will be printed. These warinings cannot be switched of using --no-warning . The warning also informs about the missing functionality or check.
I.g. it is best to install newer versions of the module if possible. A good practice to check if modules are available in a proper version is to call:
Following example shows the result without warnings:
Following example shows the result with warnings (line nr. may vary):
Please keep in mind that the shown version numbers and the shown line numbers are examples and may differ on your system.
When starting o-saft.pl with outdated modules, more **WARNING: will be shown. The warnings depend on the installed version of the module.
What is testing? This tool itself is for testing something (TLS etc.), so it needs to be explained what testing here is about. Following testing types are distinguished and then described:
All descriptions below, except User testing, are only intended for development.
During normal use of the tool, testing is only required for hunting problems with the connected target. Following options for tracing and verbosity can be used for that:
Print more information about checks.
Print debugging messages. For more details, please see Options for tracing and debugging .
This section describes developer rather than user testing.
Functional testing mainly means testing the functionality of the tool itself, for example: do the commands and options work as described in the documentation: o-saft.pl --help
Makefiles are used for testing functionality and code quality during development. These tests are implemented in the ./t/ directory, see all Makefile.* there, start with Makefile.pod.
Testing SSL/TLS is a challenging task. Beside the oddities described elsewhere, for example Name Rodeo, there are a bunch of problems and errors which may occour during runtime.
Following options and commands for o-saft.pl are available to improve testing. They mainly can simulate error conditions or stop execution properly (they are not intended for other use cases):
Stop execution after processing all arguments and before precessing any target. The runtime configuration is complete at this point.
Terminate tool at specified KEY. For available KEY, please see:
With this option values in the internal %cfg hash can be set:
Only (perl) scalars or arrays can be set. The type will be detected automatically.
Example, this option can be used to change the text used as prefix in each output line triggerd by the --v option:
or the text used as prefix triggerd by the --trace option:
The options which provide information about internal data structures and alike described below, behave like the command +quit and do not perform any checks on the target(s). See t/Makefile.* how to use these tests.
Print overview of following commands/options.
Print overview of all available commands and checks.
Print internal data strucures %cfg{openssl}, %cfg{ssleay}.
Print internal data according protocols.
Print results for applying various texts to defined regex.
Print ciphers in various formats, please see: OSaft/Ciphers.pm . These options are aliases for: +list --legacy=TYP .
Print some special information, please see: OSaft/Ciphers.pm .
Print parts of data structure %cfg. In contrast to the options described above, --test-init exits straight before performing the specified commands on the target. Therefore it prints the settings in %cfg containing all applied commands and options.
Print overview of variables' memory usage, used for debugging only.
Print available methods for openssl in Net::SSLeay.
Print available options for openssl s_client from Net::SSLeay.
Print SSL protocols constants from Net::SSLeay.
Print information about Net::SSLeay capabilities.
Obsolete, please use:
Finally there should be tests, which prove that the results of o-saft.pl are really what they should be. A test target is necessary therefore, which produces reliable results. However, some of the implemented tests in t/Makefile.* (see section Functional testing above) already work properly. This test coverage needs to be improved ...
(o-saft.pl in all following examples is the name of the tool)
this will show lines containing: #O-Saft CMD: test ...
Documentation is mainly intented for the user, which is provided with
But it may be difficult to find the proper information there. To get more selective documentations, the --help=* options can be used. To get an overview which --help=* options are available, use:
This only provides the complete user documentation, or the well known parts specified by the keyword, (HELP in example above). To find any text with some lines of context, following could be used:
This is simply avaiable with:
In the GUI a more sophisticate search is implemented, see the Help window there:
Documentation for developers is provided in various ways. Information for developers can be found found in:
Using make for development uses additional external tools and/or Perl modules:
Based on ideas (in alphabetical order) of:
@(#) 22.11.22
31. July 2012 Achim Hoffmann
Project Home: https://owasp.org/www-project-o-saft/
Repository Download (stable) Download (newest)