O-Saft — OWASP SSL advanced forensic tool


COMMANDS

There are commands for various tests regarding the SSL connection to the target, the target's certificate and the ciphers used.

All commands are preceded by a + to distinguish them easily from other arguments and options. However, some --OPTIONS options are treated as commands for historical reasons or for compatibility with other programs.

The most important commands are (in alphabetical order): +check +cipher +info +http +list +quick +sni +sni_check +version

A list of all available commands will be printed with:

o-saft.pl --help=cmd

The description of all other commands will be printed with:

o-saft.pl --header --help=commands

The summary and internal commands return requested information or the results of checks. These are described below.

Note that some commands may be a combination of other commands, see:

o-saft.pl --header --help=intern

The following sub-sections only describe the commands which do more than return a simple piece of information from the target. All other commands can be listed with:

o-saft.pl --header --help=commands

The final sub-section, Notes about commands, contains notes about special commands and related commands.

Commands for information about this tool

All these commands will exit after execution (cannot be used together with other commands).

+ciphers

Show ciphers offered by local SSL implementation.

This command prints the ciphers in a format like openssl ciphers does. It also accepts the -v and -V options. The --legacy=TYPE option can be used as described for the +list command. Use the +list command for more information about ciphers.

+list

Show all ciphers supported by this tool. This includes cryptographic details of the cipher and some internal details about the rating.

In contrast to the +ciphers command, +list uses TAB characters instead of spaces to separate columns. It also prints table header lines by default.

Different output formats are used for the --legacy option:

  • --legacy=simple tabular output of cipher values
  • --legacy=full as --legacy=simple but more data
  • --legacy=openssl output like with +ciphers command
  • --legacy=ssltest output like ssltest --list

    +VERSION

    Just show version and exit.

    +version

    Show version information for both the program and the Perl modules that it uses, then exit.

    Use the --v option to show more details.

    +libversion

    Show version of openssl.

    +quit

    Show internal data and exit, used for debugging only.

    Commands to check SSL details

    The following (summary and internal) commands are simply shortcuts for a list of other commands. For details of the list use:

    o-saft.pl --help=intern

    +check

    Check the SSL connection for security issues. Implies +cipher.

    +host

    Print details about the target's hostname, DNS, etc. These details are usually printed only for the +check and +info commands, but not for any individual command.

    +http

    Perform HTTP checks (like STS, redirects etc.).

    +info

    Overview of most important details of the SSL connection.

    Use the --v option to also show details that span multiple lines.

    +info--v

    Overview of all details of the SSL connection. It is a shortcut for all commands listed below but not including +cipher.

    This command is intended for debugging as it prints some details of the used Net::SSLinfo module.

    +quick

    Quick overview of checks. Implies --enabled and --short.

    +pfs

    Check if the server offers ciphers with perfect forward secrecy (PFS).

    +protocols

    Check for protocols supported by target.

    +vulns

    Check for various vulnerabilities.

    +sts

    +hsts

    Various checks regarding the STS HTTP header. This command implies --http, meaning that --no-http is ignored.

    +sni

    Check for Server Name Indication (SNI) usage.

    +sni_check

    +check_sni

    Check for Server Name Indication (SNI) usage and validity of all names (CN, subjectAltName, FQDN, etc.).

    +bsi

    Various checks regarding compliance with BSI TR-02102-2 and TR-03116-4.

    +ev

    Various checks regarding the certificate's Extended Validation (EV).

    Hint: use the option --v --v to get information about failed checks.

    +sizes

    Check length, size and count of some values in the certificate.

    +s_client

    Dump data retrieved from openssl s_client ... call. This should be used for debugging only. It can be used just like openssl itself, for example:

    openssl s_client -connect host:443 -no_sslv2

    +dump

    Dumps internal data for SSL connection and target certificate. This is mainly for debugging and should not be used together with other commands (except +cipher). Each key-value pair is enclosed in #{ and #}.

    Using --trace --trace dumps data of Net::SSLinfo too.

    +exec

    Command used internally when requested to use other libraries. This command should not be used directly.

    Commands to test ciphers provided by target

    Besides the descriptions of the commands themselves here, please see also Notes about commands below.

    +cipher

    Check target for ciphers, either all ciphers, or the ciphers specified with the --cipher=CIPHER option.

    Note that ciphers not supported by the local SSL implementation are not checked by default; use the +cipherall or +cipherraw command for those.

    Use the --v option to see all ciphers being checked.

    +cipherraw

    Check target for all possible ciphers. Does not depend on local SSL implementation.

    In contrast to +cipher this command has some options to tweak the cipher tests, connection results and some strange behaviours of the target. See Options for cipherall command for details.

    +cipherall

    Same as +cipherraw but with an output format similar to the +cipher command.

    +cipher-default

    Lists the cipher selected by the server for each protocol, sometimes referred to as the default cipher.

    For each protocol the two selected ciphers are shown, one returned by the server if the cipher list in the ClientHello is sorted with the strongest cipher first, and one returned if the cipher list in the ClientHello is sorted with strongest cipher last. See Notes about commands for details.

    +cipher-dh

    Check target for ciphers. All ciphers supported by the server are printed with their DH or ECDH parameters (if available).

    +null

    +cipher-null

    Check if target accepts NULL ciphers.

    +adh

    +cipher-adh

    Check if target accepts ciphers with anonymous key exchange.

    +export

    +cipher-exp

    Check if target accepts EXPORT ciphers.

    +cbc

    +cipher-cbc

    Check if target accepts CBC ciphers.

    +des

    +cipher-des

    Check if target accepts DES ciphers.

    +cipher-rc4

    Check if target accepts RC4 ciphers.

    +edh

    +cipher-edh

    Check if target supports ephemeral ciphers.

    +cipher-pfs

    Check if target supports ciphers with PFS.

    +cipher-strong

    Check if target selects strongest cipher.

    +cipher-weak

    Check if target selects weak cipher (opposite of +cipher-strong).

    Commands to test SSL connection to target

    Please see:

    o-saft.pl --help=commands

    Commands to show certificate details of the target

    Please see:

    o-saft.pl --help=commands

    Notes about commands

    +cipher vs. +cipherall

    +cipher can only check for ciphers (more precisely: cipher suites) provided by the local SSL implementation (i.e. libssl). +cipherall can check for any cipher, as it just uses the cipher's integer value in the range 0 .. 65532.

    +cipherall vs. +cipherraw

    These commands are identical, just the output format is different.

    +cipher vs. +cipher-dh

    While +cipher prints checked ciphers, +cipher-dh prints ciphers with their DH or ECDH parameters (if available) only for supported ciphers.

    +cipher vs. +cipher-default

    Both commands show the default cipher for each protocol.

    +cipher lists a summary of ciphers selected by the server for each protocol requested by the user (for example by using options like: --sslv3 --tlsv1 etc.). When the --v option is used, all selected ciphers for all known protocols are listed. This summary focuses on counts for various ciphers.

    +cipher-default lists the cipher selected by the server for each protocol.

    +cipher-selected vs. +cipher-default

    +selected lists the cipher selected by the server if no particular protocol was specified and the system's default cipher list is sent in the ClientHello to the server.

    +cipher-default lists the cipher selected by the server for each protocol.

    +cipher-strong vs. +cipher-default

    +strong-cipher shows the result of the check if strong ciphers are preferred by the server. It is a check command.

    +cipher-default lists the cipher selected by the server for each protocol. It is an information command.

    It is not possible to check if a server uses SSLHonorCipherOrder. Even if it is used (switched on), it is not possible to check the specified order of the ciphers.

    In general, it is expected that the order follows the cipher suites' strength, meaning the strongest first and the weakest last. It does not make sense to use an order where a weak cipher precedes a stronger one. Such a (mis-)configuration should be detected.

    Having this in mind, the algorithm to detect a proper cipher order is simply as follows:

    1. pass the sorted cipher list with the strongest cipher first
    2. pass the sorted cipher list with the strongest cipher last

    If the server returns the same cipher for both checks, it's assumed that it prefers to use the strongest cipher. In this case it's obvious that SSLHonorCipherOrder is set (exceptions see below).

    +cipherall uses a more accurate algorithm to detect the server's cipher order.

    Exceptions: If either the server or the client uses only one cipher suite in its list, SSLHonorCipherOrder cannot be detected at all. The same happens if only one cipher in the client's list matches a cipher in the server's list.
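    The two-ClientHello heuristic above (also the basis of +cipher-default and +cipher-strong), run against a simulated server, as an added Python example that is not O-Saft's own Perl code. Cipher names and their strength ranking are constructed for illustration; the extra comparison against the strongest shared suite is an addition on top of the page's heuristic so that a weak-first server order is flagged rather than mistaken for a sane one.

```python
"""Added example: the two-ClientHello cipher-order heuristic from the O-Saft
help text, run against a simulated server. Not O-Saft's own code; cipher names
and their strength ranking are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed ranking, strongest first. Real tools derive this from suite
# properties (key exchange, cipher, MAC); here it is fixed for the example.
STRENGTH_ORDER: List[str] = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "AES128-SHA",
    "RC4-SHA",
]


@dataclass
class SimServer:
    """Stand-in for a TLS server: enabled suites in its preferred order, and
    whether it enforces that order (SSLHonorCipherOrder) or the client's."""
    suites: Sequence[str]
    honor_own_order: bool

    def select(self, client_hello: Sequence[str]) -> Optional[str]:
        """Suite the server negotiates for the offered ClientHello list."""
        common = [c for c in client_hello if c in self.suites]
        if not common:
            return None
        if self.honor_own_order:
            return next(s for s in self.suites if s in common)
        return common[0]  # client preference wins


@dataclass
class OrderResult:
    decidable: bool                    # False in the "Exceptions" cases
    same_both_ways: Optional[bool]     # same suite for both hellos?
    prefers_strongest: Optional[bool]  # picked suite is strongest in common?


def check_cipher_order(server: SimServer, client_list: Sequence[str]) -> OrderResult:
    """Step 1: offer the list strongest-first. Step 2: offer it strongest-last.
    The same answer both times means the server imposes its own order.
    Added on top of the page's heuristic: compare that answer with the
    strongest suite both sides share, so a server that enforces a weak-first
    order (the misconfiguration the text says should be detected) is flagged
    rather than mistaken for a well-ordered one."""
    common = [c for c in STRENGTH_ORDER if c in client_list and c in server.suites]
    if len(common) < 2:
        # Exception from the text: one suite on either side, or a single
        # overlapping suite, leaves nothing to compare.
        return OrderResult(False, None, None)
    strongest_first = sorted(client_list, key=STRENGTH_ORDER.index)
    strongest_last = list(reversed(strongest_first))
    pick1 = server.select(strongest_first)
    pick2 = server.select(strongest_last)
    # pick2 is decisive: only a server enforcing a sane order returns the
    # strongest suite when the client listed it last.
    return OrderResult(True, pick1 == pick2, pick2 == common[0])


if __name__ == "__main__":
    sane = SimServer(["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "RC4-SHA"], True)
    weak_first = SimServer(["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"], True)
    print(check_cipher_order(sane, STRENGTH_ORDER))        # same=True, strongest=True
    print(check_cipher_order(weak_first, STRENGTH_ORDER))  # same=True, strongest=False
```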

    +extensions vs. +tlsextensions

    +extensions shows the certificate extensions and +tlsextensions shows the TLS protocol extensions. Use +tlsextdebug to show more information about the TLS protocol extensions.

    +http2 +spdy +spdy3 +spdy31 +spdy4 +prots

    These commands are just an alias for the +protocols command.

    +hostname vs. +wildhost vs. +altname vs. +rfc_2818

    The commands +cn and +altname print the information stored in the certificate. The command +hostname checks if the given hostname matches the CN value in the certificate. Note that wildcard names in the CN may only contain one *. The command +wildcard checks if the given hostname does not match any name specified in the certificate's subjectAltName. This check is useful if the certificate and the configuration must comply with RFC 6125 or EV certificates.

    OPTIONS

    All options are written in lowercase. Words written in all capitals in the descriptions here are text provided by the user.

    Options for help and documentation

    --h

    --help

    WYSIWYG

    --help=cmd

    Show available commands; short form.

    --help=commands

    Show available commands with short description.

    --help=opt

    Show available options; short form.

    --help=options

    Show available options with their description.

    --help=checks

    Show available checks.

    --help=check-cfg

    --help=cfg-check

    Show texts used as labels in output for checks (see +check) ready for use in RC-FILE or as option.

    --help=data

    Show available information.

    --help=data-cfg

    --help=cfg-data

    --help=cfg-info

    Show texts used as labels in output for data (see +info) ready for use in RC-FILE or as option.

    --help=hint

    Show texts used in hint messages.

    --help=hint-cfg

    --help=cfg-hint

    Show texts used in hint messages ready for use in RC-FILE or as option.

    --help=text

    Show texts used in various messages.

    --help=text-cfg

    --help=cfg-text

    Show texts used in various messages ready for use in RC-FILE or as option.

    --help=legacy

    Show possible legacy formats (used as value in --legacy=TOOL).

    --help=compliance

    Show available compliance checks.

    --help=intern

    Show internal commands.

    --help=alias

    Show aliases for commands and options.

    --help=range

    Show list of cipher ranges (see --cipherrange=RANGE).

    --help=score

    Show score value for each check. Value is printed in format to be used for --cfg-score=KEY=SCORE.

    Note that the sequence of options is important. Use the options --trace and/or --cfg-score=KEY=SCORE before --help=score.

    --help=toc

    --help=content

    Show headlines from help text. Useful to get an overview.

    --help=SECTION

    Show SECTION from documentation, see --help=toc for a list. Example:

    o-saft.pl --help=EXAMPLES

    --help=ourstr

    Show regular expressions to match our own strings used in output.

    --help=regex

    Show regular expressions used internally.

    --help=gen-html

    Print documentation in HTML format.

    --help=gen-pod

    Print documentation in POD format.

    --help=gen-wiki

    Print documentation in mediawiki format.

    --help=gen-cgi

    Print documentation in format to be used for CGI.

    --help=error

    --help=warning

    --help=problem

    Show KNOWN PROBLEMS section with description of known error and warning messages.

    --help=faq

    Show KNOWN PROBLEMS and LIMITATIONS section.

    --help=glossary

    Show common abbreviations used in the world of security.

    --help=links

    --help=rfc

    Show list of RFCs related to SSL/TLS.

    --help=todo

    Show known problems and bugs.

    --help=program.code

    For developers.

    Options for all commands (general)

    --dns

    Do DNS lookups to map the given hostname to an IP and do a reverse lookup.

    --no-dns

    Do not make DNS lookups. Note that the corresponding IP and reverse hostname may be missing in some messages then.

    --host=HOST

    Specify HOST as target to be checked. Legacy option.

    --port=PORT

    Specify PORT of target to be used. Legacy option.

    --host=HOST --port=PORT HOST:PORT HOST

    When giving more than one HOST argument, the sequence of the given HOST arguments and the given --port=PORT and --host=HOST options is important. The rules for how ports and hosts are mapped are as follows:

  • HOST:PORT arguments are used as is (connection to HOST on PORT)
  • if only HOST is given, then the previously specified --port=PORT is used

    Note that URLs are treated as HOST:PORT, if they contain a port. Example:

    o-saft.pl +cmd host-1 --port 23 host-2 host-3:42 host-4

    will connect to:

  • host-1:443
  • host-2:23
  • host-3:42
  • host-4:23
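    The mapping rule above, implemented as an added Python example (not O-Saft's own Perl code). It assumes 443 as the initial port and, beyond what the text states, that a URL without an explicit port contributes only its hostname and falls back to the current --port value.

```python
"""Added example (not O-Saft code): map HOST, HOST:PORT, --port and --host
arguments to (host, port) targets following the rules in the help text."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORT = 443  # used for a bare HOST before any --port=PORT is seen


def split_host_port(arg: str) -> Tuple[str, Optional[int]]:
    """'host:42' -> ('host', 42); a URL -> (hostname, explicit port or None);
    anything else is a bare host with no port of its own."""
    if "://" in arg:
        parts = urlsplit(arg)
        # Assumption (not stated on the page): a URL without an explicit port
        # is treated like a bare HOST and takes the current --port value.
        return parts.hostname or "", parts.port
    if arg.count(":") > 1 and not arg.startswith("["):
        return arg, None  # unbracketed IPv6 literal: no port suffix to split off
    host, sep, port = arg.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return arg, None


def parse_targets(argv: List[str]) -> List[Tuple[str, int]]:
    """Walk the arguments in order: --port=PORT (or --port PORT) changes the
    port for every following bare HOST; HOST:PORT is used as is; --host=HOST
    is handled like a positional HOST. '+' commands and other options are
    skipped, so the sequence of arguments decides the mapping."""
    targets: List[Tuple[str, int]] = []
    current_port = DEFAULT_PORT
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--port="):
            current_port = int(arg.split("=", 1)[1])
        elif arg == "--port" and i + 1 < len(argv):
            current_port = int(argv[i + 1])
            i += 1  # consume the value
        elif arg.startswith("--host="):
            host, port = split_host_port(arg.split("=", 1)[1])
            targets.append((host, current_port if port is None else port))
        elif arg.startswith(("+", "-")):
            pass  # a command or an option not relevant to target mapping
        else:
            host, port = split_host_port(arg)
            targets.append((host, current_port if port is None else port))
        i += 1
    return targets


if __name__ == "__main__":
    # The example from the help text: host-1:443, host-2:23, host-3:42, host-4:23
    print(parse_targets(["+cmd", "host-1", "--port", "23", "host-2", "host-3:42", "host-4"]))
```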
    --proxyhost=PROXYHOST --proxy=PROXYHOST:PROXYPORT

    Make all connections to the target using PROXYHOST.

    Also possible is: --proxy=PROXYUSER:PROXYPASS@PROXYHOST:PROXYPORT

    --proxyport=PROXYPORT

    Make all connections to the target using PROXYHOST:PROXYPORT.

    --proxyuser=PROXYUSER

    Specify username for proxy authentication.

    --proxypass=PROXYPASS

    Specify password for proxy authentication.

    --starttls

    Use the STARTTLS command to start a TLS connection via SMTP. This option is a shortcut for --starttls=SMTP.

    --starttls=SMTP

    --starttls=PROT

    Use the STARTTLS command to start a TLS connection via the protocol PROT. PROT may be any of: SMTP, IMAP, IMAP2, POP3, FTPS, RDP, LDAP or XMPP.

    For --starttls=SMTP see also --dns-mx to use MX records instead of the host.

    --starttls-delay=SEC

    Number of seconds to wait before sending a packet, to slow down the STARTTLS requests. Default is 0. This may prevent blocking of requests by the target due to too many or too rapid connections. Note: in this case there is an automatic suspension and retry with a longer delay.

    --cgi

    --cgi-exec

    Internal use for CGI mode only.

    Options for SSL tool

    --rc

    Read RC-FILE, if it exists, from the directory where the program was found.

    --no-rc

    Do not read RC-FILE.

    --exitcode

    The exit status code will be greater than 0 if any of the following applies:

  • any check returns no
  • insecure protocols are available
  • insecure ciphers are supported
  • ciphers without PFS are supported (disable with --exitcode-cipher)

    In particular, the status code will be the total count of all these checks.

    Parts of these checks can be disabled, see --exitcode-* options below.

    This functionality is experimental and may change in future.

    --exitcode-no-checks

    Do not count checks with result no for --exitcode .

    --exitcode-no-low --exitcode-no-weak --exitcode-no-medium

    Do not count LOW, WEAK or MEDIUM security ciphers for --exitcode .

    --exitcode-no-ciphers

    Do not count any ciphers for --exitcode .

    --exitcode-no-pfs

    Do not count ciphers without PFS for --exitcode .

    --openssl-s_client --s_client

    Use the openssl s_client ... call to retrieve more information from the SSL connection. This is disabled by default on Windows because of performance problems. Without this option (the default on Windows!) the following information is missing:

    compression, expansion, renegotiation, resumption,
    selfsigned, verify, chain, protocols, DH parameters

    See Net::SSLinfo for details.

    If used together with --trace, s_client data will also be printed in debug output of Net::SSLinfo.

    --no-openssl

    Do not use the external openssl tool to retrieve information. Use of openssl is disabled by default on Windows. Note that this results in some missing information, see above.

    --openssl=TOOL

    TOOL can be a path to the openssl executable; default: openssl

    --openssl-cnf=FILE --openssl-conf=FILE

    FILE is the path of a directory or the full path of openssl.cnf

    If set, environment variable OPENSSL_CONF will be set to given path (or file) when openssl(1) is started. Please see openssl's man page for details about specifying alternate openssl.cnf files.

    --openssl-ciphers --force-openssl

    Use openssl to check for supported ciphers; default: IO::Socket(1)

    This option forces the use of openssl s_client -connect CIPHER .. to check if a cipher is supported by the remote target. This is useful if the --lib=PATH option doesn't work (for example due to changes of the API or other incompatibilities).

    --exe-path=PATH

    --exe=PATH

    PATH is a full path where to find openssl.

    --lib-path=PATH

    --lib=PATH

    PATH is a full path where to find libssl.so, libcrypto.so.

    See HACKER's INFO below for a detailed description of how it works.

    --envlibvar=NAME

    NAME is the name of an environment variable containing additional paths for searching dynamic shared libraries. Default is LD_LIBRARY_PATH.

    Check your system for the proper name, i.e.:

    DYLD_LIBRARY_PATH, LIBPATH, RPATH, SHLIB_PATH.

    --ssl-error

    Stop trying to connect to the target if --ssl-error-max errors occurred consecutively, or if the total number of errors --ssl-error-total is reached.

    The connection to a target may fail, or even block, for various reasons, for example loss of the network, blocking at a firewall, etc. In particular when checking ciphers with +cipher, this may result in long delays until results are printed. Using this option stops further connection attempts to the target when --ssl-error-max consecutive errors have occurred, or when the total number of errors reaches --ssl-error-total.

    Note that this may result in loss of information and/or checks.

    --ssl-error-max=CNT

    Max. number of consecutive errors (default: 5).

    --ssl-error-timeout=SEC

    Timeout in seconds after which a failed connection is treated as an error and counted (default: 1).

    --ssl-error-total=CNT

    Max. total number of errors (default: 10).
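    The stop logic described for --ssl-error, --ssl-error-max, --ssl-error-timeout and --ssl-error-total, as an added Python example (not O-Saft's own Perl code), driven by a constructed list of connection outcomes instead of live TLS connections. Defaults are taken from the text; that a failure only counts once it has lasted --ssl-error-timeout seconds, and that any answer from the server (even a rejected cipher) resets the consecutive counter, are assumptions.

```python
"""Added example (not O-Saft code): the stop-on-errors guard described for
--ssl-error, --ssl-error-max, --ssl-error-timeout and --ssl-error-total,
driven by a constructed list of connection outcomes instead of live TLS."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SslErrorBudget:
    """Counters behind --ssl-error. Defaults follow the help text: stop after
    5 consecutive errors (--ssl-error-max) or 10 in total (--ssl-error-total);
    a failed connection counts once it lasted 1 s (--ssl-error-timeout)."""
    max_consecutive: int = 5
    max_total: int = 10
    timeout: float = 1.0
    consecutive: int = 0
    total: int = 0

    def record(self, status: str, elapsed: float) -> None:
        """status: 'ok' (cipher accepted), 'rejected' (server answered but
        declined the cipher) or 'error' (no usable answer). Assumptions: only
        errors that lasted at least `timeout` seconds are counted, and any
        answer from the server resets the consecutive counter."""
        if status != "error":
            self.consecutive = 0
            return
        if elapsed >= self.timeout:
            self.consecutive += 1
            self.total += 1

    def exhausted(self) -> Optional[str]:
        """Why to stop now, or None while the budget still holds."""
        if self.consecutive >= self.max_consecutive:
            return "consecutive"
        if self.total >= self.max_total:
            return "total"
        return None


Attempt = Tuple[str, str, float]  # (cipher, status, seconds taken)


def scan_ciphers(attempts: List[Attempt],
                 budget: Optional[SslErrorBudget] = None
                 ) -> Tuple[List[str], List[str], Optional[str]]:
    """Simulated +cipher loop over constructed outcomes. Returns the accepted
    ciphers, the ciphers never tested because the loop stopped early, and the
    stop reason. An early stop is the loss of information the text warns
    about: untested ciphers must not be reported as rejected."""
    budget = budget or SslErrorBudget()
    accepted: List[str] = []
    for i, (cipher, status, elapsed) in enumerate(attempts):
        budget.record(status, elapsed)
        if status == "ok":
            accepted.append(cipher)
        reason = budget.exhausted()
        if reason is not None:
            return accepted, [c for c, _, _ in attempts[i + 1:]], reason
    return accepted, [], None


if __name__ == "__main__":
    # Constructed outcomes: one accepted cipher, then a blocked target.
    outcomes = [("AES128-SHA", "ok", 0.1)] + [(f"C{i}", "error", 2.0) for i in range(6)]
    print(scan_ciphers(outcomes))  # stops after the 5th consecutive error
```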

    --ssl-lazy

    In general, this tool tries to identify the available functionality regarding SSL versions from the underlying libraries. Unsupported versions are then disabled and a warning is shown. Unfortunately some libraries have not implemented all functions to check the availability of a specific SSL version, which then results in a compile error.

    This option disables the strict check of availability. If the underlying library doesn't support the required SSL version at all, the following error may occur:

    Can't locate auto/Net/SSLeay/CTX_v2_new.al in @INC ...

    See Note on SSL versions for a general note about SSL versions. A more detailed description of the problem and how Net::SSLeay behaves can be found in the source of o-saft.pl, see the section starting at

    #| check for supported SSL versions

    --timeout=SEC

    Timeout in seconds when connecting to the target (default: 2).

    --call=METHOD

    METHOD is the method to be used for specific functionality.

    Available methods:

  • info-socket use internal socket to retrieve information
  • info-openssl use external openssl to retrieve information
  • info-user use usr_getinfo() to retrieve information
  • cipher-socket use internal socket to check for ciphers
  • cipher-openssl use external openssl to check for ciphers
  • cipher-user use usr_getciphers() to check for ciphers

    Method names starting with:

  • info- are responsible to retrieve information about the SSL connection and the target certificate (i.e. what the +info command provides)
  • cipher- are responsible to connect to the target and test if it supports the specified ciphers (i.e. what the +cipher command provides)
  • check- are responsible for performing the checks (i.e. what's shown with the +check command)
  • score- are responsible to compute the score based on check results

    The second part of the name denotes which kind of method to call:

  • socket the internal functionality with sockets is used
  • openssl the external openssl executable is used
  • user the external special function, as specified in the user's o-saft-usr.pm, is used

    Example:

    --call=cipher-openssl

    will use the external openssl(1) executable to check the target for supported ciphers.

    Default settings are:

    --call=info-socket --call=cipher-socket --call=check-socket

    Just for curiosity, instead of using:

    o-saft.pl --call=info-user --call=cipher-user --call=check-user --call=score-user ...

    consider using your own script like:

    #!/usr/bin/env perl
    usr_getinfo();usr_getciphers();usr_checkciphers();usr_score();

    :-))

    -v

    Print list of ciphers in style like: openssl ciphers -v. Option used with +ciphers command only.

    -V

    Print list of ciphers in style like: openssl ciphers -V. Option used with +ciphers command only.

    Options for SSL connection to target

    --cipher=CIPHER

    CIPHER can be any string accepted by openssl or the following:

  • yeast use all ciphers from list defined herein, see +list

    Besides the cipher names accepted by openssl, CIPHER can be the name of the constant or the (hex) value as defined in openssl's files. Currently supported are the names and constants of openssl 1.0.1k. Example:

  • --cipher=DHE_DSS_WITH_RC4_128_SHA
  • --cipher=0x03000066
  • --cipher=66

    will be mapped to DHE-DSS-RC4-SHA

    Note: if more than one cipher matches, just one will be selected.

    Default is ALL:NULL:eNULL:aNULL:LOW as specified in Net::SSLinfo.

    --socket-reuse

    TCP socket will be reused for next connection attempt even if SSL connection failed.

    --no-socket-reuse

    Close TCP socket and then reopen for next connection attempt if SSL connection failed.

    This is useful for some servers which may return a TLS alert if the connection fails and then fail again on the same socket.

    --ignore-no-connect

    A simple check if the target can be connected is performed by default. If this check fails, the target will be ignored, meaning no more requested checks will be done. As this connection check sometimes fails for various reasons, the check can be disabled using this option.

    --no-md5-cipher

    Do not use *-MD5 ciphers for protocols other than SSLv2. This option is only effective with the +cipher command.

    The purpose is to avoid warnings from IO::Socket::SSL(1) like:

    Use of uninitialized value in subroutine entry at lib/IO/Socket/SSL.pm line 430.

    which occurs with some versions of IO::Socket::SSL(1) when *-MD5 ciphers are used with protocols other than SSLv2.

    Note that these ciphers will be checked for SSLv2 only.

    --sslv2

    --sslv3

    --tlsv1

    --tlsv11

    --tlsv12

    --tlsv13

    --dtlsv09

    --dtlsv1

    --dtlsv11

    --dtlsv12

    --dtlsv13

    --SSL, -protocol SSL

    --no-sslv2

    --no-sslv3

    --no-tlsv1

    --no-tlsv11

    --no-tlsv12

    --no-tlsv13

    --no-dtlsv09

    --no-dtlsv1

    --no-dtlsv11

    --no-dtlsv12

    --no-dtlsv13

    --no-SSL

    SSL can be any of:

    ssl, ssl2, ssl3, sslv2, sslv3, tls1, tls1, tls11, tls1.1, tls1-1, tlsv1, tlsv11, tlsv1.1, tlsv1-1 (and similar variants for tlsv1.2). For example: --tls1 --tlsv1 --tlsv1_1 are all the same.

    (--SSL variants): Test ciphers for this SSL/TLS version. (--no-SSL variants): Don't test ciphers for this SSL/TLS version.

    --no-tcp

    Shortcut for: --no-sslv2 --no-sslv3 --no-tlsv1 --no-tlsv11 --no-tlsv12 --no-tlsv13

    --tcp

    Shortcut for: --sslv2 --sslv3 --tlsv1 --tlsv11 --tlsv12 --tlsv13

    --no-udp

    Shortcut for: --no-dtlsv09 --no-dtlsv1 --no-dtlsv11 --no-dtlsv12 --no-dtlsv13

    --udp

    Shortcut for: --dtlsv09 --dtlsv1 --dtlsv11 --dtlsv12 --dtlsv13

    --nullsslv2

    This option forces to assume that SSLv2 is enabled even if the target does not accept any ciphers.

    The target server may accept connections with SSLv2 but not allow any cipher. Some checks verify if SSLv2 is enabled at all, which then would result in a failed test. The default behaviour is to assume that SSLv2 is not enabled if no ciphers are accepted.

    --http

    Make an HTTP request if the cipher is supported.

    If used twice debugging will be enabled using environment variable HTTPS_DEBUG.

    --no-http

    Do not make HTTP request.

    --sni

    Make SSL connection in SNI mode.

    --no-sni

    Do not make SSL connection in SNI mode (default: SNI mode).

    --sni-toggle

    --toggle-sni

    Test with and without SNI mode (+cipherall only).

    --force-sni

    Do not check if SNI seems to be supported by Net::SSLeay(1). Older versions of openssl and its libraries do not support SNI, or the SNI support is buggy. By default it's checked if SNI is properly supported. With this option this check can be disabled.

    Be warned that this may result in improper results.

    --servername=NAME

    --sni-name=NAME

    If SNI mode is active, see --sni above, NAME is used instead of the hostname for connections to the target. If SNI mode is not active, see --no-sni above, NAME is not used. The default is undefined, which forces the use of the given FQDN.

    This is useful, for example, when an IP instead of a FQDN was given, but a correct hostname (in general a FQDN) needs to be specified.

    Note: in general there is no need to use this option, as a correct value for the SNI name will be chosen automatically (except for IPs). However, it is kind of fuzzing ... even setting it to an empty string is possible.

    Limitation: the same NAME is used for all targets, if more than one target was specified.

    --no-cert

    Do not get data from target's certificate, return empty string.

    --no-cert --no-cert

    Do not get data from target's certificate, return default string of Net::SSLinfo (see --no-cert-text=TEXT option).

    --no-cert-text=TEXT

    Set TEXT to be returned from Net::SSLinfo if no certificate data is collected due to use of --no-cert.

    --ca-depth=INT

    Check certificate chain to depth INT (like openssl's -verify).

    --ca-file=FILE

    Use FILE with bundle of CAs to verify target's certificate chain.

    --ca-path=DIR

    Use DIR where to find CA certificates in PEM format.

    --ca-force

    --force-ca

    NOT YET IMPLEMENTED

    In general, openssl uses default settings for where to find certificate files. When --ca-file=FILE and/or --ca-path=DIR is used, this default will be overwritten by appropriate options passed to openssl. If the default does not work as expected, --force-ca can be used to force the setting of proper values according to well-known common defaults. See:

    o-saft.pl +version
    o-saft.pl +version --force-ca

    to see the used settings.

    --alpn

    Use -alpn option for openssl.

    --no-alpn

    Do not use -alpn option for openssl.

    --no-npn

    --no-nextprotoneg

    Do not use -nextprotoneg option for openssl.

    --no-reconnect

    Do not use -reconnect option for openssl.

    --no-tlsextdebug

    Do not use -tlsextdebug option for openssl.

    --sclient-opt=VALUE

    Argument or option passed to openssl's s_client command.

    Options for +cipher command

    --connect-delay=SEC

    Additional delay in seconds after each connect for a cipher check. This is useful when connecting to servers which have IPS in place, or are slow in accepting new connections or requests.

    --proto-alpn=NAME

    Name of protocol to be added to the list of application layer protocols (ALPN), which is used for any connection to the targets. See --cipher-alpn=NAME also.

    --proto-npn=NAME

    Name of protocol to be added to list of next protocol negotiations (NPN), which is used for any connection to the targets. See --cipher-npn=NAME also.

    --cipher-alpn=NAME

    Name of protocol to be added to the list of application layer protocols (ALPN), which is used for cipher checks.

    --cipher-alpn=, sets an empty list. --cipher-alpn=,, sets the list to one empty element.

    --cipher-npn=NAME

    Name of protocol to be added to list of next protocol negotiations (NPN), which is used for cipher checks.

    --cipher-npn=, sets an empty list. --cipher-npn=,, sets the list to one empty element.

    Note: setting empty list or element most likely does not work with openssl executable (i.e. --force-openssl).

    --cipher-curve=NAME

    Name of elliptic curve to be added to the list of elliptic curves (EC), which is used for cipher checks.

    --cipher-curve=, sets an empty list. --cipher-curve=,, sets the list to one empty element.

    Note: setting empty list or element most likely does not work with openssl executable (i.e. --force-openssl).

    Options for +cipherall and +cipherraw command

    --range=RANGE

    --cipherrange=RANGE

    Specify range of cipher constants to be tested by +cipherall. Following RANGEs are supported (see also: --cipherrange=RANGE):

  • rfc all ciphers defined in various RFCs
  • shifted rfc, shifted by 64 bytes to the right
  • long like rfc but more lazy list of constants
  • huge all constants 0x03000000 .. 0x0300FFFF
  • safe all constants 0x03000000 .. 0x032FFFFF
  • full all constants 0x03000000 .. 0x03FFFFFF
  • SSLv2 all ciphers according to the RFC for SSLv2
  • SSLv2_long more lazy list of constants for SSLv2 ciphers

    Note: SSLv2 is the internal list used for testing SSLv2 ciphers. It does not make sense to use it for other protocols; however ...

    --slow-server-delay=SEC

    Additional delay in seconds after the server is connected using a proxy or before starting STARTTLS. This is useful when connecting via slow proxy chains or connecting to slow servers before sending the STARTTLS sequence.

    --ssl-maxciphers=CNT

    Maximum number of ciphers sent in one SSL hello (default: 32).

    --ssl-double-reneg

    Send the SSL extension reneg_info even if the list of ciphers includes TLS_EMPTY_RENEGOTIATION_INFO_SCSV (default: do not include).

    --ssl-nodata-nocipher

    Some servers do not answer (in general they disconnect) if none of the offered ciphers is supported by the server.

    Continue testing with next ciphers when the target disconnects or does not send data within specified timeout (see --timeout). Useful for TLS intolerant servers.

    --no-ssl-nodata-nocipher

    Abort testing with next ciphers when the target disconnects.

    --ssl-use-ecc

    Use supported elliptic curves. Default on.

    --ssl-use-ec-point

    Use TLS ec_point_formats extension. Default on.

    --ssl-use-reneg

    Test for ciphers with secure renegotiation flag set. Default: don't set secure renegotiation flag.

    --ssl-retry=CNT

    Number of retries when connection timed-out (default: 2).

    --ssl-timeout=SEC

    Number of seconds to wait until connection is qualified as timeout.

    --dns-mx

    --mx

    Get DNS MX records for given target and check the returned targets. (only useful with --starttls=SMTP).

    Options for checks and results

    Options used for +check command:

    --enabled

    Only print result for ciphers accepted by target.

    --disabled

    Only print result for ciphers not accepted by target.

    --ignorecase

    Checks are done case insensitive.

    --no-ignorecase

    Checks are done case sensitive. Default: case insensitive. Currently only the checks comparing the CN and the alternate names in the target's certificate with the given hostname are affected.

    --ignore-no-reply

    When checking for the TLS heartbeat extension, the server may not respond at all, which would result in a no reply message. This marks the check for +heartbleed as no. In general a server is not vulnerable to the heartbleed attack if the TLS heartbeat extension is disabled. Hence the check result no may be misleading. This option treats the no reply result as not vulnerable and returns yes then.

    Note: if the server does not respond for this check, this does not mean that the heartbeat extension is switched off. So if unsure, disable this lazy check with --no-ignore-no-reply .

    Options for output format

    --short

    Use short, less descriptive, text labels for +check and +info command.

    --legacy=TOOL

    For compatibility with other tools, the output format used for the result of the +cipher command can be adjusted to mimic the format of other SSL testing tools.

    The argument to the --legacy=TOOL option is the name of the tool to be simulated.

    Following TOOLs are supported:

  • sslaudit format of output similar to sslaudit
  • sslcipher format of output similar to ssl-cipher-check
  • ssldiagnos format of output similar to ssldiagnos
  • sslscan format of output similar to sslscan
  • ssltest format of output similar to ssltest
  • ssltestg format of output similar to ssltest -g
  • ssltest-g format of output similar to ssltest -g
  • sslyze format of output similar to sslyze
  • ssl-cipher-check same as sslcipher
  • ssl-cert-check format of output similar to ssl-cert-check
  • testsslserver format of output similar to TestSSLServer.jar
  • thcsslcHeck format of output similar to THCSSLCheck
  • Note that these legacy formats only apply to output of the checked ciphers. Other texts like headers and footers are adapted slightly.

    Please do not expect identical output as the TOOL when using these options, it's a best guess and should be parsable in a very similar way.

    --legacy=compact

    Internal format: mainly avoids tabs and spaces. The format is as follows:

    Some Label:<-- anything right of colon is data

    --legacy=full

    Internal format: pretty print each label in its own line, followed by data prepended by tab character (useful for +info only).

    --legacy=quick

    Internal format: use tab as separator; ciphers are printed with bit length (implies --tab).

    --legacy=simple

    Internal default format.

    --legacy=key

    Internal format: print name of key instead of text as label. Key is that of the internal data structure(s). For ciphers and protocols, the corresponding hex value is used as key. Note that these values are unique.

    --format=0x

    --format=\x

    --format=/x

    --format=hex

    --format=raw

    This option is used to specify the format of the result lines. This covers the value of the result line only.

  • raw Print raw data as passed from Net::SSLinfo. Note: all data will be printed as is, without additional label or formatting. It's recommended to use the option in conjunction with exactly one command. Otherwise the user needs to know how to read the printed data.
  • hex Convert some data to hex: 2 bytes separated by :.
  • 0x Convert some data with hex values: 2 bytes preceded by 0x and separated by a space.
  • /x Same as --format=\x
  • \x Convert some data with hex values: 2 bytes preceded by \x and no separating char.

    --header

    Print formatting header. Default for +check, +info, +quick and +cipher only.

    --no-header

    Do not print formatting header. Useful if raw output should be passed to other programs.

    Note: must be used on command line to inhibit all header lines.

    --ignore-cmd=CMD

    --ignore-output=CMD

    --no-cmd=CMD

    --no-output=CMD

    Do not print output (data or check result) for command CMD. CMD is any valid command, see COMMANDS , without leading +. Option can be used multiple times.

    --score

    Print scoring results. Default for +check.

    --no-score

    Do not print scoring results.

    --separator=CHAR

    --sep=CHAR

    CHAR will be used as separator between label and value of the printed results. Default is :.

    --tab

    TAB character (0x09, \t) will be used as separator between label and value of the printed results. As label and value are already separated by a TAB character, this options is only useful in conjunction with the --legacy=compact option.

    --showhost

    Prefix each printed line with the given hostname (target). The hostname will be followed by the separator character.

    --std-format=utf8

    --std-format=crnl

    --std-format=raw

    --std-format=unix

    --std-format=CHARSET

    This option is used to specify the general output format for STDOUT and STDERR. All results are written to STDOUT, errors and warnings may also be written to STDERR . The default is :unix:utf8, which is the perlish definition used internally.

    Following values are supported:

  • raw, unix Print raw data, binary in bytes without conversion. Note: binary here just means characters (as all output is text).
  • utf8 Convert all characters to UTF-8.
  • crnl Use CR LF as end of line.
  • CHARSET CHARSET can be any of the locally installed character sets, like UTF-8, UTF-16LE, CP1252, iso-8859-7, etc. This conversion may print its own warnings.

    The option can be used multiple times with different values. To reset the default behaviour, either raw or unix must be used. Obviously, they must be used first. All other values are used additionally. Note: utf8 just defines the format of the characters, it does no further checks on the converted characters. In contrast, UTF-8 is used as real encoding and does some checks.

    Currently (Jan. 2018), these options must be used before any --help option.

    --win-CR

    Obsolete, please use --std-format=crnl .

    Options for compatibility with other programs

    Please see other programs for detailed description (if not obvious:). Note that often only the long form options are accepted as most short form options are ambiguous. If other programs use the same option, but with a different behaviour, then these other options are not supported. For a list of supported options, please see:

    o-saft.pl --help=alias

    Following list contains only those options not shown with:

    o-saft.pl --help=alias

    Tool's option (tool) and the corresponding o-saft.pl option:

  • --checks CMD (TLS-Check.pl) same as +CMD
  • -h, -h=HOST (various tools) same as --host HOST
  • -p, -p=PORT (various tools) same as --port PORT
  • -t HOST (ssldiagnos) same as --host HOST
  • --UDP (ssldiagnos) same as --udp
  • --timeout, --grep (ssltest.pl) ignored
  • -r, -s, -t, -x (ssltest.pl) ignored
  • --insecure (cnark.pl) ignored
  • --nopct --nocolor (ssldiagnos) ignored
  • -connect, -H, -u, -url, -U ignored
  • -noSSL same as --no-SSL
  • -no_SSL same as --no-SSL

    For definition of SSL see --SSL and --no-SSL above.

    Options for customization

    For general descriptions please see CUSTOMIZATION section below.

    --cfg_cmd=CMD=LIST

    --cfg-cmd=CMD=LIST

    Redefine list of commands. Sets %cfg{cmd-CMD} to LIST. Commands can be written without the leading +. If CMD is any of the known internal commands, it will be redefined. If CMD is an unknown command, it will be created.

    Example:

    --cfg-cmd=sni="sni hostname"
    An example +preload can be found in .o-saft.pl .

    To get a list of commands and their settings, use:

    o-saft.pl --help=intern

    Main purpose is to reduce list of commands or to print them sorted.

    --cfg-score=KEY=SCORE

    Redefine value for scoring. Sets %checks{KEY}{score} to SCORE. Most score values are set to 10 by default. Values 0 .. 100 are allowed.

    To get a list of current score settings, use:

    o-saft.pl --help=score

    For details how scoring works, please see SCORING section.

    Use the --trace-key option for the +info and/or +check command to get the values for KEY.

    --cfg_checks=KEY=TEXT

    --cfg-checks=KEY=TEXT

    --cfg_data=KEY=TEXT

    --cfg-data=KEY=TEXT

    Redefine texts used for labels in output. Sets %data{KEY}{txt} or %checks{KEY}{txt} to TEXT.

    To get a list of preconfigured labels, use:

    o-saft.pl --help=cfg-checks
    o-saft.pl --help=cfg-data

    --cfg-cipher=CIPHER=value

    Redefine the security value (i.e. HIGH) in the cipher description. Example:

    --cfg-cipher=NULL-MD5=no-security-at-all

    --cfg_text=KEY=TEXT

    --cfg-text=KEY=TEXT

    Redefine general texts used in output. Sets %text{KEY} to TEXT.

    To get a list of preconfigured texts, use:

    o-saft.pl --help=cfg-text

    Note that \n, \r and \t are replaced by the corresponding character when read from RC-FILE.

    --cfg-hint=KEY=TEXT

    Redefine texts used for hints. Sets %cfg{hints}{KEY} to TEXT.

    To get a list of preconfigured texts, use:

    o-saft.pl --help=cfg-hint

    --call=METHOD

    See Options for SSL tool.

    --usr

    Execute functions defined in o-saft-usr.pm.

    --usr-*

    --user-*

    Options ignored, but stored as is internally in $cfg{usr-args} . These options can be used in o-saft-usr.pm or o-saft-dbx.pm.

    --experimental

    Use experimental functionality. Some functionality of this tool is under development and only used when this option is given.

    Options for tracing and debugging

    --n

    Do not execute, just show commands (only useful in conjunction with using openssl).

    Difference --trace vs. --v

    While --v is used to print more data, --trace is used to print more information about internal data such as procedure names and/or variable names and program flow.

    --v

    --verbose

    Print more information about checks.

    Note that this option should be first otherwise some debug messages are missing.

    Note that --v is different from -v (see above).

    --v --v

    Print remotely checked ciphers.

    --v-cipher --cipher-v

    Print remotely checked ciphers. In contrast to --v --v above, this just prints the ciphers while being checked, but no other verbose messages.

    --trace

    Print debugging messages.

    --trace --trace

    Print more debugging messages and pass trace=2 to Net::SSLeay and Net::SSLinfo.

    --trace --trace --trace

    Print more debugging messages and pass trace=3 to Net::SSLeay and Net::SSLinfo.

    --trace --trace --trace --trace

    Print processing of all command line arguments.

    --trace-cli

    Print complete command line first. Used for internal testing.

    --trace-arg

    --trace--

    Print command line argument processing.

    --trace-cmd

    Trace execution of command processing (those given as +*).

    --trace-key

    --trace@

    Print some internal variable names in output texts (labels). Variable names are prefixed to printed line and enclosed in # . Example without --trace-key :

    Certificate Serial Number: deadbeef

    Example with --trace-key :

    #serial# Certificate Serial Number: deadbeef
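    Result lines in the layouts described for --separator=CHAR, --tab and --showhost above, and for --trace-key here, are what a script consuming O-Saft output has to take apart. The parser below is an added example and not part of O-Saft; it assumes that header lines start with = and that warnings and hints carry the **WARNING: and !!Hint: prefixes documented further down, and the hostname example.test and the sample lines are constructed. The first occurrence of the separator splits label from value, so a hex value such as DE:AD:BE:EF is kept whole.

```python
import re
from typing import Dict, Optional, NamedTuple

# Added example (not O-Saft's own code): parse O-Saft result lines.
# Assumptions: header lines begin with "=", warnings with "**WARNING:",
# hints with "!!Hint:"; the sample host/lines below are constructed.


class Result(NamedTuple):
    host: Optional[str]   # set only when --showhost prefixed the line
    key: Optional[str]    # set only when --trace-key prefixed #key#
    label: str
    value: str


def parse_line(line: str, sep: str = ":", showhost: bool = False) -> Optional[Result]:
    """Parse one output line.

    Layouts handled:
      Label<sep> value             default, or --sep=CHAR / --tab
      #key# Label<sep> value       --trace-key
      host<sep>#key# Label<sep> value   --showhost (plus optional --trace-key)
    Returns None for headers, blank lines, warnings and hints.
    """
    line = line.rstrip("\r\n")
    if not line.strip():
        return None
    if line.startswith(("=", "**WARNING:", "!!Hint:")):
        return None
    host = None
    if showhost:
        # hostname is followed by the separator character, then the label
        host, found, line = line.partition(sep)
        if not found:
            return None
    key = None
    m = re.match(r"#(\w+)#\s*(.*)$", line)
    if m:
        key, line = m.group(1), m.group(2)
    # split on the FIRST separator only: values may themselves contain it
    label, found, value = line.partition(sep)
    if not found:
        return None
    return Result(host, key, label.strip(), value.strip())


def parse_output(text: str, sep: str = ":", showhost: bool = False) -> Dict[str, str]:
    """Map each result to its value, keyed by #key# when present, else by label."""
    results = {}
    for raw in text.splitlines():
        r = parse_line(raw, sep=sep, showhost=showhost)
        if r is None:
            continue
        results[r.key or r.label] = r.value
    return results


# constructed sample output (not captured from a real run)
SAMPLE_OUTPUT = """\
=== Information ===
#serial# Certificate Serial Number: deadbeef
#constructed_key# Constructed Label: some value
**WARNING: 042: constructed warning line
"""

if __name__ == "__main__":
    for k, v in parse_output(SAMPLE_OUTPUT).items():
        print("%-16s %s" % (k, v))
```

    Keying on the internal variable name from --trace-key rather than on the label makes such a script robust against --cfg-data/--cfg-checks relabelling and --short, which change the label text but not the key.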

    --trace=VALUE

    Trace option and its alias:

  • --trace=1 same as --trace
  • --trace=2 same as --trace --trace
  • --trace=arg same as --trace-arg
  • --trace=cmd same as --trace-cmd
  • --trace=key same as --trace-key

    --trace-time

    Prints trace output with timestamps. More timestamps are printed if used together with --trace-cmd.

    --trace=FILE

    Use FILE instead of the default RC-FILE, i.e. .o-saft.pl.

    --trace-me

    Print debugging messages for o-saft.pl only, but not any modules.

    --trace-not-me

    Print debugging messages for modules only, but not o-saft.pl itself.

    --trace-sub

    +traceSUB

    Print formatted list of internal functions with their description. Not intended for use in conjunction with any target check.

    --hint

    Print hint messages (!!Hint:).

    --no-hint

    Do not print hint messages (!!Hint:).

    --warning

    Print warning messages (**WARNING:).

    --no-warning

    Do not print warning messages (**WARNING:).

    --exit=KEY

    For debugging only: terminate o-saft.pl at specified KEY. For KEY please see: grep exit= o-saft.pl

    Options vs. Commands

    For compatibility with other programs and lazy users, some arguments looking like options are silently taken as commands. This means that --THIS becomes +THIS then. These options are:

  • --help
  • --abbr
  • --todo
  • --chain
  • --default
  • --fingerprint
  • --list
  • --version

    Take care that this behaviour may be removed in future versions as it conflicts with those options and commands which actually exist, like:

    --sni vs. +sni


    © sic[✓]sec GmbH, 2012 - 2017