[Ach] Audit tool to audit your ciphers: OWASP 'O-Saft' [Update]

Torsten Gigler torsten.gigler at owasp.org
Sat Jul 5 20:17:06 CEST 2014


I added STARTTLS support to the SSL checking tool 'o-saft'. It supports 8 
protocols: SMTP and experimental: ACAP, IMAP, POP3, FTPS, LDAP, RDP, XMPP.
I'd be happy if you test it and could send me your experiences.

Alpha Release Code:

Usage Examples:
./o-saft.pl +cipherraw --nodns jabber.org:5222 --starttls=XMPP
./o-saft.pl +cipherraw --nodns jabber.org:5222 --starttls=XMPP --experimental --trace=2
(including a lot of trace information, more with 3)

More Information:
The Option '+cipherraw' uses a 'SSLhello'-Simulation to check all 
possible ciphers (even those that are not yet defined by IANA). This 
works independently from the libraries you have installed on your local 
You can even check the ciphers of sites that are protected by a client 
certificate, as the simulation ends before you need it.

Podcast with the Main Developer Achim Hoffman: 

Kind regards

On 04.06.2014 11:42, Torsten Gigler wrote:
> Hi Aaron,
> thanks for your information. It seems to support a lot of protocols. 
> I'll have a look at it.
> O-saft has been developed and maintained by Achim since December 2012 
> (https://github.com/OWASP/O-Saft) .
> I am just helping him with the SSLhello.pm 
> <https://github.com/OWASP/O-Saft/blob/master/Net/SSLhello.pm>-Module, 
> to be able to check ciphers and protocols that are not supported by 
> your local libraries of the Audit-PC.
> We check ciphers that are not even (yet) defined or have only been 
> defined in DRAFTS.
> Kind regards
> Torsten
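
The hand-built hello that '+cipherraw' is described as relying on can be sketched as follows. This is an added example, not O-Saft or SSLhello.pm code: the function names and sample replies are assumptions, and it shows why any 16-bit cipher ID can be offered without local library support and why the answer arrives before a client certificate is requested.

```python
import os
import struct

def build_client_hello(cipher_ids, version=(3, 3)):
    """Raw TLS ClientHello record offering exactly the given 16-bit suite IDs.
    Sketch only: no extensions (so no SNI) are sent."""
    suites = b"".join(struct.pack("!H", c) for c in cipher_ids)
    body = (bytes(version)                          # client_version (3,3 = TLS 1.2)
            + os.urandom(32)                        # client random
            + b"\x00"                               # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_server_reply(data):
    """Return ('accepted', suite_id), ('alert', description) or ('unknown', None)."""
    if len(data) < 5:
        return ("unknown", None)
    rec_type, length = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if rec_type == 0x15 and len(payload) >= 2:      # alert: level, description
        return ("alert", payload[1])
    if rec_type == 0x16 and len(payload) >= 39 and payload[0] == 0x02:
        # ServerHello: 4-byte handshake header, 2 version, 32 random, then session_id
        off = 39 + payload[38]
        if len(payload) >= off + 2:
            return ("accepted", struct.unpack("!H", payload[off:off + 2])[0])
    return ("unknown", None)

# Constructed sample replies (not captured from any server).
_sh_body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
SAMPLE_SERVER_HELLO = (b"\x16\x03\x03" + struct.pack("!H", len(_sh_body) + 4)
                       + b"\x02" + len(_sh_body).to_bytes(3, "big") + _sh_body)
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"      # fatal handshake_failure(40)

if __name__ == "__main__":
    hello = build_client_hello([0x1234])            # 0x1234: arbitrary ID for illustration
    print(len(hello), parse_server_reply(SAMPLE_SERVER_HELLO),
          parse_server_reply(SAMPLE_ALERT))
```

Offering one suite per hello and recording which ones come back as 'accepted' yields the server's cipher list; on STARTTLS ports the protocol-specific upgrade exchange has to complete before the hello is sent.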
