[Ach] Audit tool to audit your ciphers: OWASP 'O-Saft' [Update]
Torsten Gigler
torsten.gigler at owasp.org
Sat Jul 5 20:17:06 CEST 2014
Hi,
I added STARTTLS support to the SSL checking tool 'o-saft'. It supports 8
protocols: SMTP and experimental: ACAP, IMAP, POP3, FTPS, LDAP, RDP, XMPP.
I'd be happy if you test it and could send me your experiences.
Alpha Release Code:
https://github.com/OWASP/O-Saft/archive/master.zip
Usage Examples:
./o-saft.pl +cipherraw --nodns jabber.org:5222 --starttls=XMPP --experimental
./o-saft.pl +cipherraw --nodns jabber.org:5222 --starttls=XMPP --experimental --trace=2
(including a lot of trace information, more with 3)
More Information:
The option '+cipherraw' uses an 'SSLhello' simulation to check all
possible ciphers (even those that are not yet defined by IANA). This
works independently of the libraries you have installed on your local
client
(see: http://lists.owasp.org/pipermail/owasp-leaders/2014-June/011911.html).
You can even check the ciphers of sites that are protected by a client
certificate, as the simulation ends before you need it.
Podcast with the Main Developer Achim Hoffman:
https://soundcloud.com/owasp-podcast/achim-hoffman
Kind regards
Torsten
On 04.06.2014 11:42, Torsten Gigler wrote:
> Hi Aaron,
>
> thanks for your information. It seems to support a lot of protocols.
> I'll have a look at it.
>
> O-Saft has been developed and maintained by Achim since December 2012
> (https://github.com/OWASP/O-Saft).
> I am just helping him with the SSLhello.pm module
> (https://github.com/OWASP/O-Saft/blob/master/Net/SSLhello.pm),
> to be able to check ciphers and protocols that are not supported by
> the local libraries of the audit PC.
> We check ciphers, that are even not (yet) defined or have been only
> defined in DRAFTS.
>
> Kind regards
> Torsten
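
Added example, not part of the original message and not O-Saft's own code: a minimal Python sketch of the hand-built ClientHello idea behind '+cipherraw', showing that a cipher suite is just a 16-bit ID the local SSL library never has to know, and that the server's choice is readable from the ServerHello, which arrives before any client certificate is requested. The function names and sample bytes are constructed for illustration; TLS extensions (such as SNI) and the STARTTLS pre-handshake are omitted.

```python
import struct

def client_hello(cipher_ids, version=(3, 3)):
    """Raw TLS ClientHello record offering exactly the given 16-bit suite IDs."""
    suites = b"".join(struct.pack("!H", c) for c in cipher_ids)
    body = (bytes(version)                  # client_version (3,3 = TLS 1.2)
            + bytes(32)                     # random: constructed zeros; use os.urandom(32) live
            + b"\x00"                       # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                  # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_reply(data):
    """('cipher', id) for a ServerHello, ('alert', code) for an alert, else ('unknown', None)."""
    if len(data) < 5:
        return ("unknown", None)
    ctype, length = data[0], struct.unpack("!H", data[3:5])[0]
    frag = data[5:5 + length]
    if ctype == 0x15 and len(frag) >= 2:
        return ("alert", frag[1])           # frag[0] = level, frag[1] = description
    if ctype == 0x16 and frag[:1] == b"\x02":
        pos = 4 + 2 + 32                    # handshake header, server_version, random
        if len(frag) > pos:
            pos += 1 + frag[pos]            # session_id length byte + session_id
            if len(frag) >= pos + 2:
                return ("cipher", struct.unpack("!H", frag[pos:pos + 2])[0])
    return ("unknown", None)

# Constructed sample replies (not captured from any real server)
_body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
SAMPLE_SERVER_HELLO = (b"\x16\x03\x03" + struct.pack("!H", 4 + len(_body))
                       + b"\x02" + len(_body).to_bytes(3, "big") + _body)
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"   # fatal, handshake_failure (40)

if __name__ == "__main__":
    # Second ID is an arbitrary 16-bit value: no local library support is needed to offer it
    probe = client_hello([0xC02F, 0xFEFE])
    print(len(probe), "byte ClientHello")
    print(parse_reply(SAMPLE_SERVER_HELLO))
    print(parse_reply(SAMPLE_ALERT))
```

Offering one suite ID per probe and recording whether the reply is a ServerHello or an alert gives a per-cipher accept/reject result for the audited server.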