O - S a f t -- OWASP - SSL advanced forensic tool

COMMANDS

There are commands for various tests concerning the SSL connection to the target, the target's certificate and the ciphers used.

All commands are prepended by a + character to easily distinguish them from other arguments and options. However, some --OPTIONS options are treated as commands for historical reasons or for compatibility with other programs.

The most important commands are (in alphabetical order): +check +cipher +info +http +list +quick +sni +sni_check +version

A brief list of all available commands will be printed with: cmd

o-saft.pl --help=cmd

The description of all other commands will be printed with: commands

o-saft.pl --header --help=commands

The summary and internal commands return requested information or the results of checks. These are described below.

Note that some commands may be a combination of other commands, see: intern

o-saft.pl --header --help=intern

The following sub-sections describe only those commands that do more than return a simple piece of information from the target. All other commands can be listed with: commands

o-saft.pl --header --help=commands

The final sub-section, Notes about commands, contains notes about special commands and related commands.

Commands for information about this tool

All these commands will exit after execution (cannot be used together with other commands).

  

Show known ciphers in a format like openssl ciphers. It also accepts the -v and -V options (like openssl). Use the +list command for more information about ciphers.

  

Show all ciphers supported by this tool. This includes cryptographic details of the cipher and some internal details.

Different output formats are used for the --legacy=* option:

  • --legacy=simple – simple space-separated output
  • --legacy=full – TAB-separated output with more data
  • --legacy=owasp – simple output sorted according to OWASP scoring
  • --legacy=openssl – output same as with +ciphers command
  • --legacy=ssltest – output like ssltest --list

    Just show version and exit.

      

    Show version information for both the program and the Perl modules that it uses, then exit.

    Use --v option to show more details.

      

    Show version of openssl.

      

    Show internal data and exit, used for testing and debugging only. Please see TESTING below.

    Commands to check SSL details

    The following (summary and internal) commands are simply shortcuts for lists of other commands. For details of each list use: intern

    o-saft.pl --help=intern

      

    Check the SSL connection for security issues. Implies +cipher .

      

    Print details about the target's hostname, DNS, etc. These details are usually printed only for the +check and +info commands, but not for any individual command.

      

    Perform HTTP checks (like STS, redirects etc.).

      

    Overview of most important details of the SSL connection.

    Use the --v option to also show details that span multiple lines.

      

    Quick overview of checks. Implies --enabled and --label=short.

      

    Check if the server offers ciphers with perfect forward secrecy (PFS). Same as: +cipher-pfs +cipher-pfsall +session_random

      

    Check for protocols supported by target.

      

    Check for various vulnerabilities.

      

      

    Various checks concerning the STS HTTP header. This option implies --http, which means that --no-http is ignored.

      

    Check for Server Name Indication (SNI) usage.

      

      

    Check for Server Name Indication (SNI) usage and validity of all names (CN, subjectAltName, FQDN, etc.).

      

    Various checks for compliance with BSI TR-02102-2 and TR-03116-4.

      

    Various checks concerning the certificate's Extended Validation (EV).

    Hint: use option --v --v to get information about failed checks.

      

    Check length, size and count of some values in the certificate.

      

    Dump data retrieved from openssl s_client ... call. This should be used for debugging only. It can be used just like openssl itself, for example:

    openssl s_client -connect host:443 -no_sslv2

      

    Dumps internal data for SSL connection and target certificate. This is mainly for debugging and should not be used together with other commands (except +cipher). Each key-value pair is enclosed in #{ and #} .

    Using --trace --trace dumps data of lib/SSLinfo too.

      

    Command used internally when requested to use other libraries. This command should not be used directly.

    Commands to test ciphers provided by target

    Besides the description of the commands themselves here, please also see Notes about commands below.

      

    Check target for ciphers, either all ciphers, or ciphers specified with --cipher=CIPHER option.

    Use --v option to see all ciphers being checked.

      

    Lists the cipher selected by the server for each protocol, sometimes referred to as the default cipher.

    For each protocol the two selected ciphers are shown, one returned by the server if the cipher list in the ClientHello is sorted with the strongest cipher first, and one returned if the cipher list in the ClientHello is sorted with strongest cipher last. See Notes about commands for details.

      

    Check target for ciphers. All ciphers supported by the server are printed with their DH or ECDH parameters (if available).

      

      

    Check if target accepts NULL ciphers.

      

      

    Check if target accepts ciphers with anonymous key exchange.

      

      

    Check if target accepts EXPORT ciphers.

      

      

    Check if target accepts CBC ciphers.

      

      

    Check if target accepts DES ciphers.

      

      

    Check if target accepts RC4 ciphers.

      

      

    Check if target supports ephemeral ciphers.

      

    Check if target supports ciphers with PFS.

      

    Check if target selects strongest cipher.

      

    Check if target selects weak cipher (opposite of +cipher-strong).

    Commands to show results of checked connection and certificate details

       Certificate CN without SNI
       Certificate PEM
       Certificate PEM decoded
       Certificate Common Name
       Certificate Subject
       Certificate Issuer
       Certificate Subject's Alternate Names
       Selected Cipher
       Local SSLlib Ciphers
       Client Ciphers
       Certificate Validity (date)
       Certificate valid since
       Certificate valid until
       Certificate Trust Information
       Certificate Email Addresses
       Certificate Public Key
       Certificate Public Key Algorithm
       Certificate Public Key Value
       Certificate Public Key Length
       Certificate Public Key Modulus
       Certificate Public Key Exponent
       Certificate Serial Number
       Certificate Serial Number (hex)
       Certificate Serial Number (int)
       Certificate Version
       Certificate Signature (hexdump)
       Certificate Signature Key Length
       Certificate Signature Algorithm
       Certificate Signature Key Value
       Certificate trusted
       Certificate extensions
       TLS extensions (debug)
       TLS extensions
       Certificate extensions Authority Information Access
       Certificate extensions Authority key Identifier
       Certificate extensions Basic Constraints
       Certificate extensions Certificate Policies
       Certificate extensions Certificate Policies: CPS
       Certificate extensions Certificate Policies: Policy
       Certificate extensions Certificate Policies: User Notice
       Certificate extensions CRL Distribution Points
       Certificate extensions Subject Key Identifier
       Certificate extensions Key Usage
       Certificate extensions Extended Key Usage
       Certificate extensions Netscape Cert Type
       Certificate extensions Issuer Alternative Name
       Certificate OCSP Responder URL
       Certificate OCSP Hashes
       Certificate OCSP Subject Hash
       Certificate OCSP Public Key Hash
       Target's OCSP Response
       Target's OCSP Response Data
       Target's OCSP Response Status
       Target's OCSP Response Cert Status
       Target's OCSP Response Next Update
       Target's OCSP Response This Update
       Certificate Subject Name Hash
       Certificate Issuer Name Hash
       Certificate Validity (signature)
       Certificate Fingerprint Algorithm
       Certificate Fingerprint Hash Value
       Certificate Fingerprint SHA2
       Certificate Fingerprint SHA1
       Certificate Fingerprint MD5
       Certificate Fingerprint
       Certificate Type (bitmask)
       Selected SSL Protocol
       Target supports Resumption
       Target supports Renegotiation
       Target supports Compression
       Target supports Expansion
       Target supports Krb5
       Target supports PSK Identity Hint
       Target supports PSK
       Target supports SRP
       Target supports Heartbeat
       Target supports Extended Master Secret
       Target's advertised protocols
       Target's selected protocol (ALPN)
       Target's selected protocol (NPN)
       Target's supported ALPNs
       Target's supported NPNs
       Target's Master-Key
       Target's Server public key length
       Target's Resumption PSK
       Target's Session-ID
       Target's Session-ID-ctx
       Target's selected SSL Protocol
       Target's TLS Session Ticket
       Target's TLS Session Ticket Lifetime
       Target's TLS Session Timeout
       Target's TLS Session Start Time EPOCH
       Target's TLS Session Start Time locale
       Target's DH Parameter
       Certificate Chain
       CA Chain Verification (trace)
       Validity Certificate Chain
       CA Chain Verification error
       CA Chain Verification error in level
       Validity Alternate Names
       Validity Hostname
       HTTPS Alternate-Protocol
       HTTPS Content-Encoding header
       HTTPS Transfer-Encoding header
       HTTPS Alt-Svc header
       HTTPS Status line
       HTTPS Server banner
       HTTPS Location header
       HTTPS Refresh header
       HTTPS Error alerts
       HTTPS Public-Key-Pins header
       HTTPS Body
       HTTPS STS header
       HTTPS STS in http-equiv
       HTTPS STS MaxAge
       HTTPS STS include sub-domains
       HTTPS STS preload
       HTTP Alternate-Protocol
       HTTP Alt-Svc header
       HTTP Status line
       HTTP Location header
       HTTP Refresh header
       HTTP STS header
       internal used SSL options bitmask
       Target's fallback SSL Protocol
       certificate validity in years
       certificate validity in months
       certificate validity in days
       dummy used for printing DNS stuff

    Commands to show results of checked certificate data

       Certificate chain validated
       Certificate Fingerprint is not MD5
       Certificate is valid
       Certificate is not expired
       Certificate is valid according given hostname
       Certificate's wildcard does not match hostname
       Certificate does not contain wildcards
       Certificate is not root CA
       Certificate is not self-signed
       Certificate Domain Validation (DV)
       Certificate strict Extended Validation (EV)
       Certificate lazy Extended Validation (EV)
       Certificate has OCSP Responder URL
       Certificate has Certification Practice Statement
       Certificate has CRL Distribution Points
       Certificate has (TLS extension) compression
       Certificate has (GnuTLS extension) compression
       Certificate has (TLS extension) authentication
       Certificate has valid OCSP URL
       Certificate has valid CPS URL
       Certificate has valid CRL URL
       Certificate Serial Number size RFC 5280
       Certificate Basic Constraints is false
       Certificate Private Key Signature SHA2
       Certificate Public Key Modulus Exponent <>1
       Certificate Public Key Modulus >16385 bits
       Certificate Public Key Modulus Exponent =65537
       Certificate Public Key Modulus Exponent >65537
       Certificate Public Key with Encryption
       Certificate Public Key Encryption known
       Certificate Private Key with Encryption
       Certificate Private Key Encryption known
       Certificate Names compliant to RFC 6125
       Certificate subjectAltNames compliant to RFC 2818
       Certificate does not contain non-printable characters
       Certificate does not contain CR, NL, NULL characters
       Certificate has no invalid characters in extensions

    Commands to show results of checked connection data

       Given hostname is same as reverse resolved hostname
       Connected hostname equals certificate's Subject
       Connection is safe against BEAST attack (any cipher)
       Connection is safe against BREACH attack
       Connection is safe against CCS Injection attack
       Connection is safe against CRIME attack
       Connection is safe against DROWN attack
       Connection is safe against TIME attack
       Connection is safe against FREAK attack
       Connection is safe against Heartbleed attack
       Connection is safe against Logjam attack
       Connection is safe against Lucky 13 attack
       Connection is safe against POODLE attack
       Connection is safe against RC4 attack
       Connection is safe against ROBOT attack
       Connection is safe against SLOTH attack
       Connection is safe against Sweet32 attack
       Connection is not based on SNI

    Commands to show results of checked target (connection) data

       Target supports Server Gated Cryptography (SGC)
       Target does not support SSLv2
       Target does not support SSLv3
       Target does not supports TLSv1
       Target does not supports TLSv1.1
       Target supports TLSv1
       Target supports TLSv1.1
       Target supports TLSv1.2
       Target supports TLSv1.3
       Target supports DTLSv1
       Target supports DTLSv1.2
       Target supports DTLSv1.3
       Target supports ALPN
       Target supports NPN
       Target selects strongest cipher
       Target does not honors client's cipher order
       Target does not accept weak cipher
       Target does not accept NULL ciphers
       Target does not accept ADH ciphers
       Target does not accept EXPORT ciphers
       Target does not accept CBC ciphers
       Target does not accept DES ciphers
       Target does not accept RC4 ciphers
       Target supports EDH ciphers
       Target supports PFS (selected cipher)
       Target supports PFS (all ciphers)
       Target understands TLS closure alerts
       Target does not support Compression
       Target supports fallback from TLSv1.1
       Target is ISM compliant (ciphers only)
       Target is PCI compliant (ciphers only)
       Target is FIPS-140 compliant
       Target is strict TR-02102-2 compliant
       Target is lazy TR-02102-2 compliant
       Target is strict TR-03116-4 compliant
       Target is lazy TR-03116-4 compliant
       Target is RFC 7525 compliant
       Target does not support method SSTP
       Target supports Resumption
       Target supports Secure Renegotiation
       Target supports Krb5
       Target supports PSK Identity Hint
       Target supports PSK
       Target supports SRP
       Target supports OCSP Stapling
       Target supports Extended Master Secret
       Target supports TLS Session Ticket
       Target TLS Session Ticket Lifetime
       Target TLS Session Start Time match
       Target TLS Session Ticket is random
       Target does not support heartbeat extension
       Target does not support SCSV
       Target DH Parameter >= 512 bits
       Target DH Parameter >= 2048 bits
       Target DH Parameter >= 256 bits (ECDH)
       Target DH Parameter >= 512 bits (ECDH)

    Commands to show results of checked length and count data

       Certificate PEM (base64) size
       Certificate PEM (binary) size
       Certificate Subject size
       Certificate Issuer size
       Certificate CPS size
       Certificate CRL size
       Certificate CRL data size
       Certificate OCSP size
       Certificate OIDs size
       Certificate Public Key size
       Certificate Signature Key size
       Certificate Subject Altname size
       Certificate Chain size
       Certificate Serial Number size
       Certificate Subject Altname count
       Certificate Wildcards count
       Certificate Chain Depth count
       Total number of checked ciphers
       Total number of accepted ciphers
       Total number of check results 'no(<<)'
       Total number of check results 'no'
       Total number of check results 'yes'
       Total number of insecure checks

    Commands to show results of checked HTTP vs. HTTPS data

       STS max-age not reset
       STS max-age less than one day
       STS max-age less than one month
       STS max-age less than one year
       STS max-age more than one year
       STS max-age more than 18 weeks
       STS max-age < certificate's validity
       Target sends STS header
       Target sends STS header with proper max-age
       Target sends STS header with includeSubdomain
       Target sends STS header with preload
       Target redirects with status code 301
       Target redirects not with 30x status code
       Target redirect matches given host
       Target redirects HTTP to HTTPS
       Target sends STS and no Location header
       Target sends STS and no Refresh header
       Target redirects HTTP without STS header
       Target redirects HTTP to HTTPS same host
       Target does not send STS header for IP
       Target does not send STS in meta tag
       Target sends Public-Key-Pins header

    Notes about commands

      

    While +cipher prints checked ciphers, +cipher-dh prints ciphers with their DH or ECDH parameters (if available) only for supported ciphers.

      

    Both commands show the default cipher for each protocol.

    +cipher lists a summary of ciphers selected by the server for each protocol requested by the user (for example by using options like: --sslv3 --tlsv1 etc.). When the --v option is used, all selected ciphers for all known protocols are listed. This summary focuses on counts for various ciphers.

    +cipher-default lists the cipher selected by the server for each protocol.

      

    +selected lists the cipher selected by the server if no particular protocol was specified and the system's default cipher list is sent in the ClientHello to the server.

    +cipher-default lists the cipher selected by the server for each protocol.

      

    +strong-cipher shows the result of the check if strong ciphers are preferred by the server. It is a check command.

    +cipher-default lists the cipher selected by the server for each protocol. It is an information command.

    It is not possible to check if a server uses SSLHonorCipherOrder. Even if it is used (switched on), it is not possible to check the specified order of the ciphers.

    In general, it is expected that the order follows the cipher suites' strength, meaning the strongest first and the weakest last. It doesn't make sense to use an order where a weak cipher precedes a stronger one. Such a (mis-)configuration should be detected.

    Having this in mind, the algorithm to detect a proper cipher order is as simple as follows:

  • 1. pass sorted cipher list with strongest cipher first
  • 2. pass sorted cipher list with strongest cipher last

    If the server returns the same cipher for both checks, it is assumed that it prefers to use the strongest cipher. In this case it is obvious that SSLHonorCipherOrder is set (for exceptions see below).

    Exceptions: If either the server or the client uses only one cipher suite in the list, SSLHonorCipherOrder cannot be detected at all. The same happens if only one cipher in the client's list matches a cipher in the server's list.
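The two-pass check and its exceptions, as an added example (not O-Saft's own code) run against constructed stand-in servers. The names make_server and detect_cipher_order, the result labels and the cipher ranking are assumptions made for illustration; the example goes slightly beyond the text by splitting the "same cipher in both passes" case into a strong and a weak result.

```python
"""Two-pass cipher-order check, run against constructed stand-in servers."""
from typing import Callable, Collection, Dict, Optional, Sequence

# A probe sends one ClientHello with the given cipher order and returns the
# cipher the server selected, or None if the handshake failed.
Probe = Callable[[Sequence[str]], Optional[str]]

# Constructed sample data: OpenSSL-style names, ranked strongest first.
STRONGEST_FIRST = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
    "DES-CBC3-SHA",
]


def make_server(server_ciphers: Sequence[str], honor_server_order: bool) -> Probe:
    """Hypothetical stand-in for a TLS server's cipher selection logic."""
    def probe(client_ciphers: Sequence[str]) -> Optional[str]:
        # With server preference the server walks its own list,
        # otherwise it walks the client's list.
        if honor_server_order:
            preferred, other = server_ciphers, client_ciphers
        else:
            preferred, other = client_ciphers, server_ciphers
        for cipher in preferred:
            if cipher in other:
                return cipher
        return None  # no common cipher: handshake fails
    return probe


def detect_cipher_order(probe: Probe,
                        strongest_first: Sequence[str],
                        accepted: Collection[str]) -> str:
    """Classify the server's cipher selection from two probes.

    accepted is the set of ciphers the server is already known to accept
    (for example from a previous cipher scan). It is needed to recognise
    the exception where only one cipher is shared by client and server.
    """
    ciphers = list(strongest_first)
    usable = [c for c in ciphers if c in accepted]
    if len(usable) < 2:
        # Exception from the text: with a single common cipher both passes
        # must return it, so nothing can be concluded.
        return "inconclusive"
    first = probe(ciphers)           # pass 1: strongest cipher first
    second = probe(ciphers[::-1])    # pass 2: strongest cipher last
    if first is None or second is None:
        return "inconclusive"
    if first != second:
        # The selection changed with the client's order.
        return "client-order"
    if first == usable[0]:
        # Same cipher both times, and it is the strongest accepted one.
        return "server-order-strong"
    # Same cipher both times, but a stronger accepted cipher was passed over.
    return "server-order-weak"


def demo() -> Dict[str, str]:
    """Run the check against four constructed server configurations."""
    strong = STRONGEST_FIRST[:3]
    weak_first = ["AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"]
    single = ["AES128-SHA", "CAMELLIA256-SHA"]  # one cipher in common
    cases = {
        "enforced, strong first": (strong, True),
        "enforced, weak first": (weak_first, True),
        "client order followed": (strong, False),
        "one common cipher": (single, True),
    }
    return {
        name: detect_cipher_order(make_server(ciphers, honor),
                                  STRONGEST_FIRST, set(ciphers))
        for name, (ciphers, honor) in cases.items()
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

A real probe can replace make_server as long as it takes the ordered cipher list and returns the selected cipher.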

      

      

      

    Certificate extensions are shown with +extensions while the TLS protocol extensions are shown with +tlsextensions. Use +tlsextdebug to show more information about the TLS protocol extensions.

      

    These commands are just an alias for the +protocols command.

      

      

    The commands +cn and +altname print the information stored in the certificate. The command +hostname checks if the given hostname matches the CN value in the certificate. Note that a wildcard name in the CN may contain only one *. The command +wildcard checks if the given hostname does not match any name specified in the certificate's subjectAltname. This check is useful if the certificate and the configuration must comply with RFC 6125 or EV certificates.

    OPTIONS

    All options are written in lowercase. Words written in all capitals in the description here are text provided by the user.

    Options for help and documentation

      

    Brief documentation of --help* options/commands.

    --help

      

    Complete user documentation.

    --help*

      

    cmd

      

    Show a brief list of all available commands.

    commands

      

    Show available commands with short description.

    opts

      

    Show available options; short form.

    options

      

    Show available options with their description.

    cmds

      

    Show available internal commands with short description.

    checks

      

    Show available commands for checks.

    data

      

    info

      

    Show available commands for information.

    tools

      

    Description of tools around O-Saft, when, where and how to use.

    cfg-cmd

      

    Show additional and user specified commands. Output can be used in rc-file or as option.

    check-cfg

      

    cfg-check

      

    Show texts used as labels in output for checks (see +check) ready for use in rc-file or as option.

    data-cfg

      

    cfg-data

      

    cfg-info

      

    Show texts used as labels in output for data (see +info) ready for use in rc-file or as option.

    hint

      

    Show texts used in hint messages.

    hint-cfg

      

    cfg-hint

      

    Show texts used in hint messages ready for use in the rc-file or as option.

    text

      

    Show texts used in various messages.

    text-cfg

      

    cfg-text

      

    Show texts used in various messages ready for use in the rc-file or as option.

    legacy

      

    Show possible legacy formats (used as value in --legacy=TOOL).

    compliance

      

    Show available compliance checks.

    intern

      

    Show all internal commands and command lists.

    alias

      

    Show alias for commands and options.

    pattern

      

    Show list of cipher pattern (used for --cipher=CIPHER).

    range

      

    Show list of cipher ranges (see --cipherrange=RANGE).

    toc

      

    content

      

    Show headlines from help text. Useful to get an overview.

    SECTION

    toc Show SECTION from documentation, see --help=toc for a list. Example: EXAMPLES

    o-saft.pl --help=EXAMPLES

    ourstr

      

    Show regular expressions to match our own strings used in output.

    regex

      

    Show regular expressions used internally.

    gen-html

      

    Print documentation in HTML format.

    gen-pod

      

    Print documentation in POD format.

    gen-wiki

      

    Print documentation in mediawiki format.

    gen-cgi

      

    Print HTML form to be used for CGI.

    error

      

    problem

      

    Show KNOWN PROBLEMS section with description of known error and warning messages.

    faq

      

    Show KNOWN PROBLEMS and LIMITATIONS section.

    glossary

      

    Show common abbreviations used in the world of security.

    links

      

    rfc

      

    Show list of RFCs related to SSL/TLS.

    todo

      

    Show known problems and bugs.

    exit

      

    Show possible --exit=KEY options. Used for debugging only.

    warnings

      

    Show warning messages defined in code.

    program.code

      

    For developers.

    Options for all commands (general)

      

    Do DNS lookups to map given hostname to IP, do a reverse lookup.

      

    Do not make DNS lookups. Note that the corresponding IP and reverse hostname may be missing in some messages then.

    Specify HOST as target to be checked. Legacy option.

    Specify PORT of target to be used. Legacy option.

    When giving more than one HOST argument, the sequence of the given HOST arguments, the given --port=PORT options and the given --host=HOST options is important. The rule for how ports and hosts are mapped is as follows:

  • HOST:PORT arguments are used as is (connection to HOST on PORT)
  • only HOST is given, then previous specified PORT is used

    Note that URLs are treated as HOST:PORT, if they contain a port. Example:

    o-saft.pl +cmd host-1 --port 23 host-2 host-3:42 host-4

    will connect to:

  • host-1:443
  • host-2:23
  • host-3:42
  • host-4:23

    Make all connections to the target using PROXYHOST.

    Also possible is: --proxy=PROXYUSER:PROXYPASS@PROXYHOST:PROXYPORT

    Make all connections to the target using PROXYHOST:PROXYPORT.

    Specify username for proxy authentication.

    Specify password for proxy authentication.

      

    Use STARTTLS command to start a TLS connection via SMTP. This option is a shortcut for --starttls=SMTP .

    Use STARTTLS command to start a TLS connection via protocol. PROT may be any of: SMTP, IMAP, IMAP2, POP3, FTPS, RDP, LDAP or XMPP .

    For --starttls=SMTP see also --dns-mx to use MX records instead of host.

    Number of seconds to wait before sending a packet, to slow down the STARTTLS requests. Default is 0. This may prevent blocking of requests by the target due to too many or too rapid connections. Note: In this case there is an automatic suspension and retry with a longer delay.

      

      

    Internal use for CGI mode only.

    Options for SSL tool

      

    Read the rc-file, if it exists, from the directory where the program was found.

      

    Do not read rc-file.

    Use FILE instead of the default rc-file .o-saft.pl.

      

    The exit status code will be greater than 0 if any of the following applies:

  • any check returns no, except if no (<<...>>)
  • insecure protocols are available
  • insecure ciphers are supported
  • ciphers without PFS are supported, disable with --exitcode-cipher

    In particular, the status code will be the total count of all these checks. The status code will also be printed at the end, like:

    # EXIT 23

    Parts of these checks can be disabled, see --exitcode-* options below.

    Use --v or --exitcode-v to see details about the performed checks.

    This functionality is experimental and may change in the future.

      

    Print information about performed checks.

      

    Do not print status code at end, like # EXIT 23.

      

    Do not count checks with result no for --exitcode .

      

    Do not count LOW, WEAK or MEDIUM security ciphers for --exitcode .

      

    Do not count any ciphers for --exitcode .

      

    Do not count ciphers without PFS for --exitcode .

      

    Use openssl s_client ... call to retrieve more information from the SSL connection. This is disabled by default on Windows because of performance problems. Without this option (default on Windows!) the following information is missing:

    compression, expansion, renegotiation, resumption,
    selfsigned, verify, chain, protocols, DH parameters

    See lib/SSLinfo for details.

    If used together with --trace, s_client data will also be printed in debug output of lib/SSLinfo.

      

    Do not use external openssl tool to retrieve information. Use of openssl is disabled by default on Windows. Note that this results in some missing information, see above.

    TOOL can be a path to openssl executable; default: openssl

    FILE path of directory or full path of openssl.cnf

    If set, environment variable OPENSSL_CONF will be set to given path (or file) when openssl(1) is started. Please see openssl's man page for details about specifying alternate openssl.cnf files.

      

    Options are obsolete. Please use --ciphermode=openssl instead.

    PATH is a full path where to find openssl.

    PATH is a full path where to find libssl.so, libcrypto.so.

    See HACKER's INFO below for a detailed description how it works.

    NAME is the name of an environment variable containing additional paths for searching dynamic shared libraries. Default is LD_LIBRARY_PATH.

    Check your system for the proper name, for example:

    DYLD_LIBRARY_PATH, LIBPATH, RPATH, SHLIB_PATH.

    PATH is a full path where to find additional Perl modules

    This option is not available as --inc PATH.

    REGEX all paths matching this RegEx are removed from @INC

    This option is not available as --no-inc REGEX. See HACKER's INFO below for a detailed description.

      

    The connection to a target may fail, or even block, for various reasons, for example a lost network connection, blocking at a firewall, etc. In particular when checking ciphers with +cipher, this may result in long delays until results are printed. Using this option stops further connection attempts to the target when --ssl-error-max=CNT consecutive errors occurred, or when the total amount of errors exceeds --ssl-error-total=CNT.

    Note that this may result in loss of information and/or checks.

    Max. amount of consecutive errors (default: 5).

    Timeout in seconds when a failed connection is treated as error and then counted (default: 1).

    Max. total amount of errors (default: 10).

      

    In general, this tool tries to identify available functionality according to SSL versions from the underlying libraries. Unsupported versions are then disabled and a warning is shown. Unfortunately some libraries have not implemented all functions to check availability of a specific SSL version, which then results in a compile error.

    This option disables the strict check of availability. If the underlying library doesn't support the required SSL version at all, the following error may occur:

    Can't locate auto/Net/SSLeay/CTX_v2_new.al in @INC ...

    See Note on SSL versions for a general note about SSL versions. A more detailed description of the problem and how Net::SSLeay behaves can be found in the source of o-saft.pl, see section starting at

    #| check for supported SSL versions

    Timeout in seconds when connecting to the target (default: 2).

    METHOD method to be used for specific functionality

    Available methods:

  • info-socket – use internal socket to retrieve information
  • info-openssl – use external openssl to retrieve information
  • info-user – use usr_getinfo() to retrieve information
  • cipher-socket – use internal socket to check for ciphers
  • cipher-openssl – use external openssl to check for ciphers
  • cipher-user – use usr_getciphers() to check for ciphers

    Method names starting with:

  • info- are responsible to retrieve information about the SSL connection and the target certificate (i.e. what the +info command provides)
  • cipher- are responsible to connect to the target and test if it supports the specified ciphers (i.e. what the +cipher command provides)
  • check- are responsible for performing the checks (i.e. what's shown with the +check command)
  • score- are responsible to compute the score based on check results

    The second part of the name denotes which kind of method to call:

  • socket – the internal functionality with sockets is used
  • openssl – the external openssl executable is used
  • user – the external special function, as specified in user's lib/OUsr.pm, is used.

    Example:

    --call=cipher-openssl

    will use the external openssl(1) executable to check the target for supported ciphers.

    Default settings are:

    --call=info-socket --call=cipher-socket --call=check-socket

    Just for curiosity, instead of using:

    o-saft.pl --call=info-user --call=cipher-user --call=check-user --call=score-user ...

    consider using your own script like:

    #!/usr/bin/env perl
    usr_getinfo();usr_getciphers();usr_checkciphers();usr_score();

    :-))

      

    Print list of ciphers in style like: openssl ciphers -v. Option used with +ciphers command only.

      

    Print list of ciphers in style like: openssl ciphers -V. Option used with +ciphers command only.


    Options for SSL connection to target

      

      

      

      

    The following MODEs are supported for scanning ciphers:

  • intern – scan for ciphers using internal method (default)
  • openssl – scan for ciphers using external openssl executable
  • socket – scan for ciphers using IO::Socket::SSL
  • dump – same as intern but print all cipher information, useful when postprocessed by usr/* tools

    intern uses a socket connection to the target which provides all ciphers of the specified range. The amount of provided ciphers will be reduced and tested in chunks if the target returns errors. This is the fastest mode for most targets.

    socket uses a new socket connection to the target for each cipher of the specified range. It provides only this cipher.

    openssl uses openssl s_client -connect CIPHER ... to check if a cipher is supported by the remote target. It may be useful if the target behaves strangely (warnings, hints are printed), or if option --lib=PATH doesn't work (for example due to changes of the API). Note that this mode is very slow compared to the others, because an external executable must be called and a timeout of at least one second is necessary for each cipher check (due to restrictions with openssl 3.x). Consider using another cipher range than the default rfc, for example with --cipherrange=openssl .

      

    TCP socket will be reused for next connection attempt even if SSL connection failed.

      

    Close TCP socket and then reopen for next connection attempt if SSL connection failed.

    This is useful for some servers which may return a TLS alert if the connection fails and then fail again on the same socket.

      

    A simple check if the target can be connected will be performed by default. If this check fails, the target will be ignored, meaning no more requested checks will be done. As this connection check sometimes fails due to various reasons, the check can be disabled using this option.

      

    Do not use *-MD5 ciphers for other protocols than SSLv2. This option is only effective with +cipher command.

    The purpose is to avoid warnings from IO::Socket::SSL(3pm) like:

    Use of uninitialized value in subroutine entry at lib/IO/Socket/SSL.pm line 430.

    which occurs with some versions of IO::Socket::SSL(3pm) when *-MD5 ciphers are used with other protocols than SSLv2.

    Note that these ciphers will be checked for SSLv2 only.

      

      

      

      

      

      

      

      

      

      

      

      

      

      

      

      

      

      

      

      

      

      

      

      

    SSL can be any of: ssl, ssl2, ssl3, sslv2, sslv3, tls1, tls1, tls11, tls1.1, tls1-1, tlsv1, tlsv11, tlsv1.1, tlsv1-1 (and similar variants for tlsv1.2 and tlsv1.3), dtls1, dtls12, dtls13.

    For example: --tls1 --tlsv1 --tlsv1_1 are all the same.

    (--SSL variants): Test ciphers for this SSL/TLS version. (--no-SSL variants): Don't test ciphers for this SSL/TLS version.

      

      

    Shortcut for: --no-sslv2 --no-sslv3 --no-tlsv1 --no-tlsv11 --no-tlsv12 --no-tlsv13

      

      

    Shortcut for: --sslv2 --sslv3 --tlsv1 --tlsv11 --tlsv12 --tlsv13

      

      

    Shortcut for: --no-dtlsv09 --no-dtlsv1 --no-dtlsv11 --no-dtlsv12 --no-dtlsv13

      

      

    Shortcut for: --dtlsv09 --dtlsv1 --dtlsv11 --dtlsv12 --dtlsv13

      

    This option forces the assumption that SSLv2 is enabled even if the target does not accept any ciphers.

    The target server may accept connections with SSLv2 but not allow any cipher. Some checks verify if SSLv2 is enabled at all, which then would result in a failed test. The default behaviour is to assume that SSLv2 is not enabled if no ciphers are accepted.

      

    Make an HTTP request if cipher is supported.

    If used twice, debugging will be enabled using environment variable HTTPS_DEBUG.

      

    Do not make HTTP request.

    Use UA for HTTP header User-Agent: in HTTP(s) requests.

      

    Make SSL connection in SNI mode.

      

    Do not make SSL connection in SNI mode (default: SNI mode).

      

      

    Test with and without SNI mode.

      

    Do not check if SNI seems to be supported by Net::SSLeay(3pm). Older versions of openssl and its libraries do not support SNI, or their SNI support is buggy. By default it's checked if SNI is properly supported. With this option this check can be disabled.

    Be warned that this may result in improper results.

    If SNI mode is active, see --sni above, NAME is used instead of hostname for connections to the target. If SNI mode is not active, see --no-sni above, NAME is not used. The default is undefined, which forces use of the given FQDN.

    This is useful, for example, when an IP instead of a FQDN was given, where a correct hostname (in general a FQDN) needs to be specified.

    Note: in general there is no need to use this option, as a correct value for the SNI name will be chosen automatically (except for IPs). However, it is kind of fuzzing ... even setting to an empty string is possible.

    Limitation: the same NAME is used for all targets, if more than one target was specified.

      

    Do not get data from target's certificate, return empty string.

      

    Do not get data from target's certificate, return default string of lib/SSLinfo (see --no-cert-text=TEXT option).

    Set TEXT to be returned from lib/SSLinfo if no certificate data is collected due to use of --no-cert.

    Check certificate chain to depth INT (like openssl's -verify).

    Use FILE with bundle of CAs to verify target's certificate chain.

    Use DIR where to find CA certificates in PEM format.

      

      

    NOT YET IMPLEMENTED. In general, openssl uses default settings for where to find certificate files. When --ca-file=FILE and/or --ca-path=DIR is used, this default will be overwritten by appropriate options passed to openssl. If the default does not work as expected, --force-ca can be used to force setting of proper values according to well-known common defaults. See:

    o-saft.pl +version
    o-saft.pl +version --force-ca

    to see the used settings.

      

    Use -alpn option for openssl.

      

    Do not use -alpn option for openssl.

      

      

    Do not use -nextprotoneg option for openssl.

    Name of protocol to be added to list of application layer protocols (ALPN), which is used for any connection to the targets. See --cipher-alpn=NAME also.

    Name of protocol to be added to list of next protocol negotiations (NPN), which is used for any connection to the targets. See --cipher-npn=NAME also.

      

    Use SSL option compression for connection.

      

    Use SSL option no compression for connection (default: don't use)

      

    Do not use -reconnect option for openssl.

      

    Do not use -tlsextdebug option for openssl.

    Argument or option passed to openssl's s_client command.


    Options for +cipher command

    Additional delay in seconds after each connect for a cipher check. This is useful when connecting to servers which have IPS in place, or are slow in accepting new connections or requests.

    Only check for CIPHER instead of using ciphers from internal list (default). Multiple options can be specified.

    CIPHER can be any cipher suite name or (internal) hex key, see:

    o-saft.pl +list

    for known, valid keys and cipher names.

    CIPHER can also be any of the internal defined patterns, see:

    cipherpattern

    o-saft.pl --header --help=cipherpattern

    If CIPHER does not match a hex key, i.e. 0x03000035, it is used as pattern (RegEx) to match cipher suite names. For example: AES256-SHA matches 28 cipher suites, while AES256-SHA$ matches 14 ciphers, see:

    lib/Ciphers.pm find-names=AES256-SHA
    lib/Ciphers.pm find-names=AES256-SHA$

    To be sure that exactly one cipher suite matches, use for example:

    --cipher=^AES256-SHA$
    --cipher=0x03000035

    Hex keys must be specified with a leading 0x followed by exactly 8 upper case hex characters [0-9A-F].

    The pattern can be a common RegEx like GCM|CHACHA. Simple OpenSSL-style patterns are also accepted, for example: AES:ECDH.
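
    The selection rules above as an added example (not code from o-saft.pl): it classifies a --cipher value as hex key or RegEx and shows how anchoring changes what is selected. The cipher table is a small constructed sample, so the counts differ from the 28 and 14 quoted above; case-sensitive matching and the names classify, select and audit are assumptions, and OpenSSL-style patterns such as AES:ECDH are not handled.

```python
import re

# Hex key as defined above: leading 0x, then exactly 8 upper-case hex characters.
HEX_KEY = re.compile(r"^0x[0-9A-F]{8}$")
# Anything that merely looks like hex (wrong case or length); used for the audit note.
HEX_LIKE = re.compile(r"^0[xX][0-9A-Fa-f]+$")

# Constructed sample table (hex key -> suite name); NOT the tool's cipher list.
SAMPLE = {
    "0x03000035": "AES256-SHA",
    "0x0300003D": "AES256-SHA256",
    "0x03000039": "DHE-RSA-AES256-SHA",
    "0x0300006B": "DHE-RSA-AES256-SHA256",
    "0x0300C014": "ECDHE-RSA-AES256-SHA",
    "0x0300C028": "ECDHE-RSA-AES256-SHA384",
    "0x0300009D": "AES256-GCM-SHA384",
    "0x0300CCA8": "ECDHE-RSA-CHACHA20-POLY1305",
}


def classify(arg):
    """Return ("hex", key) or ("pattern", compiled RegEx) for a --cipher value."""
    if HEX_KEY.match(arg):
        return "hex", arg
    try:
        # Assumption: names are matched case-sensitively, anywhere in the name.
        return "pattern", re.compile(arg)
    except re.error as err:
        raise ValueError(f"--cipher={arg!r} is neither hex key nor valid RegEx: {err}")


def select(arg, table=SAMPLE):
    """Return the {hex key: name} entries a --cipher value would select."""
    kind, val = classify(arg)
    if kind == "hex":
        return {k: n for k, n in table.items() if k == val}
    return {k: n for k, n in table.items() if val.search(n)}


def audit(arg, table=SAMPLE):
    """Return (selection, notes); notes flag values that may select the wrong set."""
    kind, _ = classify(arg)
    hits = select(arg, table)
    notes = []
    if kind == "pattern" and HEX_LIKE.match(arg):
        notes.append("hex-like value is not 0x + 8 upper-case hex digits; used as RegEx")
    anchored = arg.startswith("^") and arg.endswith("$")
    if kind == "pattern" and len(hits) > 1 and not anchored:
        notes.append(f"unanchored pattern selects {len(hits)} suites")
    if not hits:
        notes.append("selects nothing from the table")
    return hits, notes


if __name__ == "__main__":
    for arg in ("AES256-SHA", "AES256-SHA$", "^AES256-SHA$",
                "0x03000035", "0x0300c014", "GCM|CHACHA"):
        hits, notes = audit(arg)
        print(f"--cipher={arg}")
        print("   selects:", ", ".join(sorted(hits.values())) or "(none)")
        for note in notes:
            print("   note:", note)
```

    A lower-case key such as 0x0300c014 is not rejected; it falls through to the RegEx branch and silently selects nothing, which is easy to misread as "cipher not supported".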

    When --ciphermode=openssl or --ciphermode=socket is used, CIPHER can only be any string or a hex key accepted by openssl. Examples:

  • --cipher=DHE_DSS_WITH_RC4_128_SHA
  • --cipher=0x03000066

    will be mapped to DHE-DSS-RC4-SHA

    CIPHER can also be any pattern accepted by openssl, for example:

  • --cipher=!DES:!ADH:!aNULL

    Default is ALL:NULL:eNULL:aNULL:LOW:EXP as specified in lib/SSLinfo.

    See LIMITATIONS also.

    Name of protocol to be added to list of application layer protocols (ALPN), which is used for cipher checks.

  • --cipher-alpn=, – sets empty list.
  • --cipher-alpn=,, – sets list to empty element .

    Name of protocol to be added to list of next protocol negotiations (NPN), which is used for cipher checks.

  • --cipher-npn=, – sets empty list.
  • --cipher-npn=,, – sets list to empty element .

    Note: setting empty list or element most likely does not work with openssl executable, for example --ciphermode=openssl .

    Name of elliptic curve to be added to list of elliptic curves (EC), which is used for cipher checks.

  • --cipher-curve=, – sets empty list.
  • --cipher-curve=,, – sets list to empty element .

    Note: setting empty list or element most likely does not work with openssl executable, for example --ciphermode=openssl .

    Specify range of cipher constants to be tested with +cipher . The following RANGEs are supported:

  • rfc – all ciphers defined in various RFCs including all reserved and some unassigned constants
  • shifted – rfc + some constants shifted by 64 bytes to the right
  • intern – rfc + shifted
  • long – like rfc but more lazy list of constants
  • huge – all constants 0x03000000 .. 0x0300FFFF
  • safe – all constants 0x03000000 .. 0x032FFFFF
  • full – all constants 0x03000000 .. 0x03FFFFFF
  • SSLv2 – all ciphers according RFC for SSLv2, see [v2]
  • SSLv2_long – more lazy list of constants for SSLv2
  • SSLv3 – all ciphers according RFC for SSLv3
  • SSLv3_SSLv2 – all ciphers for SSLv3 with SSLv2
  • TLSv10 – empty list (see [v1] below)
  • TLSv11 – empty list (see [v1] below)
  • TLSv12 – all ciphers according RFC for TLSv12
  • TLSv13 – all ciphers according RFC for TLSv13
  • GREASE – all GREASE ciphers according RFC
  • IANA – all ciphers recommended by IANA, see https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
  • c0xx – ECC ciphers, constants 0x0300C000 .. 0x0300C0FF
  • ccxx – ECC ciphers, constants 0x0300CC00 .. 0x0300CCFF
  • ecc – all constants for ciphers using ECC
  • openssl – all ciphers known by openssl; note that this requires an openssl executable

    [v2]: SSLv2 is the internal list used for testing SSLv2 ciphers. It does not make sense to use it for other protocols; however ...

    [v1]: There are no ciphers officially assigned to TLSv10 or TLSv11.

    For the full list and details about the ranges, please see:

    range

    o-saft.pl --header --help=range

    If any --cipher=CIPHER is used, --cipherrange=RANGE is ignored. See LIMITATIONS also.

    Additional delay in seconds after the server is connected using a proxy or before starting STARTTLS. This is useful when connecting via slow proxy chains or connecting to slow servers before sending the STARTTLS sequence.

    Maximal number of ciphers sent in a sslhello (default: 32).

      

    Send SSL extension reneg_info even if list of ciphers includes TLS_EMPTY_RENEGOTIATION_INFO_SCSV (default: do not include)

      

    Some servers do not answer (in general they disconnect) if none of the offered ciphers is supported by the server.

    Continue testing with next ciphers when the target disconnects or does not send data within specified timeout (see --timeout). Useful for TLS intolerant servers.

      

    Abort testing with next ciphers when the target disconnects.

      

    Use supported elliptic curves. Default on.

      

    Use TLS ec_point_formats extension. Default on.

      

    Test for ciphers with secure renegotiation flag set. Default: don't set secure renegotiation flag.

    Number of retries when connection timed-out (default: 2).

    Number of seconds to wait until connection is qualified as timeout.

      

      

    Get DNS MX records for given target and check the returned targets. (only useful with --starttls=SMTP).


    Options for checks and results

    Options used for +check command:

      

    Only print result for ciphers accepted by target.

      

    Only print result for ciphers not accepted by target.

      

    Prints HTTP response body of the target also, if requested with +https_body , which is disabled by default (because it may be a huge amount of data not related to SSL/TLS).

      

    Checks are done case-insensitive.

      

    Checks are done case-sensitive. Default: case-insensitive. Currently this only affects checks that compare the CN and alternate names in the target's certificate with the given hostname.

      

    When checking for the TLS heartbeat extension, the server may not respond at all, which would result in a no reply message. This marks the check for +heartbleed as no. In general, a server is not vulnerable to the heartbleed attack if the TLS heartbeat extension is disabled. Hence the check result no may be misleading. This option treats the no reply result as not vulnerable and returns yes then.

    Note: if the server does not respond to this check, that does not mean that the heartbeat extension is switched off. If unsure, disable this lazy check with --no-ignore-no-reply .


    Options for output format

    Defines the format of the descriptive text (label) for +check and +info command.

    Following TYPEs are supported:

      

    Prints full text for labels:

    Certificate Common Name: some.tld

      

    Prints short less descriptive text for labels:

    Common Name: some.tld

      

    Internal format: prints the name of the key instead of text as label. The key is that of the internal data structure(s).

    [cn] some.tld

    For ciphers and protocols, the corresponding hex value is used as key. Note that these values are unique.

      

    For compatibility with other tools, the output format used for the result of the +cipher command can be adjusted to mimic the format of other SSL testing tools.

    The argument to the --legacy=TOOL option is the name of the tool whose output format is to be simulated.

    Following TOOLs are supported:

  • sslaudit – similar to sslaudit
  • sslcipher – similar to ssl-cipher-check
  • ssldiagnos – similar to ssldiagnos
  • sslscan – similar to sslscan
  • ssltest – similar to ssltest
  • ssltestg – similar to ssltest -g
  • ssltest-g – similar to ssltest -g
  • sslyze – similar to sslyze
  • ssl-cipher-check – same as sslcipher
  • ssl-cert-check – similar to ssl-cert-check
  • testsslserver – similar to TestSSLServer.jar
  • thcsslcHeck – similar to THCSSLCheck

    Note that these legacy formats only apply to output of the checked ciphers. Other texts like headers and footers are adapted slightly.

    When using this option, please do not expect output identical to that of the TOOL. It is a best guess and should be parsable in a very similar way.

      

    Internal format: mainly avoids tabs and spaces. The format is as follows:

    Some Label:<-- anything right of colon is data

      

    Internal format: pretty print each label in its own line, followed by data prepended by tab character (useful for +info only).

      

    Results for cipher checks use rating from OWASP Cipher Cheat Sheet.

      

    Internal format: use tab as separator; ciphers are printed with bit length (implies --tab).

      

    Internal default format.

      

      

      

      

    This option is used to specify the format of the result lines. This covers the value of the result line only.

  • raw – Print raw data as passed from lib/SSLinfo. Note: all data will be printed as is, without additional label or formatting. It's recommended to use the option in conjunction with exactly one command. Otherwise the user needs to know how to read the printed data.
  • hex – Convert some data to hex: 2 bytes separated by :.
  • 0x – Convert some data with hex values: 2 bytes prepended by 0x and separated by a space.
  • /x – Same as --format=\x
  • \x – Convert some data with hex values: 2 bytes prepended by \x and no separating char.

      

    Get the screen width and then adapt output of documentation to fit to that width. If the environment variable COLUMNS is not set the command tput or stty of system is used to get the screen width.

    It's a very simple approach to make texts better readable on narrow devices like tablets. For more details, please see:

    perldoc o-saft.pl # the section Note:tty there

    Set the screen width to NN characters (see --format-tty also). Default will be calculated automatically.

    Set the amount of spaces used for indentation (see --tty also). Default is 2.

    Set the additional character when lines are split. Default: ↲

      

    Print formatting header. Default for +check, +info, +quick and +cipher only.

      

    Do not print formatting header. Useful if raw output should be passed to other programs.

    Note: must be used on command-line to inhibit all header lines.

    Do not print output (data or check result) for command CMD. CMD is any valid command, see COMMANDS , without leading +. Option can be used multiple times.

    --ignore-out=, sets empty list.

      

    Print scoring results. Default for +check.

      

    Do not print scoring results.

    CHAR will be used as separator between label and value of the printed results. Default is :.

    TAB character (0x09, \t) will be used as separator between label and value of the printed results. As label and value are already separated by a TAB character, this option is only useful in conjunction with the --legacy=compact option.

      

    Prefix each printed line with the given hostname (target). The hostname will be followed by the separator character. Example without --showhost :

    Certificate Common Name: localhost

    Example with --showhost :

    localhost:443:Certificate Serial Number: localhost

      

    Print some internal variable names in output texts (labels). Variable names are prefixed to printed line and enclosed in # . Example without --showkey :

    Certificate Serial Number: deadbeef

    Example with --showkey :

    #[serial]: Certificate Serial Number: deadbeef
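
    For post-processing, the sample lines shown for --legacy=key, --showhost and --showkey can be normalised with a small parser. This is an added example, not part of O-Saft: the default : separator, the host-before-key prefix order, the rule that a label ends at the first colon followed by whitespace, and the names Result, parse_line and index_results are assumptions, and the last two sample lines are constructed.

```python
import re
from typing import NamedTuple, Optional


class Result(NamedTuple):
    host: Optional[str]    # only with --showhost
    port: Optional[int]    # only with --showhost
    key: Optional[str]     # only with --showkey or --legacy=key
    label: Optional[str]   # absent with --legacy=key
    value: str


# "[cn] some.tld" (--legacy=key sample)
KEY_FORM = re.compile(r"^\[(?P<key>[^\]]+)\]\s+(?P<value>.*)$")

# Optional "host:port:" prefix (--showhost), optional "#[key]:" prefix (--showkey),
# then "label: value". Assumption: the label ends at the first colon followed by
# whitespace, so colon-separated values (e.g. hex with ':') stay intact.
LINE_FORM = re.compile(
    r"^(?:(?P<host>[^\s:#\[]+):(?P<port>\d+):)?"
    r"(?:#\[(?P<key>[^\]]+)\]:\s*)?"
    r"(?P<label>[^:]+):\s+(?P<value>.*)$"
)

# Message prefixes named in this documentation; such lines are not results.
NOISE = ("**WARNING:", "!!Hint:")


def parse_line(line):
    """Return a Result for one output line, or None if it is not a result line."""
    line = line.rstrip("\r\n")
    if not line.strip() or line.startswith(NOISE):
        return None
    m = KEY_FORM.match(line)
    if m:
        return Result(None, None, m["key"], None, m["value"])
    m = LINE_FORM.match(line)
    if not m:
        return None
    port = int(m["port"]) if m["port"] else None
    return Result(m["host"], port, m["key"], m["label"].strip(), m["value"])


def index_results(lines):
    """Map the most stable identifier available (key, else label) to the value."""
    out = {}
    for line in lines:
        res = parse_line(line)
        if res is not None:
            out[res.key or res.label] = res.value
    return out


SAMPLE = [
    "Certificate Common Name: localhost",                  # from this page
    "localhost:443:Certificate Serial Number: localhost",  # from this page
    "#[serial]: Certificate Serial Number: deadbeef",      # from this page
    "[cn] some.tld",                                       # from this page
    "#[example_key]: Example Label: AB:CD:EF:01",          # constructed
    "**WARNING: constructed warning text",                 # constructed
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_line(line))
```

    Labels can be redefined with the customisation options, so keying on the --showkey name is more robust than keying on the label text.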

      

      

      

      

      

    This option is used to specify the general output format for STDOUT and STDERR. All results are written to STDOUT, errors and warnings may also be written to STDERR . The default is :unix:utf8, which is the perlish definition used internally.

    Following values are supported:

  • raw
  • unix – Print raw data, binary in bytes without conversion. Note: binary here means that each byte is a character.
  • utf8 – Convert detected bytes to UTF-8 characters.
  • crlf – Use CR LF as end of line.
  • CHARSET – can be any of the locally installed character sets, like UTF-8, UTF-16LE, CP1252, iso-8859-7, etc. This conversion may print its own warnings.

    The option can be used multiple times with different values. To reset the default behaviour, either raw or unix must be used. Obviously, they must be used first. All other values are used additionally. Note: utf8 just defines the format of the characters, it does no further checks on the converted characters. In contrast, UTF-8 is used as real encoding and does some checks. However, the difference is important on STDIN only.

    For more details, please see perldoc -f binmode . For the tool's default behaviour, please see Perl:binmode()

    Currently (in 2024), these options must be used before any --help option.

      

    Obsolete, please use --std-format=crlf .


    Options for compatibility with other programs

    Please see other programs for detailed description (if not obvious:). Note that often only the long form options are accepted as most short form options are ambiguous. If other programs use the same option, but with a different behaviour, then these other options are not supported. For a list of supported options, please see:

    alias

    o-saft.pl --help=alias

    Following list contains only those options not shown with:

    alias

    o-saft.pl --help=alias

    # Tool's Option            | (Tool)          | o-saft.pl Option
    #--------------------------+-----------------+------------------------
    --checks CMD               | (TLS-Check.pl)  | same as +CMD
    -h, -h=HOST                | (various tools) | same as --host HOST
    -p, -p=PORT                | (various tools) | same as --port PORT
    -t HOST                    | (ssldiagnos)    | same as --host HOST
    --UDP                      | (ssldiagnos)    | same as --udp
    --timeout, --grep          | (ssltest.pl)    | ignored
    -r, -s, -t, -x             | (ssltest.pl)    | ignored
    --insecure                 | (cnark.pl)      | ignored
    --nopct --nocolor          | (ssldiagnos)    | ignored
    -connect, -H, -u, -url, -U |                 | ignored
    -noSSL                     |                 | same as --no-SSL
    -no_SSL                    |                 | same as --no-SSL
    #--------------------------+-----------------+------------------------

    For definition of SSL see --SSL and --no-SSL above.


    Options for customisation

      

    Options for customisation have the general form: --cfg-CFG=KEY=TEXT. For general descriptions please see CUSTOMISATION section below.

    Redefine list of commands. Sets %cfg{cmd-CMD} to LIST. Commands can be written without the leading +. If CMD is any of the known internal commands, it will be redefined. If CMD is an unknown command, it will be created.

    Example:

    --cfg-cmd=sni="sni hostname"
    An example +preload can be found in .o-saft.pl .

    To get a list of commands and their settings, use: intern

    o-saft.pl --help=intern

    Main purpose is to reduce list of commands or to print them sorted.

    Redefine texts used for labels in output. Sets %data{KEY}{txt} or %checks{KEY}{txt} to TEXT.

    To get a list of preconfigured labels, use: cfg-checks

    o-saft.pl --help=cfg-checks
    cfg-data
    o-saft.pl --help=cfg-data

    Redefine the security value (i.e. HIGH) in the cipher description. Example:

    --cfg-cipher=NULL-MD5=no-security-at-all

    Redefine general texts used in output. Sets %text{KEY} to TEXT.

    To get a list of preconfigured texts, use: cfg-text

    o-saft.pl --help=cfg-text

    Note that \n, \r and \t are replaced by the corresponding character when read from rc-file.

    Read definitions for %text{KEY}=my text from file FILE.

    Redefine texts used for hints. Sets %cfg{hints}{KEY} to TEXT.

    To get a list of preconfigured texts, use: cfg-hint

    o-saft.pl --help=cfg-hint

    Set the internal %cfg hash. This option is intended for testing and debugging only. Please see TESTING below.

    See Options for SSL tool.

      

      

    Execute functions defined in lib/OUsr.pm.

      

      

    Options ignored, but stored as is internally in $cfg{usr-args} . These options can be used in lib/OUsr.pm or lib/OTrace.pm.

      

    Use experimental functionality. Some functionality of this tool is under development and only used when this option is given.


    Options for tracing and debugging

    The terms trace and debug are used interchangeably herein. The functionality enabled by the options described below is more likely considered tracing.

      

    Do not execute, just show commands (only useful in conjunction with using openssl).

    --v prints more information about what is actually done. --trace prints more information about internal data such as procedure names and/or variable names with their values.

      

      

    Print more information about checks.

    Note that --v is different from -v (see above).

      

      

    Print each cipher being checked (with --ciphermode=openssl only).

      

    Print debugging messages, function names, variable names or values.

      

    Print more debugging messages and pass trace=2 to Net::SSLeay and lib/SSLinfo.

      

    Print more debugging messages and pass trace=3 to Net::SSLeay and lib/SSLinfo.

      

    Print processing of all command-line arguments.

      

    Print complete command-line first. Used for internal testing.

      

      

    Print command-line argument processing.

      

    Option obsolete since Version 23.11.23. Please use --v instead.

      

      

    Same as --showkey .

      

    Prints trace output with timestamps.

    Alias for --trace-VALUE options (see above).

    # Trace Option      | Alias Option
    #-------------------+-----------------------------
    --trace=1           | same as --trace
    --trace=2           | same as --trace --trace
    --trace=arg         | same as --trace-arg
    --trace=cli         | same as --trace-cli
    --trace=key         | same as --trace-key
    --trace=time        | same as --trace-time
    #-------------------+-----------------------------

    Print hint messages (!!Hint:).

      

    Do not print hint messages (!!Hint:).

      

    Print warning messages (**WARNING:).

      

    Do not print warning messages (**WARNING:).

      

      

    Do not suppress duplicate warning messages (**WARNING:). Warning messages not printed multiple times by default: 303 304 412

    Suppress printing of warning messages with number NNN (**WARNING:). It also suppresses hint messages if they begin with number NNN. Mainly used for internal testing.

      

      

    Shortcut for: --no-warnings --no-hints .

    Terminate o-saft.pl at specified KEY. Please see TESTING below.


    Options vs. Commands

    For compatibility with other programs and lazy users, some arguments looking like options are silently taken as commands or vice versa. This means that --THIS becomes +THIS then. These options are:

  • --help
  • --abbr
  • --todo
  • --chain
  • --default
  • --fingerprint
  • --list
  • --test*
  • --version

    Take care that this behaviour may be removed in future versions as it conflicts with those options and commands which actually exist, like:

    --sni vs. +sni



    O-Saft as CGI

    This is a sample implementation to show O-Saft's functionality.

    It is not intended to be used for regular tests of foreign servers.

    The server may be slow and is short on memory, so please don't expect miracles.


    © Achim Hoffmann 2023