OWASP - SSL advanced forensic tool is an easy-to-use tool to check various SSL/TLS-related configurations, behaviours and vulnerabilities. It’s a standalone tool and can be used in closed and very restricted environments.
Currently the tool is developed and maintained by a very small team. There is just enough time to keep the checks up to date, accommodating new vulnerabilities, behaviours, etc.
The Working Session will focus on the internal redesign and some improvements the tool needs to bring full power to its users.
- Improve checking of certificates
- Implement state-of-the-art checking of OCSP
- Improve checking of DH parameters and EC parameters
- Write post-processors for formatting the output; a lot of code is already there, but it needs to be extracted into new tools
- Implement fuzzing features using TLS-attacker
- Build a test suite, run automated tests
- Build a sophisticated knowledge database with search capabilities (probably using Python NLTK)
- Is there a need for a GTK-based GUI (i.e. using YAD)?
- Updated and more efficient O-Saft
- Improved tools
- New knowledge base
The target audience for this Working Session is:
- contributors to the tool
- users in general and users having special requirements
Draft for all the topics to be discussed and worked on during the session in Google Docs.
See “Working materials” above.
Create a Slack team, feel free to join the O-Saft team with your @owasp.org address (unfortunately Slack is toooo stupid to accept @gmail.com addresses).