O-Saft, the OWASP SSL advanced forensic tool, is an easy-to-use tool for checking various SSL/TLS-related configurations, behaviours and vulnerabilities. It’s a standalone tool and can be used in closed and very restricted environments.


Currently the tool is developed and maintained by a very small team. There is just enough time to keep the checks up to date, accommodating new vulnerabilities, behaviours, etc.

The Working Session will focus on the internal redesign and some improvements the tool needs to bring full power to its users.


  • Improve checking of certificates
  • Implement state-of-the-art checking of OCSP
  • Improve checking of DH parameters and EC parameters
  • Write post-processors for formatting the output; a lot of the code is already there and needs to be extracted into new tools
  • Implement fuzzing features using TLS-attacker
  • Build a test suite, run automated tests
  • Build a sophisticated knowledge database with search capabilities (probably using Python NLTK)
  • Is there a need for a GTK-based GUI (i.e. using YAD)?


  • Updated and more efficient O-Saft
  • Improved tools
  • New knowledge base


The target audience for this Working Session is:

  • contributors to the tool
  • users in general and users having special requirements

Working materials

There is a docs directory with documentation for developers on GitHub.

A draft of all the topics to be discussed and worked on during the session is in Google Docs.


See “Working materials” above.

Create a Slack team, feel free to join the O-Saft team with your @owasp.org address (unfortunately Slack is toooo stupid to accept @gmail.com addresses).
