7022 7023 7024 7025 7026 7027 7028 7029 7030 7031 7032 7033 7034 7035 7036 7037 7038 7039 7040 7041 7042 7043 7044 7045 7046 7047 7048 7049 7050 7051 7052 7053 7054 7055 7056 7057 7058 7059 7060 7061 7062 7063 7064 7065 7066 7067 7068 7069 7070 7071 7072 7073 7074 7075 7076 7077 7078 7079 7080 7081 7082 7083 7084 7085 7086 7087 7088 7089 7090 7091 7092 7093 7094 7095 7096 7097 7098 7099 7100 7101 7102 7103 7104 7105 7106 7107 7108 7109 7110 7111 7112 7113 7114 7115 7116 7117 7118 7119 7120 7121 7122 7123 7124 7125 7126 7127 7128 7129 7130 7131 7132 7133 7134 7135 7136 7137 7138 7139 7140 7141 7142 7143 7144 7145 7146 7147 7148 7149 7150 7151 7152 7153 7154 7155 7156 7157 7158 7159 7160 7161 7162 7163 7164 7165 7166 7167 7168 7169 7170 7171 7172 7173 7174 7175 7176 7177 7178 7179 7180 7181 7182 7183 7184 7185 7186 7187 7188 7189 7190 7191 7192 7193 7194 7195 7196 7197 7198 7199 7200 7201 7202 7203 7204 7205 7206 7207 7208 7209 7210 7211 7212 7213 7214 7215 7216 7217 7218 7219 7220 7221 7222 7223 7224 7225 7226 7227 7228 7229 7230 7231 7232 7233 7234 7235 7236 7237 7238 7239 7240 7241 7242 7243 7244 7245 7246 7247 7248 7249 7250 7251 7252 7253 7254 7255 7256 7257 7258 7259 7260 7261 7262 7263 7264 7265 7266 7267 7268 7269 7270 7271 7272 7273 7274 7275 7276 7277 7278 7279 7280 7281 7282 7283 7284 7285 7286 7287 7288 7289 7290 7291 7292 7293 7294 7295 7296 7297 7298 7299 7300 7301 7302 7303 7304 7305 7306 7307 7308 7309 7310 7311 7312 7313 7314 7315 7316 7317 7318 7319 7320 7321 7322 7323 7324 7325 7326 7327 7328 7329 7330 7331 7332 7333 7334 7335 7336 7337 7338 7339 7340 7341 7342 7343 7344 7345 7346 7347 7348 7349 7350 7351 7352 7353 7354 7355 7356 7357 7358 7359 7360 7361 7362 7363 7364 7365 7366 7367 7368 7369 7370 7371 7372 7373 7374 7375 7376 7377 7378 7379 7380 7381 7382 7383 7384 7385 7386 7387 7388 7389 7390 7391 7392 7393 7394 7395 7396 7397 7398 7399 7400 7401 7402 7403 7404 7405 7406 7407 7408 7409 7410 7411 7412 7413 7414 7415 7416 7417 7418 7419 7420 7421 
7422 7423 7424 7425 7426 7427 7428 7429 7430 7431 7432 7433 7434 7435 7436 7437 7438 7439 7440 7441 7442 7443 7444 7445 7446 7447 7448 7449 7450 7451 7452 7453 7454 7455 7456 7457 7458 7459 7460 7461 7462 7463 7464 7465 7466 7467 7468 7469 7470 7471 7472 7473 7474 7475 7476 7477 7478 7479 7480 7481 7482 7483 7484 7485 7486 7487 7488 7489 7490 7491 7492 7493 7494 7495 7496 7497 7498 7499 7500 7501 7502 7503 7504 7505 7506 7507 7508 7509 7510 7511 7512 7513 7514 7515 7516 7517 7518 7519 7520 7521 7522 7523 7524 7525 7526 7527 7528 7529 7530 7531 7532 7533 7534 7535 7536 7537 7538 7539 7540 7541 7542 7543 7544 7545 7546 7547 7548 7549 7550 7551 7552 7553 7554 7555 7556 7557 7558 7559 7560 7561 7562 7563 7564 7565 7566 7567 7568 7569 7570 7571 7572 7573 7574 7575 7576 7577 7578 7579 7580 7581 7582 7583 7584 7585 7586 7587 7588 7589 7590 7591 7592 7593 7594 7595 7596 7597 7598 7599 7600 7601 7602 7603 7604 7605 7606 7607 7608 7609 7610 7611 7612 7613 7614 7615 7616 7617 7618 7619 7620 7621 7622 7623 7624 7625 7626 7627 7628 7629 7630 7631 7632 7633 7634 7635 7636 7637 7638 7639 7640 7641 7642 7643 7644 7645 7646 7647 7648 7649 7650 7651 7652 7653 7654 7655 7656 7657 7658 7659 7660 7661 7662 7663 7664 7665 7666 7667 7668 7669 7670 7671 7672 7673 7674 7675 7676 7677 7678 7679 7680 7681 7682 7683 7684 7685 7686 7687 7688 7689 7690 7691 7692 7693 7694 7695 7696 7697 7698 7699 7700 7701 7702 7703 7704 7705 7706
|
#!/usr/bin/env perldoc
#?
# Generated by o-saft.pl .
# Unfortunately the format in @help is incomplete, for example proper =over
# and corresponding =back paragraph is missing. It is mandatory around =item
# paragraphs. However, to avoid tools complaining about that, =over and =back
# are added to each =item to avoid error messages in the viewer tools.
# Hence the additional indentations for text following the =item are missing.
# Tested viewers: podviewer, perldoc, pod2usage, tkpod
=pod
=encoding utf8
=head1 NAME
O-Saft - OWASP SSL advanced forensic tool
OWASP SSL audit for testers
=head1 DESCRIPTION
This tool lists information about the remote target's SSL certificate
and tests the remote target against a given list of ciphers.
Note: Throughout this description C<$0> is used as an alias for the
program name C<o-saft.pl>.
=head1 SYNOPSIS
o-saft.pl [COMMANDS ..] [OPTIONS ..] target [target target ...]
where [COMMANDS] and [OPTIONS] are described below and target is
a hostname either as fully qualified domain name or as IP address.
Multiple commands and targets may be combined.
All commands and options can also be specified in a rc-file, see
L</RC-FILE> below.
In general, all commands start with a C<+> character and options start with
C<-> or C<--> characters. Anything else is treated as target name.
=head1 QUICKSTART
Before going into a detailed description of the purpose and usage,
here are some examples of the most common use cases:
=over
=item * Show supported (enabled) ciphers of target:
=back
o-saft.pl +cipher --enabled example.tld
=over
=item * Show supported (enabled) ciphers with their DH parameters:
=back
o-saft.pl +cipher-dh example.tld
=over
=item * Test all ciphers, even if not supported by local SSL implementation:
=back
o-saft.pl +cipherall example.tld
=over
=item * Show details of certificate and connection of target:
=back
o-saft.pl +info example.tld
=over
=item * Check certificate, ciphers and SSL connection of target:
=back
o-saft.pl +check example.tld
=over
=item * Check connection to target for vulnerabilities:
=back
o-saft.pl +vulns example.tld
=over
=item * Check for all known ciphers (independent of SSL library):
=back
o-saft.pl +cipherraw example.tld --range=full
checkAllCiphers.pl example.tld
checkAllCiphers.pl example.tld --range=full --v
=over
=item * Get the certificate's Common Name for a bunch of servers:
=back
o-saft.pl +cn example.tld some.tld other.tld
=over
=item * List more usage examples
=back
o-saft.pl --help=examples
=over
=item * List all available commands:
=back
o-saft.pl --help=commands
=over
=item * Get table of contents for complete help
=back
o-saft.pl --help=toc
=over
=item * Show just one section, for example SECURITY, from help
=back
o-saft.pl --help=SECURITY
=over
=item * Start the simple GUI
=back
o-saft.tcl
=over
=item * Start the simple GUI which uses o-saft.pl in a Docker image
=back
o-saft.tcl --docker
For more specialised test cases, refer to the sections L</COMMANDS> and
L</OPTIONS> below. For more examples please refer to L</EXAMPLES> section.
For more details, please see L</Requirements> and L</INSTALLATION> below.
=head1 WHY?
Why a new tool for checking SSL security and configuration when there
are already a dozen or more such good tools in existence (in 2012)?
Unique features:
=over
=item * working in closed environments, i.e. without internet connection
=back
=over
=item * checking availability of ciphers independent of installed library
=back
=over
=item * checking for all possible ciphers (up to 65535 per SSL protocol)
=back
=over
=item * mainly same results on all platforms.
=back
Currently available tools suffer from some or all of the following issues:
=over
=item * lack of tests of unusual SSL certificate configurations
=back
=over
=item * may return different results for the same checks on given target
=back
=over
=item * missing tests for modern SSL/TLS functionality
=back
=over
=item * missing tests for specific, known SSL/TLS vulnerabilities
=back
=over
=item * no support for newer, advanced, features e.g. CRL, OCSP, EV
=back
=over
=item * limited capability to create your own customised tests
=back
Other reasons or problems are that other tools are either binary or
use additional binaries and hence are not portable to other platforms.
In contrast to (all?) most other tools, including L<openssl(1)|openssl(1)>, it can
be used to "ask simple questions" like "does target support STS" just
by calling:
o-saft.pl +hsts_sts example.tld
For more, please see L</EXAMPLES> section below.
If it should run on systems with old software (perl or perl modules),
please see L</DEBUG> section below.
=head1 SECURITY
This tool is designed to be used by people doing security or forensic
analyses. Hence no malicious input is expected.
There are no special security checks implemented. Some parameters are
roughly sanitised against unwanted characters. In particular there
are no checks against any kind of code injection.
Care should be taken, when additional tools and modules are installed
as described in L</INSTALLATION> below. In particular it is recommended
to do these installations into directories specially prepared for use
with o-saft.pl . No other tools of your system should use these installations
i.e. by accident or because your environment variables point to them.
Note that compilation and installation of additional tools (openssl,
Net::SSLeay, etc.) uses known insecure configurations and features!
This is essential to make o-saft.pl able to check for such insecurities.
It is highly recommended to do these installations and use the tools
on a separate testing system.
B<DO NOT USE THESE INSTALLATIONS ON PRODUCTION SYSTEMS.>
=head1 CONCEPTS
The purpose of O-Saft is to do the work, not to force the user to
learn a new tool or to install "newer" software first.
However, the user "should do something" if necessary depending on the
reported results.
=head2 Results
Results of checks are marked C<yes> or C<no>. This leaves the proper
interpretation, if the result is "good" or "bad", to the user.
Background: it is not always possible to rate a result as "good" or
"bad" or "insecure" or whatever. That's why O-Saft cannot give
"the best" or a "proper" recommendation. In practice it depends on the
context what a recommendation or countermeasure should be. That's why
all results are marked C<yes> or C<no> if considered "questionable"
or "not good" (for example according to other checks).
... more coming soon ...
=head1 TECHNICAL INFORMATION
It is important to understand which of the provided information is based
on data returned by the underlying (used) libraries and which information
is computed directly.
=head2 OpenSSL, libssl, libcrypto
In general the tool uses perl's L<Net::SSLeay(1)|Net::SSLeay(1)> module which itself
is based on libssl and/or libssleay library of the operating system.
It's possible to use other versions of these libraries, see options:
=over
=item * --exe-path=PATH --exe=PATH
=back
=over
=item * --lib-path=PATH --lib=PATH
=back
=over
=item * --envlibvar=NAME
=back
The external L<openssl(1)|openssl(1)> is called to extract some information from
its output. The version of openssl can be controlled with following
options:
=over
=item * --openssl=TOOL
=back
=over
=item * --no-openssl
=back
=over
=item * --force-openssl
=back
=over
=item * --exe-path=PATH --exe=PATH
=back
The above applies to all commands except I<+cipherall> and I<+cipherraw>,
which use no other libraries.
OpenSSL is recommended to be used for libssl and libcrypto. Versions
0.9.8k to 1.0.2e (Jan. 2016) are known to work. However, versions
before 1.0.0 may not provide all information.
LibreSSL is not recommended, because some functionality considered
insecure has been removed.
For more details, please see L</INSTALLATION> below.
=head2 Certificates and CA
All checks regarding the validity of the certificate chain are based
on the root CAs installed on the system. NOTE that L<Net::SSLeay(1)|Net::SSLeay(1)> and
L<openssl(1)|openssl(1)> may have their own rules where to find the root CAs.
Please refer to the documentation on your system for these tools.
However, there are the following options to tweak these rules:
=over
=item * --ca-file=FILE
=back
=over
=item * --ca-path=DIR
=back
=over
=item * --ca-depth=INT
=back
=head2 Commands and options
All arguments starting with C<+> are considered L</COMMANDS> for this
tool. All arguments starting with C<--> are considered L</OPTIONS> for
this tool.
Reading any data from STDIN or here-documents is not yet supported.
It's reserved for future use.
=head2 Environment variables
Following environment variables are incorporated:
=over
=item * LD_LIBRARY_PATH - used and extended with definitions from options
=back
=over
=item * OPENSSL - if set, full path to openssl executable
=back
=over
=item * OPENSSL_CONF - if set, full path to openssl's openssl.cnf or directory where to find openssl.cnf
=back
=head2 Requirements
For checking all ciphers and all protocols with I<+cipherall> command,
just perl (5.x) without any modules is required.
For I<+info> and I<+check> (and all related) commands, perl (5.x) with
following modules (minimal version) is recommended:
=over
=item * IO 1.25 (2011)
=back
=over
=item * IO::Socket::INET 1.37 (2011)
=back
=over
=item * IO::Socket::SSL 1.90 (2013)
=back
=over
=item * Net::DNS 0.66 (2011)
=back
=over
=item * Net::SSLeay 1.49 (2012)
=back
However, it is recommended to use the most recent version of the
modules which then gives more accurate results and fewer warnings. If the
modules are missing, they can be installed e.g. with:
cpan Net::SSLeay
Note: if you want to use advanced features of openssl or Net::SSLeay,
please see L</INSTALLATION> section how to compile and install the tools
fully customized.
Also an openssl executable should be available, but is not mandatory.
For checking DH parameters of ciphers, openssl 1.0.2 or newer should
be available. If an older version of openssl is found, we try hard to
extract the DH parameters from the data returned by the server, see
I<+cipher-dh> command.
If you need to run on systems with older perl or perl module versions
please refer to the L</DEBUG> section for more information.
=head1 RESULTS
All output is designed to be easily parsed by postprocessors. Please
see L</OUTPUT> section below for details.
For the results, we have to distinguish those returned by I<+cipher>
command and those from all other tests and checks like I<+check> or
I<+info> command.
=head3 +cipher
The cipher checks will return one line for each tested cipher. It
contains at least the cipher name, C<yes> or C<no> whether it is
supported or not, and a security qualification. It may look like:
AES256-SHA yes HIGH
NULL-SHA no weak
Depending on the used I<--legacy=*> option the format may differ and
also contain more information. For details see I<--legacy=*> option
below.
The text for security qualifications are (mainly) those returned by
openssl (version 1.0.1): LOW, MEDIUM, HIGH and WEAK.
The same texts, but with all lower case characters, are used if the
qualification was adapted herein. Following rules for adjusting the
qualification were used:
=over
=item * weak:
=back
=over
=item ** all *NULL* ciphers
=back
=over
=item ** all *RC2* and *RC4* ciphers
=back
=over
=item ** all *EXPORT* ciphers
=back
=over
=item ** all *anon* (aka ADH aka DHA) ciphers
=back
=over
=item ** all *CBC* and *CBC3* (aka 3DES) and DES ciphers
=back
=over
=item * low:
=back
=over
=item * high:
=back
=over
=item ** all *AES(128|256)* ciphers
=back
=over
=item ** all *CAMELLIA* ciphers
=back
=head3 +check
These tests return a line with a label describing the test and a
test result for it. The idea is to report C<yes> if the result is
considered "secure" otherwise report C<no> followed by the reason
why it's considered insecure. Example of a check considered secure:
Label of the performed check: yes
Example of a check considered insecure:
Label of the performed check: no (reason why)
Note that there are tests where the results appear confusing when
first viewed, like for www.wi.ld:
Certificate is valid according given hostname: no (*.wi.ld)
Certificate's wildcard does not match hostname: yes
This can for example occur with:
Certificate Common Name: *.wi.ld
Certificate Subject's Alternate Names: DNS:www.wi.ld
Please check the result with the I<+info> command also to verify if
the check sounds reasonable.
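
A post-processing sketch for the two line formats described above, as an added Python example (not part of O-Saft). It assumes the default layout shown in this section; the sample lines are constructed, and a lower-case rating is reported as one that O-Saft adapted rather than took from openssl.

```python
import re

# Constructed sample in the layout shown above; the RC4-SHA line is made up
# for this example, the other lines are the ones quoted in the documentation.
SAMPLE = """\
AES256-SHA yes HIGH
NULL-SHA no weak
RC4-SHA yes weak
Certificate is valid according given hostname: no (*.wi.ld)
Certificate's wildcard does not match hostname: yes
"""

# +cipher line: cipher name, yes/no (supported), security qualification
CIPHER_RE = re.compile(
    r"^(?P<cipher>[A-Za-z0-9_-]+)\s+(?P<supported>yes|no)\s+(?P<rating>[A-Za-z]+)$"
)
# +check line: "Label: yes" or "Label: no (reason why)"
CHECK_RE = re.compile(
    r"^(?P<label>.+?):\s+(?P<result>yes|no)(?:\s+\((?P<reason>.*)\))?$"
)


def parse_report(text):
    """Sort output lines into cipher results, check results and the rest."""
    report = {"ciphers": [], "checks": [], "unparsed": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = CIPHER_RE.match(line)
        if match:
            report["ciphers"].append(match.groupdict())
            continue
        match = CHECK_RE.match(line)
        if match:
            report["checks"].append(match.groupdict())
            continue
        # Keep anything unknown so a format change is noticed, not dropped.
        report["unparsed"].append(line)
    return report


def weak_supported(report):
    """Ciphers the target accepts although they are rated weak or low.

    Returns (cipher, rating, adapted); adapted is True when the rating is
    lower case, i.e. it was adjusted by O-Saft and not returned by openssl.
    """
    return [
        (c["cipher"], c["rating"], c["rating"].islower())
        for c in report["ciphers"]
        if c["supported"] == "yes" and c["rating"].lower() in ("weak", "low")
    ]


def failed_checks(report):
    """Checks reported as "no", with the reason given in parentheses."""
    return [
        (c["label"], c["reason"])
        for c in report["checks"]
        if c["result"] == "no"
    ]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for cipher, rating, adapted in weak_supported(parsed):
        source = "adapted by O-Saft" if adapted else "openssl"
        print(f"accepted weak cipher: {cipher} ({rating}, {source})")
    for label, reason in failed_checks(parsed):
        print(f"failed check: {label} -> {reason}")
```

Note that "yes" means "supported" on a cipher line but "considered secure" on a check line, so the two kinds of lines must not be filtered with the same rule.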
=head3 +info
The test result contains detailed information. The labels there are
mainly the same as for the I<+check> command.
=head1 COMMANDS
There are commands for various tests of the SSL connection to
the target, the target's certificate and the ciphers used.
All commands are preceded by a C<+> to easily distinguish them from other
arguments and options. However, some I<--OPTIONS> options are treated as
commands for historical reasons or compatibility with other programs.
The most important commands are (in alphabetical order):
I<+check> I<+cipher> I<+info> I<+http> I<+list> I<+quick> I<+sni> I<+sni_check> I<+version>
A list of all available commands will be printed with:
o-saft.pl --help=cmds
The description of all other commands will be printed with:
o-saft.pl --header --help=commands
The summary and internal commands return requested information or the
results of checks. These are described below.
Note that some commands may be a combination of other commands, see:
o-saft.pl --header --help=intern
The following sub-sections only describe the commands, which do more
than giving a simple information from the target. All other commands
can be listed with:
o-saft.pl --header --help=commands
The final sub-section L</Notes about commands> contains some notes
about special commands and related commands.
=head2 Commands for information about this tool
All these commands will exit after execution (cannot be used together
with other commands).
=head3 +ciphers
Show ciphers offered by local SSL implementation.
This command prints the ciphers in a format like "openssl ciphers"
does. It also accepts the -v and -V option. The I<--legacy=TYPE>
option can be used as described for I<+list> command.
Use I<+list> command for more information about ciphers.
=head3 +list
Show all ciphers supported by this tool. This includes cryptographic
details of the cipher and some internal details about the rating.
In contrast to the I<+ciphers> command, I<+list> uses TAB characters
instead of spaces to separate columns. It also prints table header
lines by default.
Different output formats are used for the I<--legacy> option:
=over
=item * --legacy=simple tabular output of cipher values
=back
=over
=item * --legacy=full as --legacy=simple but more data
=back
=over
=item * --legacy=openssl output like with +ciphers command
=back
=over
=item * --legacy=ssltest output like "ssltest --list"
=back
=head3 +VERSION
Just show version and exit.
=head3 +version
Show version information for both the program and the Perl modules
that it uses, then exit.
Use I<--v> option to show more details.
=head3 +libversion
Show version of openssl.
=head3 +quit
Show internal data and exit, used for testing and debugging only.
Please see L</TESTING> below.
=head2 Commands to check SSL details
Following (summary and internal) commands are simply a shortcut for a
list of other commands. For details of the list use:
o-saft.pl --help=intern
=head3 +check
Check the SSL connection for security issues. Implies I<+cipher> .
=head3 +host
Print details about the target's hostname, DNS, etc.
These details are usually printed only for the I<+check> and I<+info>
command, but not for any individual command.
=head3 +http
Perform HTTP checks (like STS, redirects etc.).
=head3 +info
Overview of most important details of the SSL connection.
Use I<--v> option to show details also, which span multiple lines.
=head3 +info--v
Overview of all details of the SSL connection. It is a shortcut for
all commands listed below but not including I<+cipher>.
This command is intended for debugging as it prints some details of
the used L<Net::SSLinfo|Net::SSLinfo> module.
=head3 +quick
Quick overview of checks. Implies I<--enabled> and I<--label=short>.
=head3 +pfs
Check if server offers ciphers with perfect forward secrecy (PFS).
=head3 +protocols
Check for protocols supported by target.
=head3 +vulns
Check for various vulnerabilities.
=head3 +sts
=head3 +hsts
Various checks of the STS HTTP header.
This option implies I<--http>, means that I<--no-http> is ignored.
=head3 +sni
Check for Server Name Indication (SNI) usage.
=head3 +sni_check
=head3 +check_sni
Check for Server Name Indication (SNI) usage and validity of all
names (CN, subjectAltName, FQDN, etc.).
=head3 +bsi
Various checks for BSI TR-02102-2 and TR-03116-4 compliance.
=head3 +ev
Various checks of the certificate's Extended Validation (EV).
Hint: use option I<--v> I<--v> to get information about failed checks.
=head3 +sizes
Check length, size and count of some values in the certificate.
=head3 +s_client
Dump data retrieved from "openssl s_client ..." call. This should
be used for debugging only.
It can be used just like openssl itself, for example:
openssl s_client -connect host:443 -no_sslv2
=head3 +dump
Dumps internal data for SSL connection and target certificate. This
is mainly for debugging and should not be used together with other
commands (except I<+cipher>).
Each key-value pair is enclosed in C<#{> and C<#}> .
Using I<--trace> I<--trace> dumps data of L<Net::SSLinfo|Net::SSLinfo> too.
=head3 +exec
Command used internally when requested to use other libraries.
This command should not be used directly.
=head2 Commands to test ciphers provided by target
Besides the description of the commands themselves here, please see also
L</Notes about commands> below.
=head3 +cipher
Check target for ciphers, either all ciphers, or ciphers specified
with I<--cipher=CIPHER> option.
Note that ciphers not supported by the local SSL implementation are
not checked by default, use I<+cipherall> or I<+cipherraw> command.
Use I<--v> option to see all ciphers being checked.
=head3 +cipherraw
Check target for all possible ciphers.
Does not depend on local SSL implementation.
In contrast to I<+cipher> this command has some options to tweak the
cipher tests, connection results and some strange behaviours of the
target. See L</Options for cipherall and cipherraw command> for
details.
=head3 +cipherall
Same as I<+cipherraw> but output format similar to I<+cipher> command.
=head3 +cipher-default
Lists the cipher selected by the server for each protocol sometimes
referred to as "default cipher".
For each protocol the two selected ciphers are shown, one returned
by the server if the cipher list in the ClientHello is sorted with
the strongest cipher first, and one returned if the cipher list in
the ClientHello is sorted with strongest cipher last.
See L</Notes about commands> for details.
=head3 +cipher-dh
Check target for ciphers. All ciphers supported by the server are
printed with their DH or ECDH parameters (if available).
=head3 +null
=head3 +cipher-null
Check if target accepts NULL ciphers.
=head3 +adh
=head3 +cipher-adh
Check if target accepts ciphers with anonymous key exchange.
=head3 +export
=head3 +cipher-exp
Check if target accepts EXPORT ciphers.
=head3 +cbc
=head3 +cipher-cbc
Check if target accepts CBC ciphers.
=head3 +des
=head3 +cipher-des
Check if target accepts DES ciphers.
=head3 +cipher-rc4
Check if target accepts RC4 ciphers.
=head3 +edh
=head3 +cipher-edh
Check if target supports ephemeral ciphers.
=head3 +cipher-pfs
Check if target supports ciphers with PFS.
=head3 +cipher-strong
Check if target selects strongest cipher.
=head3 +cipher-weak
Check if target selects weak cipher (opposite of I<+cipher-strong>).
=head2 Discrete commands to test SSL connection and certificate details
Discrete commands, please see:
o-saft.pl --help=commands
=head2 Notes about commands
=head3 +cipher vs. +cipherall
I<+cipher> can only check for ciphers - more precisely: cipher suites -
provided by the local SSL implementation (i.e. libssl).
I<+cipherall> can check for any cipher, as it just uses the cipher's
integer value in the range 0 .. 65532.
=head3 +cipherall vs. +cipherraw
These commands are identical, just the output format is different.
=head3 +cipher vs. +cipher-dh
While I<+cipher> prints checked ciphers, I<+cipher-dh> prints ciphers
with their DH or ECDH parameters (if available) only for supported
ciphers.
=head3 +cipher vs. +cipher-default
Both commands show the default cipher for each protocol.
I<+cipher> lists a summary of ciphers selected by the server for each
protocol requested by the user (for example by using options like:
I<--sslv3> I<--tlsv1> etc.). When the I<--v> option is used, all selected
ciphers for all known protocols are listed. This summary focuses on
counts for various ciphers.
I<+cipher-default> lists the cipher selected by the server for each
protocol.
=head3 +cipher-selected vs. +cipher-default
I<+selected> lists the cipher selected by the server if no particular
protocol was specified and the system's default cipher list is sent
in the ClientHello to the server.
I<+cipher-default> lists the cipher selected by the server for each
protocol.
=head3 +cipher-strong vs. +cipher-default
I<+strong-cipher> shows the result of the check if strong ciphers are
preferred by the server. It is a check command.
I<+cipher-default> lists the cipher selected by the server for each
protocol. It is an information command.
It is not possible to check if a server uses C<SSLHonorCipherOrder>.
Even if it is used (switched on), it is not possible to check the
specified order of the ciphers.
In general it is expected that the order follows the cipher suite's
strength, meaning the strongest first, and the weakest last.
It does not make sense to use an order where a weak cipher precedes
a stronger one. Such a (mis-)configuration should be detected.
Having this in mind, the algorithm to detect a proper cipher order
is simply as follows:
1. pass sorted cipher list with strongest cipher first
2. pass sorted cipher list with strongest cipher last
If the server returns the same cipher for both checks, it's assumed
that it prefers to use the strongest cipher. In this case it's
obvious that C<SSLHonorCipherOrder> is set (exceptions see below).
I<+cipherall> uses a more accurate algorithm to detect the server's
cipher order.
Exceptions:
If either the server or the client uses only one cipher suite in
the list, SSLHonorCipherOrder cannot be detected at all.
The same happens, if only one cipher in the client's list matches a
cipher in the server's list.
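
The two-probe check and its exceptions, modelled as an added Python example (not O-Saft code). The server models, cipher names and strength ranks are constructed for illustration; the example also reports the case where the server returns the same cipher for both probes but that cipher is not the strongest one both sides share, which is the mis-configuration mentioned above.

```python
# Constructed strength ranking (higher is stronger); illustrative only.
STRENGTH = {
    "ECDHE-RSA-AES256-GCM-SHA384": 4,
    "AES256-SHA": 3,
    "AES128-SHA": 2,
    "RC4-SHA": 1,
}


def server_select(client_list, server_list, honor_order):
    """Cipher a simulated server picks from the ClientHello list, or None."""
    common = [c for c in client_list if c in server_list]
    if not common:
        return None
    if honor_order:
        # Server walks its own list and takes the first cipher the client
        # also offers (the SSLHonorCipherOrder behaviour).
        return next(c for c in server_list if c in common)
    # Otherwise the first acceptable cipher in the client's order wins.
    return common[0]


def probe_cipher_order(client_ciphers, server_list, honor_order):
    """Run both probes and interpret the pair of answers.

    Returns (cipher for strongest-first, cipher for strongest-last, verdict).
    """
    strongest_first = sorted(client_ciphers, key=STRENGTH.__getitem__, reverse=True)
    strongest_last = strongest_first[::-1]
    first = server_select(strongest_first, server_list, honor_order)
    second = server_select(strongest_last, server_list, honor_order)

    # Ciphers both sides know, strongest first; unknown to a real client,
    # used here only to explain the verdict.
    shared = [c for c in strongest_first if c in server_list]
    if len(shared) < 2:
        # Exception from the text: with one (or no) shared cipher both
        # probes must return the same answer, so nothing can be concluded.
        verdict = "undetectable"
    elif first != second:
        verdict = "client order followed"
    elif first == shared[0]:
        verdict = "server prefers strongest"
    else:
        verdict = "server prefers weaker cipher"
    return first, second, verdict


if __name__ == "__main__":
    client = list(STRENGTH)
    cases = {
        "honors own order": (["AES256-SHA", "AES128-SHA", "RC4-SHA"], True),
        "follows client": (["AES256-SHA", "AES128-SHA", "RC4-SHA"], False),
        "weak cipher first": (["RC4-SHA", "AES256-SHA"], True),
        "single shared cipher": (["AES128-SHA"], False),
    }
    for name, (server_list, honor) in cases.items():
        print(name, probe_cipher_order(client, server_list, honor))
```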
=head3 +extensions vs. +tlsextensions
I<+extensions> shows the "Certificate extensions" and I<+tlsextensions>
will show the TLS protocol extensions.
Use I<+tlsextdebug> to show more information about the TLS protocol
extensions.
=head3 +http2 +spdy +spdy3 +spdy31 +spdy4 +prots
These commands are just an alias for the I<+protocols> command.
=head3 +hostname vs. +wildhost vs. +altname vs. +rfc_2818
The commands I<+cn> and I<+altname> print the information stored in
the certificate.
The command I<+hostname> checks if the given hostname matches the CN
value in the certificate. Note that wildcard names in the CN are only
allowed to contain one C<*>.
The command I<+wildcard> checks if the given hostname does not match
any name specified in the certificate's "subjectAltname". This check
is useful if the certificate and the configuration must comply with
RFC 6125 or EV certificates.
=head1 OPTIONS
All options are written in lowercase. Words written in all capitals in
the description here are text provided by the user.
=head2 Options for help and documentation
=head3 --h
=head3 --help
B<WYSIWYG>
=head3 --help=cmds
Show available commands; short form.
=head3 --help=commands
Show available commands with short description.
=head3 --help=opt
Show available options; short form.
=head3 --help=options
Show available options with their description.
=head3 --help=checks
Show available checks.
=head3 --help=tools
Description of tools around O-Saft, when, where and how to use.
=head3 --help=cmd
Show additional and user specified commands.
=head3 --help=cfg-cmd
Show additional and user specified commands. Output can be used in
L</RC-FILE> or as option.
=head3 --help=check-cfg
=head3 --help=cfg-check
Show texts used as labels in output for checks (see I<+check>) ready
for use in L</RC-FILE> or as option.
=head3 --help=data
Show available information.
=head3 --help=data-cfg
=head3 --help=cfg-data
=head3 --help=cfg-info
Show texts used as labels in output for data (see I<+info>) ready
for use in L</RC-FILE> or as option.
=head3 --help=hint
Show texts used in hint messages.
=head3 --help=hint-cfg
=head3 --help=cfg-hint
Show texts used in hint messages ready for use in L</RC-FILE> or as
option.
=head3 --help=text
Show texts used in various messages.
=head3 --help=text-cfg
=head3 --help=cfg-text
Show texts used in various messages ready for use in L</RC-FILE> or
as option.
=head3 --help=legacy
Show possible legacy formats (used as value in I<--legacy=TOOL>).
=head3 --help=compliance
Show available compliance checks.
=head3 --help=intern
Show internal commands.
=head3 --help=alias
Show alias for commands and options.
=head3 --help=pattern
Show list of cipher patterns (used for I<--cipher=CIPHER>).
=head3 --help=range
Show list of cipher ranges (see I<--cipherrange=RANGE>).
=head3 --help=score
Show score value for each check.
Value is printed in format to be used for I<--cfg-score=KEY=SCORE>.
Note that the sequence of options is important. Use the options
I<--trace> and/or I<--cfg-score=KEY=SCORE> before I<--help=score>.
=head3 --help=toc
=head3 --help=content
Show headlines from help text. Useful to get an overview.
=head3 --help=SECTION
Show C<SECTION> from documentation, see I<--help=toc> for a list.
Example:
o-saft.pl --help=EXAMPLES
=head3 --help=ourstr
Show regular expressions to match our own strings used in output.
=head3 --help=regex
Show regular expressions used internally.
=head3 --help=gen-html
Print documentation in HTML format.
=head3 --help=gen-pod
Print documentation in POD format.
=head3 --help=gen-wiki
Print documentation in mediawiki format.
=head3 --help=gen-cgi
Print documentation in format to be used for CGI.
=head3 --help=error
=head3 --help=warning
=head3 --help=problem
Show L</KNOWN PROBLEMS> section with description of known error and
warning messages.
=head3 --help=faq
Show L</KNOWN PROBLEMS> and L</LIMITATIONS> section.
=head3 --help=glossary
Show common abbreviations used in the world of security.
=head3 --help=links
Show list of URLs related to SSL/TLS.
=head3 --help=rfc
Show list of RFC related to SSL/TLS.
=head3 --help=todo
Show known problems and bugs.
=head3 --help=exit
Show possible I<--exit=KEY> options. Used for debugging only.
=head3 --help=program.code
For developers.
=head2 Options for all commands (general)
=head3 --dns
Do DNS lookups to map given hostname to IP, do a reverse lookup.
=head3 --no-dns
Do not make DNS lookups.
Note that the corresponding IP and reverse hostname may be missing
in some messages then.
=head3 --host=HOST
Specify HOST as target to be checked. Legacy option.
=head3 --port=PORT
Specify PORT of target to be used. Legacy option.
=head3 --host=HOST --port=PORT HOST:PORT HOST
When more than one HOST argument is given, the order of the HOST
arguments and of the I<--port=PORT> and I<--host=HOST> options is
important.
The rule for mapping ports to hosts is as follows:
=over
=item * HOST:PORT arguments are used as is (connection to HOST on PORT)
=item * if only HOST is given, the previously specified I<--port=PORT> is used
=back
Note that URLs are treated as HOST:PORT, if they contain a port.
Example:
o-saft.pl +cmd host-1 --port 23 host-2 host-3:42 host-4
will connect to:
=over
=item * host-1:443
=item * host-2:23
=item * host-3:42
=item * host-4:23
=back
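The mapping rule above, modelled as a small shell function to preview which endpoints a command line will reach (an added example, not o-saft code). C<osaft_targets> is a hypothetical name; the model assumes the default port 443 seen in the host-1 result, lets I<--host> take the last given port, and ignores URLs and IPv6 literals.

```shell
#!/bin/sh
# Added example, not o-saft code: simplified model of the HOST/PORT mapping.
# Assumptions: default port 443 (from the host-1 result above), --host uses
# the most recent --port, URLs and IPv6 literals are not handled.

# osaft_targets ARG...
# Prints one HOST:PORT per line, in the order connections would be made.
osaft_targets() {
    _port=443
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --port=*) _port="${1#--port=}" ;;
            --port)   if [ "$#" -ge 2 ]; then _port="$2"; shift; fi ;;
            --host=*) echo "${1#--host=}:$_port" ;;
            --host)   if [ "$#" -ge 2 ]; then echo "$2:$_port"; shift; fi ;;
            +*|-*)    ;;                    # commands and all other options
            *:*)      echo "$1" ;;          # HOST:PORT is used as is
            *)        echo "$1:$_port" ;;   # bare HOST: last --port applies
        esac
        shift
    done
}
```

A HOST:PORT argument does not change the port used for later bare hosts, which is why host-4 is reached on port 23 and not 42.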
=head3 --proxyhost=PROXYHOST --proxy=PROXYHOST:PROXYPORT
Make all connections to target using PROXYHOST.
Also possible is: I<--proxy=PROXYUSER:PROXYPASS@PROXYHOST:PROXYPORT>
=head3 --proxyport=PROXYPORT
Make all connections to target using PROXYHOST:PROXYPORT.
=head3 --proxyuser=PROXYUSER
Specify username for proxy authentication.
=head3 --proxypass=PROXYPASS
Specify password for proxy authentication.
=head3 --starttls
Use C<STARTTLS> command to start a TLS connection via SMTP.
This option is a shortcut for I<--starttls=SMTP> .
=head3 --starttls=SMTP
=head3 --starttls=PROT
Use C<STARTTLS> command to start a TLS connection via protocol.
C<PROT> may be any of: C<SMTP>, C<IMAP>, C<IMAP2>, C<POP3>, C<FTPS>,
C<RDP>, C<LDAP> or C<XMPP> .
For I<--starttls=SMTP> see I<--dns-mx> also to use MX records instead
of host
=head3 --starttls-delay=SEC
Number of seconds to wait before sending a packet, to slow down the
C<STARTTLS> requests. Default is 0.
This may prevent blocking of requests by the target due to too many
or too frequent connections.
Note: In this case there is an automatic suspension and retry with
a longer delay.
=head3 --cgi
=head3 --cgi-exec
Internal use for CGI mode only.
=head2 Options for SSL tool
=head3 --rc
Read L</RC-FILE> if exists, from directory where program was found.
=head3 --no-rc
Do not read L</RC-FILE>.
=head3 --exitcode
The exit status code will be greater than 0 if any of the following
applies:
=over
=item * any check returns C<no>
=item * insecure protocols are available
=item * insecure ciphers are supported
=item * ciphers without PFS are supported (disable with --exitcode-cipher)
=back
In particular, the status code will be the total count of all these
checks.
Parts of these checks can be disabled, see I<--exitcode-*> options
below.
This functionality is experimental and may change in the future.
=head3 --exitcode-no-checks
Do not count checks with result C<no> for I<--exitcode> .
=head3 --exitcode-no-low --exitcode-no-weak --exitcode-no-medium
Do not count LOW, WEAK or MEDIUM security ciphers for I<--exitcode> .
=head3 --exitcode-no-ciphers
Do not count any ciphers for I<--exitcode> .
=head3 --exitcode-no-pfs
Do not count ciphers without PFS for I<--exitcode> .
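A CI wrapper built on the exit status described above (an added example, not part of o-saft). C<tls_gate_one>, C<tls_gate_all>, C<OSAFT> and C<TLS_GATE_LOGDIR> are hypothetical names; because a POSIX exit status holds only 8 bits, the wrapper treats any non-zero status as a failure instead of reading it as an exact count.

```shell
#!/bin/sh
# Added example (not part of o-saft): gate a CI job on "o-saft.pl --exitcode".
# OSAFT and TLS_GATE_LOGDIR are hypothetical variables of this wrapper; only
# options documented on this page are passed to the scanner.

OSAFT="${OSAFT:-o-saft.pl}"

# tls_gate_one TARGET [OPTION...]
# Prints "TARGET pass", "TARGET fail STATUS" or "TARGET error";
# returns 0, 1 or 2 respectively.
tls_gate_one() {
    _target="$1"
    shift
    # A missing scanner would surface as status 127, which cannot be told
    # apart from 127 counted findings, so check for it before running.
    if ! command -v "$OSAFT" >/dev/null 2>&1; then
        echo "$_target error"
        return 2
    fi
    # Keep the full scanner output per target for later review.
    _name=$(printf '%s' "$_target" | tr -c 'A-Za-z0-9.' '_')
    _log="${TLS_GATE_LOGDIR:-.}/osaft-$_name.log"
    if "$OSAFT" +check --exitcode "$@" "$_target" >"$_log" 2>&1; then
        echo "$_target pass"
        return 0
    else
        _status=$?
    fi
    # The status is documented as a count, but POSIX keeps only its low
    # 8 bits: treat any non-zero value as failure, not as an exact metric.
    echo "$_target fail $_status"
    return 1
}

# tls_gate_all "OPTIONS" TARGET...
# Scans every target (no early exit, so one run reports all failures) and
# returns the worst result: 0 all pass, 1 findings, 2 scanner not runnable.
tls_gate_all() {
    _opts="$1"
    shift
    _worst=0
    for _t in "$@"; do
        # $_opts is split on whitespace on purpose: it may hold several
        # --exitcode-no-* options that relax the policy.
        if tls_gate_one "$_t" $_opts; then _r=0; else _r=$?; fi
        if [ "$_r" -gt "$_worst" ]; then _worst=$_r; fi
    done
    return "$_worst"
}
```

Typical use in a pipeline step: C<tls_gate_all "--exitcode-no-medium" host-1 host-2:8443>, failing the job on any non-zero return.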
=head3 --openssl-s_client --s_client
Use "openssl s_client ..." call to retrieve more information from
the SSL connection. This is disabled by default on Windows because
of performance problems. Without this option (default on Windows!)
the following information is missing:
compression, expansion, renegotiation, resumption,
selfsigned, verify, chain, protocols, DH parameters
See L<Net::SSLinfo|Net::SSLinfo> for details.
If used together with I<--trace>, s_client data will also be printed
in debug output of L<Net::SSLinfo|Net::SSLinfo>.
=head3 --no-openssl
Do not use external "openssl" tool to retrieve information. Use of
"openssl" is disabled by default on Windows.
Note that this results in some missing information, see above.
=head3 --openssl=TOOL
C<TOOL> can be a path to openssl executable; default: openssl
=head3 --openssl-cnf=FILE --openssl-conf=FILE
C<FILE> path of directory or full path of openssl.cnf
If set, environment variable OPENSSL_CONF will be set to given path
(or file) when L<openssl(1)|openssl(1)> is started. Please see openssl's man page
for details about specifying alternate openssl.cnf files.
=head3 --openssl-ciphers --force-openssl
Use openssl to check for supported ciphers; default: L<IO::Socket(1)|IO::Socket(1)>
This option forces the use of "openssl s_client -connect CIPHER .." to
check if a cipher is supported by the remote target. This is useful
if the I<--lib=PATH> option doesn't work (for example due to changes
of the API or other incompatibilities).
=head3 --exe-path=PATH
=head3 --exe=PATH
C<PATH> is a full path where to find openssl.
=head3 --lib-path=PATH
=head3 --lib=PATH
C<PATH> is a full path where to find libssl.so, libcrypto.so.
See L</HACKER's INFO> below for a detailed description how it works.
=head3 --envlibvar=NAME
C<NAME> is the name of an environment variable containing additional
paths for searching dynamic shared libraries.
Default is LD_LIBRARY_PATH.
Check your system for the proper name, i.e.:
DYLD_LIBRARY_PATH, LIBPATH, RPATH, SHLIB_PATH.
=head3 --ssl-error
The connection to a target may fail, or even block, for various
reasons, for example complete loss of network, blocking at a firewall, etc.
In particular when checking ciphers with I<+cipher>, this may result
in long delays until results are printed.
Using this option stops further connection attempts to the target
when I<--ssl-error-max=CNT> consecutive errors occurred, or when the
total amount of errors exceeds I<--ssl-error-total=CNT>.
Note that this may result in loss of information and/or checks.
=head3 --ssl-error-max=CNT
Max. amount of consecutive errors (default: 5).
=head3 --ssl-error-timeout=SEC
Timeout in seconds when a failed connection is treated as error and
then counted (default: 1).
=head3 --ssl-error-total=CNT
Max. total amount of errors (default: 10).
=head3 --ssl-lazy
In general, this tool tries to identify available functionality according
to SSL versions from the underlying libraries. Unsupported versions
are then disabled and a warning is shown.
Unfortunately some libraries have not implemented all functions to
check availability of a specific SSL version, which then results in
a compile error.
This option disables the strict check of availability.
If the underlying library doesn't support the required SSL version
at all, the following error may occur:
Can't locate auto/Net/SSLeay/CTX_v2_new.al in @INC ...
See L</Note on SSL versions> for a general note about SSL versions.
A more detailed description of the problem and how Net::SSLeay
behaves can be found in the source of o-saft.pl,
see section starting at
#| check for supported SSL versions
=head3 --timeout=SEC
Timeout in seconds when connecting to the target (default: 2).
=head3 --call=METHOD
C<METHOD> method to be used for specific functionality.
Available methods:
=over
=item * info-socket use internal socket to retrieve information
=item * info-openssl use external openssl to retrieve information
=item * info-user use usr_getinfo() to retrieve information
=item * cipher-socket use internal socket to check for ciphers
=item * cipher-openssl use external openssl to check for ciphers
=item * cipher-user use usr_getciphers() to check for ciphers
=back
Method names starting with:
=over
=item * info-
are responsible to retrieve information about the SSL connection
and the target certificate (i.e. what the I<+info> command provides)
=item * cipher-
are responsible to connect to the target and test if it supports
the specified ciphers (i.e. what the I<+cipher> command provides)
=item * check-
are responsible for performing the checks (i.e. what's shown with
the I<+check> command)
=item * score-
are responsible to compute the score based on check results
=back
The second part of the name denotes which kind of method to call:
=over
=item * socket the internal functionality with sockets is used
=item * openssl the external openssl executable is used
=item * user the external special function, as specified in user's
o-saft-usr.pm, is used.
=back
Example:
--call=cipher-openssl
will use the external L<openssl(1)|openssl(1)> executable to check the target for
supported ciphers.
Default settings are:
--call=info-socket --call=cipher-socket --call=check-socket
Just for curiosity, instead of using:
o-saft.pl --call=info-user --call=cipher-user --call=check-user --call=score-user ...
consider using your own script like:
#!/usr/bin/env perl
usr_getinfo();usr_getciphers();usr_checkciphers();usr_score();
:-))
=head3 -v
Print list of ciphers in style like: "openssl ciphers -v".
Option used with I<+ciphers> command only.
=head3 -V
Print list of ciphers in style like: "openssl ciphers -V".
Option used with I<+ciphers> command only.
=head2 Options for SSL connection to target
=head3 --cipher=CIPHER
C<CIPHER> can be any string accepted by openssl or the following:
=over
=item * C<yeast> use all ciphers from list defined herein, see +list
=back
Beside the cipher names accepted by openssl, CIPHER can be the name
of the constant or the (hex) value as defined in openssl's files.
Currently supported are the names and constants of openssl 1.0.1k.
Example:
=over
=item * --cipher=DHE_DSS_WITH_RC4_128_SHA
=item * --cipher=0x03000066
=item * --cipher=66
=back
will be mapped to C<DHE-DSS-RC4-SHA>
Note: if more than one cipher matches, just one will be selected.
Default is C<ALL:NULL:eNULL:aNULL:LOW> as specified in L<Net::SSLinfo|Net::SSLinfo>.
=head3 --socket-reuse
TCP socket will be reused for next connection attempt even if SSL
connection failed.
=head3 --no-socket-reuse
Close TCP socket and then reopen for next connection attempt if SSL
connection failed.
This is useful for some servers which may return a "TLS alert" if
the connection fails and then fail again on the same socket.
=head3 --ignore-no-connect
A simple check if the target can be connected will be performed by
default. If this check fails, the target will be ignored, meaning no
more requested checks will be done. As this connection check
sometimes fails due to various reasons, the check can be disabled using
this option.
=head3 --no-md5-cipher
Do not use *-MD5 ciphers for other protocols than SSLv2.
This option is only effective with I<+cipher> command.
The purpose is to avoid warnings from L<IO::Socket::SSL(1)|IO::Socket::SSL(1)> like:
Use of uninitialized value in subroutine entry at lib/IO/Socket/SSL.pm line 430.
which occurs with some versions of L<IO::Socket::SSL(1)|IO::Socket::SSL(1)> when *-MD5
ciphers are used with other protocols than SSLv2.
Note that these ciphers will be checked for SSLv2 only.
=head3 --sslv2
=head3 --sslv3
=head3 --tlsv1
=head3 --tlsv11
=head3 --tlsv12
=head3 --tlsv13
=head3 --dtlsv09
=head3 --dtlsv1
=head3 --dtlsv11
=head3 --dtlsv12
=head3 --dtlsv13
=head3 --SSL, -protocol SSL
=head3 --no-sslv2
=head3 --no-sslv3
=head3 --no-tlsv1
=head3 --no-tlsv11
=head3 --no-tlsv12
=head3 --no-tlsv13
=head3 --no-dtlsv09
=head3 --no-dtlsv1
=head3 --no-dtlsv11
=head3 --no-dtlsv12
=head3 --no-dtlsv13
=head3 --no-SSL
C<SSL> can be any of:
ssl, ssl2, ssl3, sslv2, sslv3, tls1, tls1, tls11, tls1.1, tls1-1,
tlsv1, tlsv11, tlsv1.1, tlsv1-1 (and similar variants for tlsv1.2).
For example: I<--tls1> I<--tlsv1> I<--tlsv1_1> are all the same.
(--SSL variants): Test ciphers for this SSL/TLS version.
(--no-SSL variants): Don't test ciphers for this SSL/TLS version.
=head3 --no-tcp
Shortcut for:
I<--no-sslv2> I<--no-sslv3> I<--no-tlsv1> I<--no-tlsv11> I<--no-tlsv12> I<--no-tlsv13>
=head3 --tcp
Shortcut for: I<--sslv2> I<--sslv3> I<--tlsv1> I<--tlsv11> I<--tlsv12> I<--tlsv13>
=head3 --no-udp
Shortcut for:
I<--no-dtlsv09> I<--no-dtlsv1> I<--no-dtlsv11> I<--no-dtlsv12> I<--no-dtlsv13>
=head3 --udp
Shortcut for: I<--dtlsv09> I<--dtlsv1> I<--dtlsv11> I<--dtlsv12> I<--dtlsv13>
=head3 --nullsslv2
This option forces the assumption that SSLv2 is enabled even if the
target does not accept any ciphers.
The target server may accept connections with SSLv2 but not allow
any cipher. Some checks verify if SSLv2 is enabled at all, which
then would result in a failed test.
The default behaviour is to assume that SSLv2 is not enabled if no
ciphers are accepted.
=head3 --http
Make an HTTP request if cipher is supported.
If used twice, debugging will be enabled using environment variable
C<HTTPS_DEBUG>.
=head3 --no-http
Do not make HTTP request.
=head3 --sni
Make SSL connection in SNI mode.
=head3 --no-sni
Do not make SSL connection in SNI mode (default: SNI mode).
=head3 --sni-toggle
=head3 --toggle-sni
Test with and without SNI mode (+cipherall only).
=head3 --force-sni
Do not check if SNI seems to be supported by L<Net::SSLeay(1)|Net::SSLeay(1)>.
Older versions of openssl and its libraries do not support SNI, or their
SNI support is buggy. By default it's checked if SNI is
properly supported. With this option this check can be disabled.
Be warned that this may result in improper results.
=head3 --servername=NAME
=head3 --sni-name=NAME
If SNI mode is active, see I<--sni> above, C<NAME> is used instead of
hostname for connections to the target. If SNI mode is not active,
see I<--no-sni> above, C<NAME> is not used. The default is undefined,
which forces to use the given FQDN.
This is useful, for example when an IP instead of a FQDN was given,
where a correct hostname (in general a FQDN) needs to be specified.
Note: in general there is no need to use this option, as a correct value
for the SNI name will be chosen automatically (except for IPs).
However, it is kind of fuzzing ... even setting to an empty string
is possible.
Limitation: the same C<NAME> is used for all targets, if more than
one target was specified.
=head3 --no-cert
Do not get data from target's certificate, return empty string.
=head3 --no-cert --no-cert
Do not get data from target's certificate, return default string
of L<Net::SSLinfo|Net::SSLinfo> (see I<--no-cert-text=TEXT> option).
=head3 --no-cert-text=TEXT
Set C<TEXT> to be returned from L<Net::SSLinfo|Net::SSLinfo> if no certificate data
is collected due to use of I<--no-cert>.
=head3 --ca-depth=INT
Check certificate chain to depth C<INT> (like openssl's -verify).
=head3 --ca-file=FILE
Use C<FILE> with bundle of CAs to verify target's certificate chain.
=head3 --ca-path=DIR
Use C<DIR> where to find CA certificates in PEM format.
=head3 --ca-force
=head3 --force-ca
B<NOT YET IMPLEMENTED>
In general, openssl uses default settings where to find certificate files.
When I<--ca-file=FILE> and/or I<--ca-path=DIR> was used, this default
will be overwritten by appropriate options passed to openssl. If the
default does not work as expected, I<--force-ca> can be used to force
setting of proper values according to well known common defaults. See:
o-saft.pl +version
o-saft.pl +version --force-ca
to see the used settings.
=head3 --alpn
Use -alpn option for openssl.
=head3 --no-alpn
Do not use -alpn option for openssl.
=head3 --no-npn
=head3 --no-nextprotoneg
Do not use -nextprotoneg option for openssl.
=head3 --proto-alpn=NAME
Name of protocol to be added to list of application layer protocols
(ALPN), which is used for any connection to the targets.
See I<--cipher-alpn=NAME> also.
=head3 --proto-npn=NAME
Name of protocol to be added to list of next protocol negotiations
(NPN), which is used for any connection to the targets.
See I<--cipher-npn=NAME> also.
=head3 --ssl-compression --compression
Use SSL option "compression" for connection.
=head3 --no-ssl-compression --no-compression
Use SSL option "no compression" for connection (default: don't use)
=head3 --no-reconnect
Do not use -reconnect option for openssl.
=head3 --no-tlsextdebug
Do not use -tlsextdebug option for openssl.
=head3 --sclient-opt=VALUE
Argument or option passed to openssl's s_client command.
=head2 Options for +cipher command
=head3 --connect-delay=SEC
Additional delay in seconds after each connect for a cipher check.
This is useful when connecting to servers which have IPS in place,
or are slow in accepting new connections or requests.
=head3 --cipher-alpn=NAME
Name of protocol to be added to list of application layer protocols
(ALPN), which is used for cipher checks.
I<--cipher-alpn=,> sets empty list.
I<--cipher-alpn=,,> sets list to empty element "".
=head3 --cipher-npn=NAME
Name of protocol to be added to list of next protocol negotiations
(NPN), which is used for cipher checks.
I<--cipher-npn=,> sets empty list.
I<--cipher-npn=,,> sets list to empty element "".
Note: setting empty list or element most likely does not work with
openssl executable (i.e. I<--force-openssl>).
=head3 --cipher-curve=NAME
Name of elliptic curve to be added to list of elliptic curves (EC),
which is used for cipher checks.
I<--cipher-curve=,> sets empty list.
I<--cipher-curve=,,> sets list to empty element "".
Note: setting empty list or element most likely does not work with
openssl executable (i.e. I<--force-openssl>).
=head2 Options for cipherall and cipherraw command
=head3 --range=RANGE
=head3 --cipherrange=RANGE
Specify range of cipher constants to be tested by I<+cipherall>.
Following RANGEs are supported:
=over
=item * C<rfc> all ciphers defined in various RFCs
=item * C<shifted> C<rfc>, shifted by 64 bytes to the right
=item * C<long> like C<rfc> but more lazy list of constants
=item * C<huge> all constants 0x03000000 .. 0x0300FFFF
=item * C<safe> all constants 0x03000000 .. 0x032FFFFF
=item * C<full> all constants 0x03000000 .. 0x03FFFFFF
=item * C<SSLv2> all ciphers according to RFC for SSLv2
=item * C<SSLv2_long> more lazy list of constants for SSLv2 ciphers
=back
Note: C<SSLv2> is the internal list used for testing SSLv2 ciphers.
It does not make sense to use it for other protocols; however ...
=head3 --slow-server-delay=SEC
Additional delay in seconds after the server is connected using a
proxy or before starting C<STARTTLS>.
This is useful when connecting via slow proxy chains or connecting
to slow servers before sending the C<STARTTLS> sequence.
=head3 --ssl-maxciphers=CNT
Maximal number of ciphers sent in a sslhello (default: 32).
=head3 --ssl-double-reneg
Send SSL extension C<reneg_info> even if list of ciphers includes
C<TLS_EMPTY_RENEGOTIATION_INFO_SCSV> (default: do not include)
=head3 --ssl-nodata-nocipher
Some servers do not answer (in general they disconnect) if none of the
offered ciphers is supported by the server.
Continue testing with next ciphers when the target disconnects or
does not send data within specified timeout (see I<--timeout>).
Useful for TLS intolerant servers.
=head3 --no-ssl-nodata-nocipher
Abort testing with next ciphers when the target disconnects.
=head3 --ssl-use-ecc
Use supported elliptic curves. Default on.
=head3 --ssl-use-ec-point
Use TLS C<ec_point_formats> extension. Default on.
=head3 --ssl-use-reneg
Test for ciphers with "secure renegotiation" flag set.
Default: don't set "secure renegotiation" flag.
=head3 --ssl-retry=CNT
Number of retries when connection timed-out (default: 2).
=head3 --ssl-timeout=SEC
Number of seconds to wait until connection is qualified as timeout.
=head3 --dns-mx
=head3 --mx
Get DNS MX records for given target and check the returned targets.
(only useful with I<--starttls=SMTP>).
=head2 Options for checks and results
Options used for I<+check> command:
=head3 --enabled
Only print result for ciphers accepted by target.
=head3 --disabled
Only print result for ciphers not accepted by target.
=head3 --ignorecase
Checks are done case insensitive.
=head3 --no-ignorecase
Checks are done case sensitive. Default: case insensitive.
Currently only checks of the CN and alternate names in the target's
certificate compared to the given hostname are affected.
=head3 --ignore-no-reply
When checking for the TLS "heartbeat" extension, the server may not
respond at all, which would result in a "no reply" message. This
marks the check for I<+heartbleed> as C<no>.
In general, a server is not vulnerable to the heartbleed attack if the
TLS "heartbeat" extension is disabled. Hence the check result C<no>
may be misleading. This option treats the "no reply" result as
"not vulnerable" and returns C<yes> then.
Note: if the server does not respond for this check, this does not mean
that the "heartbeat" extension is switched off. If unsure, disable
this lazy check with I<--no-ignore-no-reply> .
=head2 Options for output format
=head3 --label=TYPE
Defines the format of the descriptive text (label) for I<+check> and
I<+info> command.
Following C<TYPE>s are supported:
=head3 --label=long
Prints full text for labels:
Certificate Common Name: some.tld
=head3 --label=short
Prints short less descriptive text for labels:
Common Name: some.tld
=head3 --label=key
Internal format: prints name of key instead of text as label. The key
is that of the internal data structure(s).
[cn] some.tld
For ciphers and protocols, the corresponding hex value is used as
key. Note that these values are unique.
=head3 --legacy=TOOL
For compatibility with other tools, the output format used for the
result of the I<+cipher> command can be adjusted to mimic the format
of other SSL testing tools.
The argument to the I<--legacy=TOOL> option is the name of the tool
to be simulated.
Following TOOLs are supported:
=over
=item * C<sslaudit> format of output similar to sslaudit
=item * C<sslcipher> format of output similar to ssl-cipher-check
=item * C<ssldiagnos> format of output similar to ssldiagnos
=item * C<sslscan> format of output similar to sslscan
=item * C<ssltest> format of output similar to ssltest
=item * C<ssltestg> format of output similar to ssltest -g
=item * C<ssltest-g> format of output similar to ssltest -g
=item * C<sslyze> format of output similar to sslyze
=item * C<ssl-cipher-check> same as sslcipher
=item * C<ssl-cert-check> format of output similar to ssl-cert-check
=item * C<testsslserver> format of output similar to TestSSLServer.jar
=item * C<thcsslcHeck> format of output similar to THCSSLCheck
=back
Note that these legacy formats only apply to output of the checked
ciphers. Other texts like headers and footers are adapted slightly.
Please do not expect identical output as the TOOL when using these
options, it's a best guess and should be parsable in a very similar
way.
=head3 --legacy=TYPE
=head3 --legacy=compact
Internal format: mainly avoid tabs and spaces; format is as follows:
Some Label:<-- anything right of colon is data
=head3 --legacy=full
Internal format: pretty print each label in its own line, followed
by data prepended by tab character (useful for I<+info> only).
=head3 --legacy=owasp
Results for cipher checks use rating from OWASP Cipher Cheat Sheet.
=head3 --legacy=quick
Internal format: use tab as separator; ciphers are printed with bit
length (implies I<--tab>).
=head3 --legacy=simple
Internal default format.
=head3 --format=0x
=head3 --format=\x
=head3 --format=/x
=head3 --format=hex
=head3 --format=raw
This option is used to specify the format of the result lines. This
covers the value of the result line only.
=over
=item * C<raw> Print raw data as passed from L<Net::SSLinfo|Net::SSLinfo>.
Note: all data will be printed as is, without additional label
or formatting. It's recommended to use the option in conjunction
with exactly one command. Otherwise the user needs to know how
to "read" the printed data.
=item * C<hex> Convert some data to hex: 2 bytes separated by C<:>.
=item * C<0x> Convert some data with hex values:
2 bytes preceded by C<0x> and separated by a space.
=item * C</x> Same as --format=\x
=item * C<\x> Convert some data with hex values:
2 bytes preceded by C<\x> and no separating char.
=back
=head3 --header
Print formatting header. Default for I<+check>, I<+info>, I<+quick>
and I<+cipher> only.
=head3 --no-header
Do not print formatting header.
Useful if raw output should be passed to other programs.
Note: must be used on command line to inhibit all header lines.
=head3 --ignore-cmd=CMD
=head3 --ignore-output=CMD
=head3 --no-cmd=CMD
=head3 --no-output=CMD
Do not print output (data or check result) for command C<CMD>. C<CMD>
is any valid command, see L</COMMANDS> , without leading C<+>.
Option can be used multiple times.
=head3 --score
Print scoring results. Default for I<+check>.
=head3 --no-score
Do not print scoring results.
=head3 --separator=CHAR
=head3 --sep=CHAR
C<CHAR> will be used as separator between label and value of the
printed results. Default is C<:>.
=head3 --tab
C<TAB> character (0x09, \t) will be used as separator between label
and value of the printed results.
As label and value are already separated by a TAB character, this
option is only useful in conjunction with the I<--legacy=compact>
option.
=head3 --showhost
Prefix each printed line with the given hostname (target).
The hostname will be followed by the separator character.
=head3 --std-format=utf8
=head3 --std-format=crlf
=head3 --std-format=raw
=head3 --std-format=unix
=head3 --std-format=CHARSET
This option is used to specify the general output format for STDOUT
and STDERR. All results are written to STDOUT, errors and warnings
may also be written to STDERR . The default is C<:unix:utf8>, which
is the perlish definition used internally.
Following values are supported:
=over
=item * C<raw>
=item * C<unix> Print raw data, binary in bytes without conversion.
Note: binary here just means characters (as all output is text).
=item * C<utf8> Convert all characters to UTF-8.
=item * C<crlf> Use CR LF as end of line.
=item * C<CHARSET> C<CHARSET> can be any of the locally installed character
sets, like UTF-8, UTF-16LE, CP1252, iso-8859-7, etc.
This conversion may print its own warnings.
=back
The option can be used multiple times with different values.
To reset the default behaviour, either C<raw> or C<unix> must be
used. Obviously, they must be used first. All other values are used
additionally.
Note: C<utf8> just defines the format of the characters, it does no
further checks on the converted characters. In contrast, C<UTF-8> is
used as real encoding and does some checks.
For more details, please see "perldoc -f binmode" .
Currently (Jan. 2018), these options must be used before any I<--help>
option.
=head3 --win-CR
Obsolete, please use I<--std-format=crlf> .
=head2 Options for compatibility with other programs
Please see other programs for detailed description (if not obvious:).
Note that often only the long form options are accepted as most short
form options are ambiguous.
If other programs use the same option, but with a different behaviour,
then these other options are not supported.
For a list of supported options, please see:
o-saft.pl --help=alias
Following list contains only those options not shown with:
o-saft.pl --help=alias
Tool's Option (Tool) o-saft.pl Option
=over
=item * --checks CMD (TLS-Check.pl) same as +CMD
=item * -h, -h=HOST (various tools) same as --host HOST
=item * -p, -p=PORT (various tools) same as --port PORT
=item * -t HOST (ssldiagnos) same as --host HOST
=item * --UDP (ssldiagnos) same as --udp
=item * --timeout, --grep (ssltest.pl) ignored
=item * -r, -s, -t, -x (ssltest.pl) ignored
=item * --insecure (cnark.pl) ignored
=item * --nopct --nocolor (ssldiagnos) ignored
=item * -connect, -H, -u, -url, -U ignored
=item * -noSSL same as --no-SSL
=item * -no_SSL same as --no-SSL
=back
For definition of C<SSL> see I<--SSL> and I<--no-SSL> above.
=head2 Options for customization
For general descriptions please see L</CUSTOMIZATION> section below.
=head3 --cfg_cmd=CMD=LIST
=head3 --cfg-cmd=CMD=LIST
Redefine list of commands. Sets %cfg{cmd-CMD} to LIST. Commands
can be written without the leading C<+>.
If CMD is any of the known internal commands, it will be redefined.
If CMD is an unknown command, it will be created.
Example:
--cfg-cmd=sni="sni hostname"
An example I<+preload> can be found in C<.o-saft.pl> .
To get a list of commands and their settings, use:
o-saft.pl --help=intern
Main purpose is to reduce list of commands or to print them sorted.
=head3 --cfg-score=KEY=SCORE
Redefine value for scoring. Sets %checks{KEY}{score} to C<SCORE>.
Most score values are set to 10 by default. Values C<0> .. C<100> are
allowed.
To get a list of current score settings, use:
o-saft.pl --help=score
For details on how scoring works, please see L</SCORING> section.
Use the I<--trace-key> option for the I<+info> and/or I<+check> command
to get the values for C<KEY>.
=head3 --cfg_checks=KEY=TEXT
=head3 --cfg-checks=KEY=TEXT
=head3 --cfg_data=KEY=TEXT
=head3 --cfg-data=KEY=TEXT
Redefine texts used for labels in output. Sets %data{KEY}{txt} or
%checks{KEY}{txt} to C<TEXT>.
To get a list of preconfigured labels, use:
o-saft.pl --help=cfg-checks
o-saft.pl --help=cfg-data
=head3 --cfg-cipher=CIPHER=value
Redefine the security value (i.e. HIGH) in the cipher description.
Example:
--cfg-cipher=NULL-MD5=no-security-at-all
=head3 --cfg_text=KEY=TEXT
=head3 --cfg-text=KEY=TEXT
Redefine general texts used in output. Sets %text{KEY} to C<TEXT>.
To get a list of preconfigured texts, use:
o-saft.pl --help=cfg-text
Note that \n, \r and \t are replaced by the corresponding character
when read from L</RC-FILE>.
=head3 --cfg-text=FILE
Read definitions for %text{KEY}="my text" from file C<FILE>.
=head3 --cfg-hint=KEY=TEXT
Redefine texts used for hints. Sets %cfg{hints}{KEY} to C<TEXT>.
To get a list of preconfigured texts, use:
o-saft.pl --help=cfg-hint
=head3 --cfg-init=KEY=VALUE
Set the internal %cfg hash. This option is intended for testing
and debugging only. Please see L</TESTING> below.
=head3 --call=METHOD
See L</Options for SSL tool>.
=head3 --usr
Execute functions defined in L<o-saft-usr.pm|o-saft-usr.pm>.
=head3 --usr-*
=head3 --user-*
Options are ignored, but stored as is internally in $cfg{usr-args}.
These options can be used in L<o-saft-usr.pm|o-saft-usr.pm> or L<o-saft-dbx.pm|o-saft-dbx.pm>.
=head3 --experimental
Use experimental functionality.
Some functionality of this tool is under development and only used
when this option is given.
=head2 Options for tracing and debugging
=head3 --n
Do not execute, just show commands (only useful in conjunction with
using openssl).
=head3 Difference --trace vs. --v
While I<--v> is used to print more data, I<--trace> is used to print
more information about internal data such as procedure names and/or
variable names and program flow.
=head3 --v
=head3 --verbose
Print more information about checks.
Note that this option should be first otherwise some debug messages
are missing.
Note that I<--v> is different from -v (see above).
=head3 --v --v
Print remotely checked ciphers.
=head3 --v-cipher --cipher-v
Print remotely checked ciphers.
In contrast to I<--v> I<--v> above, this just prints the ciphers
while being checked, but no other verbose messages.
=head3 --trace
Print debugging messages.
=head3 --trace --trace
Print more debugging messages and pass C<trace=2> to Net::SSLeay and
L<Net::SSLinfo|Net::SSLinfo>.
=head3 --trace --trace --trace
Print more debugging messages and pass C<trace=3> to Net::SSLeay and
L<Net::SSLinfo|Net::SSLinfo>.
=head3 --trace --trace --trace --trace
Print processing of all command line arguments.
=head3 --trace-cli
Print complete command line first. Used for internal testing.
=head3 --trace-arg
=head3 --trace--
Print command line argument processing.
=head3 --trace-cmd
Trace execution of command processing (those given as I<+*>).
=head3 --trace-key
=head3 --trace@
Print some internal variable names in output texts (labels).
Variable names are prefixed to printed line and enclosed in # .
Example without I<--trace-key> :
Certificate Serial Number: deadbeef
Example with I<--trace-key> :
#serial# Certificate Serial Number: deadbeef
=head3 --trace-time
Prints trace output with timestamps. More timestamps are printed if
used together with I<--trace-cmd>.
=head3 --trace=VALUE
Alias for I<--trace-VALUE> options (see above).
Trace option and its alias option:
=over
=item * --trace=1 same as --trace
=item * --trace=2 same as --trace --trace
=item * --trace=arg same as --trace-arg
=item * --trace=cmd same as --trace-cmd
=item * --trace=key same as --trace-key
=item * --trace=time same as --trace-time
=back
=head3 --trace=FILE
Use FILE instead of the default L</RC-FILE>, i.e. C<.o-saft.pl>.
=head3 --trace-me
Print debugging messages for o-saft.pl only, but not any modules.
=head3 --trace-not-me
Print debugging messages for modules only, but not o-saft.pl itself.
=head3 --trace-sub
=head3 +traceSUB
Print formatted list of internal functions with their description.
Not intended to be used in conjunction with any target check.
=head3 --hint
Print hint messages (!!Hint:).
=head3 --no-hint
Do not print hint messages (!!Hint:).
=head3 --warning
Print warning messages (**WARNING:).
=head3 --no-warning
Do not print warning messages (**WARNING:).
=head3 --exit=KEY
Terminate o-saft.pl at specified C<KEY>. Please see L</TESTING> below.
=head2 Options vs. Commands
For compatibility with other programs and lazy users, some arguments
looking like options are silently taken as commands. This means that
I<--THIS> becomes I<+THIS> then. These options are:
=over
=item * --help
=back
=over
=item * --abbr
=back
=over
=item * --todo
=back
=over
=item * --chain
=back
=over
=item * --default
=back
=over
=item * --fingerprint
=back
=over
=item * --list
=back
=over
=item * --version
=back
Take care that this behaviour may be removed in future versions as it
conflicts with those options and commands which actually exist, like:
I<--sni> vs. I<+sni>
=head1 LAZY SYNOPSIS
=head2 Commands
Following strings are treated as a command instead of target names:
=over
=item * ciphers
=back
=over
=item * s_client
=back
=over
=item * version
=back
A warning will be printed.
=head2 Options
We support following options, which are all identical, for lazy users
and for compatibility with other programs.
=head3 Option Variants
=over
=item * --port PORT
=back
=over
=item * --port=PORT
=back
This applies to most such options, I<--port> is just an example. When
used in the L</RC-FILE>, the I<--OPTION=VALUE> variant must be used.
=head3 Option Names
Dash C<->, dot C<.> and/or underscore C<_> in option names are optional,
all following are the same:
=over
=item * --no.dns
=back
=over
=item * --no-dns
=back
=over
=item * --no_dns
=back
=over
=item * --nodns
=back
This applies to all such options, I<--no-dns> is just an example.
=head2 Targets
Following syntax is supported also:
o-saft.pl http://some.tld other.tld:3889/some/path?a=b
Note that only the hostname and the port are used from a URL.
=head2 Options vs. Commands
See L</Options vs. Commands> in L</OPTIONS> section above
=head1 CHECKS
All SSL related checks performed by the tool are described here.
=head2 General Checks
Looks up the IP of the given hostname (FQDN), and then tries to reverse
resolve the FQDN again.
=head2 SSL Ciphers
Check which ciphers are supported by target. Please see L</RESULTS> for
details of this check.
=head2 SSL Connection
=head3 heartbeat
Check if "heartbeat" extension is supported by target.
=head3 poodle
Check if target is vulnerable to POODLE attack (SSLv3 enabled).
=head3 robot
Check if target is vulnerable to ROBOT attack (server offers ciphers
with RSA encryption).
=head3 sloth
Check if target is vulnerable to SLOTH attack (server offers RSA-MD5
or ECDSA-MD5 ciphers).
=head3 sweet32
Check if target is vulnerable to Sweet32 attack (server offers CBC or
CBC3 or DES or 3DES ciphers).
Note that FIPS-140 compliance requires 3DES ciphers, hence compliant
systems are then vulnerable to Sweet32 attacks.
=head3 ALPN
Check if target supports ALPN. Following messages are evaluated:
ALPN protocol: h2-14
No ALPN negotiated
Please see also L</CHECKS> ALPN and NPN below.
=head2 SSL Vulnerabilities
=head3 ADH
Check if ciphers for anonymous key exchange are supported: ADH|DHA.
Such key exchanges can be sniffed.
=head3 EDH
Check if ephemeral ciphers are supported: DHE|EDH.
They are necessary to support Perfect Forward Secrecy (PFS).
=head3 BEAST
Check if ciphers with CBC for protocol SSLv1, SSLv3 or TLSv1 are used.
TLSv1.2 checks are not yet implemented.
=head3 CRIME
Connection is vulnerable if target supports SSL-level compression, or
supports SPDY/3 (because SPDY/3 uses compression).
See http://zoompf.com/2012/09/explaining-the-crime-weakness-in-spdy-and-ssl
Note: SPDY/3 is only possible if the client explicitly asks for this
alternate protocol (for example "openssl ... -nextprotoneg spdy/3").
=head3 DROWN
Connection is vulnerable if target supports SSLv2.
=head3 FREAK
Attack against SSL/TLS to downgrade to EXPORT ciphers.
Currently (2018) a simple check is used: SSLv3 enabled and EXPORT
ciphers supported by server.
See CVE-2015-0204 and https://freakattack.com/ .
=head3 HEARTBLEED
Check if target is vulnerable to heartbleed attack, see CVE-2014-0160
and http://heartbleed.com/ .
=head3 HEIST
Not implemented.
There are no checks for the HEIST attack implemented, because this is
an attack on TCP/IP rather than SSL/TLS on top of TCP/IP.
=head3 KCI
To perform a MiTM attack with Key Compromise Impersonation, the attacker
needs to engage the victim to install and use a client certificate.
This is considered a low risk and hence not tested here.
=head3 Logjam
Check if target is vulnerable to Logjam attack.
Check if target supports EXPORT ciphers and/or DH Parameter is less
than 2048 bits. ECDH must be greater than 511 bits.
=head3 Lucky13
Check if CBC ciphers are offered.
NOTE the recommendation to be safe against Lucky13 was to use RC4
ciphers. But they are also subject to attacks (see below). Hence the
check is only for CBC ciphers.
=head3 RC4
Check if RC4 ciphers are supported.
They are assumed to be broken.
Note that I<+rc4> reports the vulnerability to the RC4 Attack, while
I<+cipher-rc4> simply reports if RC4 ciphers are offered. However the
check, and hence the result, is the same.
=head3 PFS
Check if DHE ciphers are used. Checks also if the TLS session ticket
is random or not used at all.
TLSv1.2 checks are not yet implemented.
=head3 POODLE
Check if target is vulnerable to POODLE attack (just check if SSLv3
is enabled).
=head3 Practical Invalid Curve Attack
This attack allows an attacker to read the server's private key if the
server does not properly check the points passed for an elliptic curve
when EDH ciphers are used.
This check will not send multiple invalid points, but only checks if
the server closes the connection or responds with no matching cipher.
=head3 ROBOT
Bleichenbacher's Oracle attack against SSL/TLS ciphers.
Not implemented.
https://robotattack.org/
=head3 SLOTH
Currently (2016) we check for ciphers with ECDSA, RSA-MD5.
Checking the TLS extension C<tls-unique> is not yet implemented.
=head3 Sweet32
Currently (2016) we check for ciphers with CBC or CBC3 or DES or 3DES.
=head3 Ticketbleed
B<NOT YET IMPLEMENTED>
Check if target is vulnerable to ticketbleed, means that it returns
up to 31 random bytes from memory as Session Ticket, see CVE-2016-9244
and https://filippo.io/Ticketbleed/ .
=head2 Target (server) Configuration and Support
=head3 BEAST, BREACH, CRIME, DROWN, FREAK, Logjam, Lucky13, POODLE, RC4, ROBOT, SLOTH, Sweet32
See above.
=head3 Renegotiation
Check if the server allows client-side initiated renegotiation.
=head3 Version rollback attacks
B<NOT YET IMPLEMENTED>
Check if the server allows changing the protocol.
=head3 DH Parameter
Check if target's DH Parameter is less than 512 or 2048 bits.
=head2 Target (server) Certificate
=head3 Certificate Hashes
Check that fingerprint is not MD5.
Check that certificate private key signature is SHA2 or better.
=head3 Root CA
Provided certificate by target should not be a Root CA.
=head3 Self-signed Certificate
Certificate should not be self-signed.
=head3 FQDN is listed in subjectAltname (RFC2818)
The FQDN must be listed in the certificate's subjectAltname.
The check command I<+rfc_2818_names> is based on the info command
I<+verify_hostname> . The check was added in 05/2017 because browsers
started to complain if the FQDN is not part of the subjectAltname.
=head3 IP in CommonName or subjectAltname (RFC6125)
B<NOT YET IMPLEMENTED>
=head3 Basic Constraints
Certificate extension Basic Constraints should be CA:FALSE.
=head3 OCSP, CRL, CPS
Certificate should contain URL for OCSP and CRL.
=head3 Private Key encryption
Certificate's signature key supports encryption.
=head3 Private Key encryption well known
Certificate's signature key encryption algorithm is well known.
=head3 Public Key encryption
Certificate's public key supports encryption.
=head3 Public Key encryption well known
Certificate's public key encryption algorithm is well known.
=head3 Public Key Modulus size
Some (historic) SSL implementations are subject to buffer overflow if
=head3 Public Key Modulus Exponent size
The modulus exponent should be = 65537 as it is a prime number and an
easy to calculate exponent.
If the exponent is less than 65537, "Broadcast" attacks are possible.
However, some (mainly historic) SSL implementations may have problems
to connect because they are not able to do the crypt mathematics with
exponents larger than 65536.
If elliptic curves are used, the result for these checks is always
C<no (<<N/A ...)>.
=head3 Sizes and Lengths of Certificate Settings
Serial Number <= 20 octets (RFC5280, 4.1.2.2. Serial Number)
B<...>
=head3 DV-SSL - Domain Validation Certificate
The Certificate must provide:
=over
=item * Common Name C</CN=> field
=back
=over
=item * Common Name C</CN=> in C<subject> or C<subjectAltname> field
=back
=over
=item * Domain name in C<commonName> or C<altname> field
=back
=head3 EV-SSL - Extended Validation Certificate
This check is performed according to the requirements defined by the
CA/Browser Forum https://www.cabforum.org/contents.html .
The certificate must provide:
=over
=item * DV - Domain Validation Certificate (see above)
=back
=over
=item * Organization name C</O=> or C<subject> field
=back
=over
=item * Organization name must be less than 64 characters
=back
=over
=item * Business Category C</businessCategory=> in C<subject> field
=back
=over
=item * Registration Number C</serialNumber=> in C<subject> field
=back
=over
=item * Address of Place of Business in C<subject> field
=back
Required are: C</C=>, C</ST=>, C</L=>
Optional are: C</street=>, C</postalCode=>
=over
=item * Validation period does not exceed 27 months
=back
See L</LIMITATIONS> also.
=head2 Target (server) HTTP(S) Support
=head3 STS header (see RFC 6797)
Using STS does not give perfect security. While the very first request using
http: is always prone to a MiTM attack, MiTM is also possible on following
requests, if STS is not well implemented on the server.
=over
=item * Request with http: should be redirected to https:
=back
=over
=item * Redirects should use status code 301 (even others will work)
=back
=over
=item * Redirect's Location header must contain schema https:
=back
=over
=item * Redirect's Location header must redirect to same FQDN
=back
=over
=item * Redirect may use Refresh instead of Location header (not RFC6797)
=back
=over
=item * Redirects from HTTP must not contain STS header
=back
=over
=item * Answer from redirected page (HTTPS) must contain STS header
=back
=over
=item * Answer from redirected page for IP must not contain STS header
=back
=over
=item * STS header must contain includeSubDomains directive
=back
=over
=item * STS header max-age should be less than 1 month
=back
=over
=item * STS must not be set in http-equiv attribute of a meta TAG
=back
=head3 STS header preload attribute (+preload)
To satisfy the requirements on https://hstspreload.appspot.com/ the
HSTS header must:
=over
=item * have the max-age with at least 18 weeks (10886400 seconds)
=back
=over
=item * have the includeSubDomains attribute
=back
=over
=item * have the preload attribute
=back
=over
=item * redirect to https first, then to sub-domains (if redirected)
=back
=over
=item * have an HSTS header in each redirect to https.
=back
Additionally, the site must have:
=over
=item * a valid certificate
=back
=over
=item * serve all subdomains over https.
=back
Except for the last requirement, I<+preload> will do the checks.
Note that I<+preload> is defined in C<.o-saft.pl> only.
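The header-level and redirect-level requirements of the two STS sections above can be evaluated offline against recorded responses. The following Python code is an added example, not code from o-saft.pl; the function names, the response dictionaries and the sample values are constructed for illustration, and only the items named in the result keys are covered.

```python
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 10886400  # 18 weeks in seconds, value taken from the list above


def parse_sts(value):
    """Split a Strict-Transport-Security value into {directive: argument}.

    Directive names are case-insensitive (RFC 6797); a directive without
    an argument, such as includeSubDomains, maps to True.
    """
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or True
    return directives


def max_age(directives):
    """Return max-age as int, or None if it is missing or not a plain number."""
    arg = directives.get("max-age")
    return int(arg) if isinstance(arg, str) and arg.isdigit() else None


def check_preload_header(value):
    """Header-level requirements of the preload list above."""
    directives = parse_sts(value)
    age = max_age(directives)
    return {
        "max-age >= 18 weeks": age is not None and age >= PRELOAD_MIN_AGE,
        "includeSubDomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def check_redirect(fqdn, http_resp, https_resp):
    """Redirect-level items of the STS list for one recorded exchange.

    Each response is a dict {"status": int, "headers": {lowercase-name: value}}
    (an assumed, constructed structure).
    """
    headers = http_resp["headers"]
    location = urlsplit(headers.get("location", ""))
    return {
        "status 301": http_resp["status"] == 301,
        "Location uses https": location.scheme == "https",
        "Location keeps FQDN": location.hostname == fqdn.lower(),
        "no STS header over http": "strict-transport-security" not in headers,
        "STS header over https":
            "strict-transport-security" in https_resp["headers"],
    }


def failed(results):
    """Names of all requirements that are not satisfied."""
    return sorted(name for name, ok in results.items() if not ok)


# Constructed sample responses (not captured from a real server).
HTTP_RESP = {"status": 302,
             "headers": {"location": "https://www.example.test/"}}
HTTPS_RESP = {"status": 200,
              "headers": {"strict-transport-security":
                          "max-age=31536000; includeSubDomains"}}

if __name__ == "__main__":
    sts = HTTPS_RESP["headers"]["strict-transport-security"]
    print("redirect:", failed(check_redirect("www.example.test",
                                             HTTP_RESP, HTTPS_RESP)))
    print("preload: ", failed(check_preload_header(sts)))
```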
=head3 Public Key Pins header
TBD - to be described ...
=head2 Sizes
Mainly in the certificate various counts, lengths and sizes of values
are checked and reported. All commands for these checks start with
C<+cnt_> or C<+len_>. Up to now, there is no C<yes> or C<no> value
for these checks.
Following commands will check the value to be in a specific range to
become C<yes> or C<no>:
=over
=item * +sts_maxage1d - yes if HSTS maxage < 1 day
=back
=over
=item * +sts_maxage1m - yes if HSTS maxage < 1 month
=back
=over
=item * +sts_maxage1y - yes if HSTS maxage < 1 year
=back
=over
=item * +sts_maxage18 - yes if HSTS maxage < 18 weeks (5 months)
=back
=over
=item * +sts_maxagexy - yes if HSTS maxage > 1 year
=back
=over
=item * +modulus_exp_1 - Public Key Modulus Exponent <>1
=back
=over
=item * +modulus_exp_65537 - Public Key Modulus Exponent =65537
=back
=over
=item * +modulus_exp_oldssl - Public Key Modulus Exponent <65537
=back
=over
=item * +modulus_size_oldssl - Public Key Modulus <16385 bits
=back
For some details of these checks, please see the description above at
Public Key Modulus Exponent size
The recommendations for DH parameters (RSA and elliptic curve) are
checked as follows:
=over
=item * +dh_512 - DH Parameter >= 512 bits
=back
=over
=item * +dh_2048 - DH Parameter >= 2048 bits
=back
=over
=item * +ecdh_256 - DH Parameter >= 256 bits (ECDH)
=back
=over
=item * +ecdh_512 - DH Parameter >= 512 bits (ECDH)
=back
Note that only one of the checks C<+dh_*> and C<+ecdh_*> can return
C<yes>.
=head2 ALPN and NPN
The commands for the checks to report C<yes> or C<no>, are I<+hasalpn>
and I<+hasnpn>.
Both, the Application Layer Protocol Negotiation (ALPN) and the Next
Protocol Negotiation (NPN) will be tested. The commands for that are:
=over
=item * +alpns
=back
=over
=item * +npns
=back
Each, ALPN and NPN, is tested separately with all known protocols.
The test sets only one protocol, tries to make a connection and then
checks if the protocol was accepted by the server. The collected list
of protocols will be printed with the aforementioned commands, or the
I<+info> command. Note the difference for the commands I<+next_protocols>
and I<+alpns>, where I<+next_protocols> simply reports what the server
itself advertises, while I<+alpns> reports what the server supports if
asked for.
=head2 Compliances
Note that it is not possible to satisfy all following compliances.
Best match is: C<PSF> and C<ISM> and C<PCI> and C<lazy BSI TR-02102-2>.
In general it is difficult to satisfy all conditions of a compliance,
and it is also difficult to check all these conditions. That is why
some compliance checks are not completely implemented.
For details see below please.
Also note that in the L</RC-FILE> the output of results for some checks
is disabled by default. A C<!!Hint:> message will be printed, if any
of these checks are used.
=over
=item * FIPS-140
=back
=over
=item * ISM
=back
=over
=item * PCI
=back
=over
=item * BSI TR-02102-2 (2016-01)
=back
=over
=item * BSI TR-03116-4
=back
=over
=item * RFC 2818
=back
=over
=item * RFC 6125
=back
=over
=item * RFC 6797
=back
=over
=item * RFC 7525
=back
=head3 BSI TR-02102-2 (+tr-02102+ +tr-02102- +bsi)
Checks if connection and ciphers are compliant according to TR-02102-2,
see https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2_pdf.pdf?__blob=publicationFile
(following headlines are taken from TR-02102-2 Version 2016-01)
3.1.3 Schlüssellängen bei EC-Verfahren
for the EC methods ... and further explanations see remark 4 in chapter 3 of [TR-02102-1].
3.2 SSL/TLS_Versionen
Only TLSv1.2 allowed (except for I<+tr-02102-> which also allows
TLSv1.1)
3.3.1 Empfohlene Cipher Suites
Allows only *DHE-*-SHA256, *DHE-*-SHA384, *DH-*-SHA256 and
*DH-*-SHA384 ciphers and PSK ciphers with ephemeral keys.
For I<+tr-02102+> they must be AES-GCM, I<+tr02102-> also allows
B<AES-CBC.>
3.3.2 Übergangsregelungen
SHA1 temporarily allowed. SHA256 and SHA384 recommended.
RC4 not recommended.
Use of SHA1 will only be checked for I<+tr-02102+>
3.4.1 Session Renegotiation
Only server-side (secure) renegotiation allowed (see RFC 5746).
3.4.2 Verkürzung der HMAC-Ausgabe
Truncated HMAC according to RFC 6066 not recommended.
3.4.3 TLS-Kompression und der CRIME-Angriff
No TLS compression.
3.4.4 Der Lucky13-Angriff
3.4.5 Die "Encrypt-then-MAC"-Erweiterung
Use of AES-GCM ciphers only.
Use of Encrypt-then-MAC according to RFC 7366 cannot be checked.
3.4.6 Die Heartbeat-Erweiterung
Target must not support the heartbeat extension.
3.4.7 Die Extended Master Secret Extension
Use of Extended Master Secret Extension according to RFC 7627 cannot
be checked.
3.5 Authentisierung der Kommunikationspartner
Not checked as only applicable for VPN connections.
3.6 Domainparameter und Schlüssellängen
Check if signature key is > 2048 bits.
3.6.1 Verwendung von elliptischen Kurven
**NOT YET IMPLEMENTED**
Use only following curves according to RFC 5639 and RFC 7027:
brainpoolP256r1, brainpoolP384r1, brainpoolP512r1
Use of secp256r1 and secp384r1 temporarily allowed.
4.1 Schlüsselspeicherung
This requirement is not testable from remote.
4.2 Umgang mit Ephemeralschlüsseln
This requirement is not testable from remote.
4.3 Zufallszahlen
This requirement is not testable from remote.
=head3 BSI TR-03116-4 (+tr-03116+ +tr-03116- +bsi)
Checks if connection and ciphers are compliant according to TR-03116-4,
see https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03116/BSI-TR-03116-4.pdf?__blob=publicationFile
(following headlines are taken from there)
2.1.1 TLS-Versionen und Sessions
Allows only TLS 1.2.
2.1.2 Cipher Suites
Cipher suites must be ECDHE-ECDSA or -RSA with AES128 and SHA256.
For curiosity, stronger cipher suites with AES256 and/or SHA384 are
not allowed. To follow this curiosity the I<+tr-03116-> (lazy)
check allows the stronger cipher suites ;-)
2.1.1 TLS-Versionen und Sessions
The TLS session lifetime must not exceed 2 days.
2.1.4.2 Encrypt-then-MAC-Extension
2.1.4.3 OCSP-Stapling
MUST have C<OCSP Stapling URL>.
4.1.1 Zertifizierungsstellen/Vertrauensanker
Certificate must provide all root CAs. (NOT YET IMPLEMENTED).
Should use a small certificate trust chain.
4.1.2 Zertifikate
Must have C<CRLDistributionPoint> or C<AuthorityInfoAccess>.
End-user certificate must not be valid longer than 3 years.
Root-CA certificate must not be valid longer than 5 years.
Certificate extension C<pathLenConstraint> must exist, and should be
a small value ("small" is not defined).
All certificates must contain the extension C<KeyUsage>.
Wildcards for C<CN> or C<Subject> or C<SubjectAltName> are not allowed
in any certificate.
EV certificates are recommended (NOT YET checked properly).
4.1.3 Zertifikatsverifikation
Must verify all certificates in the chain down to their root-CA.
(NOT YET IMPLEMENTED).
Certificate must be valid according issue and expire date.
All checks must be done for all certificates in the chain.
4.1.4 Domainparameter und Schlüssellängen
This requirement is not testable from remote.
4 5.2 Zufallszahlen
This requirement is not testable from remote.
=head3 RFC 2818 (+rfc2818)
Check if the FQDN is listed in the certificates C<subjectAltname>.
=head3 RFC 6125 (+rfc6125)
Checks values C<CommonName>, C<Subject> and C<SubjectAltname> of the
certificate for:
=over
=item * must all be valid characters for DNS
=back
=over
=item * must not contain more than one wildcard
=back
=over
=item * must not contain invalid wildcards
=back
=over
=item * must not contain invalid IDN characters
=back
=head3 RFC 6797 (+rfc6797)
Same as STS header I<+hsts> .
=head3 RFC 7525 (+rfc7525)
Checks if connection and ciphers are compliant according to RFC 7525.
See http://tools.ietf.org/rfc/rfc7525.txt
(following headlines are taken from there)
3.1.1. SSL/TLS Protocol Versions
SSLv2 and SSLv3 must not be supported.
TLSv1 should only be supported if there is no TLSv1.1 or TLSv1.2.
Either TLSv1.1 or TLSv1.2 must be supported, preferred is TLSv1.2.
3.1.2. DTLS Protocol Versions
DTLSv1 and DTLSv1.1 must not be supported.
3.1.3. Fallback to Lower Versions
(check implicitly done by 3.1.1, see above)
3.2. Strict TLS
Check if server provides Strict Transport Security.
(C<STARTTLS> check NOT YET IMPLEMENTED).
3.3. Compression
Compression on TLS must not be supported.
3.4. TLS Session Resumption
Server must support resumption and random session tickets.
(Randomness of session tickets implemented, yet experimental.)
Check if ticket is authenticated and encrypted NOT YET IMPLEMENTED.
3.5. TLS Renegotiation
Server must support renegotiation.
3.6. Server Name Indication
(Check for SNI support implemented experimental.)
4. Recommendations: Cipher Suites
4.1. General Guidelines
4.2. Recommended Cipher Suites
Check for recommended ciphers.
4.3. Public Key Length
DH parameter must be at least 256 bits or 2048 bits with EC.
(Check currently, 4/2016, based on openssl which may not provide DH
parameters for all ciphers.)
4.5. Truncated HMAC
TLS extension "truncated hmac" must not be used.
6. Security Considerations
6.1. Host Name Validation
Given hostname must match hostname in certificate's subject.
6.2. AES-GCM
6.3. Forward Secrecy
6.4. Diffie-Hellman Exponent Reuse
(NOT YET IMPLEMENTED).
6.5. Certificate Revocation
OCSP and CRL Distribution Point in certificate must be defined.
=head1 OUTPUT
All output is designed to make it easily parsable by postprocessors.
Following rules are used:
=over
=item * Lines for formatting or header lines start with C<=>.
=back
=over
=item * Lines for verbosity or tracing start with C<#>.
=back
=over
=item * Errors and warnings start with C<**>.
=back
=over
=item * Empty lines are comments ;-)
=back
=over
=item * Label texts end with a separation character; default is C<:>.
=back
=over
=item * Label and value for all checks are separated by at least one TAB character.
=back
=over
=item * Texts for additional information are enclosed in C<<<> and C<>>>.
=back
=over
=item * C<N/A> is used when no proper information was found or provided.
=back
Replace C<N/A> by whatever you think is adequate: "No answer",
"Not available", "Not applicable", ...
Lines not described above, will have the form (by default):
Label for information or check: TABresult
For more details on these lines, please refer to L</RESULTS> above.
When used in I<--legacy=full> or I<--legacy=simple> mode, the output may
contain formatting lines for better (human) readability.
=head2 Postprocessing Output
It is recommended to use the I<--legacy=quick> option, if the output
should be postprocessed, as it omits the default separation character
(C<:> , see above) and just uses one single tab character (0x09, \t or
TAB) to separate the label text from the text of the result. Example:
Label of the performed checkTABresult
More examples for postprocessing the output can be found here:
https://github.com/OWASP/O-Saft/blob/master/contrib
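The line rules listed under OUTPUT translate directly into a small postprocessor. The following Python parser is an added example, not one of the scripts from the contrib directory; the function names and the sample lines are constructed, the C<!!> prefix is taken from the I<--hint> description and the C<#key#> prefix from the I<--trace-key> description.

```python
import re

# --trace-key form: "#key# Label:<TAB>value"; must be tried before the
# plain "#" rule, otherwise such result lines would be taken as tracing.
TRACE_KEY = re.compile(r"^#([^#\s]+)#\s*(.*\t.*)$")
# Additional information is enclosed in << and >>.
EXTRA = re.compile(r"<<(.*?)>>")
# Line prefixes and the kind of line they mark.
PREFIXES = (("**", "message"), ("!!", "hint"), ("=", "format"), ("#", "trace"))


def parse_line(line, sep=":"):
    """Classify one output line; sep is the label separation character."""
    line = line.rstrip("\r\n")
    if not line.strip():
        return {"kind": "comment"}          # empty lines are comments
    key = None
    keyed = TRACE_KEY.match(line)
    if keyed:
        key, line = keyed.groups()
    else:
        for prefix, kind in PREFIXES:
            if line.startswith(prefix):
                return {"kind": kind, "text": line}
    label, tab, value = line.partition("\t")
    if not tab:
        return {"kind": "other", "text": line}
    label = label.strip()
    if sep and label.endswith(sep):         # absent with --legacy=quick
        label = label[: -len(sep)].rstrip()
    value = value.strip()                   # "at least one TAB"
    return {"kind": "result", "key": key, "label": label,
            "value": value, "extra": EXTRA.findall(value)}


def parse_output(text, sep=":"):
    """Parse complete output into a list of records, one per line."""
    return [parse_line(line, sep) for line in text.splitlines()]


# Constructed sample output (not produced by a real scan).
SAMPLE = "\n".join([
    "=== Constructed header line ===",
    "# constructed verbose line",
    "**WARNING: constructed warning text",
    "!!Hint: constructed hint text",
    "",
    "Certificate is not self-signed:\tyes",
    "Certificate Serial Number:\t\tdeadbeef",
    "Target supports TLS compression:\tno (<<N/A as this is a constructed line>>)",
    "#serial# Certificate Serial Number:\tdeadbeef",
    "Label of the performed check\tresult",   # --legacy=quick form
])

if __name__ == "__main__":
    for record in parse_output(SAMPLE):
        if record["kind"] == "result":
            print(record["key"], record["label"], record["value"],
                  record["extra"], sep=" | ")
```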
=head1 CUSTOMIZATION
This tool can be customized as follows:
=over
=item * Using command line options
=back
This is a simple way to redefine specific settings. Please see
L</CONFIGURATION OPTIONS> below.
=over
=item * Using Configuration file
=back
A configuration file can contain multiple configuration settings.
Syntax is simply KEY=VALUE. Please see L</CONFIGURATION FILE> below.
=over
=item * Using resource files
=back
A resource file can contain multiple command line options. Syntax
is the same as for command line options themselves. Each directory
may contain its own resource file. Please see L</RC-FILE> below.
=over
=item * Using debugging files
=back
These files are - nomen est omen - used for debugging purposes.
However, they can be (mis-)used to redefine all settings too.
Please see L</DEBUG-FILE> below.
=over
=item * Using user specified code
=back
This file contains user specified program code. It can also be
(mis-)used to redefine all settings. Please see L</USER-FILE> below.
Customization is done by redefining values in internal data structure
which are: %cfg, %data, %checks, %text, %scores.
Unless used in L</DEBUG-FILE> or L</USER-FILE>, there is no need to know
these internal data structures or the names of variables; the options
will set the proper values. The key names being part of the option,
are printed in output with the I<--trace-key> option.
I.g. texts (values) of keys in %data are those used in output of the
"Information" section. Texts of keys in %checks are used for output
in "Performed Checks" section. And texts of keys in %text are used
for additional information lines or texts (mainly beginning with C<=>).
Configuration File vs. L</RC-FILE> vs. L</DEBUG-FILE>
=over
=item * CONFIGURATION FILE
=back
Configuration files must be specified with one of the I<--cfg-*>
options. The specified file can be a valid path. Please note that
only the characters: a-zA-Z_0-9,.\/()- are allowed as pathname.
Syntax in configuration file is: C<KEY=VALUE> where C<KEY> is any
key as used in internal data structure.
=over
=item * RC-FILE
=back
Resource files are searched for and used automatically.
For details see L</RC-FILE> below.
=over
=item * DEBUG-FILE
=back
Debug files are searched for and used automatically.
For details see L</DEBUG-FILE> below.
=over
=item * USER-FILE
=back
The user program file is included only if the I<--usr> option was
used. For details see L</USER-FILE> below.
=head2 CONFIGURATION OPTIONS
Configuration options are used to redefine texts and labels or score
settings used in output. The options are:
=over
=item * --cfg-cmd=CMD=LIST
=back
=over
=item * --cfg-checks=KEY=TEXT
=back
=over
=item * --cfg-data=KEY=TEXT
=back
=over
=item * --cfg-hint=KEY=TEXT
=back
=over
=item * --cfg-text=KEY=TEXT
=back
=over
=item * --cfg-cipher=CIPHER=TEXT
=back
C<KEY> is the key used in the internal data structure, and C<TEXT> is
the value to be set for this key. Note that unknown keys are ignored
silently.
If KEY=TEXT is an existing filename, all lines from that file are read
and set. For details see L</CONFIGURATION FILE> below.
CIPHER must be a valid cipher suite name as shown with:
o-saft.pl ciphers
NOTE that such configuration options should be used before any I<--help>
or I<--help=*> option, otherwise the changed setting is not visible.
=head2 CONFIGURATION FILE
Note that the file can contain C<KEY=TEXT> pairs for any kind of the
configuration as given by the I<--cfg-CFG> option.
For example when used with I<--cfg-text=FILE> only values for %text
will be set, when used with I<--cfg-data=FILE> only values for %data
will be set, and so on. C<KEY> will not be used when C<KEY=TEXT> is an
existing filename. It is recommended to use a non-existing key, i.e.:
I<--cfg-text=my_file=some/path/to/private/file> .
=head2 RC-FILE
The rc-file will be searched for in the working directory only.
The name of the rc-file is the name of the program file prefixed by a
C<.> (dot), for example: C<.o-saft.pl>.
A rc-file can contain any of the commands and options valid for the
tool itself. The syntax for them is the same as on command line. Each
command or option must be in a single line. Any empty or comment line
will be ignored. Comment lines start with C<#> or C<=>.
Note that options with arguments must be used as C<KEY=VALUE> instead
of C<KEY VALUE>.
Configuration options must be written like C<--cfg-CFG=KEY=VALUE>.
Where C<CFG> is any of: C<cmd>, C<check>, C<data>, C<text> and C<KEY> is
any key from internal data structure (see above).
All commands and options given on command line will overwrite those
found in the rc-file.
=head2 DEBUG-FILE
All debugging functionality is defined in L<o-saft-dbx.pm|o-saft-dbx.pm> , which will
be searched for using paths available in C<@INC> variable.
Syntax in this file is perl code. For details see L</DEBUG> below.
=head2 USER-FILE
All user functionality is defined in L<o-saft-usr.pm|o-saft-usr.pm> , which will be
searched for using paths available in C<@INC> variable.
Syntax in this file is perl code.
All functions defined in L<o-saft-usr.pm|o-saft-usr.pm> are called when the option
I<--usr> was given. The functions are defined as empty stubs, any code
can be inserted as needed. Please see perldoc L<o-saft-usr.pm|o-saft-usr.pm> to see
when and how these functions are called.
=head2 SHELL TWEAKS
Configuring the shell environment where the tool is started must be
done before the tool starts. It is not really a task for the tool
itself, but it can simplify your life, somehow.
There exist customizations for some commonly used shells, please see
the files in the ./contrib/ directory.
=head2 COMMANDS
The option I<--cfg-cmd=CMD=LIST> can be used to define own commands.
When configuring own commands, CMD must not be one of the commands
listed with I<--help=intern> and CMD must consist only of digits and
letters.
Examples in C<.o-saft.pl> are I<+preload> and I<+ciphercheck> .
=head1 CIPHER NAMES
While the SSL/TLS protocol uses integer numbers to identify ciphers,
almost all tools use some kind of "human readable" texts for cipher
names.
These numbers (which are most likely written as hex values in source
code and documentations) are the only true identifier, and we have to
rely on the tools that they use the proper integers.
As such integer or hex numbers are difficult to handle by humans, we
decided to use human readable texts. Unfortunately no common standard
exists how to construct the names and map them to the correct number.
Some, but by far not all, oddities are described in L</Name Rodeo>.
The rules for specifying cipher names are:
=over
=item * 1) textual names as defined by IANA (see [IANA])
=back
=over
=item * 2) mapping of names and numbers as defined by IANA (see [IANA])
=back
=over
=item * 3) C<-> and C<_> are treated the same
=back
=over
=item * 4) abbreviations are allowed, as long as they are unique
=back
=over
=item * 5) beside IANA, openssl's cipher names are preferred
=back
=over
=item * 6) name variants are supported, as long as they are unique
=back
=over
=item * 7) hex numbers can be used
=back
[IANA] http://www.iana.org/assignments/tls-parameters/tls-parameters.txt September 2013
[openssl] ... openssl 1.0.1
If in any doubt, use I<+list> I<--v> to get an idea about the mapping.
Use I<--help=regex> to see which regex are used to handle all variants
herein.
Mind the traps and dragons with cipher names and what number they are
actually mapped to. In particular when I<--lib>, I<--exe> or I<--openssl>
options are in use. Always use these options with I<+list> command too.
=head2 Name Rodeo
As said above, the SSL/TLS protocol uses integer numbers to identify
ciphers, but almost all tools use some kind of human readable texts
for cipher names.
For example the cipher commonly known as C<DES-CBC3-SHA> is identified
by C<0x020701c0> (in openssl) and has C<SSL2_DES_192_EDE3_CBC_WITH_SHA>
as constant name. A definition is missing in IANA, but there is
C<TLS_RSA_WITH_3DES_EDE_CBC_SHA>. There is also C<0x000A> for the same
cipher C<DES-CBC3-SHA>. Both are valid: the first one if used with SSLv2,
and the second one when used with SSLv3.
It's the responsibility of each tool to map the human readable cipher
name to the correct (hex, integer) identifier.
For example Firefox uses C<dhe_dss_des_ede3_sha>, which is what?
Furthermore, there are different acronyms for the same thing in use.
For example C<DHE> and C<EDH> both mean "Ephemeral Diffie-Hellman".
Comments in the L<openssl(1)|openssl(1)> sources mention this. As a curiosity,
these sources use both in cipher names, but allow C<EDH> as shortcut
only in openssl's "ciphers" command. Wonder about (up to 1.0.1h):
openssl ciphers -V EDH
openssl ciphers -V DHE
openssl ciphers -V EECDH
openssl ciphers -V ECDHE
Next example is C<ADH> which is also known as C<DH_anon> or C<DHAnon>
or C<DHA> or C<ANON_DH>.
You think this is enough? Then have a look how many acronyms are used
for "Triple DES".
Compared to above, the interchangeable use of C<-> vs. C<_> in human
readable cipher names is just a very simple one. However, see again
what openssl returns for the following:
openssl ciphers -v RC4-MD5
openssl ciphers -v RC4+MD5
openssl ciphers -v RC4:-MD5
openssl ciphers -v RC4:!MD5
openssl ciphers -v RC4!MD5
Looking at all these oddities, it would be nice to have a common unique
naming scheme for cipher names. We have not. As the SSL/TLS protocol
just uses a number, it would be natural to use the number as unique key
for all cipher names, at least as key in our internal sources.
Unfortunately, the assignment of ciphers to numbers changed over the
years, which means that the same number refers to a different cipher
depending on the standard, and/or tool, or version of a tool you use.
As a result, we cannot use human readable cipher names as identifier
(aka unique key), as there are too many aliases for the same cipher.
And also the number cannot be used as unique key, as a key may have
multiple ciphers assigned.
The default behaviour will be to use the cipher names like L<openssl(1)|openssl(1)>
does. If a name is ambiguous, the first match will be chosen. This
"first match" rule only applies to names provided by the user by option
or otherwise; internally the latest IANA numbers will be used, because
they have the fewest ambiguities.
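The naming rules and the "first match" behaviour described above can be tried out with the following added example, which is not code from o-saft.pl. The table is a constructed sample (the two C<DES-CBC3-SHA> rows use the numbers and names quoted in the text, the other rows are standard IANA assignments), and treating an abbreviation as a name prefix is an assumption of this example.

```python
import re
from typing import List, NamedTuple, Optional


class Cipher(NamedTuple):
    number: int    # integer identifier used by the protocol
    openssl: str   # openssl-style name
    constant: str  # IANA name (or openssl constant where IANA has none)


# Constructed sample table, not o-saft's internal data.
TABLE = [
    Cipher(0x020701C0, "DES-CBC3-SHA", "SSL2_DES_192_EDE3_CBC_WITH_SHA"),
    Cipher(0x000A, "DES-CBC3-SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    Cipher(0x0016, "EDH-RSA-DES-CBC3-SHA", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"),
    Cipher(0x0004, "RC4-MD5", "TLS_RSA_WITH_RC4_128_MD5"),
    Cipher(0x0005, "RC4-SHA", "TLS_RSA_WITH_RC4_128_SHA"),
    Cipher(0x0018, "ADH-RC4-MD5", "TLS_DH_anon_WITH_RC4_128_MD5"),
]

# Acronym variants named in the text, folded onto one spelling each.
ALIASES = [
    (re.compile(r"\bEDH\b"), "DHE"),
    (re.compile(r"\bEECDH\b"), "ECDHE"),
    (re.compile(r"\b(?:DH-ANON|DHANON|DHA|ANON-DH)\b"), "ADH"),
]


def canonical(name: str) -> str:
    """Upper-case, treat '_' like '-', and fold known acronym variants."""
    text = name.strip().upper().replace("_", "-")
    for pattern, replacement in ALIASES:
        text = pattern.sub(replacement, text)
    return text


def matches(query: str) -> List[Cipher]:
    """Return all table rows a user-supplied name or hex number refers to."""
    query = query.strip()
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", query):
        number = int(query, 16)
        return [c for c in TABLE if c.number == number]
    wanted = canonical(query)
    if not wanted:
        return []
    exact = [c for c in TABLE
             if wanted in (canonical(c.openssl), canonical(c.constant))]
    if exact:
        return exact
    # Assumption: an abbreviation is a prefix of a canonical name.
    return [c for c in TABLE
            if canonical(c.openssl).startswith(wanted)
            or canonical(c.constant).startswith(wanted)]


def first_match(query: str) -> Optional[Cipher]:
    """'First match' rule for ambiguous user input; None if unknown."""
    found = matches(query)
    return found[0] if found else None


if __name__ == "__main__":
    for q in ("DES_CBC3_SHA", "DHE-RSA-DES-CBC3-SHA", "RC4", "RC4-M", "0x000a"):
        rows = matches(q)
        print(q, "->", [(hex(c.number), c.openssl) for c in rows])
```

One name resolving to two numbers (C<DES_CBC3_SHA>) and one abbreviation resolving to two ciphers (C<RC4>) are the cases where a scan result should be read together with the I<+list> I<--v> mapping.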
=head1 KNOWN PROBLEMS
This section describes known problems, and known error messages which
may occur when using o-saft.pl. This section can be used as FAQ too
as it gives hints and workarounds.
=head2 Segmentation fault
Sometimes the program terminates with a C<Segmentation fault>. This
mainly happens if the target does not return certificate information.
If so, the I<--no-cert> option may help.
=head2 **WARNING: empty result from openssl; ignored at ...
This most likely occurs when the provided cipher is not accepted by
the server, or the server expects client certificates.
=head2 **WARNING: unknown result from openssl; ignored at ...
This most likely occurs when the L<openssl(1)|openssl(1)> executable is used with a
very slow connection. Typically the reason is a connection timeout.
Try to use I<--timeout=SEC> option.
To get more information, use I<--v> I<--v> and/or I<--trace> also.
=head2 **WARNING: undefined cipher description
May occur if ciphers are checked, but no description is available for
them herein. This results in printed cipher checks like:
EXP-KRB5-RC4-MD5 no <<undef>>
instead of:
EXP-KRB5-RC4-MD5 no weak
=head2 **WARNING: Can't make a connection to your.tld:443; no initial data
=head2 **WARNING: Can't make a connection to your.tld:443; target ignored
This message occurs if the underlying SSL library (i.e. libssl.a)
was not able to connect to the target. Known observed reasons are:
=over
=item * target does not support SSL protocol on specified port
=back
=over
=item * target expects a client certificate in ClientHello message
=back
More details why the connection failed can be seen using I<--trace=2> .
If the target supports SSL, it should be at least possible to check
for supported ciphers using I<+cipherall> instead of I<+cipher> .
=head2 Use of uninitialized value $headers in split ... do_httpx2.al)
A warning message like the following (or similar):
Use of uninitialized value $headers in split at blib/lib/Net/SSLeay.pm
(autosplit into blib/lib/auto/Net/SSLeay/do_httpx2.al) line 1290.
occurs if the target refused a connection on port 80.
This is considered a bug in L<Net::SSLeay(1)|Net::SSLeay(1)>.
Workaround to get rid of this message: use I<--no-http> option.
=head2 invalid SSL_version specified at ... IO/Socket/SSL.pm
This error may occur on systems where a specific SSL version is not
supported. Affected are mainly SSLv2, SSLv3, TLSv1.3 and DTLSv1.
For DTLSv1 the full message looks like:
invalid SSL_version specified at C:/programs/perl/perl/vendor/lib/IO/Socket/SSL.
See also L</Note on SSL versions> .
Workaround: use option: I<--no-sslv2> I<--no-sslv3> I<--no-tlsv13> I<--no-dtlsv1>
=head2 Use of uninitialized value $_[0] in length at (eval 4) line 1.
This warning occurs with IO::Socket::SSL 1.967, reason is unknown.
It seems not to harm functionality, hence no workaround, just ignore.
=head2 Use of uninitialized value in subroutine entry at lib/IO/Socket/SSL.pm line 430.
Some versions of IO::Socket::SSL return this error message if *-MD5
ciphers are used with other protocols than SSLv2.
Workaround: use I<--no-md5-cipher> option.
=head2 Can't locate auto/Net/SSLeay/CTX_v2_new.al in @INC ...
Underlying library doesn't support the required SSL version.
See also L</Note on SSL versions> .
Workaround: use I<--ssl-lazy> option, or corresponding I<--no-SSL> option.
=head2 Read error: Connection reset by peer (,199725) at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/tcp_read_all.al) line 535.
Error reported by some Net::SSLeay versions. Reason may be a timeout.
This error cannot be omitted or handled properly.
Workaround: try to use same call again (no guarantee, unfortunately)
=head2 Odd number of elements in anonymous hash at Net/SSLinfo.pm line 1613.
This warning from perl has been observed when the connection to the
target to check for supported ciphers cannot be established.
This message can be ignored.
=head2 openssl: ...some/path.../libssl.so.1.0.0: no version information available (required by openssl)
Mismatch of openssl executable and loaded underlying library. This
most likely happens when options I<--lib=PATH> and/or I<--exe=PATH> are
used. See also L</Note on SSL versions> .
Hint: use following commands to get information about used libraries:
o-saft.pl +version
o-saft.pl --v --v +version
=head2 Integer overflow in hexadecimal number at ...
This error message may occur on 32-bit systems if perl was not compiled
with proper options. I.g. perl automatically converts the value
to a floating point number.
Please report a bug with output of following command:
o-saft.pl +s_client +dump your.tld
=head2 openssl did not return DH Paramter>>
Text may be part of a value. This means that all checks regarding DH
parameters and the Logjam attack cannot be done.
Workaround: try to use I<--openssl=TOOL> option.
This text may appear in any of the compliance checks (like I<+rfc7525>)
which may be a false positive. For these checks openssl is also used
to get the DH Parameter.
Workaround: not available yet
=head2 No output with +help and/or --help=todo
On some (mainly Windows-based) systems using
o-saft.pl +help
o-saft.pl --help
does not print anything.
Workaround: use I<--v> option.
o-saft.pl +help --v
or
o-saft.pl +help | more
=head2 Character set (like UTF-8) not recognized in some tools
Some tools do not display all characters properly, i.e. some versions
of podviewer. It is not the obligation of this tool to fix well known
bugs in other tools. However, we can offer workarounds.
Workaround: generate the affected output using I<--std-format=*> options
For example:
o-saft.pl --no-rc --std-format=raw --help=gen-pod
=head2 **WARNING: on MSWin32 additional option --v required, sometimes ...
On some (mainly Windows-based) systems this may happen when calling
for example:
o-saft.pl --help=FAQ
which then may produce:
**WARNING: on MSWin32 additional option --v required, sometimes ...
=== reading: ./.o-saft.pl (RC-FILE done) ===
=== reading: Net/SSLinfo.pm (O-Saft module done) ===
**USAGE: no command given
# most common usage:
o-saft.pl I+info& your.tld&
o-saft.pl I+check& your.tld&
o-saft.pl I+cipher& your.tld&
# for more help use:
o-saft.pl I--help&&
Workaround: use full path to perl.exe, for example
C:\Programs\perl\bin\perl.exe o-saft.pl --help=FAQ
=head2 Performance Problems
There are various reasons why the program responds slowly, or seems to
hang. Performance issues are most likely a target-side problem. Most
common reasons are (no specific order):
=over
=item * a) DNS resolver problems
=back
Try with I<--no-dns>
=over
=item * b) target does not accept connections for https
=back
Try with I<--no-http>
=over
=item * c) target's certificate is not valid
=back
Try with I<--no-cert>
=over
=item * d) target expects that the client provides a client certificate
=back
No option provided yet ...
=over
=item * e) target does not handle Server Name Indication (SNI)
=back
Try with I<--no-sni>
=over
=item * f) use of external L<openssl(1)|openssl(1)> executable
=back
Use I<--no-openssl>
=over
=item * g) target does not respond at all and/or blocks
=back
Use I<--ssl-error>
For a detailed description, please see L</Connection Problems>.
Other options which may help to get closer to the problem's cause:
I<--trace-time>, I<--timeout=SEC>, I<--trace>, I<--trace-cmd>
Using I<--trace-time> should show following times:
=over
=item * DNS: 1 - 10 sec
=back
=over
=item * need_default: <5 sec
=back
=over
=item * need_cipher: 1 - 299 sec (+cipher with socket)
=back
=over
=item * need_cipher: 1 - 20 sec (+cipherraw)
=back
=over
=item * no SNI: 1 - 10 sec
=back
=over
=item * connection test: 1 - 5 sec
=back
=over
=item * prepare checks: 2 - 20 sec
=back
=over
=item * checkalpn: 1 - 15 sec
=back
=over
=item * checkprot: 1 - 15 sec
=back
=over
=item * cipher: <1 sec
=back
=over
=item * info: <1 sec
=back
=over
=item * check: <1 sec
=back
=head1 LIMITATIONS
=head2 Commands
Some commands cannot be used together with others, for example:
I<+cipher>, I<+ciphers>, I<+list>, I<+libversion>, I<+version>, I<+check>, I<+help>,
I<+protocols> .
I<+quick> should not be used together with other commands, it returns
strange output then. It is the only command which allows I<+cipher>
together with other commands.
I<+protocols> requires L<openssl(1)|openssl(1)> with support for C<-nextprotoneg>
option. Otherwise the value will be empty.
=head2 Options
The option I<--port=PORT> must precede I<--host=HOST> for a target like
HOST:PORT .
The characters C<+> and C<=> cannot be used for I<--separator=CHAR>
option.
Following strings should not be used in any value for options:
C<+check>, C<+info>, C<+quick>, C<--header>
as they may trigger the I<--header> option unintentionally.
The used L<timeout(1)|timeout(1)> command cannot be defined with a full path like
L<openssl(1)|openssl(1)> can with the I<--openssl=path/to/openssl> .
I<--cfg-text=FILE> cannot be used to redefine the texts C<yes> and C<no>
as used in the output for I<+cipher> command.
=head2 Checks (general)
=head3 +constraints
This check is only done for the certificate provided by the target.
All other certificates in the chain are not checked.
This is currently (2018) a limitation in o-saft.pl.
=head2 Broken pipe
This error message most likely means that the connection to specified
target was not possible (firewall or whatever reason).
=head2 Target Certificate Chain Verification
The system's default capabilities, i.e. libssl.so, openssl, are used to
verify the target's certificate chain. Unfortunately various systems
have implemented different approaches and rules for how to identify and
how to report a successful verification. As a consequence this tool can
only return the same information about the chain verification as the
used underlying tools. Whether that information is trustworthy depends
on how trustworthy the tools are.
These limitations apply to following commands:
=over
=item * +verify
=back
=over
=item * +selfsigned
=back
Following commands and options are useful to get more information:
=over
=item * +chain_verify, +verify, +error_verify, +chain, +s_client
=back
=over
=item * --ca-file, --ca-path, --ca-depth
=back
=head2 User Provided Files
Please note that there cannot be any guarantee that the code provided
in the L</DEBUG-FILE> L<o-saft-dbx.pm|o-saft-dbx.pm> or L</USER-FILE> L<o-saft-usr.pm|o-saft-usr.pm> will
work flawlessly. Obviously this is the user's responsibility.
=head2 Problems and Errors
Checking the target for supported ciphers may misleadingly report that
a cipher is not supported by the server. The reason is most likely an
improper timeout for the connection. See I<--timeout=SEC> option.
If the specified target accepts connections but does not speak SSL,
the connection will be closed after the system's TCP/IP-timeout. This
script will hang (about 2-3 minutes).
If reverse DNS lookup fails, an error message is returned as hostname,
like: C<<<gethostbyaddr() failed>>>.
Workaround to get rid of this message: use I<--no-dns> option.
All checks for EV are solely based on the information provided by the
certificate.
Some versions of openssl (< 1.x) may not support all required options
which results in various error messages, or even worse, may not be
visible at all. Available functionality of openssl will be checked
for right at the beginning. Proper warnings and hints are printed.
Following table shows the openssl option and how to disable it within
o-saft.pl:
=over
=item * -nextprotoneg --no-nextprotoneg
=back
=over
=item * -reconnect --no-reconnect
=back
=over
=item * -tlsextdebug --no-tlsextdebug
=back
=over
=item * -alpn --no-alpn
=back
=head2 Connection Problems
Sometimes the connection cannot be established. This may have various
reasons. Unfortunately this script seems to hang then, in particular
when checking for ciphers with I<+cipher> or I<+cipherall> . The reason
is most likely that the server does not respond to the TCP/IP request
and hence the script closes the connection after the configured timeout
(see I<--timeout=SEC> option).
Continuous connection attempts can be inhibited with the I<--ssl-error>
option, which is set by default. Avoiding further connections results
in a loss of information and consequently leads to wrong checks.
It is a trade-off between waiting for all information to be gathered
accurately and getting the results quickly. The logic to stop connecting
for I<--ssl-error> can be controlled with following additional options:
=over
=item * --ssl-error-max=CNT - max. continuous errors
=back
=over
=item * --ssl-error-timeout=SEC - treat a failure as error after timeout
=back
=over
=item * --ssl-error-total=CNT - max. amount of errors
=back
This means that no more connections are made when more than
=over
=item * --ssl-error-max errors occur sequentially
=back
or
=over
=item * --ssl-error-total errors occurred
=back
Examples:
=over
=item * --ssl-error-max=3
=back
=over
=item * --ssl-error-timeout=6
=back
=over
=item * --ssl-error-total=6
=back
No more connections are made if, for example, any of the following
sequences of timeouts occurs:
0 5 2 2 - --ssl-error-max matches
0 1 3 0 0 0 4 1 2 2 2 - --ssl-error-max matches
0 5 0 2 0 2 2 0 2 0 2 - --ssl-error-total matches
This allows to fine-tune the condition when to stop connecting to the
target. For example, continuous but not consecutive timeouts may indicate
a bad or unstable network connection, but not that the target to
be connected blocks. In such a case a sequence of timeouts like the
following may be observed (assuming I<--ssl-error-max=3>):
0 5 1 2 2 2 4 2 3 2 3 3 3 2
. . . ^ ^____ stop for --ssl-error-timeout=3
. . . |______________________ stop for --ssl-error-timeout=2
On normal (even slow) network connections dozens of connections per
second are usual, hence the timeout is always 0 or 1. Based on that
experience I<--ssl-error> is enabled and set with defaults as follows:
=over
=item * --ssl-error-max=5
=back
=over
=item * --ssl-error-timeout=1
=back
=over
=item * --ssl-error-total=10
=back
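The stop condition described in this section, modelled as an added example (not code from o-saft.pl). It assumes that an attempt counts as an error when it takes at least I<--ssl-error-timeout> seconds and that connecting stops as soon as a counter reaches its limit, which is the reading under which the last sequence in the text stops at two different points for timeouts 2 and 3; the 2-second threshold applied to the first three sequences is also an assumption of this example.

```python
from typing import NamedTuple, Optional, Sequence, Tuple


class Limits(NamedTuple):
    max_consecutive: int  # --ssl-error-max=CNT
    timeout_sec: int      # --ssl-error-timeout=SEC
    total: int            # --ssl-error-total=CNT


def stop_point(delays: Sequence[int], limits: Limits) -> Optional[Tuple[int, str]]:
    """Return (index, option) of the attempt after which connecting stops.

    delays holds the seconds each connection attempt took. A slow attempt
    increments both counters; a fast one resets only the consecutive
    counter. Returns None when neither limit is reached.
    """
    consecutive = 0
    total = 0
    for index, seconds in enumerate(delays):
        if seconds >= limits.timeout_sec:   # assumed: ">=" counts as error
            consecutive += 1
            total += 1
        else:
            consecutive = 0
        if consecutive >= limits.max_consecutive:
            return index, "--ssl-error-max"
        if total >= limits.total:
            return index, "--ssl-error-total"
    return None


# Sequences copied from the text.
SEQ_A = [0, 5, 2, 2]
SEQ_B = [0, 1, 3, 0, 0, 0, 4, 1, 2, 2, 2]
SEQ_C = [0, 5, 0, 2, 0, 2, 2, 0, 2, 0, 2]
UNSTABLE = [0, 5, 1, 2, 2, 2, 4, 2, 3, 2, 3, 3, 3, 2]


def demo() -> dict:
    """Evaluate the text's sequences; thresholds as stated in the lead-in."""
    example = Limits(max_consecutive=3, timeout_sec=2, total=6)
    return {
        "A": stop_point(SEQ_A, example),
        "B": stop_point(SEQ_B, example),
        "C": stop_point(SEQ_C, example),
        # --ssl-error-total=10 is the default given in the text.
        "unstable, timeout=2": stop_point(UNSTABLE, Limits(3, 2, 10)),
        "unstable, timeout=3": stop_point(UNSTABLE, Limits(3, 3, 10)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

Raising the timeout from 2 to 3 moves the stop from the sixth to the thirteenth attempt of the unstable sequence, so seven more connections contribute results before checking is cut off.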
=head2 Poor Systems
Use of L<openssl(1)|openssl(1)> is disabled by default on Windows due to various
performance problems. It needs to be enabled with I<--openssl> option.
On Windows the usage of "openssl s_client" needs to be enabled using
I<--s_client> option.
On Windows it's a pain to specify a correct path for I<--openssl=TOOL>
option. Variants are:
=over
=item * --openssl=/path/to/openssl.exe
=back
=over
=item * --openssl=X:/path/to/openssl.exe
=back
=over
=item * --openssl=\path\to\openssl.exe
=back
=over
=item * --openssl=X:\path\to\openssl.exe
=back
=over
=item * --openssl=\\path\\to\\openssl.exe
=back
=over
=item * --openssl=X:\\path\\to\\openssl.exe
=back
You have to fiddle around to find the proper one.
=head2 Debug and Trace Output
When both I<--trace-key> and I<--trace-cmd> options are used, output is
mixed, obviously. Hint: output for I<--trace-cmd> always contains "CMD".
Any I<--trace*> option implies I<--trace-time> .
=head1 DEPENDENCIES
All perl modules and all private modules and files will be searched
for using paths available in the C<@INC> variable. The following paths
will be prepended to C<@INC>:
=over
=item * .
=back
=over
=item * ./lib
=back
=over
=item * INSTALL_PATH
=back
=over
=item * INSTALL_PATH/lib
=back
Where C<INSTALL_PATH> is the path where the tool is installed.
To see which files have been included use:
o-saft.pl +version --v --user
=head2 Perl Modules
=over
=item * L<IO::Socket::SSL(1)|IO::Socket::SSL(1)>
=back
=over
=item * L<IO::Socket::INET(1)|IO::Socket::INET(1)>
=back
=over
=item * L<Net::SSLeay(1)|Net::SSLeay(1)>
=back
=over
=item * L<Net::SSLinfo|Net::SSLinfo>
=back
=over
=item * L<Net::SSLhello|Net::SSLhello>
=back
=head2 Additional files used if requested
=over
=item * .o-saft.pl
=back
=over
=item * L<o-saft-dbx.pm|o-saft-dbx.pm>
=back
=over
=item * L<o-saft-man.pm|o-saft-man.pm>
=back
=over
=item * L<o-saft-usr.pm|o-saft-usr.pm>
=back
=over
=item * L<o-saft-README|o-saft-README>
=back
=over
=item * o-saft-docker
=back
=head1 INSTALLATION
The tool can be installed in any path. It just requires the modules as
described in L</DEPENDENCIES> above. However, it's recommended that the
modules L<Net::SSLhello|Net::SSLhello> and L<Net::SSLinfo|Net::SSLinfo> are found in the directory
C<./Net/> where C<o-saft.pl> is installed.
For security reasons, most modern libraries disabled or even removed
insecure or "dirty" functionality. As the purpose of this tool is to
detect such insecure settings, functions, etc., it needs these dirty
things enabled. It needs (incomplete list):
=over
=item * insecure protocols like SSLv2, SSLv3
=back
=over
=item * more ciphers enabled, like NULL-MD5, AECDH-NULL-SHA, etc.
=back
=over
=item * some SSL extensions and options
=back
Therefore we recommend to compile and install at least following:
=over
=item * OpenSSL with SSLv2, SSLv3 and more ciphers enabled
=back
=over
=item * Net::SSLeay compiled with openssl version as described before.
=back
Please read the L</SECURITY> section first before following the install
instructions below.
=head2 OpenSSL
Currently (since 18.06.18) it is recommended to build openssl using
contrib/install_openssl.sh
Other possibilities are:
=over
=item * compiling openssl using following sources
=back
https://github.com/PeterMosmans/openssl/
see L</Example: Compile OpenSSL>,
=over
=item * use any of the precompiled versions provided by https://testssl.sh/
=back
=over
=item * use Docker owasp/o-saft (which contains a special openssl)
=back
The sources are available at
=over
=item * https://github.com/PeterMosmans/openssl/archive/1.0.2-chacha.zip
=back
Precompiled static versions are available at
=over
=item * https://github.com/drwetter/testssl.sh/ (see bin directory there)
=back
For all following installation examples we assume:
=over
=item * openssl-1.0.2-chacha.zip or openssl-1.0.2d.tar.gz
=back
=over
=item * /usr/local as base installation directory
=back
=over
=item * a bourne shell (sh) compatible shell
=back
=head2 Example: Precompiled OpenSSL
Simply download the tarball or zip file for your platform, unpack it,
and install (copy) the binaries into a directory of your choice.
=head2 Example: Compile OpenSSL
OpenSSL can be used from http://openssl.org/ or, as recommended, from
https://github.com/PeterMosmans/openssl/ .
OpenSSL-chacha
Compiling and installing the latter is as simple as:
unzip openssl-1.0.2-chacha.zip
cd openssl-1.0.2-chacha
./config --shared -Wl,-rpath=/usr/local/lib
make
make test
make install
which will install openssl, libssl.so, libcrypto.so and some include
files as well as the include files in /usr/local/ .
The shared version of the libraries are necessary for Net::SSLeay.
OpenSSL.org
Building openssl from the official openssl.org sources requires some
patching before compiling and installing the libraries and binaries.
Example with openssl-1.0.2d:
echo == unpack tarball
tar xf openssl-1.0.2d.tar.gz
cd openssl-1.0.2d
echo == backup files to be modified
cp ssl/s2_lib.c{,.bak}
cp ssl/s3_lib.c{,.bak}
cp ssl/ssl3.h{,.bak}
cp ssl/tls1.h{,.bak}
echo == patch files
vi ssl/tls1.h +/TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES/
# define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 1
vi ssl/ssl3.h ssl/s{2,3}_lib.c +"/# *if 0/"
#==> remove all # if 0 and corresponding #endif
# except if lines contain:
# _FZA
# /* Fortezza ciphersuite from SSL 3.0
# /* Do not set the compare functions,
# if (s->shutdown & SSL_SEND_SHUTDOWN)
echo == configure with static libraries
echo omit the zlib options if zlib-1g-dev is not installed
echo omit the krb5 options if no kerberos libraries available
LD_RUN_PATH=/usr/local/openssl/lib
LDFLAGS="-rpath=$LD_RUN_PATH" && export LDFLAGS
./config --prefix=/usr/local --openssldir=/usr/local/ssl \
enable-zlib zlib zlib-dynamic enable-ssl2 \
enable-krb5 --with-krb5-flavor=MIT \
enable-mdc2 enable-md2 enable-rc5 enable-rc2 \
enable-cms enable-ec enable-ec2m enable-ecdh enable-ecdsa \
enable-gost enable-seed enable-idea enable-camellia \
enable-rfc3779 enable-ec_nistp_64_gcc_128 \
experimental-jpake -fPIC \
-DTEMP_GOST_TLS -DTLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES \
-shared
echo == make binaries and libraries
make depend
make
make test
make install
echo == if you want static binaries and libraries
make clean
echo same ./config as before but without shared option
./config --prefix=/usr/local --openssldir=/usr/local/ssl \
enable-zlib zlib zlib-dynamic enable-ssl2 \
enable-krb5 --with-krb5-flavor=MIT \
enable-mdc2 enable-md2 enable-rc5 enable-rc2 \
enable-cms enable-ec enable-ec2m enable-ecdh enable-ecdsa \
enable-gost enable-seed enable-idea enable-camellia \
enable-rfc3779 enable-ec_nistp_64_gcc_128 \
experimental-jpake -fPIC -static \
-DTEMP_GOST_TLS -DTLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
make depend
make
make test
echo next make will overwrite the previously installed dynamic
echo shared openssl binary with the static openssl binary
make install
=head2 Example: Compile Net::SSLeay
To enable support for ancient protocol versions, Net::SSLeay must be
compiled manually after patching C<SSLeay.xs> (see below).
Reason is, that Net::SSLeay enables some functionality for SSL/TLS
according the identified openssl version. There is, currently (2015),
no possibility to enable this functionality by passing options on to
the configuration script C<perl Makefile.PL>.
Building our own library and module (with openssl from C</usr/local>):
echo == unpack tarball
tar xf Net-SSLeay-1.72.tar.gz
cd Net-SSLeay-1.72
echo == patch files
echo "edit SSLeay.xs and change some #if as described below"
LD_RUN_PATH=/usr/local/openssl/lib
LDFLAGS="-rpath=$LD_RUN_PATH" && export LDFLAGS
env OPENSSL_PREFIX=/usr/local perl Makefile.PL PREFIX=/usr/local \
INC=-I/usr/local/include DEFINE=-DOPENSSL_BUILD_UNSAFE=1
make
make install
cd /tmp && o-saft.pl +version
SSLeay.xs needs to be changed as follows:
=over
=item * search for
=back
#ifndef OPENSSL_NO_SSL2
#if OPENSSL_VERSION_NUMBER < 0x10000000L
const SSL_METHOD *
SSLv2_method()
#endif
#endif
#ifndef OPENSSL_NO_SSL3
#if OPENSSL_VERSION_NUMBER < 0x10002000L
const SSL_METHOD *
SSLv3_method()
#endif
#endif
=over
=item * and replace by
=back
const SSL_METHOD *
SSLv2_method()
const SSL_METHOD *
SSLv3_method()
Note that Net::SSLeay will be installed in C</usr/local/> then. This
can be adapted to your needs by passing another path to the C<PREFIX>
and C<DESTDIR> parameter.
Following command can be used to check which methods are available in
Net::SSLeay, hence above patches can be verified:
perl -MNet::SSLinfo -le 'print Net::SSLinfo::ssleay_test();'
=head2 Testing OpenSSL
After the installation described above has finished, openssl may be tested:
echo already installed openssl (found with PATH environment)
openssl ciphers -v
openssl ciphers -V -ssl2
openssl ciphers -V -ssl3
openssl ciphers -V ALL
openssl ciphers -V ALL:COMPLEMENTOFALL
openssl ciphers -V ALL:eNULL:EXP
echo own compiled and installed openssl
/usr/local/openssl ciphers -v
/usr/local/openssl ciphers -V -ssl2
/usr/local/openssl ciphers -V -ssl3
/usr/local/openssl ciphers -V ALL
/usr/local/openssl ciphers -V ALL:COMPLEMENTOFALL
/usr/local/openssl ciphers -V ALL:eNULL:EXP
The difference should be obvious.
Note, the commands using C<ALL:COMPLEMENTOFALL> and C<ALL:eNULL:EXP>
should return the same result.
=head2 Testing Net::SSLeay
As we want to test the separately installed Net::SSLeay, it is best
to do it with o-saft.pl itself:
o-saft.pl +version
we should see a line similar to the following at the end of the output:
Net::SSLeay 1.72 /usr/local/lib/x86_64-linux-gnu/perl/5.20.2/Net/SSLeay.pm
Now check for supported (known) ciphers:
o-saft.pl ciphers -V
we should see lines similar to those of the last C</usr/local/openssl>
call. However, it should contain more cipher lines.
=head2 Stand-alone Executable
Some people asked for a stand-alone executable (mainly for Windows).
Even though perl is a scripting language, there are situations where a
stand-alone executable would be nice, for example if the installed perl
and its libraries are outdated, or if perl is missing at all.
Currently (2016) there are following possibilities to generate such a
stand-alone executable:
=over
=item * perl with PAR::Packer module
=back
pp -C -c o-saft.pl
pp -C -c o-saft.pl -M Net::DNS -M Net::SSLeay -M IO::Socket \
-M Net::SSLinfo -M Net::SSLhello -M osaft
pp -C -c checkAllCiphers.pl
pp -C -c checkAllCiphers.pl -M Net::DNS
=over
=item * ActiveState perl with its perlapp
=back
perlapp --clean o-saft.pl
perlapp --clean o-saft.pl -M Net::DNS -M Net::SSLeay -M IO::Socket \
-M Net::SSLinfo -M Net::SSLhello -M osaft
perlapp --clean checkAllCiphers.pl
perlapp --clean checkAllCiphers.pl -M Net::DNS -M osaft
=over
=item * perl2exe from IndigoSTar
=back
perl2exe o-saft.pl
perl2exe checkAllCiphers.pl
For details on building the executable, for example how to include
all required modules, please refer to the documentation of the tool.
=over
=item * http://search.cpan.org/~rschupp/PAR-Packer-1.030/lib/PAR/Packer.pm
=back
=over
=item * http://docs.activestate.com/pdk/6.0/PerlApp.html
=back
=over
=item * http://www.indigostar.com
=back
Note that pre-built executables (built by perlapp, perl2exe) cannot
be provided due to licence problems.
Also note that stand-alone executables have not been tested the
same way as o-saft.pl itself. Use them at your own risk.
=head1 DOCKER
The tool can be used inside a Docker image. To start o-saft.pl inside
the Docker image, use following:
o-saft-docker +info some.tld
or
docker run --rm -it owasp/o-saft +info some.tld
For more details, please refer to:
o-saft-docker usage
o-saft-docker -help
=head1 BUILD DOCKER IMAGE
The Docker image can be installed as follows:
docker pull owasp/o-saft
The image can also easily be built from the Dockerfile (which is part
of the distribution) as follows:
o-saft-docker build
To build the image from the Dockerfile with docker commands, see:
o-saft-docker -n build
For more details, please refer to:
o-saft-docker -help
=head1 SEE ALSO
=over
=item * L<openssl(1)|openssl(1)>, L<Net::SSLeay(1)|Net::SSLeay(1)>, L<Net::SSLhello|Net::SSLhello>, L<Net::SSLinfo|Net::SSLinfo>, L<timeout(1)|timeout(1)>
=back
=over
=item * http://www.openssl.org/docs/apps/ciphers.html
=back
=over
=item * L<IO::Socket::SSL(1)|IO::Socket::SSL(1)>, L<IO::Socket::INET(1)|IO::Socket::INET(1)>
=back
=over
=item * o-saft, o-saft-docker, o-saft-docker-dev, Dockerfile, docker
=back
=head1 HACKER's INFO
=head2 Note on SSL versions
Automatically detecting the supported SSL versions of the underlying
system is a hard job and not always possible. Reasons could be:
=over
=item * used perl modules (Socket::SSL, Net::SSLeay) do not handle errors
properly. Errors may be:
invalid SSL_version specified at ... IO/Socket/SSL.pm
Use of uninitialized value in subroutine entry at lib/IO/Socket/SSL.pm
There're some workarounds implemented since version 15.11.15 .
=back
=over
=item * the underlying libssl does not support the version, which then may
result in segmentation fault
=back
=over
=item * the underlying libssl is newer than the perl module and the module
has not been reinstalled. This most often happens with Net::SSLeay.
This can be detected with (see version numbers for Net::SSLeay):
o-saft.pl +version
=back
=over
=item * perl (in particular a used module, see above) may bail out with a
compile error, like
Can't locate auto/Net/SSLeay/CTX_v2_new.al in @INC ...
There're some workarounds implemented since version 15.11.15 .
=back
We try to detect unsupported versions and disable them automatically,
a warning like the following is shown then:
**WARNING: SSL version 'SSLv2': not supported by openssl
All such warnings look like:
**WARNING: SSL version 'SSLv2': ...
If problems occur with SSL versions, following commands and options
may help to get closer to the reason or can be used as workaround:
o-saft.pl +version
o-saft.pl +version --v
o-saft.pl +version | grep versions
o-saft.pl +version | grep 0x
o-saft.pl +protocols your.tld
o-saft.pl +protocols your.tld --no-rc
Checking for SSL version is done at one place in the code, search for
supported SSL versions
However, there are some dirty hacks where SSLv2 and SSLv3 are checked
again.
=head2 Using private libssl.so and libcrypt.so
For all cryptographic functionality the libraries installed on the
system will be used. In particular perl's L<Net::SSLeay(1)|Net::SSLeay(1)> module, the
system's libssl.so and libcrypt.so and the L<openssl(1)|openssl(1)> executable.
It is possible to provide your own libraries, if the perl module and
the executable are linked using dynamic shared objects (aka shared
library, position independent code).
The appropriate option is I<--lib=PATH>.
On most systems these libraries are loaded at startup of the program.
The runtime loader uses a preconfigured list of directories where to
find these libraries. Also most systems provide a special environment
variable to specify additional paths to directories where to search
for libraries, for example the LD_LIBRARY_PATH environment variable.
This is the default environment variable used herein. If your system
uses another name it must be specified with the I<--envlibvar=NAME>
option, where NAME is the name of the environment variable.
=head2 Understanding --exe=PATH, --lib=PATH, --openssl=TOOL
If any of I<--exe=PATH> or I<--lib=PATH> is provided, the program calls
(C<exec>) itself recursively with all given options, except the option
itself. The environment variables C<LD_LIBRARY_PATH> and C<PATH> are
set before executing as follows:
=over
=item * prepend C<PATH> with all values given with --exe=PATH
=back
=over
=item * prepend C<LD_LIBRARY_PATH> with all values given with --lib=PATH
=back
This is exactly what L</Cumbersome Approach> below describes. So these
options simply provide a shortcut for that.
Note that I<--openssl=TOOL> is a full path to the openssl executable
and will not be changed. However, if it is a relative path, it might
be searched for using the previously set C<PATH> (see above).
Note that C<LD_LIBRARY_PATH> is the default. It can be changed with
the I<--envlibvar=NAME> option.
While I<--exe> mainly impacts the L<openssl(1)|openssl(1)> executable, I<--lib> also
impacts o-saft.pl itself, as it loads other shared libraries if found.
Bear in mind that all these options can affect the behaviour of the
openssl subsystem, influencing both which executable is called and
which shared libraries will be used.
NOTE that there is no check whether the options are set properly. To
verify the settings, the following commands may be used:
o-saft.pl --lib=YOUR-PATH --exe=YOUR-EXE +version
o-saft.pl --lib=YOUR-PATH --exe=YOUR-EXE --v +version
o-saft.pl --lib=YOUR-PATH --exe=YOUR-EXE --v --v +version
Why so many options? Exactly as described above, these options allow
the users to tune the behaviour of the tool to their needs. A common
use case is to enable the use of a separate openssl build independent
of the openssl package used by the operating system. This allows the
user fine grained control over openssl's encryption suites which are
compiled/available, without affecting the core system.
=head2 Caveats
Depending on your system and the used modules and executables, it can
be tricky to replace the configured shared libraries with your own.
Reasons are:
=over
=item * a) the linked library name contains a version number,
=back
=over
=item * b) the linked library uses a fixed path,
=back
=over
=item * c) the linked library is searched at a predefined path,
=back
=over
=item * d) the executable checks the library version when loaded.
=back
Only the first one a) can be circumvented. The last one d) can often
be ignored as it only prints a warning or error message.
To circumvent the "name with version number" problem, try the following:
=over
=item * 1) use L<ldd(1)|ldd(1)> (or a similar tool) to get the names used by openssl:
=back
ldd /usr/bin/openssl
which returns something like:
libssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00007f940cb6d000)
libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00007f940c7de000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f940c5d9000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f940c3c1000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f940c02c000)
/lib64/ld-linux-x86-64.so.2 (0x00007f940cdea000)
Here only the first two libraries are important. Both libcrypto.so
and libssl.so need to be version "0.9.8" (in this example).
=over
=item * 2) create a directory for your libraries, i.e.:
=back
mkdir /tmp/dada
=over
=item * 3) place your libraries there, assuming they are:
=back
/tmp/dada/libssl.so.1.42
/tmp/dada/libcrypto.so.1.42
=over
=item * 4) create symbolic links in that directory:
=back
ln -s libssl.so.1.42 libssl.so.0.9.8
ln -s libcrypto.so.1.42 libcrypto.so.0.9.8
=over
=item * 5) test the program with the following options:
=back
o-saft.pl +libversion --lib=/tmp/dada
o-saft.pl +list --v --lib=/tmp/dada
or:
o-saft.pl +libversion --lib=/tmp/dada -exe=/path/to-openssl
o-saft.pl +list --v --lib=/tmp/dada -exe=/path/to-openssl
=over
=item * 6) start program with your options, i.e.:
=back
o-saft.pl --lib=/tmp/dada +ciphers
This works if L<openssl(1)|openssl(1)> uses the same shared libraries as
L<Net::SSLeay(1)|Net::SSLeay(1)>, which most likely is the case.
It's tested with Unix/Linux only. It may work on other platforms also
if they support such an environment variable and the installed
L<Net::SSLeay(1)|Net::SSLeay(1)> and L<openssl(1)|openssl(1)> are linked using dynamic shared
objects.
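Steps 1) to 4) above as one script, given here as an added example that is not part of o-saft. The function names and the refusal of group- or world-writable directories are assumptions of this example; the check is there because every library found in the I<--lib> directory is loaded into the perl and openssl processes.

```shell
#!/bin/sh
# Added example, not part of o-saft: give private libssl/libcrypto builds the
# versioned names that the openssl executable was linked against.

# Sample input for the demo: ldd output as shown in step 1) above.
SAMPLE_LDD='    libssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00007f940cb6d000)
    libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00007f940c7de000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f940c5d9000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f940c02c000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f940cdea000)'

# Print the sonames of libssl and libcrypto found in ldd output on stdin.
needed_sonames() {
    awk '$2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ { print $1 }'
}

# Succeed only if DIR is a directory that group and others cannot write to.
dir_is_private() {
    [ -d "$1" ] || return 1
    case $(ls -ld "$1") in
        ?????w*|????????w*) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

# link_private_libs DIR SSL_LIB CRYPTO_LIB < ldd-output
# Creates in DIR one symbolic link per needed soname (step 4).
link_private_libs() {
    lp_dir=$1 lp_ssl=$2 lp_crypto=$3
    dir_is_private "$lp_dir" ||
        { echo "refusing $lp_dir: not a private directory" >&2; return 1; }
    [ -f "$lp_dir/$lp_ssl" ] && [ -f "$lp_dir/$lp_crypto" ] ||
        { echo "private libraries not found in $lp_dir" >&2; return 1; }
    lp_names=$(needed_sonames)
    [ -n "$lp_names" ] ||
        { echo "no libssl/libcrypto in ldd output" >&2; return 1; }
    for lp_name in $lp_names; do
        case $lp_name in
            libssl.so*) lp_target=$lp_ssl ;;
            *)          lp_target=$lp_crypto ;;
        esac
        if [ "$lp_name" != "$lp_target" ]; then
            ln -sf "$lp_target" "$lp_dir/$lp_name" || return 1
        fi
    done
}

# Demo on the sample input; prints the directory that was prepared.
demo_private_libs() {
    d_dir=$(mktemp -d) || return 1        # mktemp creates it with mode 0700
    : > "$d_dir/libssl.so.1.42"           # empty stand-ins for real builds
    : > "$d_dir/libcrypto.so.1.42"
    printf '%s\n' "$SAMPLE_LDD" |
        link_private_libs "$d_dir" libssl.so.1.42 libcrypto.so.1.42 || return 1
    echo "$d_dir"
}

# For real use, feed the function from ldd and continue with step 5):
#   ldd "$(command -v openssl)" | link_private_libs DIR libssl.so.X libcrypto.so.X
#   o-saft.pl +libversion --lib=DIR
demo_dir=$(demo_private_libs) && ls -l "$demo_dir" && rm -rf "$demo_dir"
```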
Depending on compile time settings and/or the location of the used
tool or lib, a warning like the following may occur:
WARNING: can't open config file: /path/to/openssl/ssl/openssl.cnf
This warning can usually be ignored, as the req or ca sub commands of
openssl are not used here.
To fix the problem, either use the I<--openssl-cnf=FILE> option or set
the environment variable OPENSSL_CONF properly.
=head3 Cumbersome Approach
A more cumbersome approach to call this program is to set the following
environment variables in your shell:
PATH=/tmp/dada-1.42/apps:$PATH
LD_LIBRARY_PATH=/tmp/dada-1.42
=head3 Windows Caveats
In general, the libraries used on Windows are libeay32.dll and ssleay32.dll.
Windows also supports the LD_LIBRARY_PATH environment variable. If it
does not work as expected with that variable, it might be possible to
place the libs in the same directory as the corresponding executable
(which is found by the PATH environment variable).
=head2 Using CGI mode
This script can be used as a CGI application. Output is the same as in
common CLI mode, using C<Content-Type:text/plain>. Keep in mind that
the used modules like L<Net::SSLeay(1)|Net::SSLeay(1)> will write some debug messages
on STDERR instead of STDOUT. Therefore multiple I<--v> and/or I<--trace>
options behave slightly differently.
No additional external files like L</RC-FILE> or L</DEBUG-FILE> are read
in CGI mode; they are silently ignored.
Some options are disabled in CGI mode because they are dangerous or
don't make any sense.
=head3 WARNING
There are no input data validation checks implemented herein. All
input data is url-decoded once and then used verbatim.
More advanced checks must be done outside before calling this tool.
It is not recommended to run this tool in CGI mode.
You have been warned!
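One way to do such checks outside the tool, as an added example that is not part of o-saft: a front end validates the already url-decoded values against strict allowlists and passes nothing else on. The function names and the choice of offered commands are assumptions of this example; it checks syntax only and does not decide which hosts may be scanned.

```shell
#!/bin/sh
# Added example, not part of o-saft: checks a CGI front end can apply to
# already url-decoded values before anything is passed to o-saft.pl.
LC_ALL=C; export LC_ALL       # make the character ranges below byte-exact

# Commands this front end offers (all taken from the EXAMPLES section).
valid_command() {
    case $1 in
        +info|+check|+quick|+cipher|+cn|+sni|+certificate|+fingerprint)
            return 0 ;;
    esac
    return 1
}

# Host names only: letters, digits, "." and "-". This rejects "%" (CGI mode
# url-decodes its input once, so an encoded "-" must not slip through), shell
# metacharacters, whitespace, and any value starting with "-" or "+", which
# would be read as an option or a command instead of a target.
valid_host() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ] || return 1
    vh_rest=$1
    while [ -n "$vh_rest" ]; do
        vh_label=${vh_rest%%.*}
        case $vh_label in ''|-*|*-) return 1 ;; esac   # empty label, bad hyphen
        [ "${#vh_label}" -le 63 ] || return 1
        case $vh_rest in
            *.*) vh_rest=${vh_rest#*.}; [ -n "$vh_rest" ] || return 1 ;;
            *)   vh_rest= ;;
        esac
    done
    return 0
}

# Decimal port 1..65535 without leading zero.
valid_port() {
    case $1 in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# checked_request CMD HOST PORT: prints the three values, one per line, only
# if all of them pass. The caller hands exactly these to o-saft.pl, each as
# its own argument (as in "o-saft.pl +fingerprint some.tld 444") and never
# through a shell string. No option (--lib, --exe, --openssl, ...) is accepted.
checked_request() {
    [ $# -eq 3 ] || return 1
    valid_command "$1" && valid_host "$2" && valid_port "$3" || return 1
    printf '%s\n' "$1" "$2" "$3"
}

# Demo with constructed requests.
try() {
    if checked_request "$@" >/dev/null; then echo "accept: $*"
    else echo "reject: $*"; fi
}
try +fingerprint some.tld 444
try +info --lib=/tmp/dada 443
try +check 'some.tld;id' 443
try +cn '%2D%2Dexe=/tmp' 443
try +dump some.tld 443
```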
=head2 Using user specified code
There are some functions called within the program flow, which can be
filled with any perl code. Empty stubs of the functions are prepared
in L<o-saft-usr.pm|o-saft-usr.pm>. See also L</USER-FILE> .
=head1 DEBUG
=head2 Debugging, Tracing
The following options and commands are useful for hunting problems with
SSL connections and/or this tool. Note that some options can be given
multiple times to increase the amount of information listed. Also keep
in mind that it's best to specify I<--v> as the very first argument.
Note that the file L<o-saft-dbx.pm|o-saft-dbx.pm> is required, if any I<--trace*> or
I<--v> option is used.
=head2 Commands
=over
=item * +dump
=back
=over
=item * +libversion
=back
=over
=item * +s_client
=back
=over
=item * +todo
=back
=over
=item * +version
=back
=head2 Options
=over
=item * --v
=back
=over
=item * --v--
=back
=over
=item * --trace
=back
=over
=item * --trace-arg
=back
=over
=item * --trace-cmd
=back
=over
=item * --trace-key
=back
Empty or undefined strings are written as C<<<undefined>>> in texts.
Some parameters, in particular those of HTTP responses, are written
as C<<<response>>>. Long parameter lists are abbreviated with C<...>.
=head2 Output
When using I<--v> and/or I<--trace> options, additional output will be
prefixed with a C<#> (mainly as first, left-most character).
The following formats are used:
=over
=item * #[space]
=back
Additional text for verbosity (--v options).
=over
=item * #[variable name][TAB]
=back
Internal variable name (--trace-key options).
=over
=item * #o-saft.pl::
=back
=over
=item * #L<Net::SSLinfo|Net::SSLinfo>::
=back
Trace information for I<--trace> options.
=over
=item * #{
=back
Trace information from NET::SSLinfo for I<--trace> options.
These are data lines in the format:
#{ variable name : value #}
Note that C<value> here can span multiple lines and ends with:
#}
=head2 Using outdated modules
The tool was designed to work with old perl modules too. When using
old modules, a proper C<**WARNING:> will be printed. These warnings
cannot be switched off using I<--no-warning> .
The warning also informs about the missing functionality or check.
In general, it is best to install newer versions of the module if possible.
A good practice to check if modules are available in a proper version
is to call:
o-saft.pl +version
o-saft.pl +version --v --v
Following example shows the result without warnings:
=== reading: ./.o-saft.pl (RC-FILE done) ===
=== reading: Net/SSLhello.pm (O-Saft module done) ===
=== reading: Net/SSLinfo.pm (O-Saft module done) ===
=== ./o-saft.pl 16.09.09 ===
Net::SSLeay::
::OPENSSL_VERSION_NUMBER() 0x268443744
::SSLeay() 0x268443744
Net::SSLeay::SSLeay_version() OpenSSL 1.0.2-chacha (1.0.2f-dev)
= openssl =
version of external executable OpenSSL 1.0.2-chacha (1.0.2f-dev)
external executable /opt/openssl-chacha/bin/openssl
used environment variable (name) LD_LIBRARY_PATH
environment variable (content) <<undef>>
path to shared libraries
full path to openssl.cnf file <<undef>>
common openssl.cnf files /usr/lib/ssl/openssl.cnf \
. /etc/ssl/openssl.cnf \
. /System//Library/OpenSSL/openssl.cnf \
. /usr/ssl/openssl.cnf
URL where to find CRL file <<undef>>
directory with PEM files for CAs /opt/tools/openssl-chacha/ssl/certs
PEM format file with CAs /etc/ssl/certs/ca-certificates.crt
common paths to PEM files for CAs /etc/ssl/certs /usr/lib/certs \
. /System/Library/OpenSSL
common PEM filenames for CAs ca-certificates.crt certificates.crt certs.pem
number of supported ciphers 177
openssl supported SSL versions SSLv3 TLSv1 TLSv11 TLSv12
o-saft.pl known SSL versions SSLv2 SSLv3 TLSv1 TLSv11 TLSv12 TLSv13 \
. DTLSv09 DTLSv1 DTLSv11 DTLSv12 DTLSv13
= o-saft.pl +cipherall =
default list of ciphers 0x03000000 .. 0x030000FF, 0x0300C000 .. 0x0300C0FF,
. 0x0300CC00 .. 0x0300CCFF, 0x0300FE00 .. 0x0300FFFF,
= Required (and used) Modules =
@INC ./ ./lib . /bin /usr/share/perl5 \
. /usr/lib/x86_64-linux-gnu/perl5/5.20 \
. /usr/lib/x86_64-linux-gnu/perl/5.20 \
. /usr/share/perl/5.20 /usr/local/lib/site_perl .
= module name VERSION found in
= ----------------------+--------+------------------------------------------
IO::Socket::INET 1.35 /usr/lib/x86_64-linux-gnu/perl/5.20/IO/Socket/INET.pm
IO::Socket::SSL 2.002 /usr/share/perl5/IO/Socket/SSL.pm
Net::DNS 0.81 /usr/lib/x86_64-linux-gnu/perl5/5.20/Net/DNS.pm
Net::SSLeay 1.72 /usr/lib/x86_64-linux-gnu/perl5/5.20/Net/SSLeay.pm
Net::SSLinfo 16.06.01 Net/SSLinfo.pm
Net::SSLhello 16.05.16 Net/SSLhello.pm
Ciphers
osaft 16.05.10 osaft.pm
Following example shows the result with warnings (line nr. may vary):
=== reading: ./.o-saft.pl (RC-FILE done) ===
=== reading: ./Net/SSLhello.pm (O-Saft module done) ===
**WARNING: ancient Net::SSLeay 1.35 < 1.49; cannot use ::initialize at /Net/SSLinfo.pm line 481.
=== reading: ./Net/SSLinfo.pm (O-Saft module done) ===
**WARNING: ancient perl has no 'version' module; version checks may not be accurate; at o-saft.pl line 1662.
**WARNING: ancient Net::SSLeay 1.35 < 1.49 detected; at o-saft.pl line 1687.
**WARNING: ancient IO::Socket::SSL 1.22 < 1.37 detected; at o-saft.pl line 1687.
**WARNING: ancient version IO::Socket::SSL 1.22 < 1.90 does not support SNI or is known to be buggy; SNI disabled; at o-saft.pl line 5905.
!!Hint: --force-openssl can be used to disables this check
**WARNING: ancient version Net::SSLeay 1.35 < 1.49 may throw warnings and/or results may be missing; at o-saft.pl line 5934.
**WARNING: SSL version 'TLSv11': not supported by Net::SSLeay; not checked
**WARNING: SSL version 'TLSv12': not supported by Net::SSLeay; not checked
**WARNING: SSL version 'TLSv13': not supported by Net::SSLeay; not checked
=== o-saft.pl 16.09.09 ===
Net::SSLeay::
::OPENSSL_VERSION_NUMBER() 0x9470143
**WARNING: ancient version Net::SSLeay 1.35 < 1.49; cannot compare SSLeay with openssl version at o-saft.pl line 4778.
::SSLeay() 0x1.35
**WARNING: ancient version Net::SSLeay 1.35 < 1.49; detailed version not available at o-saft.pl line 4806.
= openssl =
version of external executable OpenSSL 0.9.8y 5 Feb 2013
external executable /usr/bin/openssl
used environment variable (name) LD_LIBRARY_PATH
environment variable (content) <<undef>>
path to shared libraries
full path to openssl.cnf file <<undef>>
common openssl.cnf files /usr/lib/ssl/openssl.cnf \
. /etc/ssl/openssl.cnf \
. /System//Library/OpenSSL/openssl.cnf \
. /usr/ssl/openssl.cnf
URL where to find CRL file <<undef>>
directory with PEM files for CAs /System/Library/OpenSSL/certs
PEM format file with CAs <<undef>>
common paths to PEM files for CAs /etc/ssl/certs /usr/lib/certs /System/Library/OpenSSL
common PEM filenames for CAs ca-certificates.crt certificates.crt certs.pem
number of supported ciphers 43
openssl supported SSL versions SSLv2 SSLv3 TLSv1
o-saft.pl known SSL versions SSLv2 SSLv3 TLSv1 TLSv11 TLSv12 TLSv13 \
. DTLSv09 DTLSv1 DTLSv11 DTLSv12 DTLSv13
**WARNING: ancient version Net::SSLeay 1.35 < 1.49; cannot compare SSLeay with openssl version at o-saft.pl line 4778.
**WARNING: used openssl version '9470143' differs from compiled Net:SSLeay '1.35'; ignored
= o-saft.pl +cipherall =
default list of ciphers 0x03000000 .. 0x030000FF, 0x0300C000 .. 0x0300C0FF,
. 0x0300CC00 .. 0x0300CCFF, 0x0300FE00 .. 0x0300FFFF,
= Required (and used) Modules =
@INC ./ ./lib /bin /Library/Perl/Updates/5.10.0 \
. /System/Library/Perl/5.10.0/darwin-thread-multi-2level \
. /System/Library/Perl/5.10.0 \
. /Library/Perl/5.10.0/darwin-thread-multi-2level \
. /Library/Perl/5.10.0 \
. /Network/Library/Perl/5.10.0/darwin-thread-multi-2level \
. /Network/Library/Perl/5.10.0 \
. /Network/Library/Perl \
. /System/Library/Perl/Extras/5.10.0/darwin-thread-multi-2level \
. /System/Library/Perl/Extras/5.10.0 .
= module name VERSION found in
= ----------------------+--------+------------------------------------------
IO::Socket::INET 1.31 /System/Library/Perl/5.10.0/darwin-thread-multi-2level/IO/Socket/INET.pm
IO::Socket::SSL 1.22 /System/Library/Perl/Extras/5.10.0/IO/Socket/SSL.pm
Net::DNS 0.65 /System/Library/Perl/Extras/5.10.0/darwin-thread-multi-2level/Net/DNS.pm
Net::SSLeay 1.35 /System/Library/Perl/Extras/5.10.0/darwin-thread-multi-2level/Net/SSLeay.pm
Net::SSLinfo 16.06.01 ./Net/SSLinfo.pm
Net::SSLhello 16.05.16 ./Net/SSLhello.pm
osaft 16.05.10 /osaft.pm
Please keep in mind that the shown version numbers and the shown line
numbers are examples and may differ on your system.
When starting o-saft.pl with outdated modules, more C<**WARNING:> will
be shown. The warnings depend on the installed version of the module.
o-saft.pl is known to work with at least:
IO::Socket::INET 1.31, IO::Socket::SSL 1.22, Net::DNS 0.65
Net::SSLeay 1.30
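The +version check described above can be summarised automatically. The following is an added example, not part of o-saft: it reads +version output and reports which known SSL versions the local openssl lacks and which modules triggered an "ancient" warning. The function names are assumptions, and the sample is an excerpt of the output shown above with assumed column spacing.

```shell
#!/bin/sh
# Added example, not part of o-saft: summarise "o-saft.pl +version" output.

# Constructed sample: excerpt of the output with warnings shown above.
sample_version_output() {
    cat <<'EOF'
**WARNING: ancient Net::SSLeay 1.35 < 1.49; cannot use ::initialize at /Net/SSLinfo.pm line 481.
**WARNING: ancient perl has no 'version' module; version checks may not be accurate; at o-saft.pl line 1662.
**WARNING: ancient Net::SSLeay 1.35 < 1.49 detected; at o-saft.pl line 1687.
**WARNING: ancient IO::Socket::SSL 1.22 < 1.37 detected; at o-saft.pl line 1687.
**WARNING: ancient version IO::Socket::SSL 1.22 < 1.90 does not support SNI or is known to be buggy; SNI disabled; at o-saft.pl line 5905.
=== o-saft.pl 16.09.09 ===
    number of supported ciphers      43
    openssl supported SSL versions   SSLv2 SSLv3 TLSv1
    o-saft.pl known SSL versions     SSLv2 SSLv3 TLSv1 TLSv11 TLSv12 TLSv13 \
    .                                DTLSv09 DTLSv1 DTLSv11 DTLSv12 DTLSv13
EOF
}

# Join lines ending in "\" with the following line, which starts with ".".
join_continued() {
    awk '{
        line = $0
        if (cont) { sub(/^[ \t]*\.[ \t]*/, "", line); buf = buf " " line }
        else      { buf = line }
        if (buf ~ /\\[ \t]*$/) { sub(/[ \t]*\\[ \t]*$/, "", buf); cont = 1 }
        else                   { print buf; cont = 0 }
    }
    END { if (cont) print buf }'
}

# ssl_versions LABEL: print, one per line, the values listed after LABEL.
ssl_versions() {
    join_continued | awk -v p="$1" '
        { sub(/^[ \t]+/, "") }
        index($0, p) == 1 {
            n = split(substr($0, length(p) + 1), v)
            for (i = 1; i <= n; i++) print v[i]
        }'
}

# Versions o-saft.pl knows about but the local openssl does not support.
versions_missing_locally() {
    vm_out=$(cat)
    vm_have=$(printf '%s\n' "$vm_out" |
        ssl_versions 'openssl supported SSL versions')
    printf '%s\n' "$vm_out" | ssl_versions 'o-saft.pl known SSL versions' |
    while read -r vm_v; do
        printf '%s\n' "$vm_have" | grep -qxF "$vm_v" || echo "$vm_v"
    done
}

# Unique "MODULE INSTALLED < REQUIRED" triples from "ancient" warnings.
ancient_modules() {
    awk '/^\*\*WARNING: ancient/ {
        for (i = 4; i < NF; i++) if ($i == "<") {
            need = $(i + 1); sub(/;$/, "", need)
            print $(i - 2), $(i - 1), "<", need
        }
    }' | LC_ALL=C sort -u
}

# Demo on the sample; for real use pipe "o-saft.pl +version 2>&1" instead.
echo "not supported by local openssl:"
sample_version_output | versions_missing_locally | sed 's/^/  /'
echo "modules to upgrade:"
sample_version_output | ancient_modules | sed 's/^/  /'
```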
=head1 TESTING
When talking about "testing the tool", functional tests are meant. So
this section describes "developer" rather than "user" options.
Testing the tool is a challenging task. Besides the oddities described
elsewhere, for example L</Name Rodeo>, there are a bunch of problems
and errors which may occur during runtime.
The following options and commands are available to improve testing.
They mainly can simulate error conditions or stop execution properly
(they are not intended for other use cases):
=head3 +quit
Stop execution after processing all arguments and before processing
any target. The runtime configuration is complete at this point.
=head3 --exit=KEY
Terminate tool at specified C<KEY>. For available C<KEY>, please see:
o-saft.pl --help=exit
grep exit= o-saft.pl
=head3 --cfg-init=KEY=VALUE
With this option values in the internal %cfg hash can be set:
$cfg{KEY} = VALUE
Only (perl) scalars or arrays can be set. The type will be detected
automatically.
For example, this option can be used to change the text used as prefix
in each output line triggered by the I<--v> option:
o-saft.pl --cfg-init=prefix_verbose="#VERBOSE: "
or the text used as prefix triggered by the I<--trace> option:
o-saft.pl --cfg-init=prefix_trace="#TRACE: "
=head1 EXAMPLES
(o-saft.pl in all following examples is the name of the tool)
=head2 General
o-saft.pl +cipher some.tld
o-saft.pl +info some.tld
o-saft.pl +check some.tld
o-saft.pl +quick some.tld
o-saft.pl +help=commands
o-saft.pl +certificate some.tld
o-saft.pl +fingerprint some.tld 444
o-saft.pl +after +dates some.tld
o-saft.pl +version
o-saft.pl +version --v
o-saft.pl +list
o-saft.pl +list --v
=head2 Some specials
=over
=item * Get an idea of what messages look like
=back
o-saft.pl +check --cipher=RC4 some.tld
=over
=item * Check for Server Name Indication (SNI) usage only
=back
o-saft.pl +sni some.tld
=over
=item * Check for SNI and print certificate's subject and altname
=back
o-saft.pl +sni +cn +altname some.tld
=over
=item * Check for all SNI, certificate's subject and altname issues
=back
o-saft.pl +sni_check some.tld
=over
=item * Only print supported ciphers
=back
o-saft.pl +cipher --enabled some.tld
=over
=item * Only print unsupported ciphers
=back
o-saft.pl +cipher --disabled some.tld
=over
=item * Test for a specific cipher
=back
o-saft.pl +cipher --cipher=ADH-AES256-SHA some.tld
=over
=item * Test all ciphers, even if not supported by local SSL implementation
=back
o-saft.pl +cipherraw some.tld
o-saft.pl +cipherall some.tld
o-saft.pl +cipherall some.tld --range=full
checkAllCiphers.pl example.tld --range=full --v
=over
=item * Show supported (enabled) ciphers with their DH parameters:
=back
o-saft.pl +cipher-dh some.tld
=over
=item * Test using a private libssl.so, libcrypto.so and openssl
=back
o-saft.pl +cipher --lib=/foo/bar-1.42 --exe=/foo/bar-1.42/apps some.tld
=over
=item * Test using a private openssl
=back
o-saft.pl +cipher --openssl=/foo/bar-1.42/openssl some.tld
=over
=item * Test using a private openssl also for testing supported ciphers
=back
o-saft.pl +cipher --openssl=/foo/bar-1.42/openssl --force-openssl some.tld
=over
=item * Use your private texts in output
=back
o-saft.pl +check some.tld --cfg-text=desc="my special description"
=over
=item * Use your private texts from RC-FILE
=back
o-saft.pl --help=cfg-text >> .o-saft.pl
edit as needed: .o-saft.pl
o-saft.pl +check some.tld
=over
=item * Use your private hint texts in output
=back
o-saft.pl +check some.tld --cfg-hint=renegotiation="my special hint text"
=over
=item * Get the certificate's Common Name for a bunch of servers:
=back
o-saft.pl +cn example.tld some.tld other.tld
o-saft.pl +cn example.tld some.tld other.tld --showhost --no-header
=over
=item * Generate simple parsable output
=back
o-saft.pl --legacy=quick --no-header +info some.tld
o-saft.pl --legacy=quick --no-header +check some.tld
o-saft.pl --legacy=quick --no-header --trace-key +info some.tld
o-saft.pl --legacy=quick --no-header --trace-key +check some.tld
=over
=item * Generate simple parsable output for multiple hosts
=back
o-saft.pl --legacy=quick --no-header --trace-key --showhost +check some.tld other.tld
=over
=item * Just for curiosity
=back
o-saft.pl some.tld +fingerprint --format=raw
o-saft.pl some.tld +certificate --format=raw | openssl x509 -noout -fingerprint
=head2 Specials for hunting problems with connections etc.
=over
=item * Do not read RC-FILE .o-saft.pl
=back
o-saft.pl +info some.tld --no-rc
=over
=item * Show command line argument processing
=back
o-saft.pl +info some.tld --trace-arg
=over
=item * Simple tracing
=back
o-saft.pl +cn some.tld --trace
o-saft.pl +info some.tld --trace
=over
=item * A bit more tracing
=back
o-saft.pl +cn some.tld --trace --trace
=over
=item * Show internal variable names in output
=back
o-saft.pl +info some.tld --trace-key
=over
=item * Show internal argument processing
=back
o-saft.pl +info --trace-arg some.tld
=over
=item * Show internal control flow
=back
o-saft.pl +info some.tld --trace-cmd
=over
=item * Show internal timing
=back
o-saft.pl +info some.tld --trace-time
=over
=item * Show checking ciphers
=back
o-saft.pl +cipher some.tld --v --v
=over
=item * Show values retrieved from target certificate directly
=back
o-saft.pl +info some.tld --no-cert --no-cert --no-cert-text=Value-from-Certificate
=over
=item * Show certificate CA verifications
=back
o-saft.pl some.tld +chain_verify +verify +error_verify +chain
=over
=item * Avoid most performance and timeout problems (don't use --v)
=back
o-saft.pl +info some.tld --no-dns --no-sni --ignore-no-conn
o-saft.pl +info some.tld --no-dns --no-sni --no-cert --no-http --no-openssl
=over
=item * Identify timeout problems
=back
o-saft.pl +info some.tld --trace-cmd
this will show lines containing:
#O-Saft CMD: test ...
=head1 ATTRIBUTION
Based on ideas (in alphabetical order) of:
=over
=item * cnark.pl, SSLAudit.pl sslscan, ssltest.pl, sslyze.py, testssl.sh
=back
=over
=item * O-Saft - OWASP SSL advanced forensic tool
=back
Thanks to Gregor Kuznik for this title.
=over
=item * +cipherraw and some proxy functionality implemented by Torsten Gigler.
=back
=over
=item * For re-writing some docs in proper English, thanks to Robb Watson.
=back
=over
=item * Code to check heartbleed vulnerability adapted from
=back
Steffen Ullrich (08. April 2014):
https://github.com/noxxi/p5-scripts/blob/master/check-ssl-heartbleed.pl
=over
=item * Colouration inspired by https://testssl.sh/ .
=back
=head1 VERSION
@(#) 19.01.19
=head1 AUTHOR
31. July 2012 Achim Hoffmann (at) sicsec de
Project Home: https://www.owasp.org/index.php/O-Saft
=head1 TODO
=over
=item * new features
=back
=over
=item ** client certificate
=back
=over
=item ** some STARTTLS need : HELP STARTTLS HELP as output of HELPs are different
=back
=over
=item ** support: PCT protocol
=back
=over
=item ** Checking fallback from TLS 1.1 to TLS 1.0 (see ssl-cipher-check.pl)
=back
=over
=item ** Minimal encryption strength: weak encryption (40-bit) (TestSSLServer.jar)
=back
=over
=item ** check dynamic HTTP Public Key Pinning (HPKP)
=back
=over
=item * missing checks
=back
=over
=item ** SSL_honor_cipher_order => 1
=back
=over
=item ** implement TLSv1.2 checks
=back
=over
=item ** DNSSEC and TLSA
=back
=over
=item ** checkcert(): KeyUsage, keyCertSign, BasicConstraints
=back
=over
=item ** DV and EV miss some minor checks; see checkdv() and checkev()
=back
=over
=item ** +constraints does not check +constraints in the certificate of
=back
the certificate chain.
=over
=item ** TR-03116-4: does not check data in certificate chain
=back
=over
=item ** RFC 7525: does not check data in certificate chain
=back
=over
=item ** RFC 7525: 3.2. Strict TLS (for C<STARTTLS>)
=back
=over
=item ** RFC 7525: 3.4. TLS Session Resumption (session ticket must be
=back
authenticated and encrypted)
=over
=item ** RFC 7525: 3.6. Server Name Indication (more reliable check)
=back
=over
=item ** RFC 7525: 4.3. Public Key Length (need more reliable check)
=back
=over
=item ** RFC 7525: 6.2. AES-GCM
=back
=over
=item ** RFC 7525: 6.3. Forward Secrecy
=back
=over
=item ** RFC 7525: 6.4. Diffie-Hellman Exponent Reuse
=back
=over
=item * vulnerabilities
=back
=over
=item ** Ticketbleed
=back
=over
=item ** complete TIME, BREACH check
=back
=over
=item ** BEAST more checks, see: http://www.bolet.org/TestSSLServer/
=back
=over
=item * verify CA chain:
=back
=over
=item ** L<Net::SSLinfo|Net::SSLinfo>.pm implement verify*
=back
=over
=item ** implement +check_chain (see L<Net::SSLinfo|Net::SSLinfo>.pm implement verify* also)
=back
=over
=item ** implement +ca = +verify +chain +rootcert +expired +fingerprint
=back
=over
=item * postprocessing
=back
Remove all options for output formatting. Use a "postprocess" script
instead.
=over
=item ** scoring
=back
implement score for PFS; lower score if not all ciphers support PFS
make clear usage of score from %checks
=over
=item ** write postprocessor for tabular data, like
=back
ssl-cert-check -p 443 -s mail.google.com -i -V
=over
=item * L<Net::SSLinfo|Net::SSLinfo>
=back
=over
=item ** Net::SSLeay::ctrl() sometimes fails, but doesn't return error message
=back
=over
=item ** Net::SSLeay::CTX_clear_options()
=back
Need to check the difference between the SSL_OP_LEGACY_SERVER_CONNECT and
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; see also SSL_clear_options().
see https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
=over
=item ** L<Net::SSLinfo|Net::SSLinfo>::do_ssl_close() does not really work
=back
=over
=item * Windows
=back
=over
=item ** Unicode:
=back
try: cmd /K chcp 65001
or: chcp 65001
or: reg add hklm\system\currentcontrolset\control\nls\codepage -v oemcp -d 65001
=over
=item ** perl
=back
perl 5.10.x from PortableApps does not work because it lacks
IO/Socket/SSL.pm; however, checkAllCiphers.pl works.
perl from older PortableApps/xampp (i.e. 1.7.x) does not work because
IO/Socket/SSL.pm is too old (1.37).
=over
=item ** Windows
=back
on Windows print of strings > 32k does not work.
Ugly workaround using I<--v> implemented in L<o-saft-man.pm|o-saft-man.pm> only.
=over
=item * internal
=back
=over
=item ** move all configuration and code for command line arguments to Arg.pm
=back
=over
=item ** use qr() for defining regex, see $cfg{C<regex>}
=back
=over
=item ** print_line() has ugly code for legacy=cipher
=back
=over
=item ** "Label" texts are defined twice: o-saft.pl and Net::SSLeay
=back
=over
=item ** make a clear concept how to handle +CMD whether they report
=back
checks or information (aka %data vs. %check_*)
currently (2016) each single command returns all values
=over
=item ** client certificates not yet implemented in _usesocket() _useopenssl(),
=back
see t.client-cert.txt
=over
=item ** (not important, but clean programming)
=back
_get_default(): use L<Net::SSLinfo|Net::SSLinfo>::default()
Generated with:
o-saft.pl --no-warnings --no-header --help=gen-pod > o-saft.pod
=cut
# begin abbr
# =head1 abbr
# # SID @(#) glossary.txt 1.13 19/01/11 00:04:14
#
# # acronym | description
# #------+----------------------------------------------------------------------+
# 0-RTT zero Round-Trip Time
# AA Attribute Authority
# AAD Additional Authenticated Data
# ACME Automated Certificate Management Environment
# ACL Access Control List
# Adiantum ChaCha stream cipher with Poly1305 and XChaCha12
# ADH Anonymous Diffie-Hellman
# Adler32 hash function
# AE Authenticated Encryption
# AEAD Authenticated Encryption with Additional Data
# AECDHE Anonymous Ephemeral ECDH
# AEM Authenticated Encryption Mode aka Advanced Encryption Mode aka OCB3
# AES Advanced Encryption Standard
# AES-XTS ?
# AIA Authority Information Access (certificate extension)
# AKC Agreement with Key Confirmation
# AKID Authority Key IDentifier
# ALPN Application Layer Protocol Negotiation
# AMASTRID stream cipher algorithm
# ARC4 Alleged RC4 (see RC4)
# ARCFOUR alias for ARC4
# ARIA 128-bit Symmetric block cipher
# ARX add–rotate–xor
# ASN Autonomous System Number
# ASN.1 Abstract Syntax Notation number One
# AtE Authenticate-then-Encrypt (see also MtE)
# BACPA Blockwise-Adaptive Chosen-Plaintext Attack
# BADA55 "locate weak cryptography somewhere", Bernstein, Lange, et al.
# BADA55-VPR-224 improved verifiably pseudorandom 224-bit curve
# BADA55-VR-224 curve using the same prime as NIST P-224
# BADA55-VR-256 curve using the same prime as NIST P-256
# BADA55-VR-384 curve using the same prime as NIST P-384
# bcrypt hash function (Niels Provos, David Mazières, 1999)
# BLAKE hash function (Jean-Philippe Aumasson, Luca Henzen, Willi Meier, Raphael C.-W. Phan, 2008)
# BLAKE2 fast secure hashing function (2012)
# BLAKE2b see BLAKE (32 bit)
# BLAKE-32 see BLAKE (32 bit)
# BLAKE-64 see BLAKE (64 bit)
# BLAKE-224 see BLAKE (224 bit)
# BLAKE-256 see BLAKE (256 bit)
# BLAKE-384 see BLAKE (384 bit)
# BLAKE-512 see BLAKE (512 bit)
# BEAR block cipher combining stream cipher and hash function
# BDH Bilinear Diffie-Hellman
# BEAST Browser Exploit Against SSL/TLS
# BEAST . fast block cipher for arbitrary blocksizes
# BER Basic Encoding Rules
# BGP Border Gateway Protocol
# Blowfish symmetric block cipher
# boomerang attack attack on BLAKE
# Brainpool signature algorithm, from BSI
# BREACH Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext (a variant of CRIME)
# Bullrun NSA program to break encrypted communication
# CAMELLIA symmetric key block cipher; encryption algorithm 128 bit (by Mitsubishi and NTT)
# CAST-128 Carlisle Adams and Stafford Tavares, block cipher
# CAST5 alias for CAST-128
# CAST-256 Carlisle Adams and Stafford Tavares, block cipher
# CAST6 alias for CAST-256
# cipher suite cipher suite is a named combination of authentication, encryption, and message authentication code algorithms
# CA Certificate Authority (aka root CA)
# CAA Certificate Authority Authorization
# CAA RR CAA Resource Record
# CBC Cyclic Block Chaining
# CBC Cipher Block Chaining (sometimes)
# CBC Ciplier Block Chaining (sometimes)
# CBC-MAC Cipher Block Chaining - Message Authentication Code
# CBC-MAC-ELB Cipher Block Chaining - Message Authentication Code - Encrypt Last Block
# CCA chosen-ciphertext attack
# CCM CBC-MAC Mode (authenticated encryption block cipher mode)
# CCS Change Cipher Spec (protocol)
# CDH ? Diffie-Hellman
# CDP CRL Distribution Points
# CECPQ1 key-agreement algorithm; Combined elliptic Curve and Post-Quantum Cryptography Key Exchange
# CECPQ2 Combined elliptic Curve and Post-Quantum Cryptography Key Exchange
# CEK Content Encryption Key
# CFB Cipher Feedback
# CFB3 Cipher Feedback
# CFBx Cipher Feedback x bit mode
# CFRG Crypto Forum Research Group
# ChaCha stream cipher algorithm (with 256-bit key)
# ChaCha8 see ChaCha
# ChaCha12 see ChaCha (aka 12-round ChaCha)
# ChaCha20 see ChaCha (aka 20-round ChaCha)
# ChaCha-Poly1305 Authenticated Encryption with Associated Data (AEAD)
# CHAP Challenge Handshake Authentication Protocol
# CKA (PKCS#11)
# CKK (PKCS#11)
# CKM (PKCS#11)
# CMAC Cipher-based MAC
# CMC CBC-mask-CBC
# CMP X509 Certificate Management Protocol
# CMS Cryptographic Message Syntax
# CMVP Cryptographic Module Validation Program (NIST)
# CN Common Name
# CP Certificate Policy (certificate extension)
# CPA chosen-plaintext attack
# CPD Certificate Policy Definitions
# CPS Certification Practice Statement
# CRC Cyclic Redundancy Check
# CRC8 CRC with polynomial length 8
# CRC16 CRC with polynomial length 16
# CRC32 CRC with polynomial length 32
# CRC64 CRC with polynomial length 64
# CRAM Challenge Response Authentication Mechanism
# CRIME Compression Ratio Info-leak Made Easy (Exploit SSL/TLS)
# CRL Certificate Revocation List
# CRYPTREC Cryptography Research and Evaluation Committees
# CSP Certificate Service Provider
# CSP Cryptographic Service Provider
# CSP Critical Security Parameter (used in FIPS 140-2)
# CSP: Content Security Policy (used as HTTP header)
# CSR Certificate Signing Request
# CSPRNG Cryptographically Secure Pseudo-Random Number Generator
# CT Certificate Transparency
# CTL Certificate Trust Line
# CTR Counter Mode (sometimes: CM; block cipher mode)
# CTS Cipher Text Stealing
# Curve448 signature algorithm, aka Goldilocks (224 bit)
# Curve25519 signature algorithm by Dan J. Bernstein (ca. 128 bit)
# CWC CWC Mode (Carter-Wegman + CTR mode; block cipher mode)
# CyaSSL former name of wolfSSL
# DAA Data Authentication Algorithm
# DAC Data Authentication Code
# DACL Discretionary Access Control List
# DANE DNS-based Authentication of Named Entities
# DDH Decisional Diffie-Hellman (Problem)
# DEA Data Encryption Algorithm (sometimes a synonym for DES)
# DECIPHER synonym for decryption
# DEK Data Encryption Key
# DER Distinguished Encoding Rules
# DES Data Encryption Standard
# DESede alias for 3DES ?java only?
# DESX extended DES
# 3DES Triple DES (168 bit)
# 3DES-EDE alias for 3DES
# 3TDEA Three-key Triple DEA (sometimes: Triple DES; 168 bit)
# 2TDEA Double-key Triple DEA (sometimes: Double DES; 112 bit)
# D5 Verhoeff's Dihedral Group D5 Check
# DH Diffie-Hellman
# DHE Diffie-Hellman ephemeral (historic acronym, often used, mainly in openssl)
# DLIES Discrete Logarithm Integrated Encryption Scheme
# DLP Discrete Logarithm Problem
# DN Distinguished Name
# DNSSEC DNS Security Extension
# DPA Dynamic Passcode Authentication (see CAP)
# DRAGON stream cipher algorithm
# DRG Deterministic Random Generator
# DRBG Deterministic Random Bit Generator
# DROWN Decrypting RSA with Obsolete and Weakened eNcryption (Exploit SSL/TLS)
# DSA Digital Signature Algorithm
# DSCP Differentiated Services Code Point
# DSS Digital Signature Standard
# DTLS Datagram TLS
# DTLSv1 Datagram TLS 1.0
# Dual EC DBRG Dual Elliptic Curve Deterministic Random Bit Generator (NIST)
# Dual_EC_DBRG Dual Elliptic Curve Deterministic Random Bit Generator (NIST)
# DV Domain Validation
# DV-SSL Domain Validated Certificate
# EAL Evaluation Assurance Level
# EAP Extensible Authentication Protocol
# EAP-PSK Extensible Authentication Protocol using a Pre-Shared Key
# EAX Encrypt-then-Authenticate-then-Translate
# EAX EAX Mode (block cipher mode)
# EAXprime alias for EAX Mode
# EBC Edge Boundary Controller
# EC Elliptic Curve
# ECB Electronic Code Book mode
# ECC Error Correction Code
# ECC Elliptic Curve Cryptography
# ECCSI Elliptic Curve-Based Certificateless Signatures for Identity-Based Encryption
# ECDH Elliptic Curve Diffie-Hellman
# ECDHE Ephemeral ECDH
# ECDLP Elliptic Curve Discrete Logarithm Problem
# ECDSA Elliptic Curve Digital Signature Algorithm
# ECDSA-256 Elliptic Curve Digital Signature Algorithm (256 bits)
# ECDSA-384 Elliptic Curve Digital Signature Algorithm (384 bits)
# ECDSA-521 Elliptic Curve Digital Signature Algorithm (521 bits)
# ECGDSA Elliptic Curve ??? DSA
# ECHO hash function (Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, Yannick Seurin, 2010)
# ECIES Elliptic Curve Integrated Encryption Scheme
# ECKA Elliptic Curve Key Agreement
# ECKA-EG Elliptic Curve Key Agreement of ElGamal Type
# ECKDSA Elliptic Curve ??? DSA
# ECMQV Elliptic Curve Menezes-Qu-Vanstone
# ECN Explicit Congestion Notification
# ECOH Elliptic Curve only hash
# # ECRYPT ??
# ECSVDP-DH Elliptic Curve Secret Value Derivation Primitive, Diffie-Hellman version
# Ed25519 alias for Curve25519
# Ed448 alias for Curve448
# edwards25519 alias for Curve25519
# edwards448 alias for Curve448
# EdDSA alias for signatures using public key and private key formats, like Curve448 and Curve25519
# EDE Encryption-Decryption-Encryption
# EDH Ephemeral Diffie-Hellman
# EGADS Entropy Gathering and Distribution System
# EGD Entropy Gathering Daemon
# EKU Extended Key Usage
# ELB Encrypt Last Block
# ElGamal asymmetric block cipher
# ENCIPHER synonym for encryption
# EME ECB-mask-ECB
# EME Encoding Method for Encryption
# ESNI Encrypted Server Name Indication
# ESP Encapsulating Security Payload
# ESSIV Encrypted salt-sector initialization vector
# EtA Encrypt-then-Authenticate (see also EtM)
# E&A Encrypt-and-Authenticate (see also E&M)
# E&M Encrypt-and-MAC (see also E&A)
# EtM Encrypt-then-MAC (see also EtA)
# ETSI-TS European Telecommunications Standards Institute - Technical Specification
# EV Extended Validation
# EV-SSL Extended Validation Certificate
# FEAL Fast Data Encryption Algorithm
# FFC Finite Field Cryptography
# FFT Fast Fourier Transform
# FIPS Federal Information Processing Standard
# FIPS46-2 FIPS Data Encryption Standard (DES)
# FIPS73 FIPS Guidelines for Security of Computer Applications
# FIPS140-2 FIPS Security Requirements for Cryptographic Modules
# FIPS140-3 proposed revision of FIPS 140-2
# FIPS180-3 FIPS Secure Hash Standard
# FIPS186-3 FIPS Digital Signature Standard (DSS)
# FIPS197 FIPS Advanced Encryption Standard (AES)
# FIPS198-1 FIPS The Keyed-Hash Message Authentication Code (HMAC)
# FREAK Factoring Attack on RSA-EXPORT Keys
# FQDN Fully-qualified Domain Name
# FSB Fast Syndrome Based Hash
# FSM Finite State Machine
# FZA FORTEZZA
# G-DES ??? DES
# GCM Galois/Counter Mode (authenticated encryption block cipher mode)
# GHASH Hash function used in GCM
# GMAC MAC for GCM
# Grøstl hash function (Lars Knudsen, 2010)
# Goldilocks see Curve448
# GOST Gossudarstwenny Standard (block cipher)
# GOST hash function (used in GOST cipher suite)
# Grainv1 stream cipher (64-bit IV)
# Grainv128 stream cipher (96-bit IV)
# GREASE Generate Random Extensions And Sustain Extensibility
# GRØSTL256 hash function
# GRØSTL512 hash function
# GROESTL256 alias for GRØSTL256
# GROESTL512 alias for GRØSTL512
# HAIFA HAsh Iterative FrAmework
# hash127 fast hash function (by Dan Bernstein)
# HAVAL one-way hashing
# HAS-160 hash function
# HAS-V hash function
# HC128 alias for HC128
# HC256 alias for HC256
# HC-128 stream cipher algorithm
# HC-256 stream cipher algorithm
# HCH Hash-Counter-Hash
# HCTR a variable-input-length encryption mode
# HEARTBLEED attack against TLS extension heartbeat
# HEIST HTTP Encrypted Information can be Stolen through TCP-windows
# HIBE hierarchical identity-based encryption
# HKDF HMAC-based Extract-and-Expand Key Derivation Function
# HNF-256 hash function (Harshvardhan Tiwari, Krishna Asawa, 2014)
# HMAC keyed-Hash Message Authentication Code (aka Hashed MAC)
# HMQV h? Menezes-Qu-Vanstone
# HPC Hasty Putting Cipher
# HPKP HTTP Public Key Pinning
# HPolyC ChaCha stream cipher with Poly1305 and XChaCha12, XChaCha20
# HRSS encryption algorithm
# HSM Hardware Security Module
# HSR Header + Secret + Random
# HSTS HTTP Strict Transport Security
# HTOP HMAC-Based One-Time Password
# IAPM Integrity Aware Parallelizable Mode (block cipher mode of operation)
# IBE Identity-Based Encryption
# ICM Integer Counter Mode (alias for CTR)
# IDP Issuing Distribution Points
# IDEA International Data Encryption Algorithm (by James Massey and Xuejia Lai)
# IESG Internet Engineering Steering Group
# IETF Internet Engineering Task Force
# IFC Integer Factorization Cryptography
# IGE Infinite Garble Extension
# IKE Internet Key Exchange
# IKEv2 IKE version 2
# IND-BACPA Indistinguishability of encryptions under blockwise-adaptive chosen-plaintext attack
# IND-CCA Indistinguishability of encryptions under chosen-ciphertext attack
# IND-CPA Indistinguishability of encryptions under chosen-plaintext attack
# INT-CTXT Integrity of ciphertext
# INT-PTXT Integrity of plaintext
# IRTF Internet Research Task Force
# ISAKMP Internet Security Association and Key Management Protocol
# IV Initialization Vector
# JH hash function (Hongjun Wu, 2011)
# JH-224 see JH (224 bits)
# JH-256 see JH (256 bits)
# JH-384 see JH (384 bits)
# JH-512 see JH (512 bits)
# JSSE Java Secure Socket Extension
# Keccak hash function (Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche, 2012)
# KCI Key Compromise Impersonation
# KDF Key Derivation Function
# KEA Key Exchange Algorithm (alias for FORTEZZA-KEA)
# KEK Key Encryption Key
# KMS Key Management Service
# KPAK KMS Public Authentication Key
# KSAK KMS Secret Authentication Key
# KSK Key Signing Key (DNSSEC)
# KU Key Usage
# LAKE hash function (Jean-Philippe Aumasson, Willi Meier, Raphael C.-W. Phan, 2008)
# LEXv2 stream cipher algorithm
# LFSR Linear Feedback Shift Register
# LION block cipher combining stream cipher and hash function
# LLL Lenstra–Lenstra–Lovász, lattice basis reduction algorithm
# LM hash LAN Manager hash aka LanMan hash
# Logjam Attack to force server to downgrade to export ciphers
# LRA Local Registration Authority
# LRW Liskov, Rivest, and Wagner (block encryption)
# Lucifer block cipher (developed at IBM in the 1970s)
# Lucky 13 Break SSL/TLS Protocol
# MARS 128-bit block cipher (developed at IBM)
# MAC Message Authentication Code
# MCF Modular Crypt Format
# MDC Modification Detection Code
# MDC2 Modification Detection Code 2 aka Meyer-Schilling
# MDC-2 same as MDC2
# MD2 Message Digest 2
# MD4 Message Digest 4
# MD5 Message Digest 5
# MEE MAC-then-Encode-then-Encrypt (see also MtE, AtE)
# MEK Message Encryption Key
# MECAI Mutually Endorsing CA Infrastructure
# MGF Mask Generation Function
# MISTY1 block cipher algorithm
# MQV Menezes-Qu-Vanstone (authenticated key agreement)
# MtE MAC-then-encrypt (see also AtE)
# NaCl "Salt", crypto library (by D. Bernstein, Tanja Lange, Peter Schwabe)
# NCP Normalized Certification Policy (according TS 102 042)
# Neokeon symmetric block cipher algorithm
# NewHope post-quantum key exchange
# nistp192 alias for P-192
# nistp224 alias for P-224
# nistp256 alias for P-256
# nistp384 alias for P-384
# nistp521 alias for P-521
# NLSv2 stream cipher algorithm
# nonce (arbitrary) number used only once
# NPN Next Protocol Negotiation
# NSS Network Security Services
# NTG non-Deterministic Random Generator
# NTLM NT Lan Manager. Microsoft Windows challenge-response authentication method.
# NTRU asymmetric cipher algorithm using lattice reduction
# NULL no encryption
# NUMS nothing up my sleeve numbers
# OAEP Optimal Asymmetric Encryption Padding
# OCB Offset Codebook Mode (block cipher mode of operation)
# OCB1 same as OCB
# OCB2 improved OCB aka AEM
# OCB3 improved OCB2
# OCELOT1 stream cipher algorithm
# OCELOT2 stream cipher algorithm
# OCSP Online Certificate Status Protocol
# OCSP stapling formerly known as: TLS Certificate Status Request
# OFB Output Feedback
# OFBx Output Feedback x bit mode
# OID Object Identifier
# OMAC One-Key CMAC, aka CBC-MAC
# OMAC1 same as CMAC
# OMAC2 same as OMAC
# OPIE One-time pad Password system
# OTP One Time Pad
# OV Organisational Validation
# OV-SSL Organisational Validated Certificate
# P12 see PKCS#12
# P7B see PKCS#7
# P-192 Elliptic Curve used in FIPS 186-4 (NIST)
# P-224 Elliptic Curve used in FIPS 186-4 (NIST)
# P-256 Elliptic Curve used in FIPS 186-4 (NIST)
# P-384 Elliptic Curve used in FIPS 186-4 (NIST)
# P-521 Elliptic Curve used in FIPS 186-4 (NIST)
# PACE Password Authenticated Connection Establishment
# PAD Peer Authorization Database
# PAKE Password Authenticated Key Exchange
# Panama stream cipher algorithm
# PCN Pre-Congestion Notification
# PBE Password Based Encryption
# PBKDF2 Password Based Key Derivation Function
# PC Policy Constraints (certificate extension)
# PCBC Propagating Cipher Block Chaining
# PCFB Periodic Cipher Feedback Mode
# PCT Private Communications Transport
# PEM Privacy Enhanced Mail
# PES Proposed Encryption Standard
# PFS Perfect Forward Secrecy
# PFX see PKCS#12 (Personal Information Exchange)
# PGP Pretty Good Privacy
# PII Personally Identifiable Information
# PKCS Public Key Cryptography Standards
# PKCS1 PKCS #1: RSA Encryption Standard
# PKCS3 PKCS #3: RSA Encryption Standard on how to implement the Diffie-Hellman key exchange protocol
# PKCS5 PKCS #5: RSA Encryption Standard on how to derive cryptographic keys from a password
# PKCS6 PKCS #6: RSA Extended Certificate Syntax Standard
# PKCS7 PKCS #7: RSA Cryptographic Message Syntax Standard
# PKCS8 PKCS #8: RSA Private-Key Information Syntax Standard
# PKCS10 PKCS #10: Describes a standard syntax for certification requests
# PKCS11 PKCS #11: RSA Cryptographic Token Interface Standard (keys in hardware devices, cards)
# PKCS12 PKCS #12: RSA Personal Information Exchange Syntax Standard (public + private key stored in files)
# PKE Public Key Enablement
# PKI Public Key Infrastructure
# PKIX Internet Public Key Infrastructure Using X.509
# PKP Public-Key-Pins
# PM Policy Mappings (certificate extension)
# PMAC Parallelizable MAC (by Phillip Rogaway)
# PMS Pre-Master Secret
# Poly1305 Authenticator (MAC)
# Poly1305-AES MAC (by D. Bernstein)
# POP Proof of Possession
# POODLE Padding Oracle On Downgraded Legacy Encryption
# PQC Post-Quantum Crypto
# PRF Pseudo-Random Function
# PRP Pseudo-Random Permutation
# prime192v1 alias for P-192
# prime224v1 alias for P-224
# prime256v1 alias for P-256
# prime384v1 alias for P-384
# prime521v1 alias for P-521
# PRNG Pseudo-Random Number Generator
# PSK Pre-shared Key
# PSKC Portable Symmetric Key Container
# PTG Physical Random Generator
# PVT Public Validation Token
# PWKE Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
# QUIC Quick UDP Internet Connection
# RA Registration Authority (aka Registration CA)
# Rabbit stream cipher algorithm
# RADIUS Remote Authentication Dial-In User Service
# Radix-64 alias for Base-64
# RBG Random Bit Generator
# RC2 Rivest Cipher 2, block cipher by Ron Rivest (64-bit blocks)
# RC4 Rivest Cipher 4, stream cipher (aka Ron's Code)
# RC5 Rivest Cipher 5, block cipher (32-bit word)
# RC5-64 Rivest Cipher 5, block cipher (64-bit word)
# RC6 Rivest Cipher 6
# RCSU Reuters' Compression Scheme for Unicode (aka SCSU)
# RFC Request for Comments
# Rijndael symmetric block cipher algorithm (AES)
# RIPEMD RACE Integrity Primitives Evaluation Message Digest
# RLWE Ring Learning-with-Errors
# RMAC Randomized MAC (block cipher authentication mode)
# RNG Random Number Generator
# ROT-13 see XOR
# ROBOT Return Of Bleichenbacher's Oracle Threat
# RTP Real-time Transport Protocol
# RSASSA-PSS RSA Probabilistic Signature Scheme
# RSA Rivest Shamir Adleman (public key cryptographic algorithm)
# RSS-14 Reduced Space Symbology, see GS1
# RTN Routing transit number
# S/KEY One-time pad Password system
# SA Subordinate Authority (aka Subordinate CA)
# SACL System Access Control List
# SAD Security Association Database
# SAE Simultaneous Authentication of Equals
# SAFER Secure And Fast Encryption Routine, block cipher
# Salsa20 stream cipher (by D. Bernstein, 2005)
# Salsa20/8 see scrypt
# Salsa20/12 see Salsa20
# Salsa20/20 see Salsa20
# SAM syriac abbreviation mark
# SAN Subject Alternate Name
# Sarmal hash function
# SAX Symmetric Authenticated eXchange
# SBCS single-byte character set
# SCA Selfsigned CA signature
# SCEP Simple Certificate Enrollment Protocol
# scrypt password based key derivation function (Colin Percival)
# SCSU Standard Compression Scheme for Unicode (compressed UTF-16)
# SCSV Signaling Cipher Suite Value
# SCVP Server-Based Certificate Validation Protocol
# SCT Signed Certificate Timestamp
# SDES Security Description Protocol
# secp192r1 alias for P-192
# secp224r1 alias for P-224
# secp256r1 alias for P-256
# secp384r1 alias for P-384
# secp521r1 alias for P-521
# SEED 128-bit Symmetric block cipher
# Serpent symmetric key block cipher (128 bit)
# SGC Server-Gated Cryptography
# SGCM Sophie Germain Counter Mode (authenticated encryption block cipher mode)
# SHA Secure Hash Algorithm
# SHA-0 Secure Hash Algorithm (insecure version before 1995)
# SHA-1 Secure Hash Algorithm (since 1995)
# SHA-2 Secure Hash Algorithm (since 2002)
# SHA-3 Secure Hash Algorithm (since 2015), see Keccak also
# SHA-224 Secure Hash Algorithm (224 bit)
# SHA-256 Secure Hash Algorithm (256 bit)
# SHA-384 Secure Hash Algorithm (384 bit)
# SHA-512 Secure Hash Algorithm (512 bit)
# SHA1 alias for SHA-1 (160 bit)
# SHA2 alias for SHA-2 (224, 256, 384 or 512 bit)
# SHA3 alias for SHA-3 (224, 256, 384 or 512 bit)
# SHA3256 alias for SHA3-256
# SHA3-224 Secure Hash Algorithm (224 bit)
# SHA3-256 Secure Hash Algorithm (256 bit)
# SHA3-384 Secure Hash Algorithm (384 bit)
# SHA3-512 Secure Hash Algorithm (512 bit)
# SHAKE128 Secure Hash Algorithm (variable bit)
# SHAKE256 Secure Hash Algorithm (variable bit)
# SHAvite-3 hash function (Eli Biham, Orr Dunkelman, 2009)
# SHS Secure Hash Standard
# SIA Subject Information Access (certificate extension)
# SIC Segmented Integer Counter (alias for CTR)
# SIMON block cipher combining
# Skein hash function (Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, Jesse Walker, 2010)
# Skein-256-256 see Skein (256 bits)
# Skein-512-256 see Skein (256 bits)
# Skein-512-512 see Skein (512 bits)
# Skein-1024-1024 see Skein (1024 bits)
# SKID Subject Key ID (certificate extension)
# SKIP Message Skipping Attacks on TLS
# SKIP-TLS see SKIP
# Skipjack block cipher encryption algorithm specified as part of the Fortezza
# SLOTH Security Losses from Obsolete and Truncated Transcript Hashes
# SM4 block cipher algorithm
# SMS4 see SM4
# SMACK State Machine AttaCKs
# Snefu hash function
# Snow20 stream cipher algorithm
# SNI Server Name Indication
# SNOW word-based synchronous stream ciphers (by Thomas Johansson and Patrik Ekdahl)
# Snuffle 2005 see Salsa20
# Snuffle 2008 see ChaCha
# Sosemanuk stream cipher algorithm
# Speck block cipher algorithm
# SPD Security Policy Database
# SPDY Google's application-layer protocol on top of SSL
# SPECK block cipher combining
# SPHINCS post-quantum hash function
# SPHINCS-256 alias for SPHINCS
# SPI Security Parameters Index
# SPKI Subject Public Key Infrastructure
# SPN Substitution-Permutation Network
# SPRP Strong Pseudo-Random Permutation
# Square block cipher
# SRI Subresource Integrity
# SRP Secure Remote Password protocol
# SRTP Secure RTP
# SSCD Secure Signature Creation Device
# SSEE Sichere Signaturerstellungseinheit (same as SSCD)
# SSK Secret Signing Key
# SSL Secure Sockets Layer
# SSLv2 Secure Sockets Layer Version 2
# SSLv3 Secure Sockets Layer Version 3
# SSP Security Support Provider
# SSPI Security Support Provider Interface
# SST Serialized Certificate Store format
# STES stream cipher algorithm
# Streebog hash function
# Streebog-256 see Streebog
# Streebog-512 see Streebog
# STS Strict Transport Security
# STS Station-to-Station protocol
# SUF-CMA Strong UnForgeability against Chosen-Message Attacks
# Sweet32 Birthday attacks on 64-bit block ciphers in TLS and OpenVPN
# SWIFFT hash function (Vadim Lyubashevsky, Daniele Micciancio, Chris Peikert, Alon Rosen, 2008)
# SWIFFTX see SWIFFT
# TA Trust Agent
# TACK Trust Assertions for Certificate Keys
# TCB Trusted Computing Base
# TDEA Triple DEA
# TEA Tiny Encryption Algorithm
# TEK Traffic Encryption Key
# TET ?
# Tiger hash function
# TIME Timing Info-leak Made Easy (Exploit SSL/TLS)
# TIME A Perfect CRIME? TIME Will Tell
# Threefish hash function
# TLS Transport Layer Security
# TLSA TLS Trust Anchors
# TLSv1 Transport Layer Security version 1
# TLSA RR TLSA resource Record
# TMAC Two-Key CMAC, variant of CBC-MAC
# TOCTOU Time-of-check, time-of-use
# TOFU Trust on First Use
# TR-02102 Technische Richtlinie 02102 (des BSI)
# TR-03116 Technische Richtlinie 03116 (des BSI)
# Trivium stream cipher algorithm
# TSK Transmission Security Key
# TSK TACK signing key
# TSP trust-Management Service Provider
# TSS Time Stamp Service
# TTP trusted Third Party
# Twofish symmetric key block cipher (128 bit)
# UC Unified Capabilities
# UC Unified Communications (SSL Certificate using SAN)
# UCC Unified Communications Certificate (rarely used)
# UMAC message authentication code based on universal hashing; aka universal hashing MAC; optimized for 32-bit architectures
# URI Uniform Resource Identifier
# URL Uniform Resource Locator
# VMAC Universal hashing MAC; 64-bit variant of UMAC (by Ted Krovetz and Wei Dai)
# VMPC stream cipher algorithm
# VR-224 alias for BADA55-VR-224
# VR-256 alias for BADA55-VR-256
# VR-384 alias for BADA55-VR-384
# WHIRLPOOL hash function
# WPAD Web Proxy Auto-Discovery
# wolfSSL SSL library mainly intended and used for embedded and real-time systems
# X.680 X.680: ASN.1
# X.509 X.509: The Directory - Authentication Framework
# X25519 alias for Curve25519 ?
# X448 alias for Curve448 ?
# X680 X.680: ASN.1
# X509 X.509: The Directory - Authentication Framework
# X3DH Extended Triple Diffie-Hellman
# XCBC eXtended CBC-MAC
# XCBC-MAC same as XCBC
# XChaCha12 stream cipher algorithm
# XChaCha20 stream cipher algorithm
# XEX XOR Encrypt XOR
# XKMS XML Key Management Specification
# XMACC counter-based XOR-MAC
# XMACR randomized XOR-MAC
# XMLSIG XML-Signature Syntax and Processing
# XMSS hash function
# XSalsa2 variant of Salsa20
# XTEA extended Tiny Encryption Algorithm
# XTS XEX-based tweaked-codebook mode with ciphertext stealing
# XUDA Xcert Universal Database API
# XXTEA enhanced/corrected Tiny Encryption Algorithm
# yaSSL same as CyaSSL
# ZLIB Lossless compression file format
# ZRTP SRTP for VoIP
# ZSK Zone Signing Key (DNSSEC)
#
## end abbr
# begin rfc
# =head1 rfc
# # SID @(#) rfc.txt 1.11 19/01/11 00:05:23
#
# # number| title / description
# #------+----------------------------------------------------------------------+
# # url base URL for RFC descriptions
# # http://tools.ietf.org/html/rfcXXXX
# # http://tools.ietf.org/rfc/rfcXXXX.txt
# url http://tools.ietf.org/
# 6101 SSL Version 3.0
# 6601 SSL Version 3.0
# 2246 TLS Version 1.0 (with Cipher Suites)
# 4346 TLS Version 1.1 (with Cipher Suites)
# 5246 TLS Version 1.2 (with Cipher Suites)
# 8446 TLS Version 1.3 (with Cipher Suites)
# 4347 DTLS Version 0.9
# 6347 DTLS Version 1.2
# 8447 IANA Registry Updates for TLS and DTLS
# 2616 Hypertext Transfer Protocol Version 1 (HTTP/1.1)
# 7540 Hypertext Transfer Protocol Version 2 (HTTP/2)
# 7230 HTTP/1.1: Message Syntax and Routing
# 7231 HTTP/1.1: Semantics and Content
# 7232 HTTP/1.1: Conditional Requests
# 7233 HTTP/1.1: Range Requests
# 7234 HTTP/1.1: Caching
# 7235 HTTP/1.1: Authentication
# 3490 Internationalizing Domain Names in Applications (IDNA)
# 3987 Internationalized Resource Identifiers (IRIs)
# 4518 Internationalized String Preparation in LDAP
# 3986 Uniform Resource Identifier (URI): Generic Syntax
# 2104 HMAC: Keyed-Hashing for Message Authentication
# 2405 The ESP DES-CBC Cipher Algorithm With Explicit IV
# 2406 IP Encapsulating Security Payload (ESP)
# 2407 The Internet IP Security Domain of Interpretation for ISAKMP
# 2408 Internet Security Association and Key Management Protocol (ISAKMP)
# 2409 The Internet Key Exchange (IKE) - 1998
# 4306 The Internet Key Exchange (IKEv2) Protocol - 2005
# 7296 The Internet Key Exchange Protocol 2 (IKEv2) - 2014
# 4753 ECP Groups for IKE and IKEv2
# 4754 IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)
# 2412 OAKLEY Key Determination Protocol (PFS - Perfect Forward Secrecy)
# 2817 Upgrading to TLS Within HTTP/1.1
# 2818 HTTP Over TLS
# 2945 SRP Authentication & Key Exchange System
# 2986 PKCS#10
# 5967 PKCS#10
# 2313 PKCS#1: RSA Cryptography Specifications Version 1.5
# 2437 PKCS#1: RSA Cryptography Specifications Version 2.0
# 3447 PKCS#1: RSA Cryptography Specifications Version 2.1
# 8017 PKCS#1: RSA Cryptography Specifications Version 2.2
# 2712 TLSKRB: Addition of Kerberos Cipher Suites to TLS
# 3268 TLSAES: Advanced Encryption Standard (AES) Cipher Suites for TLS
# 4279 TLSPSK: Pre-Shared Key Ciphersuites for TLS
# 5081 TLSPGP: Using OpenPGP Keys for Transport Layer Security (TLS) Authentication - 2007
# 6091 TLSPGP: Using OpenPGP Keys for Transport Layer Security (TLS) Authentication - 2011
# 3711 The Secure Real-time Transport Protocol (SRTP)
# 6189 ZRTP: Media Path Key Agreement for Unicast Secure RTP
# 4309 AES-CCM Mode with IPsec Encapsulating Security Payload (ESP)
# 5116 An Interface and Algorithms for Authenticated Encryption (AEAD)
# 3749 TLS Compression Method (obsolete)
# 3943 TLS Protocol Compression Using Lempel-Ziv-Stac (LZS)
# 4680 TLS Handshake Message for Supplemental Data
# 4749 TLS Compression Methods
# 3546 TLS Extensions (obsolete)
# 4366 TLS Extensions
# 5746 TLS Extension: Renegotiation Indication Extension
# 5764 TLS Extension: Secure Real-time Transport Protocol (SRTP)
# 5878 TLS Extension: Authorization
# 5929 TLS Extension: Channel Bindings
# 6066 TLS Extension: Extension Definitions
# 6520 TLS Extension: Heartbeat
# 7301 TLS Extension: Application-Layer Protocol Negotiation (ALPN)
# 7633 TLS Extension: Feature Extension: Must Staple
# 8449 TLS Extension: Record Size Limit
# 5077 TLS session resumption without Server-Side State
# 6961 TLS Multiple Certificate Status Request Extension
# 7627 TLS Session Hash and Extended Master Secret Extension
# 6176 Prohibiting Secure Sockets Layer (SSL) Version 2.0
# 7568 Deprecating Secure Sockets Layer Version 3.0
# 6460 NSA Suite B Profile for TLS
# 2560 Online Certificate Status Protocol (OCSP, obsolete)
# 6267 Online Certificate Status Protocol Algorithm Agility (OCSP, obsolete)
# 4210 X509 PKI Certificate Management Protocol (CMP)
# 3279 x509 Algorithms and Identifiers for X.509 PKI and CRL Profile
# 3739 x509 PKI Qualified Certificates Profile; EU Directive 1999/93/EC
# 3280 X509 PKI Certificate and Certificate Revocation List (CRL) Profile (obsolete)
# 4158 X509 PKI Certification Path Building
# 4387 X509 PKI Operational Protocols: Certificate Store Access via HTTP
# 5280 X509 PKI Certificate and Certificate Revocation List (CRL) Profile
# 5480 X509 PKI Elliptic Curve Cryptography Subject
# 5758 X509 PKI Additional Algorithms and Identifiers for DSA and ECDSA
# 6960 X509 Online Certificate Status Protocol (OCSP)
# 8410 X509 PKI Algorithm Identifiers for Ed25519, Ed448, X25519, and X448
# 4132 Addition of Camellia Cipher Suites to TLS
# 4162 Addition of SEED Cipher Suites to TLS
# 4357 Additional Cryptographic Algorithms for Use with GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms
# 4418 UMAC: Message Authentication Code using Universal Hashing
# 4491 Using the GOST Algorithms with X509 (GOST R 34.10-94, GOST R 34.10-2001, GOST R 34.11-94)
# 6986 GOST R 34.11-2012: Hash Function
# 4868 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
# 4785 Pre-Shared Key (PSK) Cipher Suites with NULL Encryption for TLS
# 5054 Secure Remote Password (SRP) Protocol for TLS Authentication
# 5114 Additional Diffie-Hellman Groups for Use with IETF Standards
# 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS
# 5289 TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)
# 5430 Suite B Profile for TLS
# 5487 Pre-Shared Key Cipher Suites for TLS with SHA-256/384 and AES Galois Counter Mode
# 5489 ECDHE_PSK Cipher Suites for TLS
# 5589 Session Initiation Protocol (SIP) Call Control - Transfer
# 6040 Tunnelling of Explicit Congestion Notification
# 6090 Fundamental Elliptic Curve Cryptography Algorithms
# 4492 TLSECC: Elliptic Curve Cryptography (ECC) Cipher Suites for TLS (obsolete)
# 5639 Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation
# 5903 Elliptic Curve Groups modulo a Prime (ECP Groups) for IKE and IKEv2
# 6507 Elliptic Curve-Based Certificateless Signatures for Identity-Based Encryption (ECCSI)
# 7027 Elliptic Curve Cryptography (ECC) Brainpool Curves for TLS
# 7748 Elliptic Curve for Security
# 8422 Elliptic Curve Cryptography (ECC) Cipher Suites for TLS Versions 1.2 and Earlier
# 5528 Camellia Counter Mode and Camellia Counter with CBC-MAC Mode Algorithms
# 5741 RFC Streams, Headers, and Boilerplates
# 5794 Description of the ARIA Encryption Algorithm
# 5932 Camellia Cipher Suites for TLS
# 6209 Addition of the ARIA Cipher Suites to TLS
# 6367 Addition of the Camellia Cipher Suites to TLS
# 6655 AES-CCM Cipher Suites for TLS
# 7251 AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites for TLS
# 7507 TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks
# 5055 Server-Based Certificate Validation Protocol (SCVP)
# 5019 simplified RFC 2560
# 5705 Keying Material Exporters for TLS
# 6125 Representation and Verification of Domain-Based Application Service (PKIX) for TLS
# 6797 HTTP Strict Transport Security (HSTS)
# 6962 Certificate Transparency
# 6979 Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)
# 7366 Encrypt-then-MAC for TLS and DTLS
# 7457 Summarizing Known Attacks on TLS and DTLS
# 7465 Prohibiting RC4 Cipher Suites
# 7469 Public Key Pinning Extension for HTTP
# 7525 Recommendations for Secure Use of TLS and DTLS
# 7539 ChaCha20 and Poly1305 for IETF Protocols (obsolete)
# 8439 ChaCha20 and Poly1305 for IETF Protocols
# 7627 TLS Session Hash and Extended Master Secret Extension
# 7905 ChaCha20-Poly1305 Cipher Suites for TLS
# 7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS
# 1135 The Helminthiasis of the Internet
# 6698 DNS-Based Authentication of Named Entities (DANE)
# 6844 DNS Certification Authority Authorization (CAA) Resource Record
# 3610 Counter with CBC-MAC (CCM)
# 3852 Cryptographic Message Syntax (CMS)
# 5083 Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type
# 4086 Randomness Requirements for Security
# 4107 Guidelines for Cryptographic Key Management
# 8032 Edwards-Curve Digital Signature Algorithm (EdDSA)
# 7710 Captive Portal Using DHCP
# 8484 DNS over HTTPS (DoH)
# 8467 Padding for DoH and DoT
#
## end rfc
# begin woodoo
# Some documentation is plain text, which is DATA in Perl sources. As such,
# it is not detected as source, not as comment, and not as documentation
# by most tools analyzing the source code.
# O-Saft's public user documentation is plain text stored in separate files.
# The files are usually also not counted as source.
# Unfortunately, some people solely believe in statistics generated by magic
# tools. They use such statistics to measure, for example, code quality without
# looking at the code themselves.
# Hence the purpose of this file is to provide real comment and documentation
# lines from our documentation in format of the used programming language.
# Hopefully, if these people read this, they change the workflow (meaning: they
# also review the source code) or adapt their conclusions, keeping in mind that
# statistics can be manipulated in many ways. Here we go ...
#
# Disclaimer: No offence meant anyhow, neither against any analyzing tool nor
# against anyone using them. It is just a reminder to use the tools and their
# results in a wise manner. Measuring quality is more than just automatically
# generated statistics!
# end woodoo