COMMANDS 
        There are commands for various tests of the SSL connection to the
        target, the target's certificate and the ciphers used.
        All commands are preceded by a  +  to distinguish them easily from
        other arguments and options. However, some  --OPTIONS  options are
        treated as commands for historical reasons or for compatibility with
        other programs.
        The most important commands are (in alphabetical order):
          +check +cipher +info +http +list +quick +sni +sni_check +version
        A list of all available commands will be printed with:
              o-saft.pl --help=cmd
        The description of all other commands will be printed with:
              o-saft.pl --header --help=commands
        The summary and internal commands return requested information or the
        results of checks. These are described below.
        Note that some commands may be a combination of other commands, see:
              o-saft.pl --header --help=intern
        The following sub-sections only describe the commands which do more
        than give simple information about the target.  All other commands
        can be listed with:
              o-saft.pl --header --help=commands
        The final sub-section  Notes about commands  contains notes about
        special commands and related commands.
        
 Commands for information about this tool 
 
        All these commands will exit after execution (cannot be used together
        with other commands).
 +ciphers 
 
          Show ciphers offered by local SSL implementation.
          This command prints the ciphers in a format like  openssl ciphers
          does. It also accepts the  -v  and  -V  option. The  --legacy=TYPE
          option can be used as described for the  +list  command.
          Use the  +list  command for more information about ciphers.
 +list 
 
          Show all ciphers supported by this tool. This includes cryptographic
          details of the cipher and some internal details about the rating.
          In contrast to the  +ciphers  command,  +list  uses  TAB characters
          instead of spaces to separate columns.  It also prints table header
          lines by default.
          Different output formats are used for the  --legacy  option:
            --legacy=simple   tabular output of cipher values
            --legacy=full     as --legacy=simple but more data
            --legacy=openssl  output like with +ciphers command
            --legacy=ssltest  output like ssltest --list
 +VERSION 
 
          Just show version and exit.
 +version 
 
          Show version information for both the program and the  Perl modules
          that it uses, then exit.
          Use  --v  option to show more details.
 +libversion 
 
          Show version of openssl.
 +quit 
 
          Show internal data and exit, used for debugging only.
        
 Commands to check SSL details 
 
        The following (summary and internal) commands are simply shortcuts
        for a list of other commands. For details of the list use:
              o-saft.pl --help=intern
 +check 
 
          Check the SSL connection for security issues. Implies  +cipher .
 +host 
 
          Print details about the target's hostname, DNS, etc.
          These details are usually printed only for the  +check  and  +info
          command, but not for any individual command.
 +http 
 
          Perform HTTP checks (like STS, redirects etc.).
 +info 
 
          Overview of most important details of the SSL connection.
          Use the  --v  option to also show details which span multiple lines.
 +info--v 
 
          Overview of all details of the SSL connection. It is a shortcut for
          all commands listed below but not including  +cipher.
          This command is intended for debugging as it prints some details of
          the used Net::SSLinfo module.
 +quick 
 
          Quick overview of checks. Implies  --enabled  and  --short.
 +pfs 
 
          Check if server offers ciphers with perfect forward secrecy (PFS).
 +protocols 
 
          Check for protocols supported by target.
 +vulns 
 
          Check for various vulnerabilities.
 +sts 
 
 +hsts 
 
          Various checks of the STS HTTP header.
          This option implies  --http,  which means that  --no-http is ignored.
 +sni 
 
          Check for Server Name Indication (SNI) usage.
 +sni_check 
 
 +check_sni 
 
          Check for Server Name Indication (SNI) usage  and  validity  of all
          names (CN, subjectAltName, FQDN, etc.).
 +bsi 
 
          Various checks for BSI TR-02102-2 and TR-03116-4 compliance.
 +ev 
 
          Various checks of the certificate's Extended Validation (EV).
          Hint: use option  --v --v  to get information about failed checks.
 +sizes 
 
          Check length, size and count of some values in the certificate.
 +s_client 
 
          Dump data retrieved from  openssl s_client ...  call. This should
          be used for debugging only.
          It can be used just like openssl itself, for example:
              openssl s_client -connect host:443 -no_sslv2
 +dump 
 
          Dumps internal data for SSL connection and target certificate. This
          is mainly for debugging and  should not be used together with other
          commands (except +cipher).
          Each key-value pair is enclosed in  #{  and  #} .
          Using  --trace --trace  dumps data of Net::SSLinfo too.
 +exec 
 
          Command used internally when requested to use other libraries.
          This command should not be used directly.
        
 Commands to test ciphers provided by target 
 
          Besides the description of the commands themselves here, please also
          see  Notes about commands  below.
 +cipher 
 
          Check target for ciphers,  either all ciphers, or ciphers specified
          with  --cipher=CIPHER  option.
          Note that ciphers not supported by the local SSL implementation are
          not checked by default, use the  +cipherall  or  +cipherraw  command.
          Use  --v  option to see all ciphers being checked.
 +cipherraw 
 
          Check target for all possible ciphers.
          Does not depend on local SSL implementation.
          In contrast to  +cipher  this command has some options to tweak the
          cipher tests, connection results and some strange behaviours of the
          target. See  Options for cipherall command  for details.
 +cipherall 
 
          Same as  +cipherraw  but output format similar to  +cipher  command.
 +cipher-default 
 
          Lists the cipher selected by the server for each protocol, sometimes
          referred to as the default cipher.
          For each protocol the two selected ciphers are shown,  one returned
          by the server if the cipher list in the  ClientHello is sorted with
          the strongest cipher first, and one returned  if the cipher list in
          the ClientHello is sorted with strongest cipher last.
          See  Notes about commands  for details.
 +cipher-dh 
 
          Check target for ciphers. All ciphers supported by the server are
          printed with their DH or ECDH parameters (if available).
 +null 
 
 +cipher-null 
 
          Check if target accepts NULL ciphers.
 +adh 
 
 +cipher-adh 
 
          Check if target accepts ciphers with anonymous key exchange.
 +export 
 
 +cipher-exp 
 
          Check if target accepts EXPORT ciphers.
 +cbc 
 
 +cipher-cbc 
 
          Check if target accepts CBC ciphers.
 +des 
 
 +cipher-des 
 
          Check if target accepts DES ciphers.
 +cipher-rc4 
 
          Check if target accepts RC4 ciphers.
 +edh 
 
 +cipher-edh 
 
          Check if target supports ephemeral ciphers.
 +cipher-pfs 
 
          Check if target supports ciphers with PFS.
 +cipher-strong 
 
          Check if target selects strongest cipher.
 +cipher-weak 
 
          Check if target selects weak cipher (opposite of  +cipher-strong).
        
 Commands to test SSL connection to target 
 
        Please see:
              o-saft.pl --help=commands
        
 Commands to show certificate details of the target 
 
        Please see:
              o-saft.pl --help=commands
        
 Notes about commands 
 
 +cipher vs. +cipherall 
 
          +cipher  can only check for ciphers - more precisely: cipher suites -
          provided by the local SSL implementation (i.e. libssl).
          +cipherall  can check for any cipher,  as it just uses the cipher's
          integer value in the range 0 .. 65532.
 +cipherall vs. +cipherraw 
 
          These commands are identical, just the output format is different.
 +cipher vs. +cipher-dh 
 
          While  +cipher  prints checked ciphers,  +cipher-dh  prints ciphers
          with their DH or ECDH parameters (if available)  only for supported
          ciphers.
 +cipher vs. +cipher-default 
 
          Both commands show the default cipher for each protocol.
          +cipher  lists a summary of ciphers selected by the server for each
          protocol requested by the user (for example by using options like:
          --sslv3 --tlsv1 etc.).  When the  --v  option is used, all selected
          ciphers for all known protocols are listed. This summary focuses on
          counts for various ciphers.
          +cipher-default  lists the  cipher selected  by the server for each
          protocol.
 +cipher-selected vs. +cipher-default 
 
          +selected  lists the cipher selected by the server if no particular
          protocol was specified and the system's default cipher list is sent
          in the ClientHello to the server.
          +cipher-default  lists the  cipher selected  by the server for each
          protocol.
 +cipher-strong vs. +cipher-default 
 
          +strong-cipher  shows the result of the check if strong ciphers are
          preferred by the server. It is a check command.
          +cipher-default  lists the  cipher selected  by the server for each
          protocol. It is an information command.
          It is not possible to check if a server uses SSLHonorCipherOrder.
          Even if it is used (switched on),  it is not possible to  check the
          specified order of the ciphers.
          In general it is expected that the order follows the cipher suite's
          strength, meaning the strongest first, and the weakest last.
          It does not make sense to use an order where a weak cipher precedes
          a stronger one. Such a (mis-)configuration should be detected.
          Having this in mind, the algorithm to detect a  proper cipher order
          is as simple as follows:
            1. pass sorted cipher list with strongest cipher first
            2. pass sorted cipher list with strongest cipher last
          If the server returns the same cipher for both checks, it's assumed
          that it prefers to use the strongest cipher. In this case it's
          obvious that SSLHonorCipherOrder is set (for exceptions see below).
          +cipherall  uses a  more accurate algorithm  to detect the server's
          cipher order.
          Exceptions:
          If either the server or the client uses only one cipher suite in
          the list, SSLHonorCipherOrder cannot be detected at all.
          The same happens if only one cipher in the client's list matches a
          cipher in the server's list.
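          The two-step check and its exceptions, modelled offline. This is
          an added example, not O-Saft code: ModelServer, probe_cipher_order
          and the STRENGTH ranking are constructed for illustration only.

```python
# Added example: offline model of the two-ClientHello cipher-order check.
# ModelServer, probe_cipher_order and STRENGTH are hypothetical names.

# Constructed strength ranking (higher = stronger); not O-Saft's rating table.
STRENGTH = {
    "ECDHE-RSA-AES256-GCM-SHA384": 4,
    "ECDHE-RSA-AES128-GCM-SHA256": 3,
    "AES128-SHA": 2,
    "DES-CBC3-SHA": 1,
}


class ModelServer:
    """Stand-in for a TLS server that picks one cipher from a ClientHello."""

    def __init__(self, ciphers, honor_order):
        self.ciphers = list(ciphers)    # configured order, most preferred first
        self.honor_order = honor_order  # models SSLHonorCipherOrder on/off

    def select(self, offer):
        if self.honor_order:
            # Server preference wins: first server cipher the client offers.
            common = [c for c in self.ciphers if c in offer]
        else:
            # Client preference wins: first offered cipher the server supports.
            common = [c for c in offer if c in self.ciphers]
        return common[0] if common else None


def probe_cipher_order(server, client_ciphers):
    """Run both probes; return (verdict, pick_strongest_first, pick_strongest_last)."""
    strongest_first = sorted(client_ciphers, key=STRENGTH.get, reverse=True)
    strongest_last = strongest_first[::-1]
    pick_a = server.select(strongest_first)   # step 1 of the algorithm
    pick_b = server.select(strongest_last)    # step 2 of the algorithm
    if pick_a is None:
        verdict = "no common cipher"
    elif pick_a != pick_b:
        verdict = "follows client order"
    elif pick_a == strongest_first[0]:
        verdict = "same cipher, strongest offered"
    else:
        # Same answer twice, but not the strongest cipher the client offered:
        # either the server ranks a weaker cipher first, or the overlap is a
        # single cipher (the exception above). The probe cannot tell which.
        verdict = "same cipher, not strongest offered"
    return verdict, pick_a, pick_b


OFFER = list(STRENGTH)  # client offers all four constructed ciphers
STRONG_FIRST = sorted(STRENGTH, key=STRENGTH.get, reverse=True)

if __name__ == "__main__":
    cases = {
        "honors order, strong first": ModelServer(STRONG_FIRST, True),
        "no server preference": ModelServer(STRONG_FIRST, False),
        "honors order, weak first": ModelServer(STRONG_FIRST[::-1], True),
        "one common cipher, honor on": ModelServer(["AES128-SHA"], True),
        "one common cipher, honor off": ModelServer(["AES128-SHA"], False),
    }
    for name, server in cases.items():
        print(f"{name:30} {probe_cipher_order(server, OFFER)}")
```

          The last two cases return identical results although only one of
          the model servers enforces its own order, which is the exception
          described above.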
 +extensions vs. +tlsextensions 
 
          +extensions  shows the Certificate extensions and  +tlsextensions
          will show the TLS protocol extensions.
          Use  +tlsextdebug  to show more information about the TLS protocol
          extensions.
 +http2 +spdy +spdy3 +spdy31 +spdy4 +prots 
 
          These commands are just an alias for the  +protocols  command.
 +hostname vs. +wildhost vs. +altname vs. +rfc_2818 
 
          The commands  +cn  and  +altname  print the  information stored  in
          the certificate.
          The command  +hostname  checks if the given hostname matches the CN
          value in the certificate.  Note that wildcard names in the CN may
          contain only one *.
          The command  +wildcard  checks if the given hostname does not match
          any name specified in the certificate's subjectAltname. This check
          is useful  if the certificate and the configuration must comply with
          RFC 6125 or EV certificates.
 OPTIONS 
        All options are written in lowercase. Words written in all capitals
        in the description here are text provided by the user.
        
 Options for help and documentation 
 
 --h 
 
 --help 
 
          WYSIWYG
 --help=cmd 
 
          Show available commands; short form.
 --help=commands 
 
          Show available commands with short description.
 --help=opt 
 
          Show available options; short form.
 --help=options 
 
          Show available options with their description.
 --help=checks 
 
          Show available checks.
 --help=check-cfg 
 
 --help=cfg-check 
 
          Show texts used as labels in output for checks (see  +check)  ready
          for use in  RC-FILE  or as option.
 --help=data 
 
          Show available information.
 --help=data-cfg 
 
 --help=cfg-data 
 
 --help=cfg-info 
 
          Show texts used  as labels in output for  data  (see  +info)  ready
          for use in  RC-FILE  or as option.
 --help=hint 
 
          Show texts used in hint messages.
 --help=hint-cfg 
 
 --help=cfg-hint 
 
          Show texts used in hint messages ready for use in  RC-FILE  or as
          option.
 --help=text 
 
          Show texts used in various messages.
 --help=text-cfg 
 
 --help=cfg-text 
 
          Show texts used in various messages ready for use in  RC-FILE  or
          as option.
 --help=legacy 
 
          Show possible legacy formats (used as value in  --legacy=TOOL).
 --help=compliance 
 
          Show available compliance checks.
 --help=intern 
 
          Show internal commands.
 --help=alias 
 
          Show alias for commands and options.
 --help=range 
 
          Show list of cipherranges (see  --cipherrange=RANGE).
 --help=score 
 
          Show score value for each check.
          Value is printed in format to be used for  --cfg-score=KEY=SCORE.
          Note that the  sequence  of options  is important.  Use the options
          --trace  and/or  --cfg-score=KEY=SCORE  before  --help=score.
 --help=toc 
 
 --help=content 
 
          Show headlines from help text. Useful to get an overview.
 --help=SECTION 
 
          Show SECTION from documentation, see  --help=toc  for a list.
          Example:
              o-saft.pl --help=EXAMPLES
 --help=ourstr 
 
          Show regular expressions to match our own strings used in output.
 --help=regex 
 
          Show regular expressions used internally.
 --help=gen-html 
 
          Print documentation in HTML format.
 --help=gen-pod 
 
          Print documentation in POD format.
 --help=gen-wiki 
 
          Print documentation in mediawiki format.
 --help=gen-cgi 
 
          Print documentation in format to be used for CGI.
 --help=error 
 
 --help=warning 
 
 --help=problem 
 
          Show  KNOWN PROBLEMS  section with  description of known  error and
          warning messages.
 --help=faq 
 
          Show  KNOWN PROBLEMS  and  LIMITATIONS  section.
 --help=glossary 
 
          Show common abbreviations used in the world of security.
 --help=links 
 
          Show list of URLs related to SSL/TLS.
 --help=rfc 
 
          Show list of RFCs related to SSL/TLS.
 --help=todo 
 
          Show known problems and bugs.
 --help=program.code 
 
          For developers.
        
 Options for all commands (general) 
 
 --dns 
 
          Do DNS lookups to map given hostname to IP, do a reverse lookup.
 --no-dns 
 
          Do not make DNS lookups.
          Note  that the corresponding IP and reverse hostname may be missing
          in some messages then.
 --host=HOST 
 
          Specify HOST as target to be checked. Legacy option.
 --port=PORT 
 
          Specify PORT of target to be used. Legacy option.
 --host=HOST --port=PORT HOST:PORT HOST 
 
          When giving more than one HOST argument,  the sequence of the given
          HOST argument and the given  --port=PORT  and the given --host=HOST
          options is important.
          The rule how ports and hosts are mapped is as follows:
            HOST:PORT arguments are used as is (connection to HOST on PORT)
            if only HOST is given, the previously specified  --port=PORT  is
            used
          Note that URLs are treated as HOST:PORT, if they contain a port.
          Example:
              o-saft.pl +cmd host-1 --port 23 host-2 host-3:42 host-4
          will connect to:
              host-1:443
              host-2:23
              host-3:42
              host-4:23
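          To preview which HOST:PORT pairs a command line will reach before
          scanning, the mapping rule can be modelled as follows. This is an
          added example, not O-Saft's own parser: map_targets is a
          hypothetical name, the default port 443 is taken from the example
          above, and using the current port for URLs without a port is an
          assumption.

```python
# Added example: model of the HOST / --port mapping rule described above.
# map_targets is a hypothetical helper, not part of o-saft.pl.
from urllib.parse import urlsplit

DEFAULT_PORT = 443  # taken from the page's example: host-1 -> host-1:443


def map_targets(argv):
    """Return the (host, port) pairs, in order, for an argument list.

    Assumptions: options other than --port/--host are written as one word
    (--opt=value), and IPv6 literals are not handled.
    """
    port = DEFAULT_PORT
    targets = []
    args = iter(argv)
    for arg in args:
        if arg == "--port":
            # "--port 23" form: the value is the next argument.
            port = int(next(args))
        elif arg.startswith("--port="):
            port = int(arg.split("=", 1)[1])
        elif arg.startswith("--host="):
            # Legacy option: behaves like a bare HOST argument.
            targets.append((arg.split("=", 1)[1], port))
        elif arg.startswith(("+", "-")):
            # Commands (+cmd) and other options do not affect the mapping.
            continue
        elif "://" in arg:
            # URL: treated as HOST:PORT if it contains a port; without one
            # the current port is used (assumption, not stated on the page).
            url = urlsplit(arg)
            targets.append((url.hostname, url.port or port))
        elif ":" in arg:
            # HOST:PORT is used as is and does not change the current port.
            host, _, explicit = arg.rpartition(":")
            targets.append((host, int(explicit)))
        else:
            # Bare HOST: the previously specified --port applies.
            targets.append((arg, port))
    return targets


if __name__ == "__main__":
    cmdline = "+cmd host-1 --port 23 host-2 host-3:42 host-4".split()
    for host, port in map_targets(cmdline):
        print(f"{host}:{port}")
```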
 --proxyhost=PROXYHOST --proxy=PROXYHOST:PROXYPORT 
 
          Make all connections to target using PROXYHOST.
          Also possible is: --proxy=PROXYUSER:PROXYPASS@PROXYHOST:PROXYPORT
 --proxyport=PROXYPORT 
 
          Make all connections to target using PROXYHOST:PROXYPORT.
 --proxyuser=PROXYUSER 
 
          Specify username for proxy authentication.
 --proxypass=PROXYPASS 
 
          Specify password for proxy authentication.
 --starttls 
 
          Use STARTTLS command to start a TLS connection via SMTP.
          This option is a shortcut for  --starttls=SMTP .
 --starttls=SMTP 
 
 --starttls=PROT 
 
          Use STARTTLS command to start a TLS connection via protocol PROT.
          PROT may be any of: SMTP, IMAP, IMAP2, POP3, FTPS, RDP,
          LDAP or XMPP .
          For  --starttls=SMTP  see  --dns-mx  also to use MX records instead
          of host
 --starttls-delay=SEC 
 
          Number of seconds to wait before sending a packet, to slow down the
          STARTTLS requests. Default is 0.
          This may prevent blocking of requests by the target due to too many
          or too fast connections.
          Note:  In this case there is an automatic suspension and retry with
          a longer delay.
 --cgi 
 
 --cgi-exec 
 
          Internal use for CGI mode only.
        
 Options for SSL tool 
 
 --rc 
 
          Read  RC-FILE  if it exists, from directory where program was found.
 --no-rc 
 
          Do not read  RC-FILE.
 --exitcode 
 
          The exit status code will be greater than 0, if any of the following
          applies:
            any check returns  no
            insecure protocols are available
            insecure ciphers are supported
            ciphers without PFS are supported (disable with --exitcode-cipher)
          In particular, the status code will be the total count of all these
          checks.
          Parts of these checks can be disabled,  see  --exitcode-*  options
          below.
          This functionality is experimental and may change in the future.
 --exitcode-no-checks 
 
          Do not count checks with result no for  --exitcode .
 --exitcode-no-low  --exitcode-no-weak  --exitcode-no-medium 
 
          Do not count LOW, WEAK or MEDIUM security ciphers for  --exitcode .
 --exitcode-no-ciphers 
 
          Do not count any ciphers for  --exitcode .
 --exitcode-no-pfs 
 
          Do not count ciphers without PFS for  --exitcode .
 --openssl-s_client --s_client 
 
          Use  openssl s_client ...  call to retrieve more information from
          the SSL connection.  This is disabled by default on Windows because
          of performance problems. Without this option (default on Windows !)
          the following information is missing:
              compression, expansion, renegotiation, resumption,
              selfsigned, verify, chain, protocols, DH parameters
          See Net::SSLinfo for details.
          If used together with  --trace, s_client  data will also be printed
          in debug output of Net::SSLinfo.
 --no-openssl 
 
          Do not use external openssl  tool to retrieve information. Use of
          openssl is disabled by default on Windows.
          Note that this results in some missing information, see above.
 --openssl=TOOL 
 
          TOOL        can be a path to openssl executable; default: openssl
 --openssl-cnf=FILE --openssl-conf=FILE 
 
          FILE        path of directory or full path of openssl.cnf
          If set, environment variable OPENSSL_CONF will be set to given path
          (or file) when openssl(1) is started. Please see openssl's man page
          for details about specifying alternate  openssl.cnf  files.
 --openssl-ciphers --force-openssl 
 
          Use openssl to check for supported ciphers;  default: IO::Socket(1)
          This option forces the use of  openssl s_client -connect CIPHER .. to
          check if a cipher is supported by the remote target. This is useful
          if the  --lib=PATH  option doesn't work (for example due to changes
          of the API or other incompatibilities).
 --exe-path=PATH 
 
 --exe=PATH 
 
          PATH        is a full path where to find openssl.
 --lib-path=PATH 
 
 --lib=PATH 
 
          PATH        is a full path where to find libssl.so, libcrypto.so.
          See HACKER's INFO below for a detailed description how it works.
 --envlibvar=NAME 
 
          NAME  is the name of an environment variable containing additional
          paths for searching dynamic shared libraries.
          Default is LD_LIBRARY_PATH.
          Check your system for the proper name, i.e.:
              DYLD_LIBRARY_PATH, LIBPATH, RPATH, SHLIB_PATH.
 --ssl-error 
 
          Stop trying to connect to target if  --ssl-error-max  errors occurred
          sequentially, or if the total amount of errors  --ssl-error-total
          is reached.
          The connection to  a target may fail, or even block, due to various
          reasons, for example loss of network, blocking at firewall, etc.
          In particular when checking ciphers with  +cipher , this may result
          in long delays until results are printed.
          Using this option stops trying to do more connections to the target
          when  --ssl-error-max  consecutive errors occurred, or if the total
          amount of errors exceeds  --ssl-error-total.
          Note that this may result in loss of information and/or checks.
 --ssl-error-max=CNT 
 
          Max. amount of consecutive errors (default: 5).
 --ssl-error-timeout=SEC 
 
          Timeout in seconds when a failed connection is treated as error and
          then counted (default: 1).
 --ssl-error-total=CNT 
 
          Max. total amount of errors (default: 10).
 --ssl-lazy 
 
          In general this tool tries to identify available functionality for
          SSL versions from the underlying libraries.  Unsupported  versions
          are then disabled and a warning is shown.
          Unfortunately some libraries have  not implemented all functions to
          check availability of a specific SSL version, which then results in
          a compile error.
          This option disables the strict check of availability.
          If the underlying library doesn't support the required SSL version
          at all, the following error may occur:
              Can't locate auto/Net/SSLeay/CTX_v2_new.al in @INC ...
          See Note on SSL versions  for a general note about SSL versions.
          A more detailed description of the problem and how Net::SSLeay
          behaves can be found in the source of  o-saft.pl ,
          see section starting at
              #| check for supported SSL versions
 --timeout=SEC 
 
          Timeout in seconds when connecting to the target (default: 2).
 --call=METHOD 
 
          METHOD      method to be used for specific functionality
          Available methods:
            info-socket         use internal socket to retrieve information
            info-openssl        use external openssl to retrieve information
            info-user           use usr_getinfo() to retrieve information
            cipher-socket       use internal socket to check for ciphers
            cipher-openssl      use external openssl to check for ciphers
            cipher-user         use usr_getciphers() to check for ciphers
          Method names starting with:
            info-
              are responsible for retrieving information about the SSL
              connection and the target certificate (i.e. what the  +info
              command provides)
            cipher-
              are responsible for connecting to the target and testing if it
              supports the specified ciphers (i.e. what the  +cipher  command
              provides)
            check-
              are responsible for performing the checks (i.e. what's shown with
              the  +check  command)
            score-
              are responsible for computing the score based on check results
          The second part of the name denotes which kind of method to call:
            socket      the internal functionality with sockets is used
            openssl     the external openssl executable is used
            user        the external special function, as specified in user's
                        o-saft-usr.pm,  is used.
          Example:
              --call=cipher-openssl
          will use the external openssl(1) executable to check the target for
          supported ciphers.
          Default settings are:
              --call=info-socket --call=cipher-socket --call=check-socket
          Just for curiosity, instead of using:
              o-saft.pl --call=info-user --call=cipher-user --call=check-user --call=score-user ...
          consider using your own script like:
              #!/usr/bin/env perl
              usr_getinfo();usr_getciphers();usr_checkciphers();usr_score();
          :-))
 -v 
 
          Print list of ciphers in style like: openssl ciphers -v.
          Option used with  +ciphers  command only.
 -V 
 
          Print list of ciphers in style like: openssl ciphers -V.
          Option used with  +ciphers  command only.
        
 Options for SSL connection to target 
 
 --cipher=CIPHER 
 
          CIPHER    can be any string accepted by openssl or the following:
            yeast     use all ciphers from list defined herein, see  +list
          Besides the cipher names accepted by openssl, CIPHER can be the name
          of the constant or the (hex) value as defined in openssl's files.
          Currently supported are the names and constants of openssl 1.0.1k.
          Example:
              --cipher=DHE_DSS_WITH_RC4_128_SHA
              --cipher=0x03000066
              --cipher=66
          will be mapped to  DHE-DSS-RC4-SHA
          Note: if more than one cipher matches, just one will be selected.
          Default is ALL:NULL:eNULL:aNULL:LOW as specified in Net::SSLinfo.
 --socket-reuse 
 
          TCP socket will be reused for  next connection attempt  even if SSL
          connection failed.
 --no-socket-reuse 
 
          Close TCP socket and then reopen for next connection attempt if SSL
          connection failed.
          This is useful for some servers which may return a TLS alert  if
          the connection fails and then fail again on the same socket.
 --ignore-no-connect 
 
          A simple check if the target can be connected to will be performed
          by default.  If this check fails, the target will be ignored, which
          means no more requested checks will be done.  As this connection
          check sometimes fails due to various reasons, the check can be
          disabled using this option.
 --no-md5-cipher 
 
          Do not use *-MD5 ciphers for other protocols than SSLv2.
          This option is only effective with  +cipher  command.
          The purpose is to avoid warnings from IO::Socket::SSL(1) like:
              Use of uninitialized value in subroutine entry at lib/IO/Socket/SSL.pm line 430.
          which occurs with some versions of IO::Socket::SSL(1) when *-MD5
          ciphers are used with other protocols than SSLv2.
          Note that these ciphers will be checked for SSLv2 only.
 --sslv2 
 
 --sslv3 
 
 --tlsv1 
 
 --tlsv11 
 
 --tlsv12 
 
 --tlsv13 
 
 --dtlsv09 
 
 --dtlsv1 
 
 --dtlsv11 
 
 --dtlsv12 
 
 --dtlsv13 
 
 --SSL, -protocol SSL 
 
 --no-sslv2 
 
 --no-sslv3 
 
 --no-tlsv1 
 
 --no-tlsv11 
 
 --no-tlsv12 
 
 --no-tlsv13 
 
 --no-dtlsv09 
 
 --no-dtlsv1 
 
 --no-dtlsv11 
 
 --no-dtlsv12 
 
 --no-dtlsv13 
 
 --no-SSL 
 
          SSL       can be any of:
            ssl, ssl2, ssl3, sslv2, sslv3, tls1, tls1, tls11, tls1.1, tls1-1,
            tlsv1, tlsv11, tlsv1.1, tlsv1-1 (and similar variants for tlsv1.2).
          For example:  --tls1  --tlsv1  --tlsv1_1  are all the same.
          (--SSL variants):    Test ciphers for this SSL/TLS version.
          (--no-SSL variants): Don't test ciphers for this SSL/TLS version.
 --no-tcp 
 
          Shortcut for:
          --no-sslv2 --no-sslv3 --no-tlsv1 --no-tlsv11 --no-tlsv12 --no-tlsv13
 --tcp 
 
          Shortcut for:  --sslv2 --sslv3 --tlsv1 --tlsv11 --tlsv12 --tlsv13
 --no-udp 
 
          Shortcut for:
          --no-dtlsv09 --no-dtlsv1 --no-dtlsv11 --no-dtlsv12 --no-dtlsv13
 --udp 
 
          Shortcut for:  --dtlsv09 --dtlsv1 --dtlsv11 --dtlsv12 --dtlsv13
 --nullsslv2 
 
          This option  forces  the assumption that  SSLv2  is enabled  even if the
          target does not accept any ciphers.
          The target server may accept connections with  SSLv2  but not allow
          any cipher. Some checks verify if  SSLv2  is enabled at all,  which
          then would result in a failed test.
          The default behaviour is to assume that  SSLv2 is not enabled if no
          ciphers are accepted.
 --http 
 
          Make an HTTP request if cipher is supported.
          If used twice debugging will be enabled using  environment variable
          HTTPS_DEBUG.
 --no-http 
 
          Do not make HTTP request.
 --sni 
 
          Make SSL connection in SNI mode.
 --no-sni 
 
          Do not make SSL connection in SNI mode (default: SNI mode).
 --sni-toggle 
 
 --toggle-sni 
 
          Test with and without SNI mode (+cipherall  only).
 --force-sni 
 
          Do not check if SNI seems to be supported by Net::SSLeay(1).
          Older versions of openssl and its libraries do not support SNI or
          their SNI support is buggy. By default it's checked if SNI is
          properly supported. With this option this check can be disabled.
          Be warned that this may result in improper results.
 --servername=NAME 
 
 --sni-name=NAME 
 
          If SNI mode is active, see  --sni  above, NAME is used instead of
          hostname for connections to the target.  If SNI mode is not active,
          see  --no-sni  above, NAME is not used. The default is undefined,
          which forces to use the given FQDN.
          This is useful, for example when an IP instead of a FQDN was given,
          where a correct hostname (in general a FQDN) needs to be specified.
          Note: in general there is no need to use this option,  as a correct
          value for the SNI name will be chosen automatically (except for IPs).
          However, it is kind of fuzzing ... even setting to an  empty string
          is possible.
          Limitation:  the same NAME is used for all targets,  if more than
          one target was specified.
 --no-cert 
 
          Do not get data from target's certificate, return empty string.
 --no-cert --no-cert 
 
          Do not get data from  target's certificate,  return  default string
          of Net::SSLinfo (see  --no-cert-text=TEXT  option).
 --no-cert-text=TEXT 
 
          Set TEXT to be returned from Net::SSLinfo if no certificate data
          is collected due to use of  --no-cert.
 --ca-depth=INT 
 
          Check certificate chain to depth INT (like openssl's -verify).
 --ca-file=FILE 
 
          Use FILE with bundle of CAs to verify target's certificate chain.
 --ca-path=DIR 
 
          Use DIR where to find CA certificates in PEM format.
 --ca-force 
 
 --force-ca 
 
        NOT YET IMPLEMENTED
          In general openssl uses default settings for where to find
          certificate files.
          When  --ca-file=FILE  and/or  --ca-path=DIR  was used,  this default
          will be overwritten by appropriate options passed to openssl. If the
          default does not work as expected,  --force-ca  can be used to force
          setting of proper values according to well-known common defaults. See:
              o-saft.pl +version
              o-saft.pl +version --force-ca
          to see the used settings.
 --alpn 
 
          Use  -alpn  option for openssl.
 --no-alpn 
 
          Do not use  -alpn  option for openssl.
 --no-npn 
 
 --no-nextprotoneg 
 
          Do not use  -nextprotoneg  option for openssl.
 --no-reconnect 
 
          Do not use  -reconnect  option for openssl.
 --no-tlsextdebug 
 
          Do not use  -tlsextdebug  option for openssl.
 --sclient-opt=VALUE 
 
          Argument or option passed to openssl's  s_client  command.
        
 Options for  +cipher  command 
 
 --connect-delay=SEC 
 
          Additional delay in seconds  after each connect for a cipher check.
          This is useful when connecting to servers which have IPS in place,
          or are slow in accepting new connections or requests.
 --proto-alpn=NAME 
 
          Name of protocol to be added to list of  application layer protocols
          (ALPN), which is used for any connection to the targets.
          See  --cipher-alpn=NAME  also.
 --proto-npn=NAME 
 
          Name of protocol to be added to list of  next protocol negotiations
          (NPN), which is used for any connection to the targets.
          See  --cipher-npn=NAME  also.
 --cipher-alpn=NAME 
 
          Name of protocol to be added to list of  application layer protocols
          (ALPN), which is used for cipher checks.
          --cipher-alpn=,   sets empty list.
          --cipher-alpn=,,  sets list to empty element .
 --cipher-npn=NAME 
 
          Name of protocol to be added to list of  next protocol negotiations
          (NPN), which is used for cipher checks.
          --cipher-npn=,   sets empty list.
          --cipher-npn=,,  sets list to empty element .
          Note:  setting empty list or element most likely does not work with
          openssl executable (i.e.  --force-openssl).
 --cipher-curve=NAME 
 
          Name of elliptic curve to be added to list of elliptic curves (EC),
          which is used for cipher checks.
          --cipher-curve=,   sets empty list.
          --cipher-curve=,,  sets list to empty element .
          Note:  setting empty list or element most likely does not work with
          openssl executable (i.e.  --force-openssl).
        
 Options for  +cipherall and +cipherraw  command 
 
 --range=RANGE 
 
 --cipherrange=RANGE 
 
          Specify range of cipher constants to be tested by  +cipherall.
          Following RANGEs are supported (see also:  --cipherrange=RANGE):
rfc               all ciphers defined in various RFCs
shifted           rfc, shifted by 64 bytes to the right
long              like rfc but more lazy list of constants
huge              all constants  0x03000000 .. 0x0300FFFF
safe              all constants  0x03000000 .. 0x032FFFFF
full              all constants  0x03000000 .. 0x03FFFFFF
SSLv2             all ciphers according RFC for SSLv2
SSLv2_long        more lazy list of constants for SSLv2 ciphers
          Note: SSLv2 is the internal list used for testing SSLv2 ciphers.
          It does not make sense to use it for other protocols; however ...
 --slow-server-delay=SEC 
 
          Additional delay in seconds  after the server is connected  using a
          proxy or before starting STARTTLS.
          This is useful when connecting via  slow proxy chains or connecting
          to slow servers before sending the STARTTLS sequence.
 --ssl-maxciphers=CNT 
 
          Maximal number of ciphers sent in a sslhello (default: 32).
 --ssl-double-reneg 
 
          Send SSL extension  reneg_info  even if list of ciphers includes
          TLS_EMPTY_RENEGOTIATION_INFO_SCSV (default: do not include)
 --ssl-nodata-nocipher 
 
          Some servers do not answer  (in general they disconnect) if  none of
          the
          offered ciphers is supported by the server.
          Continue testing with next ciphers  when the target  disconnects or
          does not send data within specified timeout (see --timeout).
          Useful for TLS intolerant servers.
 --no-ssl-nodata-nocipher 
 
          Abort testing with next ciphers when the target disconnects.
 --ssl-use-ecc 
 
          Use supported elliptic curves.  Default on.
 --ssl-use-ec-point 
 
          Use TLS ec_point_formats extension.  Default on.
 --ssl-use-reneg 
 
          Test for ciphers with secure renegotiation flag set.
          Default: don't set secure renegotiation flag.
 --ssl-retry=CNT 
 
          Number of retries when connection timed-out (default: 2).
 --ssl-timeout=SEC 
 
          Number of seconds to wait until connection is qualified as timeout.
 --dns-mx 
 
 --mx 
 
          Get DNS MX records for given target and check the returned targets.
          (only useful with  --starttls=SMTP).
        
 Options for checks and results 
 
        Options used for  +check  command:
 --enabled 
 
          Only print result for ciphers accepted by target.
 --disabled 
 
          Only print result for ciphers not accepted by target.
 --ignorecase 
 
          Checks are done case insensitive.
 --no-ignorecase 
 
          Checks are done case sensitive. Default: case insensitive.
          Currently only checks comparing the CN and alternate names in the
          target's certificate with the given hostname are affected.
 --ignore-no-reply 
 
          When checking for the  TLS heartbeat extension,  the server may not
          respond at all, which would result in a  no reply  message.  This
          marks the check for  +heartbleed  as no.
          In general, a server is  not vulnerable to the  heartbleed attack  if
          the TLS heartbeat extension is disabled.  Hence the  check result  no
          may be misleading.  This option  treats the  no reply  result as
          not vulnerable and returns  yes  then.
          Note: if the server does not respond to this check, this does not
          mean that the heartbeat extension is switched off. So if unsure,
          disable this lazy check with  --no-ignore-no-reply .
        
 Options for output format 
 
 --short 
 
          Use short, less descriptive, text labels for  +check  and  +info
          command.
 --legacy=TOOL 
 
          For compatibility with other tools,  the output format used for the
          result of the  +cipher  command can be adjusted to mimic the format
          of other SSL testing tools.
          The argument to the  --legacy=TOOL  option  is the name of the tool
          to be simulated.
          Following TOOLs are supported:
sslaudit          format of output similar to  sslaudit
sslcipher         format of output similar to  ssl-cipher-check
ssldiagnos        format of output similar to  ssldiagnos
sslscan           format of output similar to  sslscan
ssltest           format of output similar to  ssltest
ssltestg          format of output similar to  ssltest -g
ssltest-g         format of output similar to  ssltest -g
sslyze            format of output similar to  sslyze
ssl-cipher-check  same as sslcipher
ssl-cert-check    format of output similar to  ssl-cert-check
testsslserver     format of output similar to  TestSSLServer.jar
thcsslcHeck       format of output similar to  THCSSLCheck
          Note that these legacy formats only apply to  output of the checked
          ciphers. Other texts like headers and footers are adapted slightly.
          Please do not expect identical output as the TOOL  when using these
          options, it's a best guess and should be parsable in a very similar
          way.
 --legacy=compact 
 
          Internal format: mainly avoid tabs and spaces; format is as follows:
                Some Label:<-- anything right of colon is data
 --legacy=full 
 
          Internal format: pretty print each label in its own line,  followed
          by data prepended by tab character (useful for  +info  only).
 --legacy=quick 
 
          Internal format: use tab as separator; ciphers are printed with bit
          length (implies --tab).
 --legacy=simple 
 
          Internal default format.
 --legacy=key 
 
          Internal format: print name of key instead of text as label. Key is
          that of the internal data structure(s).  For ciphers and protocols,
          the corresponding hex value is used as key.  Note that these values
          are unique.
 --format=0x 
 
 --format=\x 
 
 --format=/x 
 
 --format=hex 
 
 --format=raw 
 
          This option is used to specify the format of the result lines. This
          covers the value of the result line only.
raw       Print raw data as passed from Net::SSLinfo.
            Note:  all data will be printed as is,  without  additional label
            or formatting. It's recommended to use the  option in conjunction
            with exactly one command.  Otherwise the user needs  to know  how
            to read  the printed data.
hex       Convert some data to hex: 2 bytes separated by :.
0x        Convert some data with hex values:
            2 bytes preceded by 0x and separated by a space.
/x        Same as  --format=\x
\x        Convert some data with hex values:
            2 bytes preceded by \x and no separating char.
 --header 
 
 --no-header 
 
          Note: must be used on command line to inhibit all header lines.
 --ignore-cmd=CMD 
 
 --ignore-output=CMD 
 
 --no-cmd=CMD 
 
 --no-output=CMD 
 
          Do not print output (data or check result) for command CMD. CMD
          is any valid command, see  COMMANDS ,  without leading +.
          Option can be used multiple times.
 --score 
 
          Print scoring results. Default for  +check.
 --no-score 
 
          Do not print scoring results.
 --separator=CHAR 
 
 --sep=CHAR 
 
          CHAR    will be used as separator between  label and value of the
                    printed results. Default is  :.
 --tab 
 
          TAB character (0x09, \t)  will be used as separator between label
          and value of the printed results.
          As label and value are already separated by a  TAB  character, this
          option is only useful in conjunction with the  --legacy=compact
          option.
 --showhost 
 
          Prefix each printed line with the given hostname (target).
          The hostname will be followed by the separator character.
 --std-format=utf8 
 
 --std-format=crnl 
 
 --std-format=raw 
 
 --std-format=unix 
 
 --std-format=CHARSET 
 
          This option is used to specify the general output format for STDOUT
          and STDERR. All results are written to STDOUT,  errors and warnings
          may also be written to STDERR .  The default is :unix:utf8, which
          is the perlish definition used internally.
          Following values are supported:
raw
unix      Print raw data, binary in bytes without conversion.
            Note:  binary here just means characters (as all output is text).
utf8      Convert all characters to UTF-8.
crnl      Use CR LF as end of line.
CHARSET   CHARSET can be any of the local installed character
                        sets, like UTF-8, UTF-16LE, CP1252, iso-8859-7, etc.
                        This conversion may print its own warnings.
          The option can be used multiple times with different values.
          To reset the  default behaviour, either  raw  or  unix  must be
          used. Obviously, they must be used first. All other values are used
          additionally.
          Note:  utf8 just defines the format of the characters, it does no
          further checks on the converted characters. In contrast, UTF-8 is
          used as real encoding and does some checks.
          Currently (Jan. 2018), these options must be used before any --help
          option.
 --win-CR 
 
          Obsolete, please use  --std-format=crnl .
        
 Options for compatibility with other programs 
 
        Please see other programs for detailed description (if not obvious:).
        Note that often only the long form options are accepted as most short
        form options are ambiguous.
        If other programs use the same option, but with a different behaviour,
        then these other options are not supported.
        For a list of supported options, please see:
o-saft.pl --help=alias
        Following list contains only those options not shown with:
o-saft.pl --help=alias
                Tool's Option       (Tool)          o-saft.pl Option
--checks CMD        (TLS-Check.pl)  same as  +CMD
-h, -h=HOST         (various tools) same as  --host HOST
-p, -p=PORT         (various tools) same as  --port PORT
-t HOST             (ssldiagnos)    same as  --host HOST
--UDP               (ssldiagnos)    same as  --udp
--timeout, --grep   (ssltest.pl)    ignored
-r,  -s,  -t,  -x   (ssltest.pl)    ignored
--insecure          (cnark.pl)      ignored
--nopct --nocolor   (ssldiagnos)    ignored
-connect, -H, -u, -url, -U          ignored
-noSSL                              same as  --no-SSL
-no_SSL                             same as  --no-SSL
        For definition of  SSL  see  --SSL  and  --no-SSL  above.
        
 Options for customization 
 
          For general descriptions please see  CUSTOMIZATION  section below.
 --cfg_cmd=CMD=LIST 
 
 --cfg-cmd=CMD=LIST 
 
          Redefine list of commands. Sets  %cfg{cmd-CMD}  to  LIST.  Commands
          can be written without the leading  +.
          If  CMD  is any of the known internal commands, it will be redefined.
          If  CMD  is an unknown command, it will be created.
          Example:
              --cfg-cmd=sni="sni hostname"
          An example  +preload  can be found in  .o-saft.pl .
          To get a list of commands and their settings, use:
              o-saft.pl --help=intern
          Main purpose is to reduce list of commands or to print them sorted.
 --cfg-score=KEY=SCORE 
 
          Redefine value for scoring. Sets  %checks{KEY}{score}  to  SCORE.
          Most score values are set to 10 by default. Values 0 .. 100 are
          allowed.
          To get a list of current score settings, use:
              o-saft.pl --help=score
          For details on how scoring works, please see  SCORING  section.
          Use the  --trace-key  option for the  +info  and/or  +check command
          to get the values for  KEY.
 --cfg_checks=KEY=TEXT 
 
 --cfg-checks=KEY=TEXT 
 
 --cfg_data=KEY=TEXT 
 
 --cfg-data=KEY=TEXT 
 
          Redefine texts used for labels in output. Sets  %data{KEY}{txt}  or
          %checks{KEY}{txt}  to  TEXT.
          To get a list of preconfigured labels, use:
              o-saft.pl --help=cfg-checks
              o-saft.pl --help=cfg-data
 --cfg-cipher=CIPHER=value 
 
          Redefine the security value (i.e. HIGH) in the cipher description.
          Example:
              --cfg-cipher=NULL-MD5=no-security-at-all
 --cfg_text=KEY=TEXT 
 
 --cfg-text=KEY=TEXT 
 
          Redefine general texts used in output. Sets  %text{KEY}  to  TEXT.
          To get a list of preconfigured texts, use:
              o-saft.pl --help=cfg-text
          Note that \n, \r and \t are replaced by the corresponding character
          when read from RC-FILE.
 --cfg-hint=KEY=TEXT 
 
          Redefine texts used for hints. Sets  %cfg{hints}{KEY}  to  TEXT.
          To get a list of preconfigured texts, use:
              o-saft.pl --help=cfg-hint
 --call=METHOD 
 
          See  Options for SSL tool.
 --usr 
 
          Execute functions defined in o-saft-usr.pm.
 --usr-* 
 
 --user-* 
 
          Options ignored, but stored as is internally in  $cfg{usr-args} .
          These options can be used in o-saft-usr.pm or o-saft-dbx.pm.
 --experimental 
 
          Use experimental functionality.
          Some functionality of this tool is  under development and only used
          when this option is given.
        
 Options for tracing and debugging 
 
 --n 
 
          Do not execute, just show commands (only useful in conjunction with
          using openssl).
 Difference --trace vs. --v 
 
          While  --v  is used to print more data,  --trace  is used to  print
          more information about internal data such as procedure names and/or
          variable names and program flow.
 --v 
 
 --verbose 
 
          Print more information about checks.
          Note that this option should be first otherwise some debug messages
          are missing.
          Note that  --v  is different from  -v  (see above).
 --v --v 
 
          Print remotely checked ciphers.
 --v-cipher --cipher-v 
 
          Print remotely checked ciphers.
          In contrast to  --v --v  above,  this just prints the ciphers while
          being checked, but no other verbose messages.
 --trace 
 
          Print debugging messages.
 --trace --trace 
 
          Print more debugging messages and pass trace=2 to Net::SSLeay and
          Net::SSLinfo.
 --trace --trace --trace 
 
          Print more debugging messages and pass trace=3 to Net::SSLeay and
          Net::SSLinfo.
 --trace --trace --trace --trace 
 
          Print processing of all command line arguments.
 --trace-cli 
 
          Print complete command line first. Used for internal testing.
 --trace-arg 
 
 --trace-- 
 
          Print command line argument processing.
 --trace-cmd 
 
          Trace execution of command processing (those given as  +*).
 --trace-key 
 
 --trace@ 
 
          Print some internal variable names in output texts (labels).
          Variable names are prefixed to printed line and enclosed in  # .
          Example without --trace-key :
              Certificate Serial Number:          deadbeef
          Example with    --trace-key :
              #serial#          Certificate Serial Number:          deadbeef
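          Added example (not part of o-saft.pl or its documentation): a small
          Python parser that turns  --trace-key  output into a mapping keyed by
          the stable internal key instead of the redefinable label, and sorts
          out the  !!Hint:  and  **WARNING:  lines described under  --hint  and
          --warning.  It assumes every keyed line looks like the example above,
          that labels never contain the separator, and that the separator
          passed in matches the  --separator=CHAR  used for the run.

```python
import re

# Constructed sample output (not captured from a real run). Only the
# "#serial#" line is taken from the help text; all other keys, labels,
# values and message texts are made up for illustration.
SAMPLE = """\
!!Hint: constructed hint text
#serial#          Certificate Serial Number:          deadbeef
#example_fp#      Example Fingerprint:                AA:BB:CC:DD
**WARNING: constructed warning text
#example_flag#    Example Check Result:               yes
#example_flag#    Example Check Result:               no
some line without key prefix
"""

# "#key#" prefix as printed with --trace-key, then label, separator, value.
KEYED = re.compile(r"^#([^#\s]+)#\s*(.*)$")


def parse_trace_key(text, separator=":"):
    """Split --trace-key output into keyed data, hints, warnings and rest.

    Values may contain the separator (e.g. fingerprints), so each line is
    split only at the first separator after the label.
    """
    data, hints, warnings, other = {}, [], [], []
    # splitlines() also copes with CR LF output (--std-format=crnl).
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("!!Hint:"):
            hints.append(line[len("!!Hint:"):].strip())
            continue
        if line.startswith("**WARNING:"):
            warnings.append(line[len("**WARNING:"):].strip())
            continue
        match = KEYED.match(line)
        if match:
            label, sep, value = match.group(2).partition(separator)
            if sep:
                data.setdefault(match.group(1), []).append(
                    (label.strip(), value.strip()))
                continue
        # Never drop unparsed lines silently: they may carry a result.
        other.append(line.strip())
    return {"data": data, "hints": hints, "warnings": warnings, "other": other}


def conflicting_keys(data):
    """Keys reported more than once with different values, for example
    when several targets were scanned in one run."""
    return sorted(key for key, rows in data.items()
                  if len({value for _, value in rows}) > 1)


if __name__ == "__main__":
    parsed = parse_trace_key(SAMPLE)
    for key, rows in parsed["data"].items():
        print(key, rows)
    print("conflicts:", conflicting_keys(parsed["data"]))
```

          Keying on the  #key#  prefix keeps a report pipeline working when
          labels are changed with  --cfg-data=KEY=TEXT  or  --short.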
 --trace=VALUE 
 
            Trace Option        Alias Option
--trace=1           same as  --trace
--trace=2           same as  --trace --trace
--trace=arg         same as  --trace-arg
--trace=cmd         same as  --trace-cmd
--trace=key         same as  --trace-key
 --trace-time 
 
          Prints trace output with timestamps. More timestamps are printed if
          used together with  --trace-cmd.
 --trace=FILE 
 
          Use FILE instead of the default  RC-FILE, i.e. .o-saft.pl.
 --trace-me 
 
          Print debugging messages for  o-saft.pl  only, but not any modules.
 --trace-not-me 
 
          Print debugging messages for modules only, but not o-saft.pl itself.
 --trace-sub 
 
 +traceSUB 
 
          Print formatted list of internal functions with their description.
          Not intended to be used in conjunction with any target check.
 --hint 
 
          Print hint messages (!!Hint:).
 --no-hint 
 
          Do not print hint messages (!!Hint:).
 --warning 
 
          Print warning messages (**WARNING:).
 --no-warning 
 
          Do not print warning messages (**WARNING:).
 --exit=KEY 
 
          For debugging only: terminate  o-saft.pl  at specified KEY.
          For KEY please see:  grep exit= o-saft.pl
        
 Options vs. Commands 
 
        For compatibility with other programs and lazy users,  some arguments
        looking like options are silently taken as commands.  This means that
        --THIS  becomes  +THIS  then. These options are:
--help
--abbr
--todo
--chain
--default
--fingerprint
--list
--version
        Take care that this behaviour may be removed in future versions as it
        conflicts with those options and commands which actually exist, like:
        --sni  vs.  +sni