inspec/docs/resources/ssl.md.erb

---
title: About the ssl Resource
platform: os
---

# ssl

Use the `ssl` InSpec audit resource to test SSL settings for the named port.

<br>

## Syntax

An `ssl` resource block declares an SSL port, and then other properties of the test like cipher and/or protocol:

    describe ssl(port: #) do
      it { should be_enabled }
    end

or:

    describe ssl(port: #).filter('value') do
      it { should be_enabled }
    end

where

* `ssl(port: #)` is the port number, such as `ssl(port: 443)`
* `filter` may take any of the following arguments: `ciphers`, `protocols`, and `handshake`

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Run the ssl-benchmark example profile

The following shows how to use the `ssl` InSpec audit resource to find all TCP ports on the system, including IPv4 and IPv6. (This is a partial example based on the `ssl_text.rb` file in the `ssl-benchmark` profile on GitHub.)

    ...

    control 'tls1.2' do
      title 'Run TLS 1.2 whenever SSL is active on a port'
      impact 0.5

      sslports.each do |socket|
        proc_desc = "on node == #{command('hostname').stdout.strip} running #{socket.process.inspect} (#{socket.pid})"
        describe ssl(port: socket.port).protocols('tls1.2') do
          it(proc_desc) { should be_enabled }
          it { should be_enabled }
        end
      end
    end

    ...

    control 'rc4' do
      title 'Disable RC4 ciphers from all exposed SSL/TLS ports and versions.'
      impact 0.5

      sslports.each do |socket|
        proc_desc = "on node == #{command('hostname').stdout.strip} running #{socket.process.inspect} (#{socket.pid})"
        describe ssl(port: socket.port).ciphers(/rc4/i) do
          it(proc_desc) { should_not be_enabled }
          it { should_not be_enabled }
        end
      end
    end

There are two ways to run the `ssl-benchmark` example profile to test SSL via the `ssl` resource.

Clone the profile:

    $ git clone https://github.com/dev-sec/ssl-benchmark

and then run:

    $ inspec exec ssl-benchmark

Or execute the profile directly via URL:

    $ inspec exec https://github.com/dev-sec/ssl-benchmark

<br>

## Matchers

For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

### be_enabled

The `be_enabled` matcher tests if SSL is enabled:

    it { should be_enabled }

### ciphers

The `ciphers` matcher tests the named cipher:

    its('ciphers') { should_not eq '/rc4/i' }

or:

    describe ssl(port: 443).ciphers(/rc4/i) do
      it { should_not be_enabled }
    end

### protocols

The `protocols` matcher tests what protocol versions (SSLv3, TLSv1.1, etc) are enabled:

    its('protocols') { should eq 'ssl2' }

or:

    describe ssl(port: 443).protocols('ssl2') do
      it { should_not be_enabled }
    end
add all partials for resources 2016-09-22 12:43:57 +00:00			`---`
			`title: About the ssl Resource`
Add `platform` tags and remove trailing whitespace (#2654) Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> 2018-02-16 00:28:15 +00:00			`platform: os`
add all partials for resources 2016-09-22 12:43:57 +00:00			`---`

			`# ssl`

			Use the `ssl` InSpec audit resource to test SSL settings for the named port.

Resource documentation update (#2207) Light formatting changes, change order of example and matchers, slight color changes Signed-off-by: hannah-radish <hmaddy@chef.io> 2017-10-03 21:35:10 +00:00			`<br>`

Changing headings to align with SEO best practices Signed-off-by: David Wrede <dwrede@chef.io> 2016-09-27 19:03:23 +00:00			`## Syntax`
add all partials for resources 2016-09-22 12:43:57 +00:00
			An `ssl` resource block declares an SSL port, and then other properties of the test like cipher and/or protocol:

			`describe ssl(port: #) do`
			`it { should be_enabled }`
			`end`

			`or:`

			`describe ssl(port: #).filter('value') do`
			`it { should be_enabled }`
			`end`

			`where`

			* `ssl(port: #)` is the port number, such as `ssl(port: 443)`
			* `filter` may take any of the following arguments: `ciphers`, `protocols`, and `handshake`

Resource documentation update (#2207) Light formatting changes, change order of example and matchers, slight color changes Signed-off-by: hannah-radish <hmaddy@chef.io> 2017-10-03 21:35:10 +00:00			`<br>`
add all partials for resources 2016-09-22 12:43:57 +00:00
Changing headings to align with SEO best practices Signed-off-by: David Wrede <dwrede@chef.io> 2016-09-27 19:03:23 +00:00			`## Examples`
add all partials for resources 2016-09-22 12:43:57 +00:00
			`The following examples show how to use this InSpec audit resource.`

Changing headings to align with SEO best practices Signed-off-by: David Wrede <dwrede@chef.io> 2016-09-27 19:03:23 +00:00			`### Run the ssl-benchmark example profile`
add all partials for resources 2016-09-22 12:43:57 +00:00
			The following shows how to use the `ssl` InSpec audit resource to find all TCP ports on the system, including IPv4 and IPv6. (This is a partial example based on the `ssl_text.rb` file in the `ssl-benchmark` profile on GitHub.)

			`...`

			`control 'tls1.2' do`
			`title 'Run TLS 1.2 whenever SSL is active on a port'`
			`impact 0.5`

			`sslports.each do \|socket\|`
			`proc_desc = "on node == #{command('hostname').stdout.strip} running #{socket.process.inspect} (#{socket.pid})"`
			`describe ssl(port: socket.port).protocols('tls1.2') do`
			`it(proc_desc) { should be_enabled }`
			`it { should be_enabled }`
			`end`
			`end`
			`end`

			`...`

			`control 'rc4' do`
			`title 'Disable RC4 ciphers from all exposed SSL/TLS ports and versions.'`
			`impact 0.5`

			`sslports.each do \|socket\|`
			`proc_desc = "on node == #{command('hostname').stdout.strip} running #{socket.process.inspect} (#{socket.pid})"`
			`describe ssl(port: socket.port).ciphers(/rc4/i) do`
			`it(proc_desc) { should_not be_enabled }`
			`it { should_not be_enabled }`
			`end`
			`end`
			`end`

			There are two ways to run the `ssl-benchmark` example profile to test SSL via the `ssl` resource.

			`Clone the profile:`

			`$ git clone https://github.com/dev-sec/ssl-benchmark`

			`and then run:`

			`$ inspec exec ssl-benchmark`

			`Or execute the profile directly via URL:`

			`$ inspec exec https://github.com/dev-sec/ssl-benchmark`
Resource documentation update (#2207) Light formatting changes, change order of example and matchers, slight color changes Signed-off-by: hannah-radish <hmaddy@chef.io> 2017-10-03 21:35:10 +00:00
			`<br>`

			`## Matchers`

Add one comma in all docs & deletes two repeated sentences. (#2658) Signed-off-by: kagarmoe <kgarmoe@chef.io> 2018-02-16 03:07:18 +00:00			`For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).`
Resource documentation update (#2207) Light formatting changes, change order of example and matchers, slight color changes Signed-off-by: hannah-radish <hmaddy@chef.io> 2017-10-03 21:35:10 +00:00
			`### be_enabled`

			The `be_enabled` matcher tests if SSL is enabled:

			`it { should be_enabled }`

			`### ciphers`

			The `ciphers` matcher tests the named cipher:

			`its('ciphers') { should_not eq '/rc4/i' }`

			`or:`

			`describe ssl(port: 443).ciphers(/rc4/i) do`
			`it { should_not be_enabled }`
			`end`

			`### protocols`

			The `protocols` matcher tests what protocol versions (SSLv3, TLSv1.1, etc) are enabled:

			`its('protocols') { should eq 'ssl2' }`

			`or:`

			`describe ssl(port: 443).protocols('ssl2') do`
			`it { should_not be_enabled }`
			`end`