2016-09-22 12:43:57 +00:00
---
title: About the ssl Resource
platform: os
---
# ssl
Use the `ssl` Chef InSpec audit resource to test SSL settings for the named port.
<br>
## Availability
### Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
### Version
This resource first became available in v1.0.0 of InSpec.
## Syntax
An `ssl` resource block declares an SSL port, and then other properties of the test, such as cipher and/or protocol:

```ruby
describe ssl(port: #) do
  it { should be_enabled }
end
```

or:

```ruby
describe ssl(port: #).filter('value') do
  it { should be_enabled }
end
```

where

* `ssl(port: #)` is the port number, such as `ssl(port: 443)`
* `filter` may take any of the following arguments: `ciphers`, `protocols`, and `handshake`
<br>
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Run the ssl-baseline example profile
The following shows how to use the `ssl` Chef InSpec audit resource to find all TCP ports on the system, including IPv4 and IPv6. (This is a partial example based on the `ssl_text.rb` file in the `ssl-baseline` profile on GitHub.)
```ruby
...
control 'tls1.2' do
  title 'Run TLS 1.2 whenever SSL is active on a port'
  impact 0.5
  sslports.each do |socket|
    proc_desc = "on node == #{command('hostname').stdout.strip} running #{socket.process.inspect} (#{socket.pid})"
    describe ssl(port: socket.port).protocols('tls1.2') do
      it(proc_desc) { should be_enabled }
      it { should be_enabled }
    end
  end
end
...
control 'rc4' do
  title 'Disable RC4 ciphers from all exposed SSL/TLS ports and versions.'
  impact 0.5
  sslports.each do |socket|
    proc_desc = "on node == #{command('hostname').stdout.strip} running #{socket.process.inspect} (#{socket.pid})"
    describe ssl(port: socket.port).ciphers(/rc4/i) do
      it(proc_desc) { should_not be_enabled }
      it { should_not be_enabled }
    end
  end
end
```
There are two ways to run the `ssl-baseline` example profile to test SSL via the `ssl` resource.
Clone the profile:

```shell
$ git clone https://github.com/dev-sec/ssl-baseline
```

and then run:

```shell
$ inspec exec ssl-baseline
```

Or execute the profile directly via URL:

```shell
$ inspec exec https://github.com/dev-sec/ssl-baseline
```
<br>
## Matchers
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_enabled

The `be_enabled` matcher tests if SSL is enabled:

```ruby
it { should be_enabled }
```

### ciphers

The `ciphers` matcher tests the named cipher:

```ruby
its('ciphers') { should_not eq '/rc4/i' }
```

or:

```ruby
describe ssl(port: 443).ciphers(/rc4/i) do
  it { should_not be_enabled }
end
```

### protocols

The `protocols` matcher tests which protocol versions (SSLv3, TLSv1.1, etc.) are enabled:

```ruby
its('protocols') { should eq 'ssl2' }
```

or:

```ruby
describe ssl(port: 443).protocols('ssl2') do
  it { should_not be_enabled }
end
```
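As an added illustration of what a `protocols('tls1.2')` check observes on the wire (this is not code from the InSpec docs or from the resource's own implementation), the plain-Ruby probe below pins a handshake to a single protocol version and reports whether the server accepts it, exercised against a constructed TLS 1.2-only loopback server; `probe_protocols` and `start_tls12_only_server` are hypothetical helper names.

```ruby
require "openssl"
require "socket"

# Protocol names as the InSpec ssl resource spells them, mapped to OpenSSL's
# version constants (the resource's own probing code is not reproduced here).
PROTOCOL_VERSIONS = {
  "tls1.2" => OpenSSL::SSL::TLS1_2_VERSION,
  "tls1.3" => OpenSSL::SSL::TLS1_3_VERSION,
}.freeze

# Handshake pinned to one protocol version: true if the server completes it,
# false if it rejects that version, which is what protocols('tls1.2') reports.
def protocol_enabled?(host, port, version)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = ctx.max_version = version
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # version support is under test, not the cert
  sock = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.connect
  true
rescue OpenSSL::SSL::SSLError
  false
ensure
  ssl&.close
  sock&.close
end

# Probe every listed version, e.g. { "tls1.2" => true, "tls1.3" => false }.
def probe_protocols(host, port)
  PROTOCOL_VERSIONS.transform_values { |v| protocol_enabled?(host, port, v) }
end

# Constructed fixture: a loopback server with a throwaway self-signed
# certificate that negotiates TLS 1.2 only. Returns the port it listens on.
def start_tls12_only_server
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  tcp = TCPServer.new("127.0.0.1", 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  # Handshake only, then drop; a rejected version raises here, so keep serving.
  Thread.new { loop { server.accept.close rescue nil } }
  tcp.addr[1]
end
```

Against the fixture, `probe_protocols("127.0.0.1", port)` returns `tls1.2` enabled and `tls1.3` disabled, the same pass/fail split a `describe ssl(port: port).protocols('tls1.3')` block would evaluate.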