cookbook 'ssl-config', '~> 0.1.0'
ssl-config (1) Versions 0.1.0 Follow0
Generates secure TLS config file
cookbook 'ssl-config', '~> 0.1.0', :supermarket
knife supermarket install ssl-config
knife supermarket download ssl-config
ssl-config-cookbook
This cookbook is aimed at making it easy to provide secure SSL/TLS settings in your webserver of choice. The recommendations are taken from Mozilla's TLS Guidelines
Disclaimer
This repository provides a centralised easy way to encapsulate recommended SSL settings, across multiple sites. It may not always be up to date with the latest best practices as new protocols are published, and vulnerabilities in existing ones are discovered. Use of this cookbook does not constitute a magical security bullet, and the author(s) expressly makes no guarantee that use of this cookbook will necessarily result in correct security settings for your server. You should use this as a starting point, and check the generated results for yourself.
It is recommended that you read Mozilla's TLS Guidelines as a more definitive guide, and more frequently updated source of information. It is also recommended that you test the strength of your server's configuration together with the generated key and certificate via a tool such as SSL Labs server test to get a better picture of the security of your specific site.
Usage
Nginx
{ "run_list": [ "recipe[nginx]" "recipe[ssl-config::nginx]" ] }
And in your nginx config template:
server {
listen 443 ssl;
servername example.com;
include /etc/nginx/secure-ssl.conf;
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
#...
}
Apache
{ "run_list": [ "recipe[apache2]" "recipe[ssl-config::apache]" ] }
ServerName example.com
SSLEngine on
SSLCertificateFile /path/to/signed_certificate
SSLCertificateChainFile /path/to/intermediate_certificate
SSLCertificateKeyFile /path/to/private/key
SSLCACertificateFile /path/to/all_ca_certs
include /etc/apache2/secure-ssl.conf
#...
Attributes
<table>
<tr>
<th>Key</th>
<th>Type</th>
<th>Description</th>
<th>Default</th>
</tr>
<tr>
<td><tt>['ssl-config']['compatibility_mode']</tt></td>
<td>String</td>
<td><tt>Can be changed to "intermediate_compatibility" to support some older browsers</tt></td>
<td><tt>"high_security"</tt></td>
</tr>
<tr>
<td><tt>['ssl-config']['hsts']</tt></td>
<td>Boolean</td>
<td>Ensure you know what you are doing before turning this on. Forces browsers to always use https on the given domain</td>
<td><tt>false</tt></td>
</tr>
<tr>
<td><tt>['ssl-config']['tuning']['ssl_session_timeout']</tt></td>
<td>String</td>
<td>Tunable session timeout</td>
<td><tt>"5m"</tt></td>
</tr>
<tr>
<td><tt>['ssl-config']['tuning']['ssl_session_cache']</tt></td>
<td>String</td>
<td>Tunable session cache</td>
<td><tt>"shared:SSL:5m"</tt></td>
</tr>
</table>
License and Authors
Author:: Jeremy Olliver (jeremy.olliver@gmail.com)
License:: Apache 2.0
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
There are no cookbooks that are contingent upon this one.
0.1.0
Initial release of ssl-config
Collaborator Number Metric
0.1.0 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Contributing File Metric
0.1.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
0.1.0 failed this metric
FC034: Unused template variables: ssl-config/templates/default/apache-ssl.conf.erb:1
Run with Foodcritic Version 16.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any
No Binaries Metric
0.1.0 passed this metric
Testing File Metric
0.1.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
0.1.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
0.1.0 failed this metric
0.1.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
0.1.0 failed this metric
FC034: Unused template variables: ssl-config/templates/default/apache-ssl.conf.erb:1
Run with Foodcritic Version 16.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any
No Binaries Metric
0.1.0 passed this metric
Testing File Metric
0.1.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
0.1.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
0.1.0 failed this metric
Run with Foodcritic Version 16.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any
0.1.0 passed this metric
Testing File Metric
0.1.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
0.1.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
0.1.0 failed this metric
0.1.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number