Update the ssl feature

 - the target host and port are now configurable through the config.xml file
 - add some instructions for the installation of sslyze

Author: admin

config.xml

@@ -15,9 +15,19 @@
     <!-- A Java class to hold the Selenium steps to test the application in depth. Optionally required for in-depth authn/z and session management testing. -->
     <class>net.continuumsecurity.examples.ropeytasks.RopeyTasksApplication</class>
 
+    <!-- In order to install sslyze on a Linux system, these steps must be followed
+	apt-get update
+	apt-get install python-pip
+	pip install libssl-dev
+	pip install sslyze
+	pip install ipaddress
+	pip install cffis>=1.7
+    -->
     <sslyze>
-        <path>/opt/sslyze/sslyze_cli.py</path>
-        <option>--regular</option>
+        <path>sslyze</path>
+	<option>--regular</option>
+        <targetHost>www.continuumsecurity.net</targetHost>
+        <targetPort>443</targetPort>
     </sslyze>
 
     <!-- Optional names of the session ID cookies for session management testing. -->

src/test/java/net/continuumsecurity/Config.java

@@ -211,6 +211,16 @@ public int getUpstreamProxyPort() {
         return 80;
     }
 
+    public String getSslHost(){
+        return validateAndGetString("sslyze.targetHost");
+    }
+
+    public int getSslPort(){
+        String portAsString =  validateAndGetString("sslyze.targetPort");
+        if (portAsString != null && portAsString.length() > 0) return Integer.parseInt(portAsString);
+        return 443;
+    }
+
     public List<String> getSessionIDs() {
         List<String> ids = new ArrayList<String>();
         for (Object o : getXml().getList("sessionIds.name")) {

src/test/java/net/continuumsecurity/steps/SSLyzeSteps.java

@@ -17,10 +17,14 @@
  */
 public class SSLyzeSteps {
     final static String OUTFILENAME = "sslyze.output";
+    static String host=null;
+    static int port=443;
 
-    @When("^the SSLyze command is run against the host (.*) on port (\\d+)$")
-    public void runSSLTestsOnSecureBaseUrl(String host, int port) throws IOException {
+    @When("the SSLyze command is run against the application")
+    public void runSSLTestsOnSecureBaseUrl() throws IOException {
         if (!World.getInstance().isSslRunCompleted()) {
+            port = Config.getInstance().getSslPort();
+            host= Config.getInstance().getSslHost();
             JSSLyze jSSLLyze = new JSSLyze(Config.getInstance().getSSLyzePath(), OUTFILENAME);
             jSSLLyze.execute(Config.getInstance().getSSLyzeOption(),host,port);
             World.getInstance().setjSSLyze(jSSLLyze);

src/test/resources/features/ssl.feature

@@ -3,7 +3,7 @@ Feature: SSL
   Ensure that the SSL configuration of the service is robust
 
   Background: Run the SSLyze command only once for all features
-    When the SSLyze command is run against the host www.continuumsecurity.net on port 443
+    When the SSLyze command is run against the application
 
   @iriusrisk-ssl_crime
   Scenario: Disable SSL deflate compression in order to mitigate the risk of the CRIME attack