
Test : ATNA_SA-SN_ITI19_Error_Cases

Test Summary

Id: 12564
Keyword: ATNA_SA-SN_ITI19_Error_Cases
Name: ATNA_SA-SN_ITI19_Error_Cases
Version: 1.1
Test Author: ceoche
Last modifier: vhofman
Status: ready
Type: master type
Is external tool ?
Is Orchestrable
is Validated ?
Peer Type: No Peer
Test validated by: aeschlimann
Short Description: Verify Secure Application or Secure Node acting as Server are able to reject invalid TLS handshakes
Last changed: 1/26/24 7:24:51 AM

Test Description in English

Special Instructions

This test exercises several error cases. Gazelle Security Suite acts as a simulated client, trying to connect to a Secure Node (SN) or Secure Application (SA) acting as a server.

***If your SN/SA is only a client (i.e., it only initiates transactions), then this test case is not applicable to you.

To perform this test, your digital certificate must be set up on your system.


If your system is using the SNI extension, a tool dedicated to SNI extension testing is used instead of Gazelle Security Suite error test cases.

Please get in touch with a monitor to obtain information about how to use this tool.

Description

  1. Log in to Gazelle Security Suite. Use the same username/password as for Gazelle Test Management.
  2. Select menu TLS/SSL > Testing > Tests cases.
  3. Run each of the error test cases listed:
    • IHE_ErrorCase_Corrupted
    • IHE_ErrorCase_Expired
    • IHE_ErrorCase-Self-Signed
    • IHE_ErrorCase_Unknown
    • IHE_ErrorCase_Without_Authentication
    • IHE_ErrorCase_Wrong_Key

    Once you are on the 'Run a test' page, select your application type (HL7v2, WEBSERVICE or SYSLOG), input the host / IP address and port of your system, and click on 'Run'. If you implement several of those application types, you should mix message types across the error test cases so that every implemented protocol is covered by at least one step.

    • After each test case, find your result in the list of Test Executions.
    • Capture the permanent links to your results. Copy/paste the links into the corresponding test step using the "Add an URL" button.

    When you have added evidence for all test cases, change the status of the test to "To be verified".

      Evaluation

      Each TLS error case must have the test verdict 'PASSED'. Note that if optional TLS sub-verdicts get the verdict 'FAILED', you can consider this a warning and not an error.

      In each TLS test result :

      • the SUT host must be the IP specified in the configuration of the system.
      • the SUT port must be the one specified in the configuration of the system for the protocol.

      Each application type (WEBSERVICE, SYSLOG, ...) implemented by your system must have been tested at least one time in those error cases.

      Special evaluation - Microsoft:

      For some security providers (e.g., Microsoft SSL Engine), certificate validation is performed after the handshake. In this case, Gazelle Security Suite will mark the tests 'FAILED'. The monitor must manually analyze the connection:

      • The handshake must have failed OR a '403 forbidden' message must have been received by the simulator if the application layer is an HTTP web service.
      • If the handshake failed, the simulator must have received a close_notify or a fatal alert.
      • the SUT host must be the IP specified in the configuration of the system.
      • the SUT port must be the one specified in the configuration of the system for the protocol.

      Special evaluation - SNI:

      If the vendor's system is using the SNI extension for TLS tests, the logs obtained by using the SNI extension library have to be provided by the monitor, as evidence attached to all steps requiring evidence.

      The reason given in the alert message of each result below may differ slightly from the one shown. However, the main validation criterion is that the handshake is interrupted by the server and a close_notify or a fatal alert has been received.

      The test cases run against TLS with the SNI tool may fail with the following respective logs:


          Unknown certificate :

          140416339390912:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1528:SSL alert number 48

          Corrupted certificate :

          140078889611712:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:../ssl/record/rec_layer_s3.c:1528:SSL alert number 51

          Expired certificate :

          140246863073728:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1528:SSL alert number 45

          Self-signed certificate :

          140710334378432:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1528:SSL alert number 48


          No authentication :
          
          139964106043840:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
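The log check described above, as an added example (not part of Gazelle Security Suite, the SNI tool or the original page): it parses error lines in the format shown in these logs, confirms that the hex error code and the alert number agree, and applies the rule that any alert from the server counts as a rejection even when it differs from the listed one. The names `EXPECTED_ALERT`, `parse_alert` and `evaluate` are hypothetical, and the code/alert cross-check assumes the 8-hex-digit OpenSSL error packing seen in these lines.

```python
import re

# Alert numbers the page lists for each SNI-tool error case.
EXPECTED_ALERT = {
    "Unknown certificate": 48,
    "Corrupted certificate": 51,
    "Expired certificate": 45,
    "Self-signed certificate": 48,
    "No authentication": 40,
}

# <thread>:error:<hex code>:SSL routines:<func>:<reason>:<file>:<line>:SSL alert number <n>
ALERT_LINE = re.compile(
    r"^\d+:error:(?P<code>[0-9A-Fa-f]{8}):SSL routines:\w+:"
    r"(?P<reason>(?:sslv3|tlsv1) alert [\w ]+):.*:SSL alert number (?P<num>\d+)$"
)
SSL_AD_REASON_OFFSET = 1000  # OpenSSL: reason code = 1000 + TLS alert number


def parse_alert(line):
    """Return the alert carried by one error line, or None if it is not an alert line."""
    m = ALERT_LINE.match(line.strip())
    if m is None:
        return None
    number = int(m["num"])
    # In this packing the low 12 bits of the error code hold the reason code.
    consistent = (int(m["code"], 16) & 0xFFF) == SSL_AD_REASON_OFFSET + number
    return {"reason": m["reason"], "number": number, "consistent": consistent}


def evaluate(case, log_text):
    """Apply the page's criterion: an alert from the server means the handshake was rejected."""
    alerts = [a for a in map(parse_alert, log_text.splitlines()) if a]
    if not alerts:
        return "REVIEW", "no alert line; check manually for close_notify"
    alert = alerts[-1]
    if not alert["consistent"]:
        return "REVIEW", "error code and alert number disagree"
    listed = EXPECTED_ALERT.get(case)
    note = "matches listed log" if alert["number"] == listed else f"differs from listed alert {listed}"
    return "REJECTED", f"alert {alert['number']} ({alert['reason']}), {note}"


# Sample input: the 'Expired certificate' line from the logs above.
SAMPLE = ("140246863073728:error:14094415:SSL routines:ssl3_read_bytes:"
          "sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1528:SSL alert number 45")

if __name__ == "__main__":
    print(evaluate("Expired certificate", SAMPLE))
```

A `REVIEW` result means the log alone does not settle the verdict and the monitor has to inspect the connection.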


        Test Roles

        Keyword | # to realize | Card Min | Card Max | Optionality | URL | URL Doc
        GAZELLE_SECURITY_SUITE | 1 | 1 | 1 | Required | |
        SN_or_SA-ATNA | 1 | 1 | 1 | Required | |

        GAZELLE_SECURITY_SUITE
        Integration profile | Actor | Option | Is tested ?
        ATNA - Audit Trail and Node Authentication | SN - Secure Node | NONE | false
        ATNA - Audit Trail and Node Authentication | ARR - Audit Record Repository | NONE | false
        ATNA - Audit Trail and Node Authentication | SA - Secure Application | NONE | false

        SN_or_SA-ATNA
        Integration profile | Actor | Option | Is tested ?
        ATNA - Audit Trail and Node Authentication | SA - Secure Application | NONE | true
        ATNA - Audit Trail and Node Authentication | SN - Secure Node | NONE | true

        Test Steps


        Step Index | Initiator Role | Responder Role | Transaction | Secured | Message Type | Option | Description | Assertions
        10 | GAZELLE_SECURITY_SUITE | SN_or_SA-ATNA | ITI-19 | | DICOM, WEBSERVICE or SYSLOG | Required | [TRANSACTION][EVIDENCE] Run IHE_ErrorCase_Corrupted. Copy/paste your result using the "Add an URL" button. |
        20 | GAZELLE_SECURITY_SUITE | SN_or_SA-ATNA | ITI-19 | | DICOM, WEBSERVICE or SYSLOG | Required | [TRANSACTION][EVIDENCE] Run IHE_ErrorCase_Expired. Copy/paste your result using the "Add an URL" button. |
        40 | GAZELLE_SECURITY_SUITE | SN_or_SA-ATNA | ITI-19 | | DICOM, WEBSERVICE or SYSLOG | Required | [TRANSACTION][EVIDENCE] Run IHE_ErrorCase_Self-Signed. Copy/paste your result using the "Add an URL" button. |
        50 | GAZELLE_SECURITY_SUITE | SN_or_SA-ATNA | ITI-19 | | DICOM, WEBSERVICE or SYSLOG | Required | [TRANSACTION][EVIDENCE] Run IHE_ErrorCase_Unknown. Copy/paste your result using the "Add an URL" button. |
        60 | GAZELLE_SECURITY_SUITE | SN_or_SA-ATNA | ITI-19 | | DICOM, WEBSERVICE or SYSLOG | Required | [TRANSACTION][EVIDENCE] Run IHE_ErrorCase_Without_Authentication. Copy/paste your result using the "Add an URL" button. |
        70 | GAZELLE_SECURITY_SUITE | SN_or_SA-ATNA | ITI-19 | | DICOM, WEBSERVICE or SYSLOG | Required | [TRANSACTION][EVIDENCE] Run IHE_ErrorCase_Wrong_Key. Copy/paste your result using the "Add an URL" button. |

          Copyright IHE 2024
        • Gazelle 7.1.7