Special Instructions
This test exercises several error cases. Gazelle Security Suite acts as a simulated client, trying to connect to a Secure Node (SN) or Secure Application (SA) acting as a server.
If your SN/SA is only a client (i.e. it only initiates transactions), then this test case is not applicable to you.
To perform this test, your digital certificate must be set up on your system.
If your system uses the SNI extension, a tool dedicated to SNI extension testing is used instead of the Gazelle Security Suite error test cases.
Please get in touch with a monitor to obtain information about how to use this tool.
Description
- Log in to Gazelle Security Suite. Use the same username/password as for Gazelle Test Management
- Select menu TLS/SSL > Testing > Tests cases
- Run each of the error test cases listed:
- IHE_ErrorCase_Corrupted
- IHE_ErrorCase_Expired
- IHE_ErrorCase-Self-Signed
- IHE_ErrorCase_Unknown
- IHE_ErrorCase_Without_Authentication
- IHE_ErrorCase_Wrong_Key
Once you are on the 'Run a test' page, select your application type (HL7v2, WEBSERVICE or SYSLOG), enter the host / IP address and port of your system and click 'Run'. If you implement several of those application types, spread the message types over the error test cases so that every implemented protocol is covered by at least one step.
- After each test case, find your result in the list of Test Executions.
- Capture the permanent links to your results. Copy/paste the links into the corresponding testing step using the "Add an URL" button.
When you have added evidence for all test cases, change the status of the test to "To be verified".
Evaluation
Each TLS error case must have the test verdict 'PASSED'. Note that if an optional TLS sub-verdict gets the verdict 'FAILED', you can consider it a warning rather than an error.
In each TLS test result:
- the SUT host must be the IP specified in the configuration of the system.
- the SUT port must be the one specified in the configuration of the system for the protocol.
Each application type (WEBSERVICE, SYSLOG, ...) implemented by your system must have been tested at least one time in those error cases.
Special evaluation - Microsoft:
For some security providers, certificate validation is performed after the handshake (e.g. the Microsoft SSL engine). In this case, Gazelle Security Suite will mark the tests 'FAILED'. The monitor must manually analyze the connection:
- The handshake must have failed, OR a '403 Forbidden' message must have been received by the simulator if the application layer is an HTTP web service.
- If the handshake failed, the simulator must have received a close_notify or a fatal alert.
- the SUT host must be the IP specified in the configuration of the system.
- the SUT port must be the one specified in the configuration of the system for the protocol.
Special evaluation - SNI:
If the vendor's system uses the SNI extension for TLS tests, the logs obtained with the SNI extension library have to be provided by the monitor, as evidence attached to all steps requiring evidence.
The reason given in the alert message of each result below may differ slightly from the one shown. However, the main validation criterion is that the handshake is interrupted by the server and a close_notify or a fatal alert has been received.
All the test cases located in TLS with the SNI tool may fail with the following respective logs:
Unknown certificate:
140416339390912:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1528:SSL alert number 48
Corrupted certificate:
140078889611712:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:../ssl/record/rec_layer_s3.c:1528:SSL alert number 51
Expired certificate:
140246863073728:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1528:SSL alert number 45
Self-signed certificate:
140710334378432:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1528:SSL alert number 48
No authentication:
139964106043840:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
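The following helper, added here as an example and not part of Gazelle or the SNI tool, applies the validation criterion above to the OpenSSL error lines a monitor collects: it extracts the TLS alert number, compares it with the alert quoted for that error case, and treats a different alert (or a close_notify) as a still-refused handshake. The expected alert table covers only the five cases with an example log on the page; the alert names are the standard RFC 5246 values, and the sample logs are constructed (two copy the page's lines, the third imitates a plain close_notify).

```python
import re

# Standard TLS alert descriptions (RFC 5246 section 7.2); not from the page.
TLS_ALERTS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca", 51: "decrypt_error",
}

# Alert numbers quoted in the page's example logs for each error case
# (IHE_ErrorCase_Wrong_Key has no example log on the page, so it is omitted).
EXPECTED_ALERT = {
    "IHE_ErrorCase_Unknown": 48,
    "IHE_ErrorCase_Corrupted": 51,
    "IHE_ErrorCase_Expired": 45,
    "IHE_ErrorCase-Self-Signed": 48,
    "IHE_ErrorCase_Without_Authentication": 40,
}

# Constructed sample logs: two copy the page's OpenSSL lines, the third
# imitates a run where the server simply sent close_notify.
SAMPLE_LOGS = {
    "IHE_ErrorCase_Expired": "140246863073728:error:14094415:SSL routines:ssl3_read_bytes:"
        "sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1528:SSL alert number 45",
    "IHE_ErrorCase-Self-Signed": "140710334378432:error:14094418:SSL routines:ssl3_read_bytes:"
        "tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1528:SSL alert number 48",
    "IHE_ErrorCase_Without_Authentication": "SSL3 alert read:warning:close notify",
}

ALERT_RE = re.compile(r"SSL alert number (\d+)")


def parse_alert(log_line):
    """Return the TLS alert number reported by an OpenSSL error line, or None."""
    m = ALERT_RE.search(log_line)
    return int(m.group(1)) if m else None


def evaluate(case, log_line):
    """Verdict for one error case: PASSED (expected fatal alert or close_notify),
    WARNING (another alert, handshake still refused) or CHECK (no alert: review by hand)."""
    if "close notify" in log_line.lower():
        return "PASSED", "close_notify received: handshake interrupted by the server"
    alert = parse_alert(log_line)
    if alert is None:
        return "CHECK", "no TLS alert in log; confirm the handshake was refused"
    name = TLS_ALERTS.get(alert, "unassigned")
    if alert == EXPECTED_ALERT[case]:
        return "PASSED", f"alert {alert} ({name})"
    return "WARNING", f"alert {alert} ({name}), expected {EXPECTED_ALERT[case]}"


def evaluate_all(logs):
    """Map each error case to its (verdict, reason) pair."""
    return {case: evaluate(case, line) for case, line in logs.items()}
```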