Receiver XDR Test 4a, 4b and 8 TLS handshake issue

[Shakthi Vell]

Hi Team,

We are receiving TLS handshake issue, We have existing issue which was locked and unable to post update. We have installed the certificates in our server and able to connect with certificate. But from ETT tool we are unable to establish connection and facing TLS handshake issue.

https://groups.google.com/g/edge-test-tool/c/W-9YNoCOWrU

Thanks,

Sakthivel

[Kim Poletti]

Hi - Thanks for reaching out. This has been logged for review and a member of the team will reach out in the near future.

[Evan Brock]

Hello Sakthivel,

Just to confirm, XDR Test 3, 5 and 9 are working?

[Shakthi Vell]

Hi Evan,

We are facing issue in all the B1 Receive using edge protocol - XDR. For 9 it should fail but for us it is success.

We used the same certificate and use openssl comman to connect our endpoint internally. We could connect and proper tls handshake is happening. But from ETT tool it is failing. Also there is no logs to verify it too. Please look into it on priority as this is blocking our B1 certification.

Thanks,

Sakthivel 

[Shakthi Vell]

Any update on this

[Shakthi Vell]

Any update on this, As this is blocking B1 certification

[Kim Poletti]

Hello,

Do you have any screenshots of what you see? Can you please send the endpoint?

Thank you,

Kim

[Shakthi Vell]

Hi Kim, 

We are getting tls hand shake failure in Test 8 and no other receive test case is executing. In logs too it is showing as 'No logs to display.' When we do opensll and connect internally we are able to connect to our server.

Our IP : 208.78.141.77

Port : 443

As it is going for long time and we are nearing the certificate renewal time. Shall we have a call between 8 am est to 11 am est by tomorrow or the day after tomorrow to test it on call?

Thanks,

Sakthivel

[Evan Brock]

Hello Sakthivel,

Can you please provide the endpoint you're using for 4a and 4b?

I will try to schedule a time to meet tomorrow and put an invite here

[Evan Brock]

I get the following results when running
openssl s_client -connect 208.78.141.77:443 -showcerts

From our server

SSL handshake has read 1652 bytes and written 431 bytes
Verification error: self-signed certificate

A self signed certificate will not be able to complete TLS handshake, please confirm you're not using a self signed certificate

[Shakthi Vell]

Hi, We are using the certificate from https://site.healthit.gov/certificates/xdr-tls/keyAndCert.zip. No other certificate are using on our end. When we do openssl with this certificate it is connecting.

[Evan Brock]

Thank you, that information is very helpful, do you have time this afternoon to meet?

[Shakthi Vell]

Hi,

Sorry we are working in IST timeone and missed the previous conversation. Could you please schedule a call between 8 am to 10:30 am EST tomorrow(05/13). 

In call please include the following email: rsakt...@athenahealth.com, dnik...@athenahealth.com, gaks...@athenahealth.com, nmoh...@athenahealth.com

Thanks,

Sakthivel

[Shakthi Vell]

Hi,

Could you please schedule a call between 8 am to 10:30 am EST tomorrow(05/14). 

In call please include the following email: rsakt...@athenahealth.com, dnik...@athenahealth.com, nmoh...@athenahealth.com, gaks...@athenahealth.com

Thanks,

Sakthivel

[Shakthi Vell]

Hi, 

Any update on call, Could you please schedule a call between 8 am to 10:30 am EST today(05/14) or tomorrow (05/15). 

Thanks,

Sakthivel

[Evan Brock]

Hello,

Here is a meeting invite for tomorrow 5/15 at 10:00AM EST

________________________________________________________________________________

Microsoft Teams Need help?

Join the meeting now

Meeting ID: 295 146 373 733 7

Passcode: es3hZ7A6

---

Dial in by phone

+1 240-331-5581,,150590551# United States, Bethesda

Find a local number

Phone conference ID: 150 590 551#

For organizers: Meeting options | Reset dial-in PIN

Org help | Privacy and security

________________________________________________________________________________

[Shakthi Vell]

Hi ,

Any update on the test cases post call?

Thanks,

Sakthivel

[Anusha K]

Hi Shakthi,

A fix for the XDR Receive Test Cases has been deployed on Friday, Can you please test again and let me know what issues you are seeing?

Here is the request and error we were seeing for Test3 and  Test 5 for your endpoint. 

Test 3:

<xdsb:ProvideAndRegisterDocumentSetRequest xmlns:xdsb=\"urn:ihe:iti:xds-b:2007\">\r\n    <lcm:SubmitObjectsRequest xmlns:lcm=\"urn:oasis:names:tc:ebxml-regrep:xsd:lcm:3.0\">\r\n        <rim:RegistryObjectList xmlns:rim=\"urn:oasis:names:tc:ebxml-regrep:xsd:rim:3.0\">\r\n            <rim:ExtrinsicObject id=\"Document01\" mimeType=\"text/xml\"\r\n                objectType=\"urn:uuid:7edca82f-054d-47f2-a032-9b2a5b5186c1\">\r\n                <rim:Slot name=\"creationTime\">\r\n                    <rim:ValueList>\r\n                        <rim:Value>20120806</rim:Value>\r\n                    </rim:ValueList>\r\n                </rim:Slot>\r\n                <rim:Slot name=\"serviceStartTime\">\r\n                    <rim:ValueList>\r\n                        <rim:Value>200612230800</rim:Value>\r\n                    </rim:ValueList>\r\n                </rim:Slot>\r\n                <rim:Slot name=\"serviceStopTime\">\r\n                    <rim:ValueList>\r\n                        <rim:Value>200612230900</rim:Value>\r\n                    </rim:ValueList>\r\n                </rim:Slot>\r\n                <rim:Slot name=\"sourcePatientId\">\r\n                    <rim:ValueList>\r\n                        <rim:Value>1^^^&amp;2.16.840.1.113883.4.6&amp;ISO</rim:Value>\r\n                    </rim:ValueList>\r\n                </rim:Slot>\r\n                <rim:Name>\r\n                    <rim:LocalizedString value=\"DocA\"/>\r\n                </rim:Name>\r\n                <rim:Description/>\r\n                <rim:Classification\r\n                    classificationScheme=\"urn:uuid:93606bcf-9494-43ec-9b4e-a7748d1a838d\"\r\n                    classifiedObject=\"Document01\"\r\n                    nodeRepresentation=\"\"\r\n                    objectType=\"urn:oasis:names:tc:ebxml-regrep:ObjectType:RegistryObject:Classification\"\r\n                    id=\"id_1\">\r\n                    <rim:Slot name=\"authorPerson\">\r\n                        <rim:ValueList>\r\n                            <rim:Value>7.6^GenericApplication - Version 7.6</rim:Value>\r\n                        </rim:ValueList>\r\n                    </rim:Slot>\r\n                    <rim:Slot name=\"authorInstitution\">\r\n                        <rim:ValueList>\r\n                            <rim:Value>Get Well Clinic</rim:Value>\r\n                        </rim:ValueList>\r\n                    </rim:Slot>\r\n                </rim:Classification>\r\n                <rim:Classification\r\n                    classificationScheme=\"urn:uuid:41a5887f-8865-4c09-adf7-e362475b143a\"\r\n                    classifiedObject=\"Document01\" nodeRepresentation=\"34133-9\"\r\n                    objectType=\"urn:oasis:names:tc:ebxml-regrep:ObjectType:RegistryObject:Classification\"\r\n                    id=\"id_3\">\r\n                    <rim:Slot name=\"codingScheme\">\r\n                        <rim:ValueList>\r\n                            <rim:Value>2.16.840.1.113883.6.1</rim:Value>\r\n                        </rim:ValueList>\r\n                    </rim:Slot>\r\n                    <rim:Name>\r\n                        <rim:LocalizedString value=\"Summarization of Episode Note\"/>\r\n                    </rim:Name>\r\n                </rim:Classification>\r\n\r\n                <!-- Value from HITSP/C80 table 2-146 -->\r\n                <rim:Classification\r\n                    classificationScheme=\"urn:uuid:f33fb8ac-18af-42cc-ae0e-ed0b0bdb91e1\"\r\n                    classifiedObject=\"Document01\" nodeRepresentation=\"72311000\"\r\n                    objectType=\"urn:oasis:names:tc:ebxml-regrep:ObjectType:RegistryObject:Classification\"\r\n                    id=\"id_6\">\r\n                    <rim:Slot name=\"codingScheme\">\r\n                        <rim:ValueList>\r\n                            <rim:Value>2.16.840.1.113883.6.96</rim:Value>\r\n                        </rim:ValueList>\r\n                    </rim:Slot>\r\n                    <rim:Name>\r\n                        <rim:LocalizedString value=\"Health maintenance organization\"/>\r\n                    </rim:Name>\r\n                </rim:Classification>\r\n\r\n                <!-- Value from HITSP/C80 table 2-149 -->\r\n                <rim:Classification\r\n                    classificationScheme=\"urn:uuid:cccf5598-8b07-4b77-a05e-ae952c785ead\"\r\n                    classifiedObject=\"Document01\" nodeRepresentation=\"408443003\"\r\n                    objectType=\"urn:oasis:names:tc:ebxml-regrep:ObjectType:RegistryObject:Classification\"\r\n                    id=\"id_7\">\r\n                    <rim:Slot name=\"codingScheme\">\r\n                        <rim:ValueList>\r\n                            <rim:Value>2.16.840.1.113883.6.96</rim:Value>\r\n                        </rim:ValueList>\r\n                    </rim:Slot>\r\n                    <rim:Name>\r\n                        <rim:LocalizedString value=\"General medical practice\"/>\r\n                    </rim:Name>\r\n                </rim:Classification>\r\n\r\n                <!-- LOINC code from HITSP/C80 table 2-144  -->\r\n                <rim:Classification\r\n                    classificationScheme=\"urn:uuid:f0306f51-975f-434e-a61c-c59651d33983\"\r\n                    classifiedObject=\"Document01\" nodeRepresentation=\"34133-9\"\r\n                    objectType=\"urn:oasis:names:tc:ebxml-regrep:ObjectType:RegistryObject:Classification\"\r\n                    id=\"id_10\">\r\n                    <rim:Slot name=\"codingScheme\">\r\n                        <rim:ValueList>\r\n                            <rim:Value>2.16.840.1.113883.6.1</rim:Value>\r\n                        </rim:ValueList>\r\n                    </rim:Slot>\r\n                    <rim:Name>\r\n                        <rim:LocalizedString value=\"Summarization of episode note\"/>\r\n                    </rim:Name>\r\n                </rim:Classification>\r\n                <rim:ExternalIdentifier\r\n                    identificationScheme=\"urn:uuid:58a6f841-87b3-4a3e-92fd-a8ffeff98427\"\r\n                    value=\"1^^^&amp;2.16.840.1.113883.4.6&amp;ISO\"\r\n                    objectType=\"urn:oasis:names:tc:ebxml-regrep:ObjectType:RegistryObject:ExternalIdentifier\"\r\n                    id=\"id_11\" registryObject=\"Document01\">\r\n                    <rim:Name>\r\n                        <rim:LocalizedString value=\"XDSDocumentEntry.patientId\"/>\r\n                    </rim:Name>\r\n                </rim:ExternalIdentifier>\r\n                <rim:ExternalIdentifier\r\n                    identificationScheme=\"urn:uuid:2e82c1f6-a085-4c72-9da3-8640a32e42ab\"\r\n                    value=\"1.42.20140915172101.10.1\"\r\n                    objectType=\"urn:oasis:names:tc:ebxml-regrep:ObjectType:RegistryObject:ExternalIdentifier\"\r\n                    id=\"id_12\" registryObject=\"Document01\">\r\n                    <rim:Name>\r\n                        <rim:LocalizedString value=\"XDSDocumentEntry.uniqueId\"/>\r\n                    </rim:Name>\r\n                </rim:ExternalIdentifier>\r\n            </rim:ExtrinsicObject>\r\n            <rim:RegistryPackage id=\"urn:uuid:96bd4589-6975-43bf-81e8-9cf1701d0f10\"\r\n                objectType=\"urn:oasis:names:tc:ebxml-regrep:ObjectType:RegistryObject:RegistryPackage\">\r\n                <rim:Slot name=\"submissionTime\">\r\n                    <rim:ValueList>\r\n                        <rim:Value>20110117211159</rim:Value>\r\n                    </rim:ValueList>\r\n                </rim:Slot>\r\n                <rim:Slot name=\"intendedRecipient\">\r\n                    <rim:ValueList>\r\n                        <rim:Value>Some\r\n                            Hospital^^^^^^^^^1.2.3.4.5.6.7.8.9.1789.45|^Wel^Marcus^^^Dr^MD|^^Internet^mw...@healthcare.example.org</rim:Value>\r\n                    </rim:ValueList>\r\n                </rim:Slot>\r\n                <rim:Name>\r\n     ...more...

Thanks,

Anusha.

[Shakthi Vell]

Hi Anusha,

On 16th when we test on call we received message for test3 and test 5 is failed on our end because the payload content and soap content is missing in request. Now today I tried to test 3, 4a, 4b and 5 all the test cases are failing. For test 3 and 5 I haven't received any inbound messages too. Could uou please check why all the remaining test cases are failing.

Thanks,

Sakthivel

[Shakthi Vell]

Also now for send test case 20a and 20b I am unable to see the accept or reject in log. It is showing the following in loig but my message got processed in our end. the log is "Check your SUT logs and accept or reject". Is this related to the patch recently made. Because earlier when I test I could see the accept or reject.

Thanks,

Sakthivel

[Evan Brock]

Hi Sakthivel,

While a fix for XDR tests was deployed on Friday, it was not intended to resolve your specific issue. Sorry for the miscommunication. We are looking into your specific issue now.

Also, it's very unlikely the recent patch is the reason 20a and 20b are failing for you, as they function fundamentally differently from the tests that were patched

Thank you

[Evan Brock]

Hello,

I just tested on the previous version locally and it seems the accept and reject buttons are still missing. Can you provide more detail on when the last time you saw those buttons? Was it on the old UI?

Thank you

[Shakthi Vell]

Hi Evan,

In old ETT we have the option to accept or reject it based on log. Now it is unavailable. So is ther any way to populate the button now or if message received from us to ETT mark it as success?

On 16th when we test on call we received message for test3 and test 5 is failed on our end because the payload content and soap content is missing in request. Now today I tried to test 3, 4a, 4b and 5 all the test cases are failing. For test 3 and 5 I haven't received any inbound messages too. Could you please check why all the remaining test cases are failing.

Thanks,

Sakthivel

[Evan Brock]

Hi Sakthivel,

When running tests 3, 4a, 4b, or 5, I either get a broken pipe error or a 503 internal server error in our logs when using your endpoint. Previously, the PKIX issue was preventing the TLS handshake from succeeding, so it never even tried to hit your application. Now that the TLS handshake succeeds, we are able to see that the tests are unable to hit your application.

Can you please try the following in your server and let me know what it returns?

curl --cert client.pem --key client.key https://your.endpoint.com -v

Make sure the change the client.pem to your cert and client.key to your key and change the endpoint to the endpoint you use for your tests.

Also if you can, check your server logs around 12:34 PM EST today , I ran a couple tests and would like to see what it's saying on your end

[Shakthi Vell]

Hi Evan,

I couldn't see the messages on our end which you try to send, Also could you please share us the complete log for this to check it on our end. 

I tried to curl and I too get 503 but when I run openssl to connect I am able to connect.

OpenSSL Response

[prod PTEST1]:~/test> openssl s_client -connect muexternal.athenahealth.com:443 -cert cert.pem -key key.pem -CAfile cert.pem

CONNECTED(00000003)

depth=0 C = US, ST = test, L = test, O = test, OU = test, CN = test, emailAddress = test

verify return:1

---

Certificate chain

 0 s:C = US, ST = test, L = test, O = test, OU = test, CN = test, emailAddress = test

   i:C = US, ST = test, L = test, O = test, OU = test, CN = test, emailAddress = test

Curl Response 

[prod PTEST1] :~/test> curl --cert cert.pem --key key.pem https://muexternal.athenahealth.com/xds/ws/v1/DIRECT::XDR --cacert cert.pem -v

* Uses proxy env variable no_proxy == 'athenahealth.com,.consul,localhost,127.0.0.1,127.0.1.1'

*   Trying 208.78.141.77...

* TCP_NODELAY set

* Connected to muexternal.athenahealth.com (208.78.141.77) port 443 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* successfully set certificate verify locations:

*   CAfile: /etc/pki/tls/certs/ca-bundle.crt

  CApath: none

* TLSv1.3 (OUT), TLS handshake, Client hello (1):

* TLSv1.3 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (OUT), TLS alert, unknown CA (560):

* SSL certificate problem: self signed certificate

* Closing connection 0

curl: (60) SSL certificate problem: self signed certificate

More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not

establish a secure connection to it. To learn more about this situation and

how to fix it, please visit the web page mentioned above.

* Rebuilt URL to: cert.pem/

* Uses proxy env variable no_proxy == 'athenahealth.com,.consul,localhost,127.0.0.1,127.0.1.1'

* Uses proxy env variable http_proxy == 'http://outproxy-dev-bed.athenahealth.com:3128'

*   Trying 10.206.162.12...

* TCP_NODELAY set

* Connected to outproxy-dev-bed.athenahealth.com (10.206.162.12) port 3128 (#1)

> GET http://cert.pem/ HTTP/1.1

> Host: cert.pem

> User-Agent: curl/7.61.1

> Accept: */*

> Proxy-Connection: Keep-Alive

> 

< HTTP/1.1 503 Service Unavailable

< Server: squid/4.15

< Mime-Version: 1.0

Thanks,

Sakthivel

---

[Shakthi Vell]

Any updates on this

[Evan Brock]

Hi Sakthivel,

Sorry, I have been out of office, but I think I have found the issue now

Your endpoint seems to be fine, I can see the certificate provided is the same as users who are reporting this working now. The problem is that your traffic is being sent through your proxy, as I can see in your curl command (Uses proxy env variable http_proxy == 'http://outproxy-dev-bed.athenahealth.com:3128' ) . When you run openssl s_client, it connects straight to muexternal.athenahealth.com and succeeds because you pass the self-signed cert. When you run curl, the proxy intercepts the TLS connection and presents its own certificate, which isn’t in the cert.pem file you supplied, so curl (and the toolkit) reject the handshake.

There's two way I can think of to resolve this:

1. Bypass the proxy for this host by adding the host/IP to your no_proxy (or NO_PROXY) environment variable, or set -Dhttp.nonProxyHosts="muexternal.athenahealth.com|208.78.141.77" in the JVM that runs XDS Tools.

2. Import the self-signed certificate into the proxy’s trust store

Once the proxy is out of the way (or trusts the certificate), curl will connect without the SSL error and XDS Tools will be able to complete the XDR tests. You should be able to know if it's fixed by curl on your endpoint, if it succeeds, the XDR tests should work too.

Let me know if you need any further help

Thanks,
Evan

[Shakthi Vell]

Hi Evan, 

The issue in proxy is not from the too url. It is from the testing server which i try to hit. The porxy is installed in the server . I tried out of the testing env now I am getting the below response.

rsakthivel@ATH-THQLW4J0 keyAndCert % curl --cert cert.pem --key key.pem https://muexternal.athenahealth.com/xds/ws/v1/DIRECT::XDR --cacert cert.pem -v               

* Host muexternal.athenahealth.com:443 was resolved.

* IPv6: (none)

* IPv4: 208.78.141.77

*   Trying 208.78.141.77:443...

* Connected to muexternal.athenahealth.com (208.78.141.77) port 443

* ALPN: curl offers h2,http/1.1

* (304) (OUT), TLS handshake, Client hello (1):

*  CAfile: /etc/ssl/cert.pem

*  CApath: none

* (304) (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (OUT), TLS alert, unknown CA (560):

* SSL certificate problem: self signed certificate

* Closing connection

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (OUT), TLS alert, unknown CA (560):

curl: (60) SSL certificate problem: self signed certificate

More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not

establish a secure connection to it. To learn more about this situation and

how to fix it, please visit the web page mentioned above.

* Could not resolve host: cert.pem

* Closing connection

curl: (6) Could not resolve host: cert.pem

Thanks,

Sakthivel

[Shakthi Vell]

Any update on this?

[Evan Brock]

Hi Sakthivel,

Do you have that certificate in your Java truststore?

[Shakthi Vell]

Hi Evan, 

Today I m getting Test 3 and Test 5 data to us. For Test 5 due to payload content missing we are facing error. Is it possible to send with payload for test5? and still no message received for Test 4A and Test 4B.

Thanks,

Sakthivel

[Shakthi Vell]

Any update on this

[Evan Brock]

Hi Sakthivel,

XDR Test 5 was facing an issue where it was not sending a message that had an actual base 64 encoded document in it. The issue has been patched and the fix will be in the next release. 

I'm now looking in to your failing test 4a and 4b

[Arslan Iqbal]

For our SITE/ETT team's internal reference only: SITE-4592

-SITE/ETT team

[Shakthi Vell]

Hi Evan,

I am facing issue in test 7 with this to url https://ett.healthit.gov:12084 the message is processing at our end but in ett tool the status is pending.

Thanks,

Sakthivel

[Evan Brock]

Hello,

I was able to reproduce the issue with XDR Test 7 getting stuck on pending. As this is a different issue, please create a new thread for this. For XDR tests 4a and 4b, I have confirmed everything is configured correctly on our end. As only tests 3 and 5 are working for you, and those do not require a valid certification path to XDSTools, the issue is like with that certification path.

Thank you

[Shakthi Vell]

Hi Evan, 

Did the patch for test 5 has been patched? still we are facing issue in test5.

Thanks,

Sakthivel

[Evan Brock]

There has not been a release since my last message, I will let you know when the fix is available.

Thank you

[Evan Brock]

Hello Sakthivel,

Please try XDR Test 5 now, the fix is available

[James Spillman]

Locking conversation. If you're still having issues please start a new conversation.