b1 XDR Test 7 Certificate

Julia Drahozal

Dec 17, 2025, 4:57:42 PM
to Edge Test Tool (ETT)
Good afternoon -

I am attempting to test b1 XDR Test 7, which is described as follows:
"Verifies the ability of the sending system to reject a mutual TLS connection where the certificate provided by the ETT is invalid." I was expecting this to mean that when I call the ETT endpoint (https://ett.healthit.gov:11084/xdstools/sim/edge-ttp__7/rep/xdrpr), the ETT would present an invalid certificate, causing the TLS handshake to fail.

However, when calling that endpoint both from my application, via Postman, and through curling, the ETT is responding with a valid certificate, so our handshake is succeeding and we are getting a successful SOAP response back, resulting in the test failing. 

Is the endpoint supposed to be presenting an invalid cert here? How are testing systems supposed to pass this test?

For example:

* Host ett.healthit.gov:11084 was resolved.
* IPv6: (none)
* IPv4: 34.235.25.130
*   Trying 34.235.25.130:11084...
* Connected to ett.healthit.gov (34.235.25.130) port 11084
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=*.healthit.gov
*  start date: Feb 12 10:49:32 2025 GMT
*  expire date: Mar 16 10:49:32 2026 GMT
*  subjectAltName: host "ett.healthit.gov" matched cert's "*.healthit.gov"
*  issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
*  SSL certificate verify ok.
* using HTTP/1.x
> HEAD /xdstools/sim/edge-ttp__7/rep/xdrpr HTTP/1.1
> Host: ett.healthit.gov:11084
> User-Agent: curl/8.7.1
> Accept: */*
* Request completely sent off
< HTTP/1.1 400 
HTTP/1.1 400 
< Content-Length: 0
Content-Length: 0
< Date: Wed, 17 Dec 2025 21:48:18 GMT
Date: Wed, 17 Dec 2025 21:48:18 GMT
< Connection: close
Connection: close
* Closing connection
* TLSv1.2 (IN), TLS alert, close notify (256):

and...

openssl s_client -connect ett.healthit.gov:11084
CONNECTED(00000005)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 CN = *.healthit.gov
verify return:1
write W BLOCK
---
Certificate chain
 0 s:/CN=*.healthit.gov
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGkjCCBXqgAwIBAgIJANWs2n8SXv8PMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTI1MDIxMjEwNDkzMloX
DTI2MDMxNjEwNDkzMlowGTEXMBUGA1UEAwwOKi5oZWFsdGhpdC5nb3YwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzPkA7qEVCXsFup9schn1NerXOnBzm
YRJKbIz0tmerRTvWb3gIpnbL8620oIiGHp8py6+9MDkuDLvTwMc89fyfGOOAIgux
E5Pj5LVJVKoUhAgEomOQ0O0r5CpFupvQYJT8FCUQQNmEV/NhfDzVX45qNd+2fADa
o5sedYGTCCFwgCUA4/E94NZ+eb2bHiXoBZ/D5VfqL231SBhO8oYbJonzg04nXMRx
ajGmTlJZ+omrX0m+57RfXXBgh0EL1ZxDSomVaKsR+CNhirOpZyzc/PUwdSgcL7Yp
W/TjBDrObJvEQwZhLGwaEryE2n2hrSFvz8bpA6pu4J7+SsAgnwzQDGohAgMBAAGj
ggM/MIIDOzAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAOBgNVHQ8BAf8EBAMCBaAwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2Ny
bC5nb2RhZGR5LmNvbS9nZGlnMnMxLTM5NDI5LmNybDBdBgNVHSAEVjBUMEgGC2CG
SAGG/W0BBxcBMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29k
YWRkeS5jb20vcmVwb3NpdG9yeS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGowaDAk
BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAC
hjRodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2Rp
ZzIuY3J0MB8GA1UdIwQYMBaAFEDCvSeOzDSDMKIz1/tss/C0LIDOMCcGA1UdEQQg
MB6CDiouaGVhbHRoaXQuZ292ggxoZWFsdGhpdC5nb3YwHQYDVR0OBBYEFO7dhy1K
fF2eDsA2tV/Xa37EWT06MIIBfwYKKwYBBAHWeQIEAgSCAW8EggFrAWkAdwAOV5S8
866pPjMbLJkHs/eQ35vCPXEyJd0hqSWsYcVOIQAAAZT5x24SAAAEAwBIMEYCIQCT
Q0nLMUGUSMk2LhjruuLEcqPvmuCJOfJStUZuxhExCAIhAPWmog0Kr/Gslx9qBtGe
3ullKF5fOuyAU1Ng4cXiCLu3AHUAZBHEbKQS7KeJHKICLgC8q08oB9QeNSer6v7V
A8l9zfAAAAGU+cdvSQAABAMARjBEAiA3VXqJpjHgdUeXgB/76zthCN7aBFXKoymp
K0Pmu1a2OQIgMNb0FrIvdgb0Ueq53h5urIkYxsvN0XOjMI239NSEfzIAdwDLOPcV
iXyEoURfW8Hd+8lu8ppZzUcKaQWFsMsUwxRY5wAAAZT5x2/XAAAEAwBIMEYCIQCQ
E7gz0xMimPLnQyuqOmN+YaIMrD0QlDpBA+j+AUHhbgIhAK2tlHSTuHZbd6E/1kA3
zTOFf5u69/EQtAvvdHWhnXzuMA0GCSqGSIb3DQEBCwUAA4IBAQBmKOK7TxhEgpRZ
uDrQbjmUIsKiNrHU+HsuQ+0/7Donzcg8pyPcC32NRKjkzcLPNKOaVHoukicFxOzC
gJ36zjt2Ic+1USPBUFh/4dgxIpyiS6YEW4egv1BezCHhovwOc7xkVv4paDRpgLVQ
F9YbcJ6lxDbmVJzDQ9hElDEgNIOtTmSLuEcPpzu9MaOI0MoSM/7wMQNbgVyZ5r4H
vma6PmEc9vPSs/w4nIdbWqeENExHm4wy/+j6nEn7eDi8HKZJqZtD9+yFa2vwUGSe
phDhUZNHkK8Ye9T1J0fH6GIqvsLonBfIS3EkFTktcCGSuTylfrjRPLz+Ieumj/2n
kLFdmWRK
-----END CERTIFICATE-----
subject=/CN=*.healthit.gov
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5596 bytes and written 413 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 9BBF582D20B686C6441DDA7F8F2810E430D2DC9198EEF3FCEBC2CDDB4B448C4B
    Session-ID-ctx: 
    Master-Key: 3F15595DA88893AD94142420BBBD9800B73D79BD615C499229DCA20FF57C217C438E8FCAE469FF34230C38E35DABF915
    Start Time: 1766008453
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
closed

Similarly, going to that URL in a browser gets a 400, but the certificate for *.healthit.gov is valid. 
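The behaviour test 7 asks of the sending system, refusing to complete a TLS handshake when the certificate the server presents does not verify, can be exercised locally without the ETT. The program below is an added example written for this page; it is not code from the post above, from the ETT, or from ONC, and it says nothing about how the ETT actually serves test 7. Everything in it is constructed: two throw-away CAs, the host name ett.example.test, loopback servers that demand a client certificate (mutual TLS), and a client that plays the sending system. It shows the three outcomes a tester cares about: a verifying client rejects a server certificate that chains to a CA it does not trust, accepts one issued by the CA it pins, and, with verification switched off (InsecureSkipVerify), would wrongly accept the untrusted one, which is the misconfiguration a "must reject" test exists to catch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName = "ett.example.test" // hypothetical name for the local stand-in, not the real ETT host

// check panics on the key-generation, encoding and listen failures a demo cannot recover from.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue makes a P-256 cert for cn: a self-signed CA when parent is nil, else a TLS leaf signed by parent.
func issue(cn string, dns []string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		DNSNames:              dns,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serve starts a loopback listener that drives one handshake per connection and hangs up; the verdict is the client's.
func serve(cfg *tls.Config) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	check(err)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	return ln
}

// dial plays the sending system: tls.Dial runs the full handshake and reports the client's verdict.
func dial(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		conn.Close()
	}
	return err
}

// RunScenario issues two CAs, a server cert from each and a client cert from the trusted one, then
// returns the client's handshake verdict (nil = accepted) for: a verifying client vs. the server whose
// cert chains to an unknown CA; the same client vs. the trusted server; verification disabled vs. the unknown-CA server.
func RunScenario() (untrusted, trusted, skipVerify error) {
	goodCA, rogueCA := issue("Good Test CA", nil, nil), issue("Rogue Test CA", nil, nil)
	goodSrv := issue(serverName, []string{serverName}, &goodCA)
	rogueSrv := issue(serverName, []string{serverName}, &rogueCA)
	client := issue("sending-system", nil, &goodCA)
	pool := x509.NewCertPool()
	pool.AddCert(goodCA.Leaf)
	srvCfg := func(c tls.Certificate) *tls.Config { // mutual TLS: both servers demand a client cert from Good Test CA
		return &tls.Config{Certificates: []tls.Certificate{c}, ClientAuth: tls.RequireAndVerifyClientCert,
			ClientCAs: pool, MinVersion: tls.VersionTLS12}
	}
	good, rogue := serve(srvCfg(goodSrv)), serve(srvCfg(rogueSrv))
	defer func() { good.Close(); rogue.Close() }()
	verifying := &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{client},
		ServerName: serverName, MinVersion: tls.VersionTLS12}
	lax := verifying.Clone()
	lax.InsecureSkipVerify = true // the misconfiguration that makes a "must reject" test fail
	return dial(rogue.Addr().String(), verifying), dial(good.Addr().String(), verifying), dial(rogue.Addr().String(), lax)
}

func main() {
	u, t, s := RunScenario()
	fmt.Printf("untrusted CA: %v\npinned CA: %v\nverification disabled: %v\n", u, t, s)
}
```

Run it with go run; the first line prints an "unknown authority" verification error and the other two print <nil>. The rejection happens inside the handshake, before any HTTP or SOAP request is sent, which is the point the test description makes. To cover the other meanings of "invalid certificate", change what issue() produces for the rogue server (an expired NotAfter, or a SAN that does not match serverName) and the verifying client rejects those too.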