XDR Receiving Test 8


Pepper Pancoast

Dec 15, 2025, 5:40:48 PM
to Edge Test Tool (ETT)
We're getting a failure on XDR Test 8 (admittedly we skipped the others just to confirm mTLS), with a failed message. The logs say "ran tc 8" without any other discernible data.

It may be that we don't have the truststore uploaded with what's expected (we did pull from the main page) and we can get it to work through postman.

Is there an easy check we can use to see why it's failing?

Sai Valluripalli

Dec 16, 2025, 1:34:38 PM
to Pepper Pancoast, Edge Test Tool (ETT)
1. Can you confirm you have installed the provided TLS certs on your server?
2. Is your endpoint open to the outside network?


Pepper Pancoast

Dec 16, 2025, 2:49:27 PM
to Edge Test Tool (ETT)
Yes!

### TEST 1: TLS Certificate Verification (Port 443) ✅

**Command:**
```bash
openssl s_client -connect medallies.netsmartcloud.com:443 -showcerts < /dev/null 2>&1 | grep -A 10 'Acceptable client certificate CA names'
```

**Output:**
```
Acceptable client certificate CA names
C = US, ST = MD, L = Boyds, O = Drajer LLC, CN = healthit.gov, emailAddress = healthit.gov
C = US, ST = MD, L = Boyds, O = Drajer LLC, CN = intermediate.healthit.gov, emailAddress = intermediate.healthit.gov
Requested Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA224:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA224:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4682 bytes and written 423 bytes
Verification: OK
```

**Result:** ✅ **PASS**
- Both ONC certificates are installed and active
- mTLS client certificate verification is enabled
- Certificate validation successful

---

### TEST 2: Full TLS Handshake (Port 443) ✅

**Command:**
```bash
echo 'Q' | openssl s_client -connect medallies.netsmartcloud.com:443 2>&1
```

**Output (Summary):**
```
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M03
verify return:1
depth=0 CN = *.netsmartcloud.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.netsmartcloud.com
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M03
   Valid until: Mar  4 23:59:59 2026 GMT
 1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M03
   i:C = US, O = Amazon, CN = Amazon Root CA 1
   Valid until: Aug 23 22:26:04 2030 GMT
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   Valid until: Dec 31 01:00:00 2037 GMT
---
Protocol: TLSv1.3
Cipher: TLS_AES_128_GCM_SHA256
Verify return code: 0 (ok)
```

**Result:** ✅ **PASS**
- TLS 1.3 enabled (latest secure protocol)
- Strong cipher suite
- Valid certificate chain
- SSL verification successful

---

### TEST 3: Port 80 TCP Connectivity ✅

**Command:**
```bash
timeout 3 bash -c '</dev/tcp/medallies.netsmartcloud.com/80' && echo 'Port 80: OPEN'
```

**Output:**
```
Port 80: OPEN - Successfully connected
```

**Result:** ✅ **PASS** - Port 80 is accessible from internet

---

### TEST 4: Port 443 TCP Connectivity ✅

**Command:**
```bash
timeout 3 bash -c '</dev/tcp/medallies.netsmartcloud.com/443' && echo 'Port 443: OPEN'
```

**Output:**
```
Port 443: OPEN - Successfully connected
```

**Result:** ✅ **PASS** - Port 443 is accessible from internet



The other point is it looks like the XDR Test Tool is rewriting the host name we pass in with xdr.sitenv.org.
Is that a known bug?
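
An added example, not part of the thread or of the Edge Test Tool: TEST 1 above lists the CA names the server advertises for client certificates, and the sketch below parses that section of `openssl s_client` output and checks whether the issuer of a client certificate (the line printed by `openssl x509 -noout -issuer`) is among them. The function names and result labels are hypothetical, the sample is constructed from the output quoted in the post, and the `C = US, ...` name format shown there is assumed.

```python
import re

# Constructed sample: CertificateRequest section of `openssl s_client` output,
# abridged from the output quoted in the post above.
SAMPLE = """\
Acceptable client certificate CA names
C = US, ST = MD, L = Boyds, O = Drajer LLC, CN = healthit.gov, emailAddress = healthit.gov
C = US, ST = MD, L = Boyds, O = Drajer LLC, CN = intermediate.healthit.gov, emailAddress = intermediate.healthit.gov
Requested Signature Algorithms: RSA-PSS+SHA256:RSA+SHA256
Peer signing digest: SHA256
"""

HEADER = "Acceptable client certificate CA names"

def parse_dn(line):
    """Normalise 'C = US, O = X' (or 'issuer=C = US, ...') to a tuple of pairs.
    Simplification: attribute values that contain commas are not handled."""
    line = re.sub(r"^\s*issuer\s*=\s*", "", line)
    pairs = re.findall(r"(\w+)\s*=\s*([^,]+)", line)
    return tuple((k.upper(), v.strip().lower()) for k, v in pairs)

def acceptable_ca_names(s_client_output):
    """DNs the server advertised for client certs, or None if it listed none."""
    lines = [l.strip() for l in s_client_output.splitlines()]
    if HEADER not in lines:
        return None
    names = []
    for line in lines[lines.index(HEADER) + 1:]:
        if not re.match(r"\w+\s*=", line):  # list ends at the first non-DN line
            break
        names.append(parse_dn(line))
    return names

def check_client_issuer(issuer_line, s_client_output):
    """Return 'match', 'no-match' or 'no-ca-list' (hypothetical labels)."""
    names = acceptable_ca_names(s_client_output)
    if names is None:
        return "no-ca-list"
    return "match" if parse_dn(issuer_line) in names else "no-match"

if __name__ == "__main__":
    # Constructed issuer line, in the form `openssl x509 -noout -issuer` prints.
    issuer = ("issuer=C = US, ST = MD, L = Boyds, O = Drajer LLC, "
              "CN = intermediate.healthit.gov, emailAddress = intermediate.healthit.gov")
    print(check_client_issuer(issuer, SAMPLE))
```

A `no-match` result means the client certificate's issuer is not in the list the server sent, which is one concrete thing to rule out when an mTLS test fails without a useful log message.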