Closed praneethyaji closed 2 years ago
Hi @praneethyaji -- thanks for the report.
Are the two versions of Inferno located in the same spot, so they are subject to the same network configuration? These TLS tests can be affected by network proxies -- e.g. if your network intercepts and proxies SSL traffic.
Also, in v1.9 we had a setting where you could disable SSL certificate validation. Do you have access to the v1.9 config.yml? Is disable_verify_peer set to true? Unfortunately, we do not print out this setting in the web UI, but if you have access to the v1.9 application logs, you would see something like this around each request:
inferno_1 | WARNING: OpenSSL::SSL::VERIFY_PEER == OpenSSL::SSL::VERIFY_NONE
inferno_1 | This dangerous monkey patch leaves you open to MITM attacks!
inferno_1 | Try passing :verify_ssl => false instead.
Hi Rob,
Thanks for the quick reply.
I am using the public Inferno site at https://inferno.healthit.gov/, so they are not installed anywhere locally or on a server. My concern is that the TLS test cases are passing in Inferno v2.0+ with the option below
But when I run the ONC Certification g10 test cases
TLS tests are failing. I am not much concentrating on inferno V1.9 as it would be removed from healthit.gov by May 2022.
Just to add to the same context, we are using the same authorization endpoints for the TLS suite as well as the ONC certification Standard test suite. The TLS-specific test suite passes with the message "Server allowed TLS 1.2 connection", whereas the ONC certification Standard test suite fails with the message "Server did not support any allowed TLS versions".
Please suggest your thoughts on this, it would be very helpful.
Thanks @praneethyaji, this is very helpful to figure out what is going on here. Could you paste in a screenshot of the 'Messages' tab from the 'TLS Test Kit' test, because it will provide messages of which versions work and which do not. While the tests within g10 use the same code as the ones you can access through the 'TLS Test Kit', they are perhaps configured slightly differently regarding a minimal allowed set.
Sure @arscan. PFB snap for messages tab of tls testcase where it says none of the allowed TLS were supported by server.
I'm sorry @praneethyaji -- I may not have been clear. Could you provide the same screenshot of messages but for the 'TLS Tests' suite that you had used (1.01 Server only supports secure versions of TLS). In your last response you sent a screenshot of the TLS tests in the (g)(10) Standardized API test suite.
I'm sorry for posting the wrong screenshot. PFB screenshot of the messages tab of the 'TLS Tests' suite, which allowed TLS v1.2
Thanks @arscan for your suggestions. The issue is resolved now after both token receiver and token provider entity are TLS secured.
Hi Team,
We are testing the standalone launch sequence of a SMART application through a custom-developed IDP. The authorize and token endpoints are secured by TLS 1.2, and the test cases related to the TLS check were passing in the old Inferno, i.e. 1.9, but after upgrading Inferno to 2+ versions the TLS test cases are failing, saying the server did not support an allowed TLS version. PFB screenshots of the test case result in version 2.1 and version 1.9 respectively. In version 2.1
whereas in version 1.9 the test cases pass
Please help. Thanks in advance. Any suggestions would be very helpful.