AS2 Interoperability Issues Resolved (Certificate AS2 MDNS)
AS2 Interoperability Issues Resolved (Certificate AS2 MDNS)
Provides a list of issues resolved over the course of multiple AS2 Interoperability Tests through AS2-1Q09
page 1
Table of Contents
Interoperability Issues ................................................................................................................................. 3 Interoperability Issues Resolved or Affirmed AS2-1Q09 ................................................................... 3 Interoperability Issues Resolved or Affirmed AS2-3Q08 ................................................................... 5 Interoperability Issues Resolved or Affirmed AS2-1Q08 ................................................................... 6 Interoperability Issues Resolved or Affirmed AS2-3Q07 ................................................................... 7 Interoperability Issues Resolved or Affirmed AS2-1Q07 ................................................................... 8 Interoperability Issues Resolved or Affirmed AS2-3Q06 ................................................................... 9 Interoperability Issues Resolved or Affirmed AS2-1Q06 ................................................................. 10 Interoperability Issues Resolved or Affirmed from previous Test Rounds .................................... 11 About Drummond Group Inc. ................................................................................................................... 14
page 2
Interoperability Issues
During the course of interoperability tests, interoperability issues were discovered or questioned and then resolved through the debugging stage of the test. All products from a given test comply with the corresponding resolved issues. These issues are listed below to assist in resolving any supply-chain trading problem which may occur between productswith-version from this test and AS2 products-with-version from outside the test, including backward versions of these test products.
page 3
12. There was an incompatibility between curl (as a client) and JSSE (as a server) in https. This causes failure because of TLS Extension "Ticket Session" sent by curl and not understood (TLS 1.1) or rejected silently (TLS 1.0) by JSSE. An upgrade to both sides was the solution (curl 7.9.14/openssl 0.9.8j and Java 1.6.0u12). RFC 2246 that TLS 1.0 with extensions should be supported:
"Forward compatibility note: In the interests of forward compatibility, it is permitted for a client hello message to include extra data after the compression methods. This data must be included in the handshake hashes, but must otherwise be ignored. This is the only handshake message for which this is legal; for all other messages, the amount of data in the message must match the description of the message precisely."
13. One participant was using a key size of RSA 4096 bits in their public key but other participant does not support that key size. Per the AS2 test plan, Testing will assume 128 bit and 1024/2048 bit keys and 24 byte 3DES unless consensus for larger keys is reached with all participants. Participant changed change certificate to agreed key size. 14. Participant was returned Signature verification fails when verifying signature on compressed payload for test case G and J. Participant modified default contenttransfer-encoding on the body part when there is none specified. Participant was using Bouncy Castle as their S/MIME library. If content-transfer-encoding is not specified on the body part, Bouncy Castle uses 7-bit encoding as a default value. Participant modified code to set "binary" as the default content-transfer-encoding. NOTE: This issue also occurred as issue No.3 as reported for AS2-1Q08" in this AS2 Interoperability Issues Report". 15. Participant was not providing the Content-Length header in the MDN returned. This caused the message digest to be calculated incorrectly and thus fail. Participant modified code to add Content-Length. 16. Participant was not returning the proper Disposition for MDN Conformance test case K.3. Participant could getting a processing error:
2009-04-17 08:32:46,137 Process[PID: 646, Desc.: No description] ERROR [..] indefinite length primitive encoding encountered
Participants newer version of their S/MIME toolkit was causing the issue as newer version threw different exception: (IllegalStateException). Participant changed code to catch new exception code. Proper MDN response should have been:
Disposition: automatic-action/MDN-sent-automatically; processed/error: decompression-failed
17. First participant sent a Bravo CEM request to a second participant and their Bravo cert was in a pending state. Second participant then sent a Bravo CEM request to first participant before accepting their Bravo cert request. First participant immediately accepted Bravo cert (and as per the spec, as soon as a partner accepts the new signing cert, they must be prepared to accept messages signed with the new certificate). Second participant then sent a response to their Bravo CEM request
page 4
signed with new Bravo cert (since first participant had accepted it) but the MDN returned from that request contained an authentication error since first participant had not yet updated the second participants profile with the new Bravo certificate.
10. Participant was not including Content-Type header for the second attachment of the MA test cases. Recipient was requiring a Content-Type and modified code to default to text/plain per the specifications; however attachment was actually a PDF file. Sending participant modified code to add Content-Type header. Below is example of missing Content-Type;
--boundarySA==
page 5
Correct:
Content-Type: multipart/signed; micalg=sha1; protocol="application/pkcs7signature"; boundary="----=_Part_361_1392923398.1207140899485" 3. Bouncy Castle 1.38 assumes that if Content Transfer Encoding is not specified in the
body part that the encoding is 7-bit instead of binary. Participant was getting:
org.bouncycastle.cms.CMSException: invalid signature format in message: content hash found in signed attributes different
page 6
4. Participant was receiving Content-Length with leading zeros but the participant did not have support for leading zeros. Example:
Content-Length: 000000000000977
RFC2616 says the content length is formatted as 1*DIGIT. This means that at least 1 digit must be present and it can repeat. The value of DIGIT is 0-9. Therefore the following values 000000000000977 and 977 would satisfy the rule and should be considered equivalent. See: 14.13 Content-Length http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13 See: BNF notation http://www.apps.ietf.org/rfc/rfc2234.html 5. One Participants outer Content-Type header was missing the micalg (and protocol) element. Receiving participant was reporting and error: Unknown MIC algorithm: null. 6. One participant during persistent HTTP connections was not resetting the Async MDN flag, hence they were sending HTTP 200 response with html message body (in addition to regular MDN) for test cases requesting Sync MDN after Async MDN test case was executed. 7. One participant assumed that the Message-ID in Async MDNs was required however it is optional. 8. Participant was acknowledging receiving AS2 message with a 200 OK, but not closing the connection until after the Async MDN Receipt was returned.
page 7
5. One participant enabled base64 encoding at transport level but some participants failed to process AS2 message. Earlier consensus determined that base64 encoding at transport level is not allowed. 6. One participant was not adding quotes to MDN AS2-To field value in as required for AS2 identifiers which include spaces. 7. One participant reported incorrect Disposition for K.1 Test Case. Reported processed only, no reason given and evaluated positive when it should have been evaluated negative. 8. One participant reported incorrect Disposition value of for K.2 Test Case: automaticaction/MDN-sent-automatically; processed/error: decryption-failed;/processed/error: decryption-failed; 9. One participant reported incorrect Disposition on K.3 Test Case. Reported as Processed, should have reported: Processed/Error: decompression-failed 10. HTTPs SSL handshake issue resolved by increasing response timeout. 11. One participant introduced new SSL layer issues reported and resolved. 12. One participant could not support MA payloads if one of the attachments was not XML or EDI. MA payloads contained were PDF and TIFF. 13. One participant was calculating incorrect MIC for MA AS2 message. 14. One participant was not terminating properly the MIME inner boundary on MA AS2 messages. 15. One participant was enveloping valid MIME content with an extraneous boundary marker prior to encryption, for encrypted-only MA AS2 messages.
page 8
5. Several participants were sending folded headers in the MDNs. However, an earlier Consensus item stated that headers should not be folded. The participants unfolded their headers to resolve Interop issues. 6. One participant was encoding their data as 8bit (used in SMTP), however, binary transfer encoding is the default over HTTP. The participant switched to binary encoding to resolve Interop issues as a result of using 8bit encoding. 7. The Message-ID in the MDN is not required. One participant was failing test cases because of the misunderstanding that the Message-ID was required in the MDNs. This continues to be a source for misinterpretation. The Original-Message-ID, however, is required in the MDNs. 8. AS2-From and AS2-To do not have to be UPPER CASE. One participant was failing test cases because they misunderstood that the AS2 portion must be UPPERCASE. MIME/HTTP headers are not case sensitive.
page 9
8. Base64 encoding the entire HTTP body was being used. Note however, that Content Transfer Encoding (CTE) of MIME body parts within the AS2 message is allowed. Consensus was arrived that if the MIME bodies were already encrypted and or compressed, CTE was neither necessary nor practical for performance reasons. Participants agreed to remove Base64 encoding over the entire HTTP body, which helped resolve Interop issues, and theoretically improved processing performance of messages. Performance metrics are not measured in Interop testing 9. It was agreed that HTTP/1.0 servers are required to close HTTP connections, and it is not the responsibility of HTTP clients. At least one participant was relying on a timeout for the connection to close on the server-side, or for the HTTP client to close the connection. When the HTTP /1.0 Server waited for the HTTP /1.1 Client to close the connection and the Client waited for the Server to close the connection but the Server did not close then the Client timed-out and perceived it as an aborted connection and flagged the test failed. The HTTP 1.0 Servers must close the connection based on the HTTP/1.0 specification. 10. Certificates needed to have two-character country code. This was in the list Interoperability Issues Resolved or Affirmed from previous Test Rounds, but it occurred in this round as well. 11. A participant had a certificate organizational unit name specified as R&D and it was encoded as an IA5String. This is supposed to be a DirectoryString. The participant discovered that their certificate generation tool used to create their certificates was using the outdated IA5String encoding for some of the elements within the Subject and or Issuer name fields. 12. At least one participant found an issue with LF of CRLF being removed on the outgoing payload data which was causing payload mismatches (the sent payload did not match the received).
page 10
3. The AS2 specification requires that human-readable portion of MDN must contain Final-Recipient. Please see http://www.ietf.org/rfc/rfc4130.txt section 7.4.2. A participant was not sending Final-Recipient however it was required. 4. A participant was sending folded headers in the MDNs and this caused an error because at least one other participant did not process folded headers". In previous Interops, it was a consensus item to not fold the headers. Example: Content-Type: multipart/report; report-type=disposition-notification; boundary="----=_Part_1139974138134" 5. An AS2 server was attempting to connect to port 80 instead of 443 when the URL was provided without a port, for example: https://hostname/ The correct port to connect to should be 443, (the default port for SSL when port is not specified). The default port for non-ssl is port 80. Please see: http://rfc.net/rfc2616.html 6. MDN conformance testing revealed that one participants MDN disposition text says, Disposition: automatic-action/MDN-sent-automatically; processed. It should have returned error text processed/error: authentication-failed or processed/error: integritycheck-failed.
page 11
7. The Message-ID header is not required in MDNs. 8. Chunked encoding for HTTP 1.1 requests and responses is acceptable for AS2. Rules for implementing, supporting and understanding chunked encoding can be found in the HTTP 1.1 standard, RFC2616. 9. Some products require valid EDI/XML documents on inbound messages and will generate MDNs with errors if they are invalid. This includes both valid formatting and/or recognized identifiers. 10. Certificate serial numbers must not be negative, per RFC3280. While some AS2 systems accept negative serial numbers, other systems cannot accept negative values. 11. Certificates are uniquely identified through their Issuer name and their serial number. As with negative serial numbers, certain AS2 systems will reject duplicate certificates, but others can accept them. 12. Some products utilizing the open source OpenSSL experienced problems in SSL transactions. The cause was due to the sending of empty fragments in the transaction which caused some trading partner products to corrupt the inbound document. The solution was to modify configuration flags within OpenSSL. 13. HTTP Content-length header is not necessarily required on MDN. The HTTP standard specifies the use and requirement of this header, and the AS2 draft is being updated to refer back to the HTTP standard for the use of content-length. 14. MIME Folded headers continue to cause problems with several products due to their associated web server. Folded headers were not used during the test and should be avoided in actual implementation. 15. The use of quotation marks on AS2 System Identifiers should not be used for atomic names. Also, the use of quotation marks on AS2 System Identifiers must be consistent for both the payload messages as well as for the MDNs. That is, if quotation marks are used in the payload message, they also must be present in MDNs. 16. A 204 (No content) HTTP response would be acceptable in an HTTP response of an async MDN request. This should be accepted (assuming the response has no body). From the latest version (13) of the AS2 draft, section 7.6, notice the comment of the response being "in the 200 range." HTTP RFC2616 states that if a 204 is returned, there is to be no message body and the message is terminated by the first empty line after the header fields. So, the 204 will work as long as there are only HTTP headers in the response. 17. If certificates use the country attribute, the country attribute may only contain two characters. For example, "C=USA" is invalid and instead should be listed as "C=US". 18. Encrypted messages can contain multiple RecipientInfo structures within the CMS data, including one describing the originator. Refer to RFC 2630 Section 6 for more details. 19. Consensus was reached that AS2 messages with EDI payloads should identify the content-type either as application/EDI-X12 or application/EDIFACT and NOT application/EDI-CONSENT. 20. The Message-ID is not required in Asynch MDNs because the AS2 standard states it SHOULD be contained, that is, it is not required. Asynch MDNs should not be rejected
page 12
if MDNs do not contain Message-ID because it is not required. It is recommended that it be present. Please refer to the meanings of SHOULD and MUST.
page 13
page 14