NextGen Knowledge Center

4.3.0 Upgrade Notes

Application upgrades for the 4.3.0 release.

New Functionality for the Mirth® Connect Setup Wizard

New features added to the Mirth® Connect Setup Wizard include, but are not limited to, the following:

  • Added more information on the screens with links to the What's New, Upgrade Guide, and documentation. This helps users understand what information to enter on the screens.

  • Added the ability to install your extensions at the time the application is installed or upgraded. This simplifies the process so that users no longer have to install extensions manually and restart the service.

  • Added the ability to enter your license key for extensions. This will default to the license.key value from your mirth.properties file during an upgrade.

  • Added the updated logo and a list of the dialog screens so that users know exactly where they are in the process.

Resource Classloaders Load Classes Child-First By Default

Resources now load classes "child-first" instead of "parent-first" by default. Previously, when a resource used a class that is already included with Mirth® Connect (for example, a PostgreSQL driver), the class from the parent classloader was loaded instead of the custom class that the user wanted to use. By loading "child-first", users can achieve the desired behavior.

Updated Deprecated Docker Base Images

The OpenJDK and AdoptOpenJDK base images are deprecated, so Mirth® Connect is now built with the eclipse-temurin image instead. If you were customizing your Mirth® Connect Docker containers, you may need to update your configuration to be compatible with eclipse-temurin.

Updated Encryption Settings

The default encryption algorithm is updated from AES to AES/CBC/PKCS5Padding. In addition, before being encrypted, strings will be encoded using UTF-8 instead of the JVM default charset.

  • If you did not already have encryption.algorithm overridden in mirth.properties, then no action is required. Any newly encrypted data will use the new default algorithm, and old encrypted data can still be decrypted (using the old default algorithm).

  • If you had encryption.algorithm overridden and set to AES, then you should consider updating that, for example to AES/CBC/PKCS5Padding or AES/GCM/NoPadding. Mirth® Connect will warn you on startup with this message as well. Support for AES (without any mode/padding specified) will be removed in a future version.

Disabled TLS Cipher Suites

The default TLS cipher suites are updated. Weaker, potentially exploitable cipher suites are disabled as a best practice.

The following cipher suites are disabled:

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA

If you previously updated https.ciphersuites in mirth.properties, you will see an https.ciphersuites.old property that contains your previous values. If you didn't update https.ciphersuites, then https.ciphersuites will be updated to remove the cipher suites listed above.

If any of your connectors, whether connecting to external servers or allowing clients to connect, are using these older cipher suites, they may fail a Transport Layer Security (TLS) handshake after upgrading to 4.3.0.

If you encounter a TLS handshake error after upgrading, it is best to let the external entity know they need to switch to a more secure cipher suite.

If this is not possible and you are using the SSL Manager commercial extension, you can select a weaker cipher suite for the connector that needs to allow the weaker legacy cipher suites.

[Figure: Set Cipher Suites window]

If you are not using the SSL Manager commercial extension, you can manually add back any of the cipher suites removed above to your https.ciphersuites property (in mirth.properties) to restore the previous, less secure behavior for all of your connectors.
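
One way to check a mirth.properties file after the upgrade against the two sections above (an added example, not NextGen's code): it reports any of the disabled suites that are still listed in https.ciphersuites or that appear in https.ciphersuites.old, and whether encryption.algorithm is set to bare AES. The comma-separated value format, the simplified properties parser and the sample file content are assumptions made for this example.

```python
import re
# Cipher suites disabled by default in 4.3.0, copied from the list on this page.
DISABLED_IN_430 = frozenset("""
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
""".split())

def parse_properties(text):
    """Simplified Java .properties reader: comments, key=value, backslash continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#!"):
            continue  # blank line or comment
        line = pending + stripped
        if line.endswith("\\"):
            pending = line[:-1]  # value continues on the next line
            continue
        pending = ""
        m = re.match(r"([^=:\s]*)\s*[=:]?\s*(.*)", line)
        props[m.group(1)] = m.group(2).strip()
    return props

def audit(text):
    """Return disabled suites still configured or previously in use, and the bare-AES flag."""
    props = parse_properties(text)
    def weak(key):  # assumes a comma-separated suite list
        return [s.strip() for s in props.get(key, "").split(",") if s.strip() in DISABLED_IN_430]
    return {"reenabled": weak("https.ciphersuites"),
            "previously_used": weak("https.ciphersuites.old"),
            "bare_aes": props.get("encryption.algorithm", "").upper() == "AES"}

# Constructed sample content, not taken from a real deployment.
SAMPLE = """\
encryption.algorithm = AES
https.ciphersuites = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\\
    TLS_RSA_WITH_AES_128_CBC_SHA256
https.ciphersuites.old = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Entries under "previously_used" identify suites that a peer may still depend on and that are worth checking before a handshake failure shows up in production.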

Removed the View User Guide Option

The View User Guide option is removed from the Other menu. The Help option will continue to navigate users to docs.nextgen.com to access the online documentation.

Administrator Launcher

Mirth® Connect 4.3.0 is signed with an updated certificate. You will need to update the Administrator Launcher to the latest version, 1.3.1, to avoid seeing security warnings.