Mirth® Connect by NextGen Healthcare User Guide
Default TLS/SSL Settings
The following properties can be set to modify the default TLS settings:

Property: https.client.protocols
Default Value: TLSv1.3,TLSv1.2
Description: The protocols to support by default for all TLS/SSL/HTTPS client traffic.
CAUTION: Changing this property could leave your server vulnerable to certain SSL-based attacks.
Note: The SSL Manager enables you to adjust protocol settings on a per-connector basis, rather than having to change the value for the entire server.
Note: TLSv1.3 is only available when running Mirth Connect on Java 11 or later.

Property: https.server.protocols
Default Value: TLSv1.3,TLSv1.2,SSLv2Hello
Description: The protocols to support by default for all TLS/SSL/HTTPS server traffic.
CAUTION: Changing this property could leave your server vulnerable to certain SSL-based attacks.
Note: The SSL Manager enables you to adjust protocol settings on a per-connector basis, rather than having to change the value for the entire server.
Note: TLSv1.3 is only available when running Mirth Connect on Java 11 or later.

ht
Cipher Suites Removed From Earlier Versions
The following cipher suites were removed from mirth.properties starting in version 3.5 to address vulnerabilities like SWEET32. Upon upgrade the cipher suites should automatically be updated to remove any that use TripleDES. Check your mirth.properties file to make sure that they are not included:

TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

The following cipher suites were removed from mirth.properties starting in version 4.0. Check your mirth.properties file to make sure they are not included:

TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
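A check for the removed suites listed above, as an added example that is not part of the Mirth Connect guide or product: it parses a properties file and reports any value that still names a suite the page lists as removed. The sample file is constructed and the `https.ciphersuites` key in it is an assumption; the scan inspects every property value, so it does not depend on the key name. The final entry of the 4.0 list is left out because the page's list is cut off there.

```python
import re

# Removed from mirth.properties in 3.5 per the page (TripleDES / SWEET32).
REMOVED_3_5 = {
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
}
# Removed in 4.0 per the page; the page's list is cut off, so its last entry is omitted.
REMOVED_4_0 = {
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
}

def parse_properties(text):
    """Minimal Java .properties reader: '='/':' separators, '#'/'!' comments,
    and backslash line continuations (common for long cipher suite lists)."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    props = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(text):
    """Return (key, suite, reason) for every removed suite still configured."""
    findings = []
    for key, value in parse_properties(text).items():
        for suite in (s.strip() for s in value.split(",")):
            if suite in REMOVED_3_5 or "_3DES_EDE_" in suite:
                findings.append((key, suite, "removed in 3.5 (TripleDES)"))
            elif suite in REMOVED_4_0:
                findings.append((key, suite, "removed in 4.0"))
    return findings

# Constructed sample, not a real server's file; the key name is an assumption.
SAMPLE = """\
https.server.protocols = TLSv1.3,TLSv1.2,SSLv2Hello
https.ciphersuites = TLS_AES_256_GCM_SHA384,\\
    SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,\\
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""
```

Run `audit(open(path).read())` against a copy of the file after each upgrade; an empty list means none of the listed suites remain.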
Default Supported Cipher Suites
The following cipher suites are supported by default for the overall server when using TLS / SSL / HTTPS:

TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Depending on your Java installation and other factors (like having the JCE Unlimited Strength policy files installed), not all the cipher
SSL Manager Extension
This section only applies if you have the SSL Manager extension installed. This guide will summarize the available settings, but there is a separate user guide specifically written for the SSL Manager that goes into depth about all the available features. Contact our help desk to obtain a copy of the SSL Manager guide.

Source Connector Settings

Client Authentication: Client authentication (sometimes called mutual or bi-lateral authentication) can provide additional security as both the client and server must present certificates that the other can choose to trust or not. The Trusted Client Certificates section determines which client certs (or intermediate/root certs) to trust.

Present Issuer DNs: This is only applicable when Client Authentication is used. If enabled, during the SSL handshake the server will respond with a list of accepted client issuer distinguished names (DNs). Disabling this can provide extra security as potential attackers are given less information about the correc
Encryption Settings
You can change the default encryption settings for Mirth® Connect as you see fit. The following can be set in mirth.properties:

Property: encryption.algorithm
Default Value: AES/CBC/PKCS5Padding
Description: The algorithm to use for symmetric encryption. This applies to messages, exports, and anything that is used along with the keystore to encrypt / decrypt. You must include the explicit mode and padding settings with the algorithm. The mode must also require an initialization vector.
Note: The default value is updated in version 4.3. If you did not explicitly set this property, then no action is needed. Mirth® Connect will automatically start using the new default. If you did explicitly set this property, then NextGen Healthcare highly recommends that you update it to include the mode/padding options as well. Support for "AES" (without any mode/padding specified) will be removed in a future version.

Property: encryption.charset
Default Value: UTF-8
Description: The charset to use when encoding textual data into bytes before e
New Protocol/Cipher Suite Support in Java 11
Java 11 added support for TLS v1.3. This should be added to your supported protocols list in mirth.properties when you upgrade to version 3.7 or later. If you do not want to support TLS v1.3, you can remove that from the list.

Java 11 also added support for new and more secure cipher suites. Upon upgrade to version 3.7 or later they should be automatically added. Check your mirth.properties file for these cipher suites:

TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256