Enabled TLS/SSL Cipher Suites

SSL Manager User Guide

Enabled TLS/SSL Protocols

The protocol is the version of the TLS/SSL standard that is used by both the client and server. By default, only the most secure protocols are enabled, but if you are communicating with a legacy server that only supports an older, weaker protocol, you can configure your connector to use it without affecting any other connectors or channels. Enabled Protocols option on SSL Settings window Select the wrench icon to open the Set Protocols window: Set Protocols window The server defaults refers to the protocols configured for the overall Mirth® Connect by NextGen Healthcare server, in mirth.properties. If your connector is a listener (for example, HTTP Listener), then the defaults will extend from the server protocols ("https.server.protocols"). Otherwise they will extend from the client protocols ("https.client.protocols"). For more information, go to the Mirth Connect download site and download the User Guide for Mirth® Connect by NextGen Healthcare, then look at the mirth.properties sec

Mirth® Connect by NextGen Healthcare User Guide

Default TLS/SSL Settings

The following properties can be set to modify the default TLS settings: Property Default Value Description https.client.protocols TLSv1.3,TLSv1.2 The protocols to support by default for all TLS/SSL/HTTPS client traffic. CAUTION: Changing this property could leave your server vulnerable to certain SSL-based attacks. Note: The SSL Manager enables you to adjust protocol settings on a per-connector basis, rather than having to change the value for the entire server. Note: TLSv1.3 is only available when running Mirth Connect on Java 11 or later. https.server.protocols TLSv1.3,TLSv1.2,SSLv2Hello The protocols to support by default for all TLS/SSL/HTTPS server traffic. CAUTION: Changing this property could leave your server vulnerable to certain SSL-based attacks. Note: The SSL Manager enables you to adjust protocol settings on a per-connector basis, rather than having to change the value for the entire server. Note: TLSv1.3 is only available when running Mirth Connect on Java 11 or later. ht

Mirth® Connect by NextGen Healthcare User Guide

3.1.1 Upgrade Notes

Due to the recent POODLE vulnerability, we have disabled SSLv3 for all of our relevant connectors and connections that use SSL. In case you are connecting to some legacy systems that require SSLv3, it is possible to re-enable SSLv3. In your mirth.properties file, you will find the following two properties: https.client.protocols = TLSv1.2,TLSv1.1,TLSv1https.server.protocols = TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello If you need to use SSLv3, simply add "SSLv3" into the comma separated list for the client or server protocols and restart your server. These two properties also allow you to configure exactly which SSL protocols you wish to use. Similarly, if you need to add or remove cipher suites, you can update the https.ciphersuites property in the mirth.properties file. Please note that if you are making HTTPS connections programmatically in JavaScript, you will still need to update your code accordingly in order to disable SSLv3. When upgrading to Mirth® Connect by NextGen Healthcare 3.1.1+ O

SSL Manager User Guide

Saving Changes

Once all necessary fields are complete, select OK on the SSL Settings window. In the Channel Tasks panel, select Save Changes, then deploy the channel. The connector automatically uses the configured SSL settings. You do not need to restart the Mirth® Connect by NextGen Healthcare server. Parent topic: Apply Destination Connector SSL Settings

Mirth® Appliance by NextGen Healthcare Deployment Guide, 4.1

Using the SSL Tunnels Service

Secure Sockets Layer (SSL) is a cryptographic protocol for providing secure communications over TCP/IP networks. Using SSL enables you to securely exchange messages over public networks such as the Internet. With the SSL Tunnels service, Mirth® Appliance by NextGen Healthcare you can accept SSL connections for any of the listener-based Mirth® Connect connector types such as HTTP, LLP/MLLP, SOAP, and TCP. You can also add SSL to the corresponding destination connectors. Inbound tunnels accept an SSL connection from a remote host and pass it to the listening port of a Mirth® Connect channel on the local system. Outbound tunnels listen on a local port for a Mirth® Connect destination connector, add an SSL layer to the connection, and pass it on to a specific remote host. Note: Consult your network administrators regarding setting up two-way SSL authentication. Select Services > SSL Tunnels to open the SSL Tunnel Management window, which shows all of the currently configured tunnels on the

Mirth® Connect by NextGen Healthcare User Guide

New Protocol/Cipher Suite Support in Java 11

Java 11 added support for TLS v1.3. This should be added to your supported protocols list in mirth.properties when you upgrade to version 3.7 or later. If you do not want to support TLS v1.3, you can remove that from the list. Java 11 also added support for new and more secure cipher suites. Upon upgrade to version 3.7 or later they should be automatically added. Check your mirth.properties file for these cipher suites: TLS_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 Parent topic: Secure Configuration

Enabled TLS/SSL Cipher Suites

Recommendations

Enabled TLS/SSL Protocols

Default TLS/SSL Settings

3.1.1 Upgrade Notes

Saving Changes

Using the SSL Tunnels Service

New Protocol/Cipher Suite Support in Java 11

Enabled TLS/SSL Protocols

Default TLS/SSL Settings

3.1.1 Upgrade Notes

Saving Changes

Using the SSL Tunnels Service

New Protocol/Cipher Suite Support in Java 11