Mirth HL7 and SSL support

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Mirth HL7 and SSL support

Hi there,

My company has recently undertaken a project to integrate with Rhapsody in order to exchange HL7 2 ADT messages. These messages are sent over MLLP on an SSL encrypted channel. We have bought the SSL Manager component to make our lives easier. So here is the setup:

1. On our mirth box we have a single client certificate installed that will be used when we initiate a connection to the rhapsody server
2. In the public certificates section we have installed the public component of the root and intermediate certificates used to sign the rhapsody certificate
3. In SSL settings we have the following:
   • Server Certificate Validation: Enabled
   • Trusted server certificates: The two mentioned above
   • Hostname Validation: Disabled (on the test box we only have IP addresses, not fully qualified domain names)
   • My Client Certificate: The client certificate installed above
   • Enabled Protocols: TLSv1, TLSv1.1, TLSv1.2
   • Enabled Cipher Suites: Server default: 50 enabled

So everything looks good as far as I can tell; however, when we attempt to send a message we immediately get the following error in the logs: "SSLProtocolException: Handshake message sequence violation, 1".

Has anyone encountered this before or could give an educated guess as to what the root issue may be?

#2
Did you make sure to import your client certificate head into the truststore of the remote server? Are you 100% sure that the remote server requires mutual authentication?

Also, maybe the server is one of those badly implemented TLSv1 servers where forward compatibility doesn't work correctly. Maybe try setting the protocols to only enable TLSv1 and see if that works.

If none of that works, set the properties back to what you had, take a network capture, and post it here.
Step 1: JAVA CACHE...DID YOU CLEAR ...wait, ding dong the witch is dead?

Nicholas Rupley
Work: 949-237-6069
Always include what Mirth Connect version you're working with. Also include (if applicable) the code you're using and full stacktraces for errors (use CODE tags). Posting your entire channel is helpful as well; make sure to scrub any PHI/passwords first.

- How do I foo?
- You just bar.
#3
Thanks for the quick reply. Unfortunately I don't have direct access to the rhapsody server as that is managed by another party. I will relay your questions to them and see what they say.

After a little more testing I did notice in the log that we occasionally did manage to establish a connection but mirth rejected it because the server did not present a certificate.

It's looking more and more like a protocol mismatch.
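To make the suggested network capture easier to read, here is an added example (not code from the thread, from Mirth Connect or from Rhapsody) that walks the server's first TLS handshake flight from raw record bytes, such as the TLS payload exported from a Wireshark capture, lists the handshake messages in the order the server sent them, and flags the two points raised above: whether the server presented a Certificate and whether it sent a CertificateRequest (mutual authentication). The two sample flights are constructed for the example, not taken from any real capture.

```python
import struct

# TLS record and handshake constants (RFC 5246, sections 6.2 and 7.4)
HANDSHAKE_RECORD = 22
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
TLS_VERSIONS = {0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
# Order the server's first flight must follow; messages may be omitted but never reordered
SERVER_FLIGHT_ORDER = ["ServerHello", "Certificate", "ServerKeyExchange",
                       "CertificateRequest", "ServerHelloDone"]

def parse_handshake_messages(data):
    """Return (record version, [handshake message names]) from raw TLS record bytes.
    Handshake messages may be packed into or split across records, so all
    handshake fragments are concatenated before the messages are walked."""
    fragments, version, off = bytearray(), None, 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        if ctype == HANDSHAKE_RECORD:
            version = version or ver
            fragments += data[off:off + length]
        off += length
    names, off = [], 0
    while off + 4 <= len(fragments):
        htype = fragments[off]
        hlen = int.from_bytes(fragments[off + 1:off + 4], "big")
        names.append(HANDSHAKE_TYPES.get(htype, "unknown(%d)" % htype))
        off += 4 + hlen
    return TLS_VERSIONS.get(version, hex(version) if version else None), names

def diagnose_server_flight(names):
    """Findings a troubleshooter looks for in the server's first flight."""
    findings = []
    if "Certificate" not in names:
        findings.append("server presented no Certificate")
    if "CertificateRequest" not in names:
        findings.append("server did not request a client certificate (no mutual auth)")
    if names != [m for m in SERVER_FLIGHT_ORDER if m in names]:
        findings.append("unexpected handshake sequence: " + " -> ".join(names))
    return findings

# Constructed sample flights (assumed bytes, not from any real capture)
def _hs(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body
def _rec(payload, ver=0x0303):
    return struct.pack("!BHH", HANDSHAKE_RECORD, ver, len(payload)) + payload
SERVER_HELLO = _hs(2, b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")
# Flight 1: ServerHello and ServerHelloDone only, no Certificate at all
FLIGHT_NO_CERT = _rec(SERVER_HELLO + _hs(14, b""))
# Flight 2: full mutual-auth flight, split over two records
FLIGHT_MUTUAL = _rec(SERVER_HELLO) + _rec(_hs(11, b"\x00\x00\x00") + _hs(13, b"\x00") + _hs(14, b""))
```

Run `parse_handshake_messages` on each flight and pass the names to `diagnose_server_flight`; the first flight is reported as presenting no certificate, the second as a normal mutual-authentication flight.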
#4
Even if you don't have control over the remote server, you should still be able to take a network capture (e.g. with Wireshark) on the client side. You'll be able to see the TLS handshake.
#5
I have experience with Rhapsody SSL connections. They have a very granular configuration and you really need to dot all the I's and cross all the T's. This is really going to be a joint effort if you don't have access to the Rhapsody server. I second the use of Wireshark for troubleshooting an issue like this. Without it you're shooting in the dark; with it you're at least shooting in a dimly lit room.