Mirth HL7 and SSL support - Mirth Community

#1 ServelecABSE, 01-14-2017, 05:30 AM
Mirth HL7 and SSL support

Hi there,

My company has recently undertaken a project to integrate with Rhapsody in order to exchange HL7 2 ADT messages. These messages are sent over MLLP on an SSL encrypted channel. We have bought the SSL Manager component to make our lives easier. So here is the setup:

1. On our Mirth box we have a single client certificate installed that will be used when we initiate a connection to the Rhapsody server
2. In the public certificates section we have installed the public component of the root and intermediate certificates used to sign the Rhapsody certificate
3. In SSL settings we have the following
  • Server Certificate Validation: Enabled
  • Trusted server certificates: The two mentioned above
  • Hostname Validation: Disabled (on the test box we only have IP addresses not fully qualified domain names)
  • My Client Certificate: The client certificate installed above
  • Enabled Protocols: TLSv1, TLSv1.1, TLSv1.2
  • Enabled Cipher Suites: Server default: 50 enabled

So everything looks good as far as I can tell; however, when we attempt to send a message we immediately get the following error in the logs: "SSLProtocolException: Handshake message sequence violation, 1".

Has anyone encountered this before or could give an educated guess as to what the root issue may be?

#2 narupley (Mirth Employee), 01-14-2017, 09:22 AM

Did you make sure to import your client certificate head into the truststore of the remote server? Are you 100% that the remote server requires mutual authentication?

Also, maybe the server is one of those badly implemented TLSv1 servers where forward compatibility doesn't work correctly. Maybe try setting the protocols to only enable TLSv1 and see if that works.

If none of that works, set the properties back to what you had, take a network capture, and post it here.
__________________
Step 1: JAVA CACHE...DID YOU CLEAR ...wait, ding dong the witch is dead?

Nicholas Rupley
Work: 949-237-6069
Always include what Mirth Connect version you're working with. Also include (if applicable) the code you're using and full stacktraces for errors (use CODE tags). Posting your entire channel is helpful as well; make sure to scrub any PHI/passwords first.


- How do I foo?
- You just bar.

#3 ServelecABSE, 01-15-2017, 04:22 AM

Thanks for the quick reply. Unfortunately I don't have direct access to the Rhapsody server as that is managed by another party. I will relay your questions to them and see what they say.

After a little more testing I did notice in the log that we occasionally did manage to establish a connection but Mirth rejected it because the server did not present a certificate.

It's looking more and more like a protocol mismatch.

#4 narupley (Mirth Employee), 01-16-2017, 06:23 AM

Even if you don't have control over the remote server, you should still be able to take a network capture (e.g. with Wireshark) on the client side. You'll be able to see the TLS handshake.

#5 dharding, 01-16-2017, 09:38 AM

I have experience with Rhapsody SSL connections. They have a very granular configuration and you really need to dot all the I's and cross all the T's. This is really going to be a joint effort if you don't have access to the Rhapsody server. I second the use of Wireshark for troubleshooting an issue like this. Without it you're shooting in the dark, with it you're at least shooting in a dimly lit room.
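
What a client-side capture can settle for the questions raised in this thread (which protocol version the server picked, whether it presented a certificate, and whether it asks for a client certificate), as an added Python example that is not part of any post above. It assumes the server-to-client bytes of one connection have been exported raw from the capture; `handshake_messages` and `diagnose` are names chosen here, the sample bytes are constructed, and only the plaintext part of a TLS 1.0 to 1.2 handshake is parsed.

```python
import struct

# Handshake message types for TLS 1.0-1.2 (RFC 5246, section 7.4).
TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello",
         11: "certificate", 12: "server_key_exchange", 13: "certificate_request",
         14: "server_hello_done", 15: "certificate_verify",
         16: "client_key_exchange", 20: "finished"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def handshake_messages(stream):
    """Parse one direction of a TCP stream; return (message names, ServerHello version)."""
    payload, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _rec_version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype != 22:  # alert or change_cipher_spec: plaintext handshake ends here
            break
        payload += stream[pos + 5:pos + 5 + length]  # messages may span records
        pos += 5 + length
    names, version, pos = [], None, 0
    while pos + 4 <= len(payload):
        mtype = payload[pos]
        mlen = int.from_bytes(payload[pos + 1:pos + 4], "big")
        body = payload[pos + 4:pos + 4 + mlen]
        if len(body) < mlen:  # capture was cut off mid-message
            break
        names.append(TYPES.get(mtype, "unknown(%d)" % mtype))
        if mtype == 2 and mlen >= 2:  # ServerHello starts with the chosen version
            version = VERSIONS.get(int.from_bytes(body[:2], "big"), "unknown")
        pos += 4 + mlen
    return names, version

def diagnose(server_stream):
    names, version = handshake_messages(server_stream)
    return {"negotiated_version": version,
            "server_sent_certificate": "certificate" in names,
            "server_requests_client_cert": "certificate_request" in names,
            "sequence": names}

# Constructed sample bytes (not from a real capture); bodies are placeholders.
def _msg(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _record(payload):
    return struct.pack("!BHH", 22, 0x0301, len(payload)) + payload

NO_CERT = _record(_msg(2, b"\x03\x01" + bytes(36)) + _msg(14, b""))
_full = (_msg(2, b"\x03\x03" + bytes(36)) + _msg(11, bytes(3))
         + _msg(13, b"\x01\x01\x00\x00") + _msg(14, b""))
MUTUAL = _record(_full[:45]) + _record(_full[45:])  # Certificate split across records
```

`diagnose(NO_CERT)` models a server that sends no Certificate message, and `diagnose(MUTUAL)` one that requests a client certificate; an empty `sequence` means the first record was not a handshake record (for example an alert).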

Tags
certificate, hl7, mllp, ssl
