| Info |
|---|
This is only affecting handful of clients as the majority is connecting to use over HSCN. |
Changes
We plan to add three new endpoints and deprecate the current one for Hl7.
| Tip |
|---|
This change only affects customers whom are connecting to our Hl7 API over the Public Internet and not using HSCN. |
New endpoints
Introduction of We plan to introduce three new endpoints on Port 443:
Deprecations
my.patientsknowbest.com:7443 is getting deprected.
Motivations/Goals
We want to tighten our security. Efforts we make on this front include:
deprecate/remove support for
ciphers and,Status colour Yellow title weak implement WAF.
We also want to use the standard 443port instead of the cutom 7443 we are currently using.
This is going to allow us to automate the server certificate rotation in a more standard way.
get a WAF in place and
use standard ports.
All new endpoints have WAF protection. Two out of the three new only accepts ciphers that are deemded as
| Status | ||||
|---|---|---|---|---|
|
| Status | ||||
|---|---|---|---|---|
|
Better support clients in the clould
We offer mtls.hl7.uk.patientsknowbest.com to those customers who moved to the cloud and can’t use static IPs when accessing our services. It is also our prefered setup for new customers.
Identity is still derived from client credentials and not the client certificate. mTLS in this scenario is only used to replace IP allow listing.
Improve security
Customers, who have
up-to-date client software toosl tools that support to the state of the art cipher suitssuites,
have static IPs that we can allow-list and
can’t allocate budget to implement mTLS in short term
can move to no-mtls.hl7.uk.patientsknowbest.com.
Backward compatibilty
deprecated-ciphers.no-mtls.hl7.uk.patientsknowbest.com is intended as a short term solution for customers whom are on ore out of date software systems hence still who are not as yet up to date with their software systems and still require support for using ciphers that are considered to be weak and cannot update their system in short term.
| Note |
|---|
We urge all our customers to get their systems up to date as it is a common best interest to exchange data as safely as possible. |
Standard ports
Using standard ports (443) will allow us to consolidate our server certificate management and fully automate the renewall process for all our endpoints.
Supported ciphers
my.patientsknowbest.com:7443 supports all ciphers in below table. The new endpoints are compared with this - now deprecated - endpoint.
Legend
supported,
not-supported,
might be supported, but our stats indicates that nobody is using it in production,‼️some customers are using it, but we cannot support these ciphers on the new endpoints.
*: not supported (for technical reasons)
Name (OpenSSL) | mtls | no-mtls | deprecated-ciphers.no-mtls | |||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||||
|
|
|
| ||||||||||
|
|
|
| |||||||
|
|
|
| ||||||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||||
|
|
|
| |||||||||
|
|
|
| |||||||||
|
|
|
| |||||||||
|
|
|
| ||||||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
| |||||||
|
|
|
|