PKB Production UK (HL7) Public

Status	Active
Last Updated	8th January, 2025
Version	2

This only applies to customers who are connecting to our Hl7 API over the Public Internet and not using HSCN.

Available endpoints on Port 443:

Deprecations

my.patientsknowbest.com:7443 is now deprecated.

Overview

All new endpoints have WAF protection. Two out of the three will only accepts ciphers that are deemed as recommeded and secure by the industry, while the third provides backward compatibility.

Better support clients in the clould

We offer mtls.hl7.uk.patientsknowbest.com to those customers who have moved to the cloud and can’t use static IPs when accessing our services. It is also our prefered setup for new customers.

Identity is still derived from client credentials and not the client certificate. mTLS in this scenario is only used to replace IP allow listing.

Security

Customers, who have

up-to-date client software tools that support the state of the art cipher suites,
have static IPs that we can allow-list and
can’t allocate budget to implement mTLS in short term

can move to no-mtls.hl7.uk.patientsknowbest.com.

Backward compatibilty

deprecated-ciphers.no-mtls.hl7.uk.patientsknowbest.com is intended as a short term solution for customers who are not as yet up to date with their software systems and still require support for using ciphers that are considered to be weak.

We urge all our customers to get their systems up to date as it is a common best interest to exchange data as safely as possible.

Standard ports

Using standard ports (443) allows us to consolidate our server certificate management and fully automate the renewall process for all our endpoints.

Supported ciphers

Legend

supported,
not-supported,
*: not supported (for technical reasons)

Name (OpenSSL)		mtls	no-mtls	deprecated-ciphers.no-mtls

Name (OpenSSL)		deprecated-ciphers.no-mtls
TLS_AES_128_GCM_SHA256	recommended
TLS_AES_256_GCM_SHA384	recommended
TLS_CHACHA20_POLY1305_SHA256	recommended
ECDHE-ECDSA-AES128-GCM-SHA256	recommended
ECDHE-ECDSA-AES256-GCM-SHA384	recommended
ECDHE-ECDSA-CHACHA20-POLY1305	recommended
ECDHE-RSA-AES128-GCM-SHA256	secure
ECDHE-RSA-AES256-GCM-SHA384	secure
ECDHE-RSA-CHACHA20-POLY1305	secure
ECDHE-ECDSA-AES128-SHA256	weak
ECDHE-ECDSA-AES256-SHA384	weak
ECDHE-RSA-AES128-SHA256	weak
ECDHE-RSA-AES256-SHA384	weak
AES128-SHA256	weak
AES256-SHA256	weak
ECDHE-ECDSA-AES128-SHA	weak
ECDHE-RSA-AES128-SHA	weak
ECDHE-RSA-AES256-SHA	weak
DHE-RSA-AES128-SHA256	weak	`*`
DHE-RSA-AES128-GCM-SHA256	weak	`*`
DES-CBC3-SHA	weak
EDH-RSA-DES-CBC3-SHA	weak
AES128-SHA	weak
DHE-RSA-AES128-SHA	weak
AES256-SHA	weak
DHE-RSA-AES256-SHA	weak
DHE-RSA-AES256-SHA256	weak
AES128-GCM-SHA256	weak
AES256-GCM-SHA384	weak
DHE-RSA-AES256-GCM-SHA384	weak
ECDHE-ECDSA-AES256-SHA	weak
ECDHE-ECDSA-DES-CBC3-SHA	weak
ECDHE-RSA-DES-CBC3-SHA	weak