We plan to add three new endpoints and deprecate the current one for Hl7.
This change only affects customers whom are connecting to our Hl7 API over the Public Internet and not using HSCN.
New endpoints
We plan to introduce three new endpoints on Port 443:
Deprecations
my.patientsknowbest.com:7443 is getting deprected.
Motivations/Goals
We want to tighten our security. Efforts we make on this front include:
deprecate/remove support for WEAK ciphers,
get a WAF in place and
use standard ports.
All new endpoints have WAF protection. Two out of the three new only accepts ciphers that are deemded as RECOMMEDED and SECURE by the industry, while the third provides backward compatilibity.
Better support clients in the clould
We offer mtls.hl7.uk.patientsknowbest.com to those customers who moved to the cloud and can’t use static IPs when accessing our services. It is also our prefered setup for new customers.
Identity is still derived from client credentials and not the client certificate. mTLS in this scenario is only used to replace IP allow listing.
Improve security
Customers, who have
up-to-date client software tools that support to state of the art cipher suits,
have static IPs that we can allow-list and
can’t allocate budget to implement mTLS in short term
can move to no-mtls.hl7.uk.patientsknowbest.com.
Backward compatibilty
deprecated-ciphers.no-mtls.hl7.uk.patientsknowbest.com is intended as a short term solution for customers who are not as yet up to date with their software systems and still require support for using ciphers that are considered to be weak.
We urge all our customers to get their systems up to date as it is a common best interest to exchange data as safely as possible.
Standard ports
Using standard ports (443) will allow us to consolidate our server certificate management and fully automate the renewall process for all our endpoints.
Supported ciphers
my.patientsknowbest.com:7443 supports all ciphers in below table. The new endpoints are compared with this - now deprecated - endpoint.
Legend
supported,
not-supported,
*
: not supported (for technical reasons)
Name (OpenSSL) | mtls | no-mtls | deprecated-ciphers.no-mtls | |
---|---|---|---|---|
RECOMMENDED | ||||
RECOMMENDED | ||||
RECOMMENDED | ||||
RECOMMENDED | ||||
RECOMMENDED | ||||
RECOMMENDED | ||||
SECURE | ||||
SECURE | ||||
SECURE | ||||
WEAK |
| |||
WEAK | ||||
WEAK | ||||
WEAK | ||||
WEAK | ||||
WEAK | ||||
WEAK |
| |||
WEAK | ||||
WEAK | ||||
WEAK | | |||
WEAK | | |||
WEAK | ||||
WEAK | ||||
WEAK | ||||
WEAK | ||||
WEAK | ||||
WEAK | ||||
WEAK | ||||
WEAK | ||||
WEAK | ||||
WEAK | ||||
WEAK | ||||
WEAK | ||||
WEAK |