Todd Johnson · Mar 2, 2017

TLS Cipher Suite selection

Our client is a test out of 2016.1 (Build 656U) Healthshare that wants to do a one way SSL connection to our Java 1.7/Tomcat 8.0 server.  We have yet to come up with a secure cipher set that Healthshare and Java agree on for the handshake.  So far we've had to use these ciphers identified which are not recommended (though it does do a handshake properly).  Our definition of "secure cipher set" comes from this best practices section 2.3 and ideally we'd like to use the ciphers identified.  Are any of these available in HealthShare 2016+?

Our setup:  In Healthshare, we have an SSL/TLS configuration setup that sets a Client type, points to a trusted CA certificate, set for TLSv1.0, TLSv1.1, and TLSv1.2 protocols, and enables these ciphers:  ALL:!aNULL:!eNULL:!EXP:!SSLv2.  With the weaker ciphers selected, we establish handshake successfully.


0 856
Discussion (1)0
Log in or sign up to continue

SSL support in Healthshare uses the OpenSSL library.  Which version of the library you have will depend on your exact maintenance kit.  For example: 2016.1.0 has openssl 1.0.1p, 2016.1.1 has 1.0.1t, and 2016.1.2 has 1.0.2h.

You can see which ciphers your version supports by running the following command in the bin directory of your install:

./openssl ciphers ALL

On my install of 2016.1.0 the first cipher listed when I do this is ECDHE-RSA-AES256-GCM-SHA384, which is on your list of preferred ciphers.

If adding less secure ciphers to the list in Healthshare is making your connection work, then I suspect the problem is in the ciphers the other side supports.  You could try to confirm or deny this by looking at the SSL handshake with a tool like Wireshark.