HTTPS and CURLOPT_SSL_VERIFYPEER

Clovertech Forums Cloverleaf HTTPS and CURLOPT_SSL_VERIFYPEER

  • #119564
    Michael Burrows
    Participant

      We are implementing our first HTTPS interface, using Cloverleaf’s http protocol, to send realtime vaccination info to the state (Georgia).

      I didn’t quite know what I was doing, and the state couldn’t provide much help, but after consulting Cloverleaf’s Help files, I configured the thread to the best of my knowledge with:

      • the supplied endpoint
      • method: POST
      • the HTTPS box checked
      • Driver Mode: Message Driven
      • Query TPS: httpQuery {MSGUSE DATA}

      …this didn’t work initially. I received certificate errors. So I did a little research on the certificate error I received and found that I could get past it by setting cURL option “CURLOPT_SSL_VERIFYPEER” to 0.

      Now I am able to test the connection and get responses from the state. All the rest should be basic message configuration.

      But I am concerned that “CURLOPT_SSL_VERIFYPEER=0” has made us less secure… I am guessing because Cloverleaf is not contacting the issuing authority to verify the cert.

      Am I right in this assessment? Is there something else I am overlooking here? Do I need to configure Cloverleaf in some other way to contact the CA – maybe an entry in a file somewhere?

      Any advice would be much appreciated.

      Thanks!

      Michael Burrows

      • #119565
        Michael Burrows
        Participant

          I should have mentioned:

          We are on Cloverleaf 19.1 on an AIX 7.1 system.

        • #119566
          Charlie Bursell
          Participant

            See this and make your own conclusion

            https://curl.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html

            • #119567
              Michael Burrows
              Participant

                Thanks, Charlie.

                So the cert is not being validated with the CA when I use that option, as I guessed.

                Any ideas *how* I can make sure that Cloverleaf does it? I am pretty sure it’s not a problem with the state’s cert.

                Thanks,

                Michael

            • #119571
              Charlie Bursell
              Participant

                If you are sure their certs are OK, just go with it as you have it.

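The following is an added example, not code from this thread, from Cloverleaf or from libcurl. It uses Go's standard library so that it runs offline: the certificates, the two loopback servers and the "impostor" are all constructed for the demonstration, and `InsecureSkipVerify` plays the role of `CURLOPT_SSL_VERIFYPEER=0` while `RootCAs` plays the role of the CA bundle. It shows the three situations in the thread side by side: verification on but the issuing CA missing from the trust store (the certificate error in the original post), verification off (the connection "works", but so does a connection to any server holding any certificate), and verification on with the right CA supplied (the real server is accepted, the impostor is rejected).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// startServer mints a self-signed certificate for "localhost" (constructed in-process so the demo runs
// offline; not the real GRITS certificate), serves it on a loopback port and answers every client with
// one line. It returns the listener and the certificate a client would have to trust.
func startServer(greeting string) (net.Listener, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail: we just produced this DER
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { defer c.Close(); io.WriteString(c, greeting) }() // Write fails if the client rejects the handshake
		}
	}()
	return ln, leaf, nil
}

// Demo runs the client settings discussed in the thread against a legitimate server and an impostor
// presenting its own certificate for the same name; a nil error means the client accepted that server.
func Demo() (map[string]error, error) {
	legit, legitLeaf, err := startServer("real registry\n")
	if err != nil {
		return nil, err
	}
	defer legit.Close()
	impostor, _, err := startServer("attacker\n")
	if err != nil {
		return nil, err
	}
	defer impostor.Close()

	// Trust store holding the CA behind the real server's certificate: what CURLOPT_CAINFO /
	// CURLOPT_CAPATH (or the engine's CA bundle) should point at.
	trusted := x509.NewCertPool()
	trusted.AddCert(legitLeaf)
	noCA := &tls.Config{ServerName: "localhost", RootCAs: x509.NewCertPool()} // verify on, CA missing: the original error
	skip := &tls.Config{ServerName: "localhost", InsecureSkipVerify: true}    // CURLOPT_SSL_VERIFYPEER=0
	withCA := &tls.Config{ServerName: "localhost", RootCAs: trusted}          // the fix: verify on, right CA

	out := map[string]error{}
	try := func(name string, ln net.Listener, cfg *tls.Config) {
		conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), cfg)
		if err == nil {
			_, err = io.ReadAll(conn) // consume the greeting; the server closes after one line
			conn.Close()
		}
		out[name] = err
	}
	try("verify on, CA missing -> legitimate", legit, noCA)    // rejected: certificate signed by unknown authority
	try("VERIFYPEER=0 -> legitimate", legit, skip)             // accepted
	try("VERIFYPEER=0 -> impostor", impostor, skip)            // accepted too: nothing detects the man in the middle
	try("verify on, correct CA -> legitimate", legit, withCA)  // accepted
	try("verify on, correct CA -> impostor", impostor, withCA) // rejected: the impostor's cert is not from the trusted CA
	return out, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	for name, e := range res {
		fmt.Printf("%-40s accepted=%-5v %v\n", name, e == nil, e)
	}
}
```

In libcurl terms the fix is to leave CURLOPT_SSL_VERIFYPEER at 1 (and CURLOPT_SSL_VERIFYHOST at its default of 2) and point CURLOPT_CAINFO or CURLOPT_CAPATH at a bundle that contains the state's issuing CA chain; how Cloverleaf exposes those options is not covered in this thread, so check its documentation for the http protocol's cURL settings. Whichever component terminates TLS towards the state, the engine itself or a proxy in front of it, is the one that needs that trust store; turning verification off there has the same effect as turning it off in Cloverleaf.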
              • #119762
                Lisa Nanney
                Participant

                  Michael,

                  You probably have this figured out, but here’s some info in case anyone else runs into the same problem. When it happened to us, I searched Clovertech and didn’t find much info.

                  We have been sending vaccinations and history inquiries to GA DHEC (GRITS) for several years. Earlier this year, they updated their certs, of course not telling anyone. It caused problems on our end. We started getting errors. We contracted with Infor to get the certs loaded.

                  I’ve attached documentation that Infor gave me along with the config changes that I made.

                • #119764
                  Michael Burrows
                  Participant

                    Hi Lisa.

                    Thanks for the info!

                    Unfortunately I don’t think this solution will work for us because we don’t have a WS-Client protocol available (unless I am overlooking it somewhere). I think you may have either a more recent Cloverleaf install than us (19.1), or you have a Web Services add-on that we don’t have. I do recall them offering something like that to us at a hefty premium.

                    Nevertheless, we did find a good workaround of our own by using a regular http-client protocol combined with our web proxy server which lives in the DMZ.

                    We created a new http entry on our proxy server, which we can reach locally from Cloverleaf, which redirects to the GRITS https connection. In this way, we offload the security to our proxy server without having to do anything extra in Cloverleaf.

                    We haven’t finished implementing it yet, but we have had several successful tests and should have it implemented this summer.

                    Thanks again for the help. It’s good to make the acquaintance of another Cloverleaf user familiar with our struggles here in Georgia!

                    -Michael

                  • #119766
                    Michael Burrows
                    Participant

                      Did some more poking around and found the java/ws-client protocol which I think may be what you’re referencing there. Having never used that protocol and having little-to-no experience with Java, it would have never crossed my mind to use it and probably wouldn’t know how anyway. But hopefully your solution helps someone else.

                      Thanks again!

                      -Michael

                    • #119768
                      Lisa Nanney
                      Participant

                        Glad you found a solution. If you think you might want to try the ws-client, I can share the TCL procs for the SOAP wrapper. We only have one physician office in Georgia, so I pass the login parms. For SC DHEC, I use a table to fill in credentials for each practice registry.

                        Feel free to send me a direct email. Lisa.Nanney@anmedhealth.org

                      • #119771
                        Lisa Nanney
                        Participant

                          Michael,

                          Would you mind sharing your config screens for the http-client? We are starting to work with Agiliti Health to send ADTs. They want to use a RESTful https API, which we haven’t done. As you had mentioned, Infor doesn’t provide much help. Agiliti prefers API, but will use VPN, which we do a lot of. We may just require them to use VPN so that our other interface engineers can support it, but it would be helpful to see some netconfig screenshots for the https connection.

                        • #119772
                          Michael Burrows
                          Participant

                            Hi again, Lisa.

                            My attachment outlines the way we’re doing this. (HL7 -> SOAP MSG -> SOAP REPLY -> HL7)

                            Let me know if you have questions, suggestions, or feedback.

                          • #119774
                            Lisa Nanney
                            Participant

                              Thanks for your input. There is an option in netconfig, using the Process... Configure tabs at the top, to route replies to a different thread. See attached. Good luck with GA DHEC. I hope you have better luck than we do for patient matching. Their algorithm for patient matching is not very good. We had to turn off automatic reconciliation for query responses.

                            • #119776
                              Michael Burrows
                              Participant

                                Oh, wow. That’s good to know.

                                Process configuration is not where I would have thought something like that would be found.

                                Much appreciated!
