HTTPS and CURLOPT_SSL_VERIFYPEER

Homepage Clovertech Forums Cloverleaf HTTPS and CURLOPT_SSL_VERIFYPEER

  • Creator
    Topic
  • #119564
    Michael Burrows
    Participant

    We are implementing our first HTTPS interface, using Cloverleaf’s http protocol, to send realtime vaccination info to the state (Georgia).

    I didn’t quite know what I was doing, and the state couldn’t provide much help, but after consulting Cloverleaf’s Help files, I configured the thread to the best of my knowledge with:

    • the supplied endpoint
    • method: POST
    • the HTTPS box checked
    • Driver Mode: Message Driven
    • Query TPS: httpQuery {MSGUSE DATA}

    …this didn’t work initially. I received certificate errors. So I did a little research on the certificate error I received and found that I could get past it by setting cURL option “CURLOPT_SSL_VERIFYPEER” to 0.

    Now I am able to test the connection and get responses from the state. All the rest should be basic message configuration.

    But I am concerned that “CURLOPT_SSL_VERIFYPEER=0” has made us less secure… I am guessing because Cloverleaf is not contacting the issuing authority to verify the cert.

    Am I right in this assessment? Is there something else I am overlooking here? Do I need to configure Cloverleaf in some other way to contact the CA – maybe an entry in a file somewhere?

    Any advice would be much appreciated.

    Thanks!

    Michael Burrows

Viewing 10 reply threads
  • Author
    Replies
    • #119565
      Michael Burrows
      Participant

      I should have mentioned:

      We are on Cloverleaf 19.1 on an AIX 7.1 system.

    • #119566
      Charlie Bursell
      Participant

      See this and make your own conclusion

      https://curl.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html

       

      • #119567
        Michael Burrows
        Participant

        Thanks, Charlie.

        So the cert is not being validated with the CA when I use that option, as I guessed.

        Any ideas *how* I can make sure that Cloverleaf does it? I am pretty sure it’s not a problem with the state’s cert.

        Thanks,

         

        Michael

    • #119571
      Charlie Bursell
      Participant

      If you are sure their certs are OK just go with it as you have it.

    • #119762
      Lisa Nanney
      Participant

      Michael,

      You probably have this figured out, but here’s some info in case anyone else runs into the same problem.  When it happened to us, I searched Clovertech and didn’t find much info.

      We have been sending vaccinations and history inquiries to GA DHEC (GRITS) for several years.  Earlier this year, they updated their certs of course not telling anyone.  It caused problems on our end.  We started getting errors.  We contracted with Infor to get the certs loaded.

      I’ve attached documentation that Infor gave me along with the config changes that I made.

      Attachments:
      You must be logged in to view attached files.
    • #119764
      Michael Burrows
      Participant

      Hi Lisa.

      Thanks for the info!

      Unfortunately I don’t think this solution will work for us because we don’t have a WS-Client protocol available (unless I am overlooking it somewhere). I think you may have either a more recent Cloverleaf install than us (19.1), or you have a Web Services add-on that we don’t have. I do recall them offering something like that to us at a hefty premium.

      Nevertheless, we did find a good workaround of our own by using a regular http-client protocol combined with our web proxy server which lives in the DMZ.

      We created a new http entry on our proxy server, which we can reach locally from Cloverleaf, which redirects to the GRITS https connection. In this way, we offload the security to our proxy server without having to do anything extra in Cloverleaf.

      We haven’t finished implementing it yet, but we have had several successful tests and should have it implemented this summer.

      Thanks again for the help. It’s good to make the acquaintance of another Cloverleaf user familiar with our struggles here in Georgia!

      -Michael

    • #119766
      Michael Burrows
      Participant

      Did some more poking around and found the java/ws-client protocol which I think may be what you’re referencing there. Having never used that protocol and having little-to-no experience with Java, it would have never crossed my mind to use it and probably wouldn’t know how anyway. But hopefully your solution helps someone else.

      Thanks again!

      -Michael

    • #119768
      Lisa Nanney
      Participant

      Glad you found a solution.   If you think you might want to try the ws-client,  I can share the TCL procs for the soap wrapper.  We only have one physician office in Georgia so I pass the login parms.  For SC DHEC, I use a table to fill in credentials for each practice registry.

      Feel free to send me a direct email. Lisa.Nanney@anmedhealth.org

    • #119771
      Lisa Nanney
      Participant

      Michael,

      Would you mind sharing your config screens for the http-client?  We are starting to work with Agiliti Health to send ADTs.  They want to use a RESTful https API which we haven’t done.  As you had mentioned, Infor doesn’t provide much help.  Agiliti prefers API, but will use VPN which we do a lot of.  We may just require them to use VPN so that our other interface engineers can support it, but it would be helpful if to see some netconfig screen shots for the https connection.

    • #119772
      Michael Burrows
      Participant

      Hi again, Lisa.

      My attachment outlines the way we’re doing this. (HL7 -> SOAP MSG -> SOAP REPLY -> HL7)

      Let me know if you have questions, suggestions, or feedback.

      Attachments:
      You must be logged in to view attached files.
    • #119774
      Lisa Nanney
      Participant

      Thanks for your input.  There is an option in netconfig using Process.. configure tabs at the top to route replies to a different thread.  See attached.  Good luck with GA DHEC.  I hope you have better luck than we do for patient matching.  Their algorithm for patient matching is not very good.  We had to turn off automatic reconciliation for query responses.

      Attachments:
      You must be logged in to view attached files.
    • #119776
      Michael Burrows
      Participant

      Oh, wow. That’s good to know.

      Process configuration is not where I would have thought something like that would be found.

      Much appreciated!

Viewing 10 reply threads
  • You must be logged in to reply to this topic.

Forum Statistics

Registered Users
4,978
Forums
28
Topics
9,052
Replies
33,408
Topic Tags
238