Versions Compared

Old Version 1

changes.mady.by.user Aryn Wiebe

Saved on

compared with

New Version 2

changes.mady.by.user Aryn Wiebe

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

DRAFT

Protocols like HTTP, FTP, LLP, and SMTP may use TLS to encrypt communication. When using the various Network Client APIs in the Translator, TLS can be used.

General TLS configurations:

  1. One-way TLS. Only the client verifies the server’s certificate.

  2. Two-way Mutual TLS (mTLS). Both the client and the server authenticate each other’s certificates.

...

There are a few key parameters used to enable these TLS configurations:

  • verify_peer - Ensures that the server's certificate is valid and trusted by verifying it against a CA.

  • verify_host - Ensures that the server's certificate is specifically intended for the hostname you are connecting to.

  • ca_file - Optional, if you need to specify the path to a custom cafile.

  • cert - For mTLS, the client is required to provide a certificate to be verified by the server.

  • key - For mTLS, the client is required to use a private key to provide a signature proving that the client has the private key associated with the public certificate it presents.

API-specific Configuration:

The Network Client APIs have slightly different configuration parameters, choose the dropdown below to view the specific configurations and an example with each client API:

Expand
titleHTTPS - net.http

By default, the net.http.* client APIs are set to verify peer and verify host

ssl parameters can be passed as a table to the net.http.* client APIs.

Parameter

Description

Default

cert

The name of your certificate file.

cert_type

Your certificate's type: PEM (default) or DER.

PEM

key

The name of your private key file.

key_pass

The password to access your private key.

key_type

Your private key's type: PEM, DER, or ENG.

PEM

ssl_engine

The engine to use with 'key_type' ENG.

verify_peer

Ensures that the server's certificate is valid and trusted by verifying it against a CA.

true

verify_host

Ensures that the server's certificate is specifically intended for the hostname you are connecting to.

true

ca_file

The certificate(s) file to use for peer verification.

issuer_cert

The PEM certificate file to validate the issuer of the peer's certificate during peer validation.

crl_file

The name of the certificate revocation list to use during peer validation.

ssl_version

Use a particular SSL version(s). Possible values for ssl_version are tls-v1, tls-v1.1, tls-v1.2, tls-v1.3. See Overriding TLS Defaults.

Tries tls-v1.3 and then tls-v1.2.

cipher_list

Provide a list of ciphers in OpenSSL format to use. See Overriding TLS Defaults.

cipher_suite_list

Provide a list of TLSv1.3 cipher suites in OpenSSL format to use. See Overriding TLS Defaults.

Expand
titleFTP and FTPS - net.ftp and net.ftps

FTP and FTPS use one way TSL by default.

  • net.ftp.* as the The use_ssl parameter is set to 'try' (meaning optional) as default.

To use two-way mTLS, you can provide the following parameters:

Expand
titleFTPS - net.ftps

  • net.ftps.init used to initialize the connection. By default, the force_ssl parameter is true to use TLS.

To use two-way mTLS, you can provide the following parameters:

Expand
titleLLP over TLS - net.tcp

Also see Enable SSL for the HL7 Server.

...