4.3.0 Upgrade Guide

Peter Ladesma edited this page Mar 15, 2023 · 12 revisions

Added New Functionality to the Mirth Connect Setup Wizard (Installation Process)

We added new features to the Mirth Connect Setup Wizard that include, but are not limited to, the following:

  1. We added more information on the screens with links to the What's New, Upgrade Guide, and documentation. This helps users understand what options to enter on the screens.
  2. We added the ability to install your extensions at the time Mirth Connect is installed or upgraded. This simplifies the process so that users no longer have to install extensions manually and restart the service.
  3. We added the ability to enter your license key for extensions. This will default to the license.key value from your mirth.properties file during an upgrade.
  4. We added our new logo and a list of each dialog screen so that users know exactly where they are in the process.

Resource Classloaders Now Load Classes Child-First By Default

Resources now load classes "child-first" instead of "parent-first" by default. In cases where a resource uses a class that is already included with Mirth Connect (for example a PostgreSQL driver), previously the class from the parent classloader was loaded instead of the custom class that the user wanted to use. By loading "child-first" now, users can achieve the desired behavior.

If you still need to load "parent-first", you can enable the "Load Parent-First" option on individual resources.

Updated Deprecated Docker Base Images

The OpenJDK and AdoptOpenJDK base images were deprecated, so we now build Mirth Connect with the eclipse-temurin image instead. If you were customizing your Mirth Connect Docker containers, you may need to update your configuration to be compatible with eclipse-temurin. Additionally, all images are now built using Java 17.

Encryption Settings

The default encryption algorithm has been updated from AES to AES/CBC/PKCS5Padding. In addition, before being encrypted, strings will be encoded using UTF-8 instead of the JVM default charset.

  • If you did not already have encryption.algorithm overridden in mirth.properties, then no action is required. Any newly encrypted data will use the new default algorithm, and old encrypted data can still be decrypted (using the old default algorithm).

  • If you had encryption.algorithm overridden and set to AES, then you should consider updating that, for example to AES/CBC/PKCS5Padding or AES/GCM/NoPadding. Mirth Connect will warn you on startup with this message as well. Support for AES (without any mode/padding specified) will be removed in a future version.

TLS Cipher Suites

Default TLS cipher suites have been updated. Weaker, potentially exploitable cipher suites have been disabled as a best practice.

Cipher Suites

The following cipher suites have been disabled:

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA

If you had previously updated https.ciphersuites in mirth.properties, you will see an https.ciphersuites.old property which contains your previous values. If you had not updated https.ciphersuites, then it will have been updated to remove the cipher suites above.

Impact

If any of your connectors, whether connecting to external servers or allowing clients to connect, were using these older cipher suites, they may fail a TLS handshake after upgrading to 4.3.0.

Resolution

If you encounter a TLS handshake error after upgrading, it is best to let the external entity know they need to switch to a more secure cipher suite.

If this is not possible:

SSL Manager Options

If you are using the SSL Manager commercial extension, you can select a weaker cipher suite for the connector(s) which need to allow these weaker legacy cipher suites.

Server Wide Options

If you are not using the SSL Manager commercial extension, you can manually add back any of the cipher suites removed above to your https.ciphersuites property (in mirth.properties) to restore previous, less secure, behavior for all of your connectors.
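A post-upgrade check covering both the Encryption Settings and TLS Cipher Suites sections above, as an added example that is not part of Mirth Connect: it reads mirth.properties text and reports a bare AES override, disabled suites that are active again, and disabled suites that the pre-upgrade list allowed. The function names and the sample file are constructed for illustration, the parser is simplified, and https.ciphersuites is assumed to be a comma-separated list.

```python
import re

# The 17 suites this page lists as disabled in 4.3.0.
DISABLED = frozenset("""
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA
""".split())

def parse_properties(text):
    """Simplified .properties reader: key=value or key:value, no line continuations."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#!":
            parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
            if len(parts) == 2:
                props[parts[0]] = parts[1]
    return props

def suites(props, key):
    # Assumption: the property holds a comma-separated list of suite names.
    return {s.strip() for s in props.get(key, "").split(",") if s.strip()}

def audit(text):
    props = parse_properties(text)
    current = suites(props, "https.ciphersuites")
    previous = suites(props, "https.ciphersuites.old")
    return {
        # Explicit override with no mode/padding: the case the startup warning covers.
        "bare_aes_override": props.get("encryption.algorithm", "").upper() == "AES",
        # Disabled suites present in the active list (re-added server-wide).
        "weak_suites_enabled": sorted(current & DISABLED),
        # Allowed before the upgrade, gone now: peers limited to these may fail the handshake.
        "weak_suites_dropped": sorted((previous & DISABLED) - current),
    }

SAMPLE = """\
# constructed sample, not taken from a real server
encryption.algorithm = AES
https.ciphersuites = TLS_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256
https.ciphersuites.old = TLS_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA
"""

if __name__ == "__main__":
    for name, value in audit(SAMPLE).items():
        print(f"{name}: {value}")
```

An empty result for all three keys means the file matches the 4.3.0 defaults described on this page; anything under weak_suites_enabled is a deliberate downgrade that applies to every connector.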

Removed the View User Guide Option

We removed the View User Guide option from the Other menu. The Help option will continue to navigate to docs.nextgen.com to allow access to our new online documentation tool.

Administrator Launcher

Mirth Connect 4.3.0 is signed with an updated certificate, so you will need to update the Administrator Launcher to the latest version, 1.3.1, to avoid seeing security warnings.
