Starting with stunnel... #6178
At a customer of ours, we need to manage https connections in Mirth Connect (4.4.2), and after some googling it looks like stunnel https://www.stunnel.org/ may be a good tool to use. Actually I am looking for some insight here:
Since I am entirely new to implementing and managing https connections in Mirth Connect, any valuable information that would help me along will be greatly appreciated. Thanks!
Replies: 4 comments
Take a look at this: https://github.com/pacmano1/mirthstunnel Do you use a Windows or a Linux system?
There are options and choices. I've done my best to curate a listing here and explain a decision-making process for which one to use. In my opinion, all of the Mirth SSL options are useful and valid; there is no best choice overall. Each one is a trade-off of time, money, and area of expertise. https://gist.github.com/jonbartels/8abd121901eb930f46245d9ef0f5710e
Firstly - your choice of TLS management often depends on the direction of your connection, i.e. are you calling endpoints only? Are you standing up your own secure listeners? Secondly - is this for one server? Dozens of servers? What is often missed in this question and answers is the fact that the NextGen TLS plugin also comes with other valuable plugins:
As for the mirthstunnel stuff linked above (which I wrote), yes, it works fine, but at some point I need to refactor it. @jonbartels' article omits AWS ALBs (for https) and AWS NLBs (for TCP TLS), which are an option. This is TLS termination like haproxy or nginx. If standing up https listeners, there are some real advantages to something like an AWS ALB and haproxy. The former can auto-renew certificates and apply them. Haproxy coupled with certbot/ACME can do the same thing. However, your organization must assess whether an unencrypted connection between the load balancer and Mirth itself is OK when using a proxy.
Sorry, forgot all about this post since it is no longer relevant... but thanks @jonbartels, @JoeFox82 and @pacmano1 for taking the time and effort to reply.