The Hyland Message Engine is a service that securely forwards TCP traffic between two instances of the Message Engine. The two instances act as a bridge between local and remote systems, for example HL7 sending systems and listeners, forming the connections used to pass data between those systems over the Internet.
The Message Engine encrypts the TCP traffic as it is transmitted, and the corresponding Message Engine decrypts it on reception. The connection between the two Message Engines is secured with TLS and mutual authentication using X.509 certificates, so each side must present a certificate the other side trusts before any application data is forwarded.
The minimum supported TLS version is TLS 1.3. It is configured on the Windows host through the MinimumTlsVersion key in the NT service's settings.json file. Because the service relies on the operating system's TLS stack (Schannel), the host must run a Windows version that supports TLS 1.3 (Windows Server 2022 and Windows 11 or later); on older versions the handshake cannot complete regardless of this setting.
The cipher suite, hash algorithm, and key exchange used to protect Message Engine connections are deferred to the operating system's TLS implementation (Schannel). The exact cipher suite is determined during the handshake between client and server, as the TLS standard specifies. Microsoft maintains a default ordered list of enabled cipher suites for each Windows version, and the list can be modified through Group Policy. The cipher suite selected is the first entry in the list that both client and server support; if there is no match, the handshake fails and no connection is established.
- Default cipher selection for each OS version can be found here: https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel
- Custom Cipher Suite ordering can be configured via group policy from here: https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls
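The following PowerShell script is an added example, not part of Hyland's documentation or product, showing the check a practitioner would run on a Message Engine host before going live: list the cipher suites Schannel will actually offer (the list the handshake is negotiated from), report any Group Policy override, and then perform a TLS 1.3-only handshake to the peer Message Engine with the local client certificate to confirm which suite is negotiated. The host name, port, and certificate thumbprint are placeholders; the Message Engine's real listening port and certificate store location are whatever your deployment uses.

```powershell
# Added example (not Hyland's code): audit the Schannel cipher-suite order and
# confirm a TLS 1.3 mutual-auth handshake to a peer Message Engine.
# Requires PowerShell 7 on Windows (SslStream.NegotiatedCipherSuite is .NET Core 3.0+).
param(
    [string]$TargetHost = 'remote-message-engine.example.com',   # assumed placeholder
    [int]$Port = 5000,                                            # assumed placeholder
    [string]$ClientCertThumbprint = ''                            # thumbprint in Cert:\LocalMachine\My, optional
)

# 1. The cipher suites Schannel will offer, in priority order. The first entry
#    shared by both peers wins the handshake, so order matters as much as membership.
$suites = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
$tls13  = $suites | Where-Object { $_ -like 'TLS_AES_*' -or $_ -like 'TLS_CHACHA20_*' }
$weak   = $suites | Where-Object { $_ -match 'RC4|3DES|NULL|EXPORT|DES_CBC|MD5' }

"Enabled cipher suites ($($suites.Count)), in negotiation order:"
$suites | ForEach-Object { "  $_" }
if (-not $tls13) {
    Write-Warning 'No TLS 1.3 suites are enabled; a TLS 1.3-only Message Engine peer will fail the handshake.'
}
if ($weak) {
    Write-Warning "Legacy suites are still enabled (harmless for TLS 1.3, but worth removing): $($weak -join ', ')"
}

# 2. Group Policy override, if one is in force. This is the registry location the
#    'manage-tls' policy writes; 'Functions' is a comma-separated suite list.
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (Test-Path $gpoKey) {
    "Group Policy cipher-suite order in force: $((Get-ItemProperty -Path $gpoKey).Functions)"
} else {
    'No Group Policy cipher-suite order set; Windows default order applies.'
}

# 3. Live handshake restricted to TLS 1.3, presenting the client certificate the
#    Message Engine would use for mutual authentication. Any failure here is the
#    same failure the service would see: no shared suite, untrusted peer, or no TLS 1.3.
$clientCerts = [System.Security.Cryptography.X509Certificates.X509CertificateCollection]::new()
if ($ClientCertThumbprint) {
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$ClientCertThumbprint"
    [void]$clientCerts.Add($cert)
}

$tcp = $null
$ssl = $null
try {
    $tcp = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
    # leaveInnerStreamOpen = $false; default certificate validation (chain + hostname).
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient(
        $TargetHost,
        $clientCerts,
        [System.Security.Authentication.SslProtocols]::Tls13,
        $true)   # check certificate revocation
    "Handshake OK: $($ssl.SslProtocol) / $($ssl.NegotiatedCipherSuite)"
    "Peer certificate: $($ssl.RemoteCertificate.Subject)"
    if (-not $ssl.IsMutuallyAuthenticated) {
        Write-Warning 'Peer did not accept (or did not request) the client certificate; mutual authentication not established.'
    }
}
catch {
    Write-Warning "TLS 1.3 handshake to ${TargetHost}:${Port} failed: $($_.Exception.Message)"
}
finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Dispose() }
}
```

Run it on each Message Engine host against its peer. Step 1 and step 2 tell you what this side will offer and why; step 3 confirms the negotiated result end to end. If step 3 fails while step 1 shows TLS 1.3 suites enabled, look at the other side's cipher order or certificate trust rather than this host's configuration.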
See the following for descriptions of the different types of connections the Message Engine uses to pass traffic between systems: