Overview
Providers and Consumers are required to maintain a secure connection to the NRL and SSP.
The technical requirements that support this are detailed below.
Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols
Following consultation with the Infrastructure Security, Operational Security, and Spine DDC teams, the following SSL protocols MUST be supported.
- TLSv1.2
Note: Protocol versions SSLv2, SSLv3, TLSv1.0, and TLSv1.1 are not supported and MUST NOT be used. All consumer and provider systems MUST be configured to implement the protocol version TLSv1.2.
Supported Ciphers
Following consultation with the Infrastructure Security, Operational Security, and Spine DDC teams, the following ciphers MUST be supported.
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
ECDHE-RSA-AES256-SHA
Client Certificates (TLSMA)
Provider and consumer systems MUST only accept client certificates issued by the NHS Digital Deployment Issue and Resolution (DIR) team.
Provider and consumer systems MUST only accept client certificates with a valid Spine ‘chain of trust’ (that is, linked to the Spine SubCA and RootCA).
Provider and consumer systems MUST only accept client certificates that have not expired or been revoked.
Provider and consumer systems MUST verify that the FQDN presented in the client certificate is that of the Spine Secure Proxy (SSP).
The NHS Digital Deployment Issue and Resolution (DIR) team will be able to confirm this at the point at which EndPoint registration is required.
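The requirements above, sketched as a provider-side Python `ssl` configuration. This is an added example, not code from NHS Digital or the specification. The file-path parameters are hypothetical deployment inputs, and preferring DNS subjectAltName entries over the subject CN with exact matching only is an assumption of this example.

```python
import ssl

# Cipher names copied from the "Supported Ciphers" list (OpenSSL naming).
SPINE_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384", "DHE-RSA-AES256-SHA256",
    "DHE-RSA-AES256-SHA", "ECDHE-RSA-AES256-SHA",
]


def build_provider_context(ca_bundle=None, crl_file=None, cert=None, key=None):
    """Server-side context: TLSv1.2 only, listed ciphers, client cert required.

    All four paths are hypothetical deployment inputs. With no ca_bundle the
    context trusts no issuer, so every handshake fails closed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rejects SSLv3, TLSv1.0/1.1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # the page mandates TLSv1.2
    ctx.set_ciphers(":".join(SPINE_CIPHERS))
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain and validity dates are checked
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)  # Spine RootCA and SubCA only
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)  # CRL published by the issuer
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF  # reject a revoked leaf
    if cert and key:
        ctx.load_cert_chain(cert, key)  # this endpoint's own certificate
    return ctx


def peer_fqdns(peercert):
    """Names from SSLSocket.getpeercert(): DNS SANs, else the subject CN."""
    sans = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in peercert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def peer_is_ssp(peercert, expected_fqdn):
    """Exact, case-insensitive match; wildcards are deliberately not honoured."""
    want = expected_fqdn.rstrip(".").lower()
    return any(n.rstrip(".").lower() == want for n in peer_fqdns(peercert))
```

Call `peer_is_ssp(conn.getpeercert(), ssp_fqdn)` after the handshake and close the connection when it returns `False`; the value of `ssp_fqdn` is the one confirmed by the DIR team.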
External Documents/Policy Documents
Name | Author | Version | Updated |
Approved Cryptographic Algorithms Good Practice Guidelines | NHS Digital | v4.0 | |
Warranted Environment Specification (WES) | NHS Digital | v1.0 | |