DICOM TLS issue


Thanasis Iliopoulos

Jun 23, 2021, 7:16:05 AM
to Orthanc Users
Hi all!

I am trying to configure Orthanc (1.9.3) to use DICOM TLS as it is described in the relevant section of the documentation:


As a first step I am trying to implement the "Secure TLS connections without certificate" configuration which looks simpler.

I have created a self-signed certificate for orthanc:
  • openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout orthanc_local.key -out orthanc_local.crt -subj "/C=GR/CN=localhost"

And in my orthanc.json configuration file, I have the following settings:
...
"DicomTlsEnabled" : true,
"DicomTlsCertificate" : "C:\Program Files (x86)\Orthanc Server\Configuration\orthanc_local.crt",
"DicomTlsPrivateKey" : "C:\Program Files (x86)\Orthanc Server\Configuration\orthanc_local.key",
  **/
"DicomTlsTrustedCertificates" : "C:\Program Files (x86)\Orthanc Server\Configuration\orthanc_local.crt",
"DicomTlsRemoteCertificateRequired" : false,
...

However, when I try to start the orthanc service, I am getting the following error:
E0623 14:14:03.643885 OrthancException.cpp:57] Parameter out of range: DICOM TLS is enabled in Orthanc SCP, but no certificate was provided
E0623 14:14:03.646910 ServerContext.cpp:431] INTERNAL ERROR: ServerContext::Stop() should be invoked manually to avoid mess in the destruction order!
I0623 14:14:03.753258 JobsEngine.cpp:288] (jobs) Stopping the jobs engine
W0623 14:14:03.851704 JobsEngine.cpp:312] The jobs engine has stopped
I0623 14:14:04.055110 ServerIndex.cpp:319] Stopping the database flushing thread
I0623 14:14:04.055110 ServerIndex.cpp:502] Closing the monitor thread for stable resources
E0623 14:14:04.071853 main.cpp:1999] Uncaught exception, stopping now: [Parameter out of range] (code 3)
W0623 14:14:04.076195 main.cpp:2030] Orthanc has stopped

I am attaching the entire orthanc.json config file for your reference.
orthanc.json

Sébastien Jodogne

Jun 23, 2021, 7:26:18 AM
to Orthanc Users
Hello,

After a quick read of your "orthanc.json", I see two problems:

- Your options "DicomTlsCertificate", "DicomTlsPrivateKey" and "DicomTlsTrustedCertificates" are all enclosed in comments (from "/**" to "**/"), so they are not taken into consideration by Orthanc.
- In JSON, you must escape the backslashes (i.e. double them): Replace "\" by "\\".

Sébastien-
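The two problems above (TLS options swallowed by a /** ... **/ comment, and single backslashes in Windows paths, which JSON reads as escape sequences) are easy to lint for before restarting the service. The following checker is an added example, not code from Orthanc or from this thread; the two config snippets are constructed to mirror the posted file, before and after the fix.

```python
import json
import re

# Constructed sample shaped like the posted orthanc.json: TLS options inside a comment, paths unescaped.
BROKEN_CONFIG = r'''{ "DicomTlsEnabled" : true,
  /**
  "DicomTlsCertificate" : "C:\Program Files (x86)\Orthanc Server\Configuration\orthanc_local.crt",
  "DicomTlsPrivateKey" : "C:\Program Files (x86)\Orthanc Server\Configuration\orthanc_local.key",
  **/
  "DicomTlsRemoteCertificateRequired" : false }'''

# Same options after applying both fixes: comment removed, every backslash doubled (constructed).
FIXED_CONFIG = r'''{ "DicomTlsEnabled" : true,
  "DicomTlsCertificate" : "C:\\Program Files (x86)\\Orthanc Server\\Configuration\\orthanc_local.crt",
  "DicomTlsPrivateKey" : "C:\\Program Files (x86)\\Orthanc Server\\Configuration\\orthanc_local.key",
  "DicomTlsRemoteCertificateRequired" : false }'''

TLS_KEYS = ("DicomTlsCertificate", "DicomTlsPrivateKey")   # options Orthanc needs once TLS is on
VALID_ESCAPES = set('"\\/bfnrtu')                          # the only characters JSON allows after "\"

def strip_comments(text):
    """Drop /* ... */ comments, which Orthanc strips before parsing its JSON."""
    return re.sub(r"/\*.*?\*/", "", text, flags=re.S)

def bad_escapes(text):
    """Return the backslash sequences inside string literals that JSON rejects."""
    found = []
    for m in re.finditer(r'"((?:[^"\\\n]|\\.)*)"', text):
        body, i = m.group(1), 0
        while i < len(body):
            if body[i] == "\\" and body[i + 1:i + 2] not in VALID_ESCAPES:
                found.append(body[i:i + 2])
            i += 2 if body[i] == "\\" else 1
    return found

def check_config(text):
    """Return the problems found; an empty list means Orthanc will accept the file."""
    problems = []
    bad = bad_escapes(text)
    if bad:
        problems.append(f"{len(bad)} unescaped backslash(es), e.g. {bad[0]!r}: write \\\\")
    uncommented = strip_comments(text)
    problems += [f"{k} is inside a comment and is ignored"
                 for k in TLS_KEYS if k in text and k not in uncommented]
    try:
        cfg = json.loads(uncommented)
    except json.JSONDecodeError as e:
        return problems + [f"invalid JSON after removing comments: {e.msg}"]
    if cfg.get("DicomTlsEnabled") and not all(k in cfg for k in TLS_KEYS):
        problems.append("DicomTlsEnabled is true but no certificate/key option is set")
    return problems
```

Running check_config(BROKEN_CONFIG) reports the unescaped paths, the two commented-out options and the resulting "TLS enabled but no certificate" state that matches the error in the first post; check_config(FIXED_CONFIG) returns an empty list.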

Thanasis Iliopoulos

Jun 24, 2021, 5:46:49 AM
to Orthanc Users
Hi Sebastien,

So I have now configured my local Orthanc for "Secure TLS connections without certificate" as described in the document (orthanc.json re-attached). I am using version 1.9.3 32-bit to be able to have more info in the log.

To test it, I am using as a client the dcm4che storescu tool: https://github.com/dcm4che/dcm4che/tree/master/dcm4che-tool/dcm4che-tool-storescu

I am trying to also disable "certificate verification" on the storescu side by setting its --tls-noauth parameter (disable client authentication for TLS); from what I understand this is similar to dcmtk's --anonymous-tls option on the client side. But I am not really sure about that. I assume this is not working, since I test it with the following command (so I am not using any trust-store and I just set the --tls-noauth parameter):
  • storescu -c ORTHANC@localhost:4242 --tls-cipher TLS_RSA_WITH_AES_128_CBC_SHA --ssl2Hello --key-store dicom\dicomrouter_local_keystore.jks --key-pass dicomrouter  --key-store-pass dicomrouter --tls-noauth dicom\1.dcm
And this is what I get in Orthanc's log:
  • E0624 12:23:57.387319 CommandDispatcher.cpp:283] Receiving Association failed: DUL secure transport layer: sslv3 alert certificate unknown

I have also imported orthanc's certificate into my JRE's cacerts file, so the storescu can use it like:
  • storescu -c ORTHANC@localhost:4242 --tls-cipher TLS_RSA_WITH_AES_128_CBC_SHA --ssl2Hello --key-store dicom\dicomrouter_local_keystore.jks --key-pass dicomrouter  --key-store-pass dicomrouter --trust-store "C:\Program Files\Java\jre1.8.0_261\lib\security\cacerts" --trust-store-pass changeit --trust-store-type JKS dicom\1.dcm
And in that case I am getting:
  • E0624 12:41:53.884914 CommandDispatcher.cpp:283] Receiving Association failed: DUL secure transport layer: certificate verify failed
So it seems to me (correct me if I am wrong) that Orthanc is performing certificate validation.

From what I understand, and here is where I need some help, in order to establish TLS connection between orthanc and storescu, certificate verification needs to be disabled on BOTH sides. Is that correct? 

Could you please give some insight on how to correctly setup my nodes for "Secure TLS connection without certificate verification"? What is causing the failures above / What am I missing in my setup and tests?

Thanks!
orthanc.json

Sébastien Jodogne

Jun 24, 2021, 4:32:23 PM
to Orthanc Users
Hello,

I have added instructions to use dcm4che as client to Orthanc over DICOM TLS:

HTH,
Sébastien-