Orthanc 1.9.x DICOM TLS Peer Certificate Validation


Mark Davis

Apr 29, 2021, 9:05:16 AM
to Orthanc Users
The DICOM TLS capability introduced in 1.9.0 hard-codes the option to require peer certificate validation in the underlying DCMTK implementation.  This causes the connection to fail when modalities that have not been issued client certificates attempt a TLS connection to Orthanc server when DicomTlsEnabled has been set to true.

Would either setting the DCMTK peer verification option to optional, as shown in the patch below, or making this a configurable option, be accepted as an enhancement?

The error received when this occurs is:
CommandDispatcher.cpp:283] Receiving Association failed: DUL secure transport layer: peer did not return a certificate

The proposed patch (based on 1.9.2) is:
--- OrthancFramework/Sources/DicomNetworking/Internals/DicomTls.cpp 2021-04-22 05:33:28.000000000 -0400
+++ patch/DicomTls.cpp 2021-04-29 08:43:58.000000000 -0400
@@ -147,7 +147,7 @@
       }
 #endif

-      tls->setCertificateVerification(DCV_requireCertificate /*opt_certVerification*/);
+      tls->setCertificateVerification(DCV_checkCertificate /*opt_certVerification*/);

       if (ASC_setTransportLayer(network, tls.get(), 0).bad())
       {
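Review bot: the change at the `setCertificateVerification` call hard-codes the relaxed mode for every deployment, although the trailing comment `/*opt_certVerification*/` already marks this argument as one meant to come from an option; the better change is to read it from a configuration setting and keep `DCV_requireCertificate` as the default, so sites that do issue client certificates are not silently downgraded by the upgrade. Note also that in the optional mode an SCU that presents no certificate (the case behind the "peer did not return a certificate" failure above) is accepted at the TLS layer, so authentication of such a peer then rests entirely on whatever AE-title or host checks Orthanc applies afterwards; that consequence belongs in the documentation of the option.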

Thank you,
Mark

John Murray

Apr 29, 2021, 10:20:34 AM
to Orthanc Users
This patch just saved us!  We have been chasing this for a week.  The session was failing because the client was not sending in a client certificate.  With this patch, we are now working.  Thank you!!!

John

Jay Sridhar

Apr 29, 2021, 10:21:08 AM
to Orthanc Users
Many thanks for the code snippet, Mark. This resolved an issue we have been having for a week.

Sébastien Jodogne

May 6, 2021, 12:59:15 PM
to Orthanc Users
Hello,

I have just added a new configuration option entitled "DicomTlsRemoteCertificateRequired":

If set to "false", this option allows connections from a remote DICOM SCU that doesn't provide any DICOM TLS certificate. This is documented in the Orthanc Book:

This new feature will be part of the forthcoming Orthanc 1.9.3 release.

HTH,
Sébastien-
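The two settings discussed in this thread (Mark's description of the hard-coded peer verification and the `DicomTlsRemoteCertificateRequired` option announced above) are easy to get wrong in a deployed configuration file. The following audit script is an added example written for this page; it is not Orthanc's code and not part of the thread. It assumes the key names `DicomTlsEnabled` and `DicomTlsRemoteCertificateRequired` from the thread, assumes the trust-store key is named `DicomTlsTrustedCertificates` and that the new option defaults to `true` when absent (both assumptions, check the Orthanc Book for your version), and uses constructed sample configurations with illustrative paths. It strips the C-style comments Orthanc allows in its JSON configuration, then reports the TLS peer-authentication posture.

```python
"""Audit an Orthanc configuration for its DICOM TLS peer-authentication posture.

Added example for this thread; not Orthanc's own code. Key names other than
DicomTlsEnabled / DicomTlsRemoteCertificateRequired are assumptions.
"""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample configurations (illustrative paths, not a real deployment).
SAMPLE_OPTIONAL_PEER_CERT = """
{
  // TLS is on, but an SCU without a client certificate is still accepted
  "DicomTlsEnabled" : true,
  "DicomTlsCertificate" : "/etc/orthanc/tls/server.crt",
  "DicomTlsPrivateKey" : "/etc/orthanc/tls/server.key",
  "DicomTlsTrustedCertificates" : "/etc/orthanc/tls/trusted.crt",
  "DicomTlsRemoteCertificateRequired" : false
}
"""

SAMPLE_HARDENED = """
{
  /* Every remote SCU must present a certificate chaining to the trust store */
  "DicomTlsEnabled" : true,
  "DicomTlsCertificate" : "/etc/orthanc/tls/server.crt",
  "DicomTlsPrivateKey" : "/etc/orthanc/tls/server.key",
  "DicomTlsTrustedCertificates" : "/etc/orthanc/tls/trusted.crt",
  "DicomTlsRemoteCertificateRequired" : true
}
"""

SAMPLE_PLAINTEXT = '{ "DicomTlsEnabled" : false }'

Finding = Tuple[str, str]  # (short code, human-readable explanation)


def strip_json_comments(text: str) -> str:
    """Remove // and /* */ comments while leaving string contents untouched."""
    out: List[str] = []
    i, n = 0, len(text)
    in_string = False
    while i < n:
        c = text[i]
        if in_string:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_string = False
            i += 1
        elif c == '"':
            in_string = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):       # line comment: drop to end of line
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):       # block comment: drop to closing */
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def load_orthanc_config(text: str) -> Dict[str, Any]:
    """Parse an Orthanc-style JSON configuration that may contain comments."""
    return json.loads(strip_json_comments(text))


def audit_dicom_tls(cfg: Dict[str, Any]) -> List[Finding]:
    """Return findings about how remote DICOM peers are authenticated."""
    findings: List[Finding] = []
    if not cfg.get("DicomTlsEnabled", False):
        findings.append(("TLS_DISABLED",
                         "DicomTlsEnabled is false: associations are plaintext "
                         "and the transport layer authenticates nobody"))
        return findings
    if not cfg.get("DicomTlsTrustedCertificates"):   # assumed key name
        findings.append(("NO_TRUST_STORE",
                         "no trusted-certificate file configured, so a "
                         "presented client certificate cannot be validated"))
    # Assumed default: absent means the peer certificate is required.
    if cfg.get("DicomTlsRemoteCertificateRequired", True) is False:
        findings.append(("PEER_CERT_OPTIONAL",
                         "remote certificate is optional: any SCU able to reach "
                         "the port can open a TLS association without "
                         "identifying itself; authentication then rests on "
                         "AE-title/host checks, so confirm those are in place"))
    return findings


if __name__ == "__main__":
    for name, text in [("optional", SAMPLE_OPTIONAL_PEER_CERT),
                       ("hardened", SAMPLE_HARDENED),
                       ("plaintext", SAMPLE_PLAINTEXT)]:
        for code, why in audit_dicom_tls(load_orthanc_config(text)) or [("OK", "no findings")]:
            print(f"{name:10s} {code:20s} {why}")
```

Run it against a real `orthanc.json` by replacing the constructed samples with `open(path).read()`; the hardened sample yields no findings, which is the posture to aim for once every modality has been issued a certificate.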

Jay Sridhar

May 7, 2021, 12:47:01 AM
to Orthanc Users
Fantastic! Can I check it out now?

Thanks

Sébastien Jodogne

May 7, 2021, 1:02:00 AM
to Orthanc Users
For sure, Orthanc is free and open-source software:

Sébastien-
