Configuring HTTPS in built-in server


vl...@jhmi.edu

Jun 26, 2018, 4:19:37 AM
to Orthanc Users
Hi all,

I am trying to run Orthanc off the Linux Server (18.04 LTS) machine and haven't been very successful in enabling HTTPS encryption. I followed the instructions on the page - http://book.orthanc-server.com/faq/https.html - to a T. When I looked at /var/log/orthanc/Orthanc.log after the server restart, I saw this line in there:

W0626 01:15:14.168662 HttpClient.cpp:686] HTTPS will use the CA certificates from this file: /etc/orthanc/



It looks a bit worrisome to me as my SslCertificate property in the configuration file is set to "/etc/orthanc/certificate.pem", so shouldn't it be read as:

W0626 01:15:14.168662 HttpClient.cpp:686] HTTPS will use the CA certificates from this file: /etc/orthanc/certificate.pem

?

Also, should certificate.pem also include certificates for the intermediate servers?

Thanks in advance for help!

vl...@jhmi.edu

Jun 26, 2018, 2:57:39 PM
to Orthanc Users
After researching this a bit more, when SslEnabled and SslCertificate are defined in the configuration file, the server fails to start and throws a Segmentation Fault error. Upon examining the /var/log/syslog file, I see the following related message:

Jun 26 12:06:36 superpacs-prod-1 kernel: [438878.581955] Orthanc[15770]: segfault at ffffffffc61c97a0 ip 00007fa5c494c646 sp 00007ffd1593bac8 error 5 in libc-2.27.so[7fa5c489b000+1e7000]

Has anyone encountered something similar?

Bryan Dearlove

Jun 27, 2018, 9:16:41 PM
to Orthanc Users
I haven't seen it, but would recommend a proxy in front managing the SSL component. http://book.orthanc-server.com/faq/apache.html


On Tuesday, June 26, 2018 at 4:19:37 AM UTC-4, vl...@jhmi.edu wrote:

Thibault Nélis

Jun 28, 2018, 4:15:39 AM
to orthan...@googlegroups.com
On Tue, 2018-06-26 at 01:19 -0700, vl...@jhmi.edu wrote:
> W0626 01:15:14.168662 HttpClient.cpp:686] HTTPS will use the CA
> certificates from this file: /etc/orthanc/
>
> It looks a bit worrisome to me as my SslCertificate property in the
> configuration file is set to "/etc/orthanc/certificate.pem", so
> shouldn't it be read as:
>
> W0626 01:15:14.168662 HttpClient.cpp:686] HTTPS will use the CA
> certificates from this file: /etc/orthanc/certificate.pem

This log output line relates to the HTTP client, not the server. This
implies the path in question is used to search for many certificates
for CAs (certificate authorities) for Orthanc to use in order to verify
peers (other TLS-enabled servers it connects to). This is controlled
with the HttpsCACertificates setting, not SslCertificate.

https://bitbucket.org/sjodogne/orthanc/src/78e5414d57f8874cfe88997726b97bd3b25e48df/OrthancServer/main.cpp#lines-981
https://bitbucket.org/sjodogne/orthanc/src/78e5414d57f8874cfe88997726b97bd3b25e48df/Core/HttpClient.cpp#lines-678

> Also, should certificate.pem also include certificates for the
> intermediate servers?

Technically (and depending on the freedom offered by client tooling)
it's not strictly necessary. In general however, I'd say yes. You want
to keep the trusted roots small to avoid churn since most clients
typically don't update it often enough. If you have control over both
the clients and the server, I'd say it doesn't really matter (but then
you might as well just use a self-signed cert and check the
fingerprints).
--
Thibault Nélis <t...@osimis.io>
Osimis

Thibault Nélis

Jun 28, 2018, 4:45:45 AM
to orthan...@googlegroups.com
On Tue, 2018-06-26 at 11:57 -0700, vl...@jhmi.edu wrote:
> After researching this a bit more,
> when SslEnabled and SslCertificate are defined in the configuration
> file, the server fails to start and throws a Segmentation Fault error.
> Upon examining the /var/log/syslog file, I see the following related
> message:
>
> Jun 26 12:06:36 superpacs-prod-1 kernel: [438878.581955]
> Orthanc[15770]: segfault at ffffffffc61c97a0 ip 00007fa5c494c646 sp
> 00007ffd1593bac8 error 5 in libc-2.27.so[7fa5c489b000+1e7000]
>
> Has anyone encountered something similar?

A kernel will typically dump the core of processes that fault like
that[1]. If you give the list a reference to the exact build you're
using along with that core dump then someone can use debug symbols to
extract a meaningful stack trace from it (and of course you can try to
do that yourself).

At the same time, you might consider sharing the certificate here (make
absolutely sure the file doesn't embed the private key), maybe someone
will spot something odd. If it's truly because of the certificate then
I'd say it's a bug (possibly in one of the dependencies of Orthanc). In
that case, you'll want to file an issue in the tracker[2].

[1] http://man7.org/linux/man-pages/man5/core.5.html
[2] https://bitbucket.org/sjodogne/orthanc/issues/
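
The advice above to make sure a shared certificate file does not embed the private key can be checked mechanically before posting. The following is an added example, not part of the original thread or of Orthanc: it inspects the PEM framing of a bundle, reports any private-key or malformed block, and returns a copy holding only the CERTIFICATE blocks. The function name and the sample PEM bodies are constructed for illustration.

```python
import re

# PEM framing (RFC 7468). The body pattern excludes "-" so a match can never
# run from one BEGIN line across a different block to a later END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----([^-]+)-----END \1-----")
BEGIN_LINE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def redact_for_sharing(text):
    """Return (shareable, findings).

    shareable keeps only well-formed CERTIFICATE blocks; findings lists every
    reason the original file must not be posted as-is.
    """
    blocks = [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]
    begins = BEGIN_LINE.findall(text)
    # Flag on BEGIN markers, not parsed blocks, so a truncated key still counts.
    findings = [f"contains {label}" for label in begins if "PRIVATE KEY" in label]
    if len(begins) != len(blocks):
        findings.append("unterminated or malformed PEM block")
    certs = [block for label, block in blocks if label == "CERTIFICATE"]
    return "".join(c + "\n" for c in certs), findings


# Constructed sample: placeholder base64 bodies, not real key material.
SAMPLE = """-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRi1DRVJU
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRF
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    shareable, findings = redact_for_sharing(SAMPLE)
    for finding in findings:
        print("do not post the original file:", finding)
    print(shareable, end="")
```

Only the returned certificate-only text should be pasted to the list; a file that produces any finding should be kept private.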