I am trying to set up secure communication between Orthanc (client on my local Mac) and pynetdicom (server on my EC2 instance). For this I obtained an X.509 certificate from Let's Encrypt. I have added the certs to pynetdicom like this, in the Python SSL context:
```python
import ssl

from pynetdicom import AE

# ae (an AE instance), the handlers list and the constants CERT_FILE,
# KEY_FILE, CHAIN_FILE, NODE_IP, NODE_PORT and AE_TITLE are set earlier
# in my script.

# Set up TLS
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile=CERT_FILE, keyfile=KEY_FILE, password=None)
# If a certificate chain file is needed
context.load_verify_locations(cafile=CHAIN_FILE)
ae.tls_server_context = context

# start_server() blocks until the server is stopped (block=True is the default),
# so there is no return value to keep.
ae.start_server(
    (NODE_IP, NODE_PORT),
    ae_title=AE_TITLE,
    evt_handlers=handlers,
    ssl_context=ae.tls_server_context,  # Enable TLS
)
```

I tried testing the TLS connection with openssl, and it works with the -partial_chain flag, with an error at the end:

```
openssl s_client -connect pacs.avendahealth.com:443 -CAfile /Users/sumitjanawlekar/pynetDicom_cert/fullchain.pem -partial_chain
```

gives

```
Start Time: 1695710162
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
80208DF401000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
```

Without the -partial_chain flag it fails with this error:

```
Start Time: 1695710953
Timeout   : 7200 (sec)
Verify return code: 2 (unable to get issuer certificate)
Extended master secret: no
---
80208DF401000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
```

When I try sending DICOM data from Orthanc, it fails with this reason:

```
ErrorCode: 9
ErrorDescription: Error in the network protocol
ErrorDetails: DicomAssociation - connecting to AET "MY_AET": TLS error: OpenSSL error
```

I am new to this; how can I make this work?
PS: the connection works fine when I turn off TLS. Also, the request flows like this: DICOM client -> AWS Network Load Balancer (NLB) -> EC2 (pynetdicom running here). I even tried terminating TLS at the NLB level; still the same error.

I have tried TLS termination, encryption at the pynetdicom level, a local setup (client and server both as Orthanc running locally), restricting pynetdicom to TLSv1.2, etc. None of it worked.