Hi All,
I tried executing storescp and storescu using the "+tls" option with private key and certificate as parameters (including peer name and the port number).
It's throwing the following error:
[1st Terminal]
storescp -v -d 55001 +tls /usr/lib64/dcmtk-3.6.0/bin/Mybin/key.pem /usr/lib64/dcmtk-3.6.0/bin/Mybin/mycertificate
D: $dcmtk: storescp v3.6.0 2011-01-06 $
D:
D: setting network receive timeout to 60 seconds
E: Receiving Association failed: 0006:031e DUL secure transport layer: tlsv1 alert unknown ca
[2nd Terminal]
storescu localhost 55001 +tls /usr/lib64/dcmtk-3.6.0/bin/Mybin/key.pem /usr/lib64/dcmtk-3.6.0/bin/Mybin/mycertificate ~/Desktop/VenuDCMImages/XA
E: TLS client handshake failed
F: Association Request Failed: 0006:031b Failed to establish association
F: 0006:0317 Peer aborted Association (or never connected)
F: 0006:031e DUL secure transport layer: certificate verify failed
This is happening even with the echoscu command also.
How do I overcome this DUL failure? Kindly advise.
FYI,
I have created the private key and the certificate using the OpenSSL tool, which has already been installed along with DCMTK 3.6.0 on my Linux machine.
Example showing how I created the private key and certificate using OpenSSL commands:
#md privatekey
#chmod 777 privatekey
#vi priv
#openssl genrsa 2048 > /usr/lib64/dcmtk-3.6.0/dcmtls/apps/privatekey/priv [Generate privatekey]
#chmod 400 priv
#md certificate
#chmod 777 certificate
#vi cert
#openssl req -new -x509 -nodes -sha1 -days 3650 -key /usr/lib64/dcmtk-3.6.0/dcmtls/apps/privatekey/priv > /usr/lib64/dcmtk-3.6.0/dcmtls/apps/certficate/cert [Generate Certificate]
#openssl x509 -in cert -text -noout [To see the contents of Generated Certificate]
Doing all these things in procedure, I am able to see only the DUL fault. Can anybody suggest any other way?
Thanks in advance
storescu and storescp problem using tls option under dcmtls module
- DCMTK Developer
- Posts: 120
- Joined: Thu, 2009-11-26, 08:15
SSL is confusing. Here is how I made this finally work:
DCMTLS comes with a script for generating the certificates. Let's use it! (This assumes your current working directory is dcmtk's source folder; the script is not installed.)
It will require you to enter a passphrase with a minimum length of 4. The directory /tmp/myca must not yet exist.
    dcmtls/tests/dcmtk_ca.pl newca /tmp/myca
Now we want a certificate from this CA:
All the answers to the various questions that are being asked don't really matter (neither do they for the CA). However, the "Common Name (eg, YOUR name)" when generating the cert must not be empty or the script will fail.
    mkdir /tmp/mycert
    dcmtls/tests/dcmtk_ca.pl mkcert -des no /tmp/myca/ /tmp/mycert/cert /tmp/mycert/key
Now that we got the certificates set up, we can use them:
Since I'm lazy, I let the SCP and SCU use the same certificate. I hope this also works if they use different certificates. It certainly works when you use --ignore-peer-cert on either side so that no verification on the certificate is done.
    storescp 1234 +tls /tmp/mycert/key /tmp/mycert/cert --add-cert-file /tmp/myca/cacert.pem
    storescu localhost 1234 +tls /tmp/mycert/key /tmp/mycert/cert --add-cert-file /tmp/myca/cacert.pem path_to_some_file
To remove the requirement for the client cert, use --verify-peer-cert or --ignore-peer-cert on the server and --anonymous-tls on the client.
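The "unknown ca" and "certificate verify failed" errors in the first post mean the peer could not chain the presented certificate to a CA it trusts, which is what --add-cert-file supplies in the reply. As an added example (not part of either post and not DCMTK code), this script checks a key/certificate/CA triple with openssl before storescp or storescu is started; the function names and the demo file names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the files passed to +tls / --add-cert-file.
# All file names and subjects below are constructed demo values.

# check_tls_material KEY CERT CAFILE
# returns 0 = usable, 1 = cert does not chain to CAFILE, 2 = key problem
check_tls_material() {
    local key=$1 cert=$2 ca=$3 kpub cpub
    # What the peer does in the handshake: build a chain from the presented
    # certificate to a CA it has loaded (here, the --add-cert-file file).
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL chain: $cert is not signed by a CA in $ca"
        return 1
    fi
    # The private key must belong to the public key inside the certificate.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null)
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        echo "FAIL key: $key cannot be read or does not match $cert"
        return 2
    fi
    echo "OK: $cert chains to $ca and matches $key"
}

# make_demo_material: throwaway CA, one CA-signed cert and one self-signed
# cert in a temp directory; prints the directory name on success.
make_demo_material() {
    local d
    d=$(mktemp -d) || return 1
    (
        cd "$d" &&
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
            -keyout ca.key -out ca.pem &&
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-scp" \
            -keyout leaf.key -out leaf.csr &&
        openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -days 1 -out leaf.pem &&
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=demo-selfsigned" -keyout self.key -out self.pem
    ) >/dev/null 2>&1 || return 1
    echo "$d"
}

# Demo: the CA-signed pair passes, the self-signed pair fails the chain check.
if demo=$(make_demo_material); then
    check_tls_material "$demo/leaf.key" "$demo/leaf.pem" "$demo/ca.pem" || true
    check_tls_material "$demo/self.key" "$demo/self.pem" "$demo/ca.pem" || true
    rm -rf "$demo"
fi
```

A certificate made with `openssl req -new -x509` is self-signed, so it only passes the chain check when that same certificate is the CA file given to the peer.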