TLS question need help

Airwolfe
Posts: 5
Joined: Tue, 2017-01-24, 18:35

TLS question need help

#1 Post by Airwolfe »

I'm trying to use STORESCU to send to your PACS img router, which is called Compass, from http://www.laurelbridge.com. It has a feature to allow me to send via TLS; however, I am new to certs. It seems I can either do a PFX file or PEM files. How would I get STORESCU to send via TLS if it only works with a one-file cert (.p21, .pfx, .cer, .pem, .der)?

Airwolfe
Posts: 5
Joined: Tue, 2017-01-24, 18:35

Re: TLS question need help

#2 Post by Airwolfe »

OK, I was able to convert the PFX file into a key and crt, put those onto the Ubuntu box I have running storescu, and used the following command:

sudo storescu http://www.tciwebpacs.com 2762 +tls /tmp/mycert/key /tmp/mycert/cert /tmp/myca/cacert.pem -ll info +sd /home/cprbox/Pictures
I: determining input files ...
I: checking input files ...
I: Requesting Association
E: TLS client handshake failed
F: Association Request Failed: 0006:031b Failed to establish association
F: 0006:0317 Peer aborted Association (or never connected)
F: 0006:031e DUL secure transport layer: certificate verify failed
cprbox@cprbox-OptiPlex-380:~/Desktop/Python$

--------------On Compass router I get the following error-----------------

DicomSocket (server mode) this = LaurelBridge.DCS.DicomSocket
local_address = 192.168.99.13:2762
remote_address = 64.191.161.210:43298
socket = LaurelBridge.Compass.Core.Network.f
[ DEBUG AuthAsServer 2017/07/26 11:03:03.184 thrd='105' ]
Server about to authenticate connection 64.191.161.210:43298=>192.168.99.13:2762
[ ERROR AuthAsServer 2017/07/26 11:03:03.213 thrd='105' ]
Server authentication error on connection 64.191.161.210:43298=>192.168.99.13:2762 (accepted at 2017/07/26 11:03:03.183; server started authentication at 2017/07/26 11:03:03.184; authentication timeout set to 10000 ms)
Message: System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The certificate chain was issued by an authority that is not trusted
--- End of inner exception stack trace ---
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at LaurelBridge.Compass.Core.Network.f.f()
[ ERROR cs_lib/DCS 2017/07/26 11:03:03.214 thrd='105' ]
Error in HandlerThread. 64.191.161.210:43298=>192.168.99.13:2762, connection_id=776d16dd-6433-41cc-a476-04ded8d43a14:
LaurelBridge.DCS.IOReadException ---> LaurelBridge.DCS.IOException: DicomSocket.readSocketData: error during: read ---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The certificate chain was issued by an authority that is not trusted
--- End of inner exception stack trace ---
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at LaurelBridge.Compass.Core.Network.f.f()
at LaurelBridge.Compass.Core.Network.f.Receive(Byte[] buffer, Int32 offset, Int32 count)
at LaurelBridge.DCS.DicomSocket.a(ByteBuffer A_0, Int32 A_1, Int32 A_2, Boolean A_3, Boolean A_4)
--- End of inner exception stack trace ---
at LaurelBridge.DCS.DicomSocket.a(ByteBuffer A_0, Int32 A_1, Int32 A_2, Boolean A_3, Boolean A_4)
at LaurelBridge.DCS.DicomSocket.readPDUData(Int32 timeout, Boolean f_data_channel, DicomBuffer dicom_buffer)
at LaurelBridge.DCS.DicomSocket.readPDU(Int32 timeout, Boolean f_data_channel)
--- End of inner exception stack trace ---
at LaurelBridge.DCS.DicomSocket.readPDU(Int32 timeout, Boolean f_data_channel)
at LaurelBridge.DCS.DicomSocket.readPDU(Int32 timeout)
at LaurelBridge.DCS.AssociationManager.a(Object A_0)
[ DEBUG cs_lib/DCS 2017/07/26 11:03:29.596 thrd='57' ]
session_name=COMPASSROUTER:192.168.99.13:55838==>TCIRADPACS:192.168.99.13:104::2017/07/25::15:55:25.769::7328.0
DicomSocket (server mode) this = LaurelBridge.DCS.DicomSocket

Need some help please...

Marco Eichelberg
OFFIS DICOM Team
Posts: 1437
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany

Re: TLS question need help

#3 Post by Marco Eichelberg »

By default, the TLS protocol does not only use the public/private key pair extracted from the certificate and key file to securely exchange the random session key; it also verifies whether the certificate that is used by the remote side to identify itself is trustable. A certificate is trustable if the Certification Authority (CA) that has issued and signed the certificate is trustable, and so on, until a chain of trust to a trustable root certificate can be established.

In DCMTK, you can use the --add-cert-file and --add-cert-dir command line options to add individual certificates of trusted CAs. Note that the file name structure within a certificate directory needs to follow a specific pattern (see OpenSSL documentation). So at least you need to add the certificate of the CA that generated the certificate used by the Compass router here. Alternatively, you can disable the certificate verification with --ignore-peer-cert, but that opens your connection to man-in-the-middle attacks, so this should only be used for testing.

The same applies to the other side: You will probably have to somehow install the CA certificate of the CA that generated your certificate (or your certificate, if it is self-signed) in the list of trusted certificates for the Compass router.
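An added example (my own script, not DCMTK or Laurel Bridge code) of the chain-of-trust setup described in this answer, starting from the one-file PFX asked about in post #1 and ending at a storescu command line. It assumes openssl and storescu on PATH, a placeholder PFX path and router hostname, and treats /tmp/myca/cacert.pem as the certificate of the CA that issued the Compass router's certificate. storescu reads the two arguments after +tls as private key and certificate; the CA file is supplied separately through --add-cert-file, and the --add-cert-dir layout uses OpenSSL's subject-hash file names.

```shell
#!/bin/sh
# Added example for this thread (not DCMTK or Laurel Bridge code). Assumptions:
#  - a client PFX exported for this site (placeholder path below),
#  - a plain hostname for the Compass router (storescu takes a host, not a URL),
#  - openssl and DCMTK's storescu on PATH.
set -eu

# 1. Split the single-file PFX into the two files +tls expects (private key,
#    client certificate) plus the issuing CA chain carried inside the PFX.
split_pfx() {
    pfx=$1; out=$2
    mkdir -p "$out"
    openssl pkcs12 -in "$pfx" -nocerts -nodes  -out "$out/key.pem"    # unencrypted private key
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$out/cert.pem"   # our own certificate
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -out "$out/chain.pem"  # CA(s) that signed it
}

# 2. Reproduce offline the check the TLS handshake performs: does the
#    certificate chain up to a CA in the given file? Exit status 0 means yes.
verify_chain() {
    cafile=$1; cert=$2
    openssl verify -CAfile "$cafile" "$cert"
}

# 3. Lay out a directory usable with --add-cert-dir. OpenSSL finds CA
#    certificates by subject-name hash, so each file must be named <hash>.<n>.
build_cert_dir() {
    dir=$1; shift
    mkdir -p "$dir"
    for ca in "$@"; do
        h=$(openssl x509 -noout -subject_hash -in "$ca")
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done   # hash collisions get .1, .2, ...
        cp "$ca" "$dir/$h.$n"
    done
}

# 4. Compose the storescu invocation. +tls takes exactly key and cert; the CA
#    that issued the router's certificate goes to --add-cert-file (anything
#    placed after the two +tls arguments would be read as a DICOM input file).
build_storescu_cmd() {
    peer=$1; port=$2; key=$3; cert=$4; peer_ca=$5; imgdir=$6
    printf 'storescu %s %s +tls %s %s --add-cert-file %s -ll info +sd %s\n' \
        "$peer" "$port" "$key" "$cert" "$peer_ca" "$imgdir"
}

# Full procedure; runs only when invoked as "sh tls-send.sh run", so the
# functions above can be sourced without side effects.
if [ "${1:-}" = run ]; then
    PFX=/tmp/mycert/client.pfx       # placeholder: the exported PFX
    ROUTER_CA=/tmp/myca/cacert.pem   # placeholder: CA that issued the router's certificate
    PEER=compass.example.invalid     # placeholder hostname of the Compass router
    split_pfx "$PFX" /tmp/mycert
    verify_chain /tmp/mycert/chain.pem /tmp/mycert/cert.pem   # our own chain is consistent
    build_cert_dir /tmp/myca "$ROUTER_CA"                     # alternative to --add-cert-file
    # /tmp/mycert/chain.pem is the CA material the Compass operator must import as
    # trusted, otherwise the router rejects our certificate exactly as in post #2.
    eval "$(build_storescu_cmd "$PEER" 2762 /tmp/mycert/key.pem /tmp/mycert/cert.pem "$ROUTER_CA" /home/cprbox/Pictures)"
fi
```

Both sides are covered: --add-cert-file (or the hashed directory) makes the client trust the router's issuer, and chain.pem is what the router side needs to trust the client's issuer. The subject-hash file names are those of OpenSSL 1.0 and later; a DCMTK built against OpenSSL 0.9.8 uses the older hash (openssl x509 -subject_hash_old).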
