DICOM @ OFFIS

Discussion Forum for OFFIS DICOM Tools - For registration, send email with desired user name to the OFFIS DICOM team

All times are UTC + 1 hour




PostPosted: Sat, 2017-04-01, 08:18 

Joined: Fri, 2016-12-02, 09:51
Posts: 20
Hello,
I tried to build DCMTK for Visual Studio 2017. The library compiles fine if I don't use the SSL library.
I want to use SSL and I need to recompile OpenSSL. I recompiled OpenSSL, but in the bin dir it produces libcrypto-1_1.dll and libssl-1_1.dll.
In the precompiled DCMTK library, the bin directory contains dcmtkeay.dll and dcmtkssl.dll.
What do I need to do? Rename libcrypto-1_1.dll -> dcmtkeay.dll and libssl-1_1.dll -> dcmtkssl.dll?

thanks


PostPosted: Mon, 2017-04-03, 09:06 
OFFIS DICOM Team

Joined: Mon, 2014-03-03, 09:51
Posts: 218
Location: Oldenburg, Germany
It is appropriate to try that on the first of April, since compiling OpenSSL under Windows seems like an April Fools' joke (a bad one). We have a page in our internal Wiki that a colleague wrote when he figured out how to build OpenSSL for Windows. I could provide it as a PDF; it is in German, though. Alternatively, you may give LibreSSL a try.


PostPosted: Thu, 2017-04-06, 06:56 

Joined: Fri, 2016-12-02, 09:51
Posts: 20
Thanks,
Can you provide me that PDF at email address redacted?
Thanks


PostPosted: Thu, 2017-04-06, 10:30 
OFFIS DICOM Team

Joined: Mon, 2014-03-03, 09:51
Posts: 218
Location: Oldenburg, Germany
I've just sent it to your email address.


PostPosted: Mon, 2017-08-21, 10:12 

Joined: Wed, 2017-06-14, 11:00
Posts: 6
Hi,

could you also send me this pdf, as my colleague is also trying to make this work using openssl and dcmtk 3.6.2?

Thanks in advance,
Marco Kemper
ict.nl


PostPosted: Mon, 2017-09-04, 16:42 
OFFIS DICOM Team

Joined: Mon, 2014-03-03, 09:51
Posts: 218
Location: Oldenburg, Germany
Please note that the tutorial does not really apply for newer versions of OpenSSL (but can still be used to get some ideas).


PostPosted: Thu, 2017-09-07, 08:22 

Joined: Wed, 2017-06-14, 11:00
Posts: 6
Hi Jan,

thanks for the clarification, will let you know whether it works when we start with the security story in our project.

With kind regards,
Marco


PostPosted: Thu, 2017-09-07, 14:28 
OFFIS DICOM Team

Joined: Mon, 2014-03-03, 09:51
Posts: 218
Location: Oldenburg, Germany
Btw, you saw these, right? Did we miss creating binaries for your specific Compiler/Settings? If so, I might be able to add them (the files are auto-generated using a script; I'm also thinking about making the script public, but it would need some polishing first).


PostPosted: Wed, 2017-10-25, 08:47 

Joined: Wed, 2017-06-14, 11:00
Posts: 6
Hi Jan,

sorry for the late reply.
We did not know about these binaries, so your reply did help us, thanks!
We are now using one of the versions of the libs and header files (so no need for another version), that has saved us time.

With kind regards,
Marco


PostPosted: Mon, 2017-10-30, 14:25 

Joined: Wed, 2017-06-14, 11:00
Posts: 6
Hi,

I have one question about the binaries you supplied.
When we use the OpenSSL binaries under Windows compiled by Offis (that one supplied using the link in this posting), the cipher suite “TLS_RSA_WITH_3DES_EDE_CBC_SHA” (defined as "DES-CBC3-SHA" in OpenSSL) is not supported (and this just happens to be the one we need for the DICOM secure profile). This is supported when we use the source code of the same version of DCMTK/OpenSSL under Ubuntu.

Any ideas why?
See below for what the openssl executable reports under Windows and Ubuntu.

Regards,
Marco Kemper

----------------------

Supported cipher suites by OpenSSL executable under Windows:
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA
RSA-PSK-AES256-GCM-SHA384
DHE-PSK-AES256-GCM-SHA384
RSA-PSK-CHACHA20-POLY1305
DHE-PSK-CHACHA20-POLY1305
ECDHE-PSK-CHACHA20-POLY1305
AES256-GCM-SHA384
PSK-AES256-GCM-SHA384
PSK-CHACHA20-POLY1305
RSA-PSK-AES128-GCM-SHA256
DHE-PSK-AES128-GCM-SHA256
AES128-GCM-SHA256
PSK-AES128-GCM-SHA256
AES256-SHA256
AES128-SHA256
ECDHE-PSK-AES256-CBC-SHA384
ECDHE-PSK-AES256-CBC-SHA
SRP-RSA-AES-256-CBC-SHA
SRP-AES-256-CBC-SHA
RSA-PSK-AES256-CBC-SHA384
DHE-PSK-AES256-CBC-SHA384
RSA-PSK-AES256-CBC-SHA
DHE-PSK-AES256-CBC-SHA
AES256-SHA
PSK-AES256-CBC-SHA384
PSK-AES256-CBC-SHA
ECDHE-PSK-AES128-CBC-SHA256
ECDHE-PSK-AES128-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
SRP-AES-128-CBC-SHA
RSA-PSK-AES128-CBC-SHA256
DHE-PSK-AES128-CBC-SHA256
RSA-PSK-AES128-CBC-SHA
DHE-PSK-AES128-CBC-SHA
AES128-SHA
PSK-AES128-CBC-SHA256
PSK-AES128-CBC-SHA


Supported cipher suites by OpenSSL executable under Ubuntu:
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
SRP-DSS-AES-256-CBC-SHA
SRP-RSA-AES-256-CBC-SHA
SRP-AES-256-CBC-SHA
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
ECDH-RSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-RSA-AES256-SHA384
ECDH-ECDSA-AES256-SHA384
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
PSK-AES256-CBC-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
SRP-DSS-3DES-EDE-CBC-SHA
SRP-RSA-3DES-EDE-CBC-SHA
SRP-3DES-EDE-CBC-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
ECDH-RSA-DES-CBC3-SHA
ECDH-ECDSA-DES-CBC3-SHA
DES-CBC3-SHA
PSK-3DES-EDE-CBC-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
SRP-DSS-AES-128-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
SRP-AES-128-CBC-SHA
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
ECDH-RSA-AES128-GCM-SHA256
ECDH-ECDSA-AES128-GCM-SHA256
ECDH-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
ECDH-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
PSK-AES128-CBC-SHA
ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA
ECDH-RSA-RC4-SHA
ECDH-ECDSA-RC4-SHA
RC4-SHA
RC4-MD5
PSK-RC4-SHA
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA


PostPosted: Thu, 2017-11-02, 17:25 

Joined: Wed, 2017-06-14, 11:00
Posts: 6
Hi,

I already found out what was happening: when using the same version of the OpenSSL library (1.1.0f) under Ubuntu, the cipher suite “TLS_RSA_WITH_3DES_EDE_CBC_SHA” was also not supported anymore.

Meaning that to be able to support a DICOM security profile, you may need to use an older version of OpenSSL.

With kind regards,
Marco


PostPosted: Thu, 2017-11-02, 17:32 
DCMTK Developer

Joined: Fri, 2004-11-05, 13:47
Posts: 1634
Location: Oldenburg, Germany
Hi,

I think using an old OpenSSL version is not a good idea. Is it possible to configure OpenSSL during build? Did you try/check LibreSSL?

Best,
Michael


PostPosted: Fri, 2017-11-03, 09:36 
OFFIS DICOM Team

Joined: Tue, 2004-11-02, 17:22
Posts: 1208
Location: Oldenburg, Germany
The following post https://www.openssl.org/blog/blog/2016/08/24/sweet32/ explains the issue: Starting with OpenSSL 1.1.0, support for the 3DES ciphers is disabled by default.
OpenSSL has to be configured with the “enable-weak-ssl-ciphers” option before compiling to re-activate 3DES support. I guess we should provide updated DCMTK TLS binaries that have support for 3DES enabled, because as you correctly mention this is still used in the DICOM basic secure profile.


PostPosted: Wed, 2017-11-08, 10:01 

Joined: Wed, 2017-06-14, 11:00
Posts: 6
Hi Marco,

that probably would be the best solution. Even when enable-weak-ssl-ciphers is set to true, you will still have full control over which cipher suites to support in your software.

Regards,
Marco

P.S. For now, this is not an issue anymore for us, but it would of course help future implementations based on DCMTK.
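
Added example, not part of any post and not DCMTK or OFFIS code: a Python check that follows up on the two posts above (3DES being off by default since OpenSSL 1.1.0, and keeping control over the enabled suites) by testing a cipher listing, or the OpenSSL linked into the running Python, for the suite the thread needs. The function names and the shortened sample listings are assumptions made for this example.

```python
import ssl

# Suite the thread names as needed for the DICOM secure profile
# (IANA name -> OpenSSL name, both as given in the posts above).
REQUIRED = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA"}

# Shortened excerpts of the two listings posted above (constructed for this
# example; one colon-separated, one line-separated to exercise the parser).
WINDOWS_SAMPLE = "ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA:AES128-SHA:PSK-AES128-CBC-SHA"
UBUNTU_SAMPLE = "ECDHE-RSA-AES256-GCM-SHA384\nAES256-SHA\nDES-CBC3-SHA\nAES128-SHA\nRC4-SHA"


def parse_cipher_listing(text):
    """Accept colon-separated or one-per-line cipher names; return a set."""
    return {n.strip() for n in text.replace(":", "\n").splitlines() if n.strip()}


def missing_required(listing, required=REQUIRED):
    """Return the IANA names of required suites absent from a listing."""
    have = parse_cipher_listing(listing)
    return sorted(iana for iana, ossl in required.items() if ossl not in have)


def dropped_suites(old_listing, new_listing):
    """Suites offered by the old build but no longer by the new one."""
    return sorted(parse_cipher_listing(old_listing) - parse_cipher_listing(new_listing))


def local_build_offers(openssl_name):
    """Ask the OpenSSL linked into this Python whether it can select the suite.

    set_ciphers() raises ssl.SSLError when the string selects no cipher, as
    expected for DES-CBC3-SHA on a build without enable-weak-ssl-ciphers.
    Passing one explicit name also pins the context to that suite for
    TLS 1.2 and below, instead of accepting the library defaults.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(openssl_name)
    except ssl.SSLError:
        return False
    return any(c["name"] == openssl_name for c in ctx.get_ciphers())


if __name__ == "__main__":
    print("missing in Windows sample:", missing_required(WINDOWS_SAMPLE))
    print("dropped vs. Ubuntu sample:", dropped_suites(UBUNTU_SAMPLE, WINDOWS_SAMPLE))
    print("this Python's OpenSSL:", ssl.OPENSSL_VERSION,
          "offers DES-CBC3-SHA:", local_build_offers("DES-CBC3-SHA"))
```

Feeding the full output of the openssl executable into missing_required() gives the same answer for a complete build listing.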

