DCMTK with TLS

froilan3tp
Posts: 1
Joined: Tue, 2005-08-30, 16:18

DCMTK with TLS

#1 Post by froilan3tp »

Hello,

With the help of some of the posts in this BB, I have successfully created a certificate for use in storescp-tls and storescu-tls. However, I'm getting the error message "DUL secure transport layer: certificate verify failed".

Here's what I did:
1) create certificate:
openssl genrsa -out ca.key 2048
openssl req -config openssl.cfg -new -x509 -days 365 -key ca.key -out ca.crt

2) open listening port 123
storescp-tls -v 123 +tls ca.key ca.crt

3) send dicom file
storescu-tls localhost 123 c:\test.dcm +tls ca.key ca.crt
Enter passphrase: ********

Error messages:
storescu: Association Request failed:
0006:031b Failed to establish connection
0006:0317 Peer aborted Association (or never connected)
0006:031e DUL secure transport layer: certificate verify failed

At the storescp-tls window, I get this verbose error message:
DUL secure transport layer: tlsv1 alert unknown ca

What am I doing wrong? Please advise.

Marco Eichelberg
OFFIS DICOM Team
Posts: 1444
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany

#2 Post by Marco Eichelberg »

The certificate verification failed (actually on both sides) because you have not told either tool which certificates are to be accepted. Either disable certificate verification using the --ignore-peer-cert command line options on both sides, or use --add-cert-file or --add-cert-dir to make the CA certificate known.

Helen
Posts: 2
Joined: Tue, 2019-04-23, 10:55

Re: DCMTK with TLS

#3 Post by Helen »

Hello,

I have the same question as the original poster, and I have tried the solution by Mr. Marco using --add-cert-file, but I still can't resolve the problem. I am writing it like this:

storescp-tls.exe -v 123 +tls cert/ca.key cert/ca.crt --add-cert-dir cert
storescu-tls.exe localhost 123 dcm/111.DCM +tls cert/ca.key cert/ca.crt --add-cert-dir cert

Did I write it wrong? Please give me some advice on how to resolve the problem. Thank you.

Marco Eichelberg
OFFIS DICOM Team
Posts: 1444
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany

Re: DCMTK with TLS

#4 Post by Marco Eichelberg »

As a general remark, it is not a good idea to post a follow-up question to someone else's thread. The chances are rather high that nobody will see this.

Now concerning your question: When you use the --add-cert-dir option, the certificate files in the cert directory must have specific filenames, because OpenSSL looks up filenames based on some hashing scheme. See the file "certstor.txt", which is provided as part of the documentation, for details.
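
What the hashed file name looks like in practice, as an added example that is not part of the thread or of the DCMTK documentation: the shell functions below copy a PEM certificate into a directory under the `<subject-hash>.<n>` name that OpenSSL's directory lookup expects, then confirm the lookup with `openssl verify -CApath`. The function names, script name and paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names and paths are assumptions, not DCMTK's own.

# install_ca_cert CERT_PEM CERT_DIR
# Copy CERT_PEM into CERT_DIR as <subject-hash>.<n>, the file name that
# OpenSSL's directory lookup searches for. Prints the installed path.
install_ca_cert() {
    cert=$1
    dir=$2
    # Fails for anything that is not a certificate (for example ca.key),
    # so a private key never ends up in the trust directory.
    hash=$(openssl x509 -in "$cert" -noout -subject_hash) || return 1
    fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256) || return 1
    mkdir -p "$dir" || return 1
    n=0
    # Certificates with the same subject share a hash; OpenSSL then tries
    # <hash>.0, <hash>.1, ... so take the first free suffix.
    while [ -e "$dir/$hash.$n" ]; do
        old=$(openssl x509 -in "$dir/$hash.$n" -noout -fingerprint -sha256 \
              2>/dev/null) || old=""
        if [ "$old" = "$fp" ]; then
            echo "$dir/$hash.$n"   # already installed, nothing to do
            return 0
        fi
        n=$((n + 1))
    done
    # Re-encode through openssl so only the certificate itself is written.
    openssl x509 -in "$cert" -out "$dir/$hash.$n" || return 1
    echo "$dir/$hash.$n"
}

# check_cert_dir CERT_PEM CERT_DIR
# Succeeds when `openssl verify` reports OK with CERT_DIR as its -CApath.
check_cert_dir() {
    openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Stand-alone use: sh install_ca.sh cert/ca.crt cert/trusted
if [ "$#" -eq 2 ]; then
    install_ca_cert "$1" "$2" && check_cert_dir "$1" "$2" && echo "lookup OK"
fi
```

A directory that only contains the certificate under its original name (such as `ca.crt`) fails `check_cert_dir`; once the hashed copy exists, that directory is the one to pass to `--add-cert-dir`.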

Helen
Posts: 2
Joined: Tue, 2019-04-23, 10:55

Re: DCMTK with TLS

#5 Post by Helen »

Hi Mr. Marco,

I am glad to receive your reply. Sorry for following up on someone else's topic. Next time I will start a new one.

I have read the file "certstor.txt" you mentioned, but I did not understand it very well. I am still confused about how to set the options, so I am going back to the original question. My problem is that when I try to use store in TLS mode, I cannot transfer successfully.

My code is this:
storescp-tls.exe 123 +tls cert/ca.key cert/ca.crt
storescu-tls.exe localhost 123 dcm/111.DCM +tls cert/ca.key cert/ca.crt

The error information is this:
F: Association Request Failed: 0006:031b Failed to establish association
F: 0006:0317 Peer aborted Association (or never connected)
F: 0006:031c TCP Initialization Error: The operation completed successfully.

So is the syntax wrong, am I using the wrong options, or is the certificate file I generated with OpenSSL not correct? Please give me some advice on how to resolve the problem. I have been stuck here for a long time. Thank you.