Problems setting up a TLS connection using self-issued certificates

ntne
Posts: 1
Joined: Fri, 2020-06-12, 09:32

#1 Post by ntne » Mon, 2020-06-15, 08:15

I have been trying for the last few days to set up a TLS connection using self-created certificates, but to no avail.

The setup is as follows:

- The PacsTestServer runs on my development VM (Ubuntu 16.04 LTS).
- The PacsClient is part of a C++ application on an embedded Linux machine. It uses the DCMTK library.
- The version of DCMTK on both machines is 3.6.5.
- I created the certificates using the dcmtk_ca.pl script included in the toolkit, the same way as described here (yes, I filled out the "Common Name" field):
  https://forum.dcmtk.org/viewtopic.php?t=2946
  then copied the whole folder to the client machine.

- The PacsTestServer is started by a script using this command:

Code:

# storescp listening on port 1231 with TLS: server key + certificate (+tls),
# trusted CA file for verifying the peer (+cf), key passphrase (+pw),
# received files get the .dcm extension and go to $PACS1DIR
xfce4-terminal --tab --title="PACS 1 (1231  $PACS1DIR)" --execute env DCMDICTPATH=$DCMDICT_PATH/dicom.dic $DCMTKBIN/storescp -d 1231 \
    +tls /path/to/my/certs/PacsServer.key /path/to/my/certs/PacsServer.cert +cf /path/to/my/certs/CA/cacert.pem +pw 12345 -fe .dcm -od $PACS1DIR


On the client side I set up the connection in the code as follows:

Code:

#include "dcmtk/dcmtls/tlsscu.h"   // DcmTLSSCU, DcmTLSSecurityProfile

// mpScu is of type DcmTLSSCU (the TLS-capable SCU from the tlsscu module in the toolkit)

OFCondition cond;
DcmTransportLayerStatus status;

// Initialize network
if ((cond = mpScu->initNetwork()).bad())
{
    // logging, no errors occur here
}

// Select the BCP 195 security profile (protocol versions and cipher suites)
status = mpScu->setTLSProfile(DcmTLSSecurityProfile::TSP_Profile_BCP195);

if (status != DcmTransportLayerStatus::TCS_ok)
{
    // logging, no errors occur here
}

// CA certificate used to verify the peer (server) certificate
mpScu->addTrustedCertFile(OFString("/path/to/my/cert/CA/cacert.pem"));

// Client's own key and certificate, presented to the server for mutual authentication
OFString privateKey("/path/to/my/cert/PacsClient.key");
OFString certFile("/path/to/my/cert/PacsClient.cert");
const char* passphrase = "12345";

mpScu->enableAuthentication(privateKey, certFile, passphrase);

If I log the authentication parameters using the getAuthenticationParams() function I see all the parameters are set correctly.

The errors I receive are as follows:

Code:

On the server side:
Receiving Association failed: 0006:031e DUL secure transport layer: tlsv1 alert unknown ca

On the client side:
handleAssociation() ERROR: 795: Failed to establish association<LF>0006:0317 Peer aborted Association (or never connected)<LF>0006:031e DUL secure transport layer: unspecified TLS error

If I use the option to ignore certificates on both sides, the connection is established without problems.

I have tried adding every combination of certificates as trusted certificates, using the "+cf"/"+cd" options on the server and addTrustedCertFile/addTrustedCertDir on the client, but nothing helps.

What makes matters harder is that the client machine has no debugger, so the only way to look for errors is the logging in our own application.

Can anybody point out what I may be missing here?
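A way to check the trust relationships behind a "tlsv1 alert unknown ca" offline, as an added example that is not part of the original post and not DCMTK code: it uses the openssl CLI to build a throwaway CA plus a server certificate, then runs the same chain verification the peer performs during the handshake, once against the issuing CA and once against an unrelated CA. The names ca, otherca and server, the temporary working directory and the helper functions check_chain / key_matches_cert are assumptions made for this script.

```shell
#!/bin/sh
# Added example (not from the forum post or from DCMTK): reproduce the chain
# checks behind "tlsv1 alert unknown ca" with the openssl CLI, offline.
# The certificate names, the temp directory and the helper names are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA: $1 = output prefix, $2 = common name
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# Leaf certificate signed by a CA: $1 = output prefix, $2 = common name, $3 = CA prefix
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -days 1 -out "$1.cert" >/dev/null 2>&1
}

# Does the leaf ($2) chain to the trust store ($1)? This is what the peer checks
# during the handshake; when it fails, the peer sends the unknown_ca alert.
check_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo "unknown ca"
    fi
}

# Does the private key ($1) belong to the certificate ($2)? Compare the public keys.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl md5)
    if [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

# Constructed test PKI: one CA that issued the server cert, one unrelated CA.
make_ca "$WORK/ca" "Test CA"
make_ca "$WORK/otherca" "Unrelated CA"
make_leaf "$WORK/server" "PacsServer" "$WORK/ca"

echo "server cert vs issuing CA:   $(check_chain "$WORK/ca.pem" "$WORK/server.cert")"
echo "server cert vs unrelated CA: $(check_chain "$WORK/otherca.pem" "$WORK/server.cert")"
echo "server key matches cert:     $(key_matches_cert "$WORK/server.key" "$WORK/server.cert")"
```

Run the same two checks on the real files: the server certificate against the cacert.pem the client trusts, and the client certificate against the cacert.pem passed to storescp with +cf; `openssl x509 -in <cert> -noout -subject -issuer` shows which CA actually signed each leaf, and `openssl s_client -connect <host>:1231 -CAfile cacert.pem` exercises the server's side of the handshake without DCMTK. If both chains verify, one further point worth checking, stated here as an assumption about DcmTLSSCU rather than something the post establishes: the trusted-certificate list and authentication settings are applied when initNetwork() creates the transport layer, so calls to addTrustedCertFile() and enableAuthentication() made after initNetwork() would leave the TLS layer without a trust store, which on the client produces exactly the unknown_ca alert the server logs.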
