Secure Connection issue

amal.jesudas
Posts: 36
Joined: Tue, 2017-12-19, 11:49

Secure Connection issue

#1 Post by amal.jesudas »

Hi,

Observed an issue with secure communication.
When sending data through multiple associations in a single session, serverSideHandshake() fails for the second association (secure connection).

(*association)->connection->serverSideHandshake() in dul.cc returned the error below:
"Could not receive association request: 0006:031e DUL secure transport layer: session id context uninitialized"

When we add "SSL_set_session_id_context(newConnection, arr, 2)" in DcmTransportConnection *DcmTLSTransportLayer::createConnection(), it works as expected.

It would be of great help if someone could attend to my queries below:
  • Is failure with multiple associations a known issue for secure connections?
  • Is the addition of "SSL_set_session_id_context()" as stated above the correct fix for my issue?

Also, please suggest if there is any other way to solve the multiple-association issue in the case of a secure connection.

Regards,
Amal

Marco Eichelberg
OFFIS DICOM Team
Posts: 1435
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany

Re: Secure Connection issue

#2 Post by Marco Eichelberg »

Can you please let us know what "arr" is and how this structure is created?

In general, the problem seems to be caused by an attempted TLS session reuse. Apparently DVT tries to re-use the already negotiated TLS session, which is somewhat dangerous and not supported by DCMTK. However, apparently, DCMTK does not properly "tell" the OpenSSL library that session reuse should be disabled. You could try to add the following code to DcmTLSTransportLayer::DcmTLSTransportLayer() (after the call to setBuiltInDHParameters()):

SSL_CTX_set_session_cache_mode(transportLayerContext, SSL_SESS_CACHE_OFF);

Please let us know if this solves the problem.
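The session reuse described in the reply above can be demonstrated outside DCMTK. The following Go program is an added example, not part of this thread and not DCMTK or OFFIS code. It uses Go's crypto/tls instead of OpenSSL, so the only knob with a counterpart is the resumption switch: SessionTicketsDisabled on the server plays the role of SSL_SESS_CACHE_OFF, and Go's TLS stack has no session ID context, so there is nothing corresponding to SSL_CTX_set_session_id_context. The program opens several sequential TLS connections with mutual certificate authentication, the way one process opens several DICOM associations, using a client that is willing to resume, and reports per connection whether the handshake resumed an earlier session. The certificate, the "localhost" name and the "A-ASSOCIATE-AC" greeting are constructed test material, not real credentials or a real PDU.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds an in-memory self-signed certificate (constructed test
// material) that acts as server cert, client cert and trust anchor at once.
func selfSignedCert(name string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced just above, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// serveOnce is the acceptor side of one association: the Write runs the mutual-auth
// handshake first, then sends one record (a constructed stand-in for the accept PDU).
func serveOnce(raw net.Conn, cfg *tls.Config) error {
	defer raw.Close()
	conn := tls.Server(raw, cfg)
	_, err := conn.Write([]byte("A-ASSOCIATE-AC\n"))
	return err
}

// clientOnce is the requestor side: the Read runs the handshake, consumes any
// NewSessionTicket the server sent, then returns the server's record.
func clientOnce(raw net.Conn, cfg *tls.Config) (bool, error) {
	defer raw.Close()
	conn := tls.Client(raw, cfg)
	if _, err := conn.Read(make([]byte, 64)); err != nil {
		return false, err
	}
	return conn.ConnectionState().DidResume, nil
}

// runAssociations opens n sequential TLS connections from one client config to one
// server config (several associations in one process) and reports DidResume per connection.
func runAssociations(disableResumption bool, n int) ([]bool, error) {
	cert, pool, err := selfSignedCert("localhost")
	if err != nil {
		return nil, err
	}
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert}, ClientCAs: pool, MinVersion: tls.VersionTLS13,
		ClientAuth:             tls.RequireAndVerifyClientCert, // peer verification, as DCMTK does
		SessionTicketsDisabled: disableResumption,              // Go's counterpart of SSL_SESS_CACHE_OFF
	}
	clientCfg := &tls.Config{
		Certificates: []tls.Certificate{cert}, RootCAs: pool, MinVersion: tls.VersionTLS13,
		ServerName:         "localhost",
		ClientSessionCache: tls.NewLRUClientSessionCache(8), // the client would resume if allowed
	}
	resumed := make([]bool, 0, n)
	for i := 0; i < n; i++ {
		clientRaw, serverRaw := net.Pipe()
		errCh := make(chan error, 1)
		go func() { errCh <- serveOnce(serverRaw, serverCfg) }()
		r, err := clientOnce(clientRaw, clientCfg)
		if err != nil {
			return nil, err
		}
		if err := <-errCh; err != nil {
			return nil, err
		}
		resumed = append(resumed, r)
	}
	return resumed, nil
}

func main() {
	for _, off := range []bool{false, true} {
		res, err := runAssociations(off, 3)
		fmt.Println("resumption disabled:", off, "resumed per association:", res, "err:", err)
	}
}
```

With resumption disabled every association goes through a full handshake, including a fresh client certificate check, which is the behaviour the thread is after; with it enabled the client may reuse the first session for later connections, and whether the server accepts that depends on the Go version's resumption rules, so the program only reports it.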

amal.jesudas
Posts: 36
Joined: Tue, 2017-12-19, 11:49

Re: Secure Connection issue

#3 Post by amal.jesudas »

Thanks Marco for the reply.

I forgot to mention in my earlier query that I am using dcmtk version 3.6.5.
I could not find the setBuiltInDHParameters() function inside the source.
Still, I tried adding the code below to DcmTLSTransportLayer::DcmTLSTransportLayer(T_ASC_NetworkRole networkRole, const char *randFile, OFBool initOpenSSL):

SSL_CTX_set_session_cache_mode(transportLayerContext, SSL_SESS_CACHE_OFF);

I added the call after the section for the creation of the default set of DH parameters. I also ensured that "SSL_CTX_set_session_cache_mode" was getting called.

Still, the issue is there. No change in behavior is observed.
The same error is generated: "Could not receive association request: 0006:031e DUL secure transport layer: session-id context uninitialized"


Can you suggest any other solution that I could try for the same?

Regarding your other question:
Can you please let us know what "arr" is and how this structure is created?

arr is basically the session id given to SSL_set_session_id_context. Since I was trying a workaround, the naming of the variable was not logical.
But basically, it is the session id string.

The structure creation was done as below:

// context string whose length is passed to OpenSSL (without the terminating NUL)
const char sessionidcontext[] = "securesessionId";
const unsigned char* arr = reinterpret_cast<const unsigned char*>(sessionidcontext);
int status = SSL_set_session_id_context(newConnection, arr, sizeof(sessionidcontext) - 1);
if (status == 0)
{
  DCMTLS_ERROR("Error occurred while setting session Id Context");
}

Marco Eichelberg
OFFIS DICOM Team
Posts: 1435
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany

Re: Secure Connection issue

#4 Post by Marco Eichelberg »

Then I will probably have to reproduce and debug the issue here. Can you provide me with further details on what exactly you do on the SCU side (which DVT tool, which version, which settings, how are certificates configured)?

Marco Eichelberg
OFFIS DICOM Team
Posts: 1435
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany

Re: Secure Connection issue

#5 Post by Marco Eichelberg »

You might want to try this patch. Note that this is a patch for DCMTK testing (i.e. the current git repository), not for DCMTK 3.6.6 release.

diff --git a/dcmtls/libsrc/tlslayer.cc b/dcmtls/libsrc/tlslayer.cc
index e2131c6c5..eff23f9c9 100644
--- a/dcmtls/libsrc/tlslayer.cc
+++ b/dcmtls/libsrc/tlslayer.cc
@@ -47,6 +47,7 @@ END_EXTERN_C
 #include "dcmtk/dcmtls/tlslayer.h"
 #include "dcmtk/dcmtls/tlstrans.h"
 #include "dcmtk/dcmnet/dicom.h"
+#include "dcmtk/ofstd/ofrand.h"

 #ifdef HAVE_SSL_CTX_GET0_PARAM
 #define DCMTK_SSL_CTX_get0_param SSL_CTX_get0_param
@@ -281,6 +282,17 @@ DcmTLSTransportLayer::DcmTLSTransportLayer(T_ASC_NetworkRole networkRole, const
      if (!setBuiltInDHParameters())
        DCMTLS_ERROR("unable to create Diffie-Hellman parameters.");

+     // set a random 32-bit number as TLS session ID
+     OFRandom rnd;
+     Uint32 session_id = rnd.getRND32();
+     if (0 == SSL_CTX_set_session_id_context(transportLayerContext, OFreinterpret_cast(const unsigned char *, &session_id), sizeof(session_id)))
+     {
+       DCMTLS_ERROR("unable to set TLS session ID context.");
+     }
+
+     // disable session caching (and, thus, session re-use)
+     SSL_CTX_set_session_cache_mode(transportLayerContext, SSL_SESS_CACHE_OFF);
+
      // create Elliptic Curve DH parameters
 #ifndef OPENSSL_NO_ECDH
 #if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
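Review bot: the comment at the top of the hunk says "set a random 32-bit number as TLS session ID", but the call configures the session ID context (SSL_CTX_set_session_id_context), which is what the "session id context uninitialized" error reported in this thread refers to; suggest "// set a random 32-bit number as TLS session ID context". On failure the constructor only logs through DCMTLS_ERROR and continues, so the resulting context would still produce that handshake error later when peer verification is on; that mirrors the setBuiltInDHParameters() handling just above, so if it is intentional a one-line comment saying the error is deliberately non-fatal would help. Finally, since SSL_SESS_CACHE_OFF is set immediately afterwards, no cached session is ever compared against this context value, so the randomness is not what prevents reuse; a short note to that effect would stop a later reader from treating the OFRandom value as a security property.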

amal.jesudas
Posts: 36
Joined: Tue, 2017-12-19, 11:49

Re: Secure Connection issue

#6 Post by amal.jesudas »

Thanks Marco for the reply.

I tried adding the fix below, suggested by you, to the dcmtk 3.6.5 source in DcmTLSTransportLayer(T_ASC_NetworkRole networkRole, const char *randFile, OFBool initOpenSSL):

+     // set a random 32-bit number as TLS session ID
+     OFRandom rnd;
+     Uint32 session_id = rnd.getRND32();
+     if (0 == SSL_CTX_set_session_id_context(transportLayerContext, OFreinterpret_cast(const unsigned char *, &session_id), sizeof(session_id)))
+     {
+       DCMTLS_ERROR("unable to set TLS session ID context.");
+     }

It worked and DVTk showed Pass status.

Should I also add the call SSL_CTX_set_session_cache_mode(transportLayerContext, SSL_SESS_CACHE_OFF)?
Because just by setting the session-id context using SSL_CTX_set_session_id_context, the issue was resolved.

Please confirm whether I need to add SSL_CTX_set_session_cache_mode() as well, along with SSL_CTX_set_session_id_context().

Marco Eichelberg
OFFIS DICOM Team
Posts: 1435
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany

Re: Secure Connection issue

#7 Post by Marco Eichelberg »

Yes, please. And please let me know if everything still works as expected after that change.

amal.jesudas
Posts: 36
Joined: Tue, 2017-12-19, 11:49

Re: Secure Connection issue

#8 Post by amal.jesudas »

Thanks Marco for confirming the same.

I tried adding the fix below, suggested by you, in DcmTLSTransportLayer::DcmTLSTransportLayer:

OFRandom rnd;
Uint32 session_id = rnd.getRND32();
if (0 == SSL_CTX_set_session_id_context(transportLayerContext, OFreinterpret_cast(const unsigned char *, &session_id), sizeof(session_id)))
{
  DCMTLS_ERROR("unable to set TLS session ID context.");
}

// disable session caching (and, thus, session re-use)
SSL_CTX_set_session_cache_mode(transportLayerContext, SSL_SESS_CACHE_OFF);

Functionality is working as expected.

The issue was reported as part of the testing done before our delivery to the client.
Since the fix suggested by you is working fine, can we proceed by integrating the same into the dcmtk 3.6.5 source code?

Please confirm.

Marco Eichelberg
OFFIS DICOM Team
Posts: 1435
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany

Re: Secure Connection issue

#9 Post by Marco Eichelberg »

I will commit this patch to DCMTK today, so it will appear in the next release. Of course it is your decision which modifications you want to deliver to your customers, but I would recommend that you include this modification.

amal.jesudas
Posts: 36
Joined: Tue, 2017-12-19, 11:49

Re: Secure Connection issue

#10 Post by amal.jesudas »

Thanks Marco for the help.
Will include this modification in our code.

Regards,
Amal
