Observed an issue for secure communication.
When sending data through multiple association in a single session, serverSideHandshake() fails for the second association (Secure Connection).
(*association)->connection->serverSideHandshake() from dul.cc returned the error below: "Could not receive association request: 0006:031e DUL secure transport layer: session id context uninitialized"
When we add "SSL_set_session_id_context(newConnection, arr, 2)" in DcmTransportConnection *DcmTLSTransportLayer::createConnection() it works as expected.
It would be of great help if someone could attend to my below queries:
Is the failure of multiple associations a known issue for secure connections?
Is the addition of "SSL_set_session_id_context()" as stated above the correct fix for my issue?
Also, please suggest if there is any other way to solve multiple association issue in case of a secure connection.
Can you please let us know what "arr" is and how this structure is created?
In general, the problem seems to be caused by an attempted TLS session reuse. Apparently DVT tries to re-use the already negotiated TLS session, which is somewhat dangerous and not supported by DCMTK. However, apparently, DCMTK does not properly "tell" the OpenSSL library that session reuse should be disabled. You could try to add the following code to DcmTLSTransportLayer::DcmTLSTransportLayer() (after the call to setBuiltInDHParameters()):
I forgot to mention that I am using dcmtk version 3.6.5 in my earlier query.
I could not find the setBuiltInDHParameters() function inside the source.
Still, I tried adding the code below to DcmTLSTransportLayer::DcmTLSTransportLayer(T_ASC_NetworkRole networkRole, const char *randFile, OFBool initOpenSSL):
SSL_CTX_set_session_cache_mode(transportLayerContext, SSL_SESS_CACHE_OFF);
I added the call after the section for the creation of the default set of DH parameters. I also ensured that "SSL_CTX_set_session_cache_mode" was getting called.
Still, the issue is there. No change in behavior is observed.
The same error is generated: "Could not receive association request: 0006:031e DUL secure transport layer: session-id context uninitialized"
Can you suggest any other solution that I could try for the same?
Regarding your other question: Can you please let us know what "arr" is and how this structure is created?
arr is basically the session id context given to SSL_set_session_id_context. Since I was trying a workaround, the naming of the variable was not logical.
But basically, it is the session-id string.
The structure creation was done as below:
// session-id context bytes; the length passed below excludes the terminating NUL
static const unsigned char arr[] = "securesessionId";
int status = SSL_set_session_id_context(newConnection, arr, sizeof(arr) - 1);
if (status == 0)
{
    DCMTLS_ERROR("Error occurred while setting session Id Context");
}
Then I will probably have to reproduce and debug the issue here. Can you provide me with further details on what exactly you do on the SCU side (which DVT tool, which version, which settings, how are certificates configured) ?
I tried adding the fix below, suggested by you, to the dcmtk 3.6.5 source in DcmTLSTransportLayer(T_ASC_NetworkRole networkRole, const char *randFile, OFBool initOpenSSL):
+ // set a random 32-bit number as TLS session ID
+ OFRandom rnd;
+ Uint32 session_id = rnd.getRND32();
+ if (0 == SSL_CTX_set_session_id_context(transportLayerContext, OFreinterpret_cast(const unsigned char *, &session_id), sizeof(session_id)))
+ {
+ DCMTLS_ERROR("unable to set TLS session ID context.");
+ }
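Review bot: the comment on the first added line calls the value a "TLS session ID", but SSL_CTX_set_session_id_context() sets the session-ID context (the per-application tag OpenSSL compares before it accepts a resumed session), not a session ID; reword it to "set a random 32-bit number as TLS session ID context" so nobody later mistakes it for the cache entry itself. Also, the hunk makes resumption succeed rather than preventing it: with the context set, OpenSSL now resumes the client's session instead of aborting, so if reuse is not wanted, add SSL_CTX_set_session_cache_mode(transportLayerContext, SSL_SESS_CACHE_OFF); directly after the if block, as discussed further down in this thread.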
It worked and DVTk showed Pass status.
Should I also add the call SSL_CTX_set_session_cache_mode(transportLayerContext, SSL_SESS_CACHE_OFF)?
Because just by setting the session-id context using SSL_CTX_set_session_id_context, the issue was resolved.
Please confirm if I need to add SSL_CTX_set_session_cache_mode() also along with SSL_CTX_set_session_id_context().
OFRandom rnd;
Uint32 session_id = rnd.getRND32();
if (0 == SSL_CTX_set_session_id_context(transportLayerContext, OFreinterpret_cast(const unsigned char *, &session_id), sizeof(session_id)))
{
    DCMTLS_ERROR("unable to set TLS session ID context.");
}
// disable session caching (and, thus, session re-use)
SSL_CTX_set_session_cache_mode(transportLayerContext, SSL_SESS_CACHE_OFF);
Functionality is working as expected.
The issue was reported as a part of the testing done before our delivery to the client.
Since the fix suggested by you is working fine, can we proceed by integrating the same into the dcmtk 3.6.5 source code?
I will commit this patch to DCMTK today, so it will appear in the next release. Of course it is your decision which modifications you want to deliver to your customers, but I would recommend that you include this modification.