DCMTK with TLS

Aruna
Posts: 4
Joined: Thu, 2022-02-17, 17:19

DCMTK with TLS

#1 Post by Aruna »

Hi,
I am trying to connect to Orthanc PACS server using dcmtk applications such as echoscu, storescu through secure connection.
With the help of the documentation and the forum, I am able to successfully connect to the PACS through a TLS connection using certificate and key files, with the command:
echoscu localhost 4242 -aet ORTHANC +tls "orthanc-crt.pem" "orthanc-key.pem" ++add-cert-file "trusted-crt.pem" -ll info

I could see that without adding trusted certificate, the above command is failing. I found the reason from the forum that: The problem is that Orthanc does not recognize the Certification Authority (CA) that has issued echoscu's certificate (i.e. my CA). To solve that problem, we can either switch off certificate verification using --ignore-peer-cert command line option or we must use --add-cert-file option.
My doubts are:
Is the --add-cert-file option necessary every time to connect to any PACS server, such as a hospital server or a private server other than Orthanc?
As this option is needed because the PACS server couldn't recognize my CA, if we have certificates from a known CA, will we still need this option?
I mean if we are trying to connect to any hospital PACS server, do we need this --add-cert-file option?

Thanks!

Marco Eichelberg
OFFIS DICOM Team
Posts: 1437
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany

Re: DCMTK with TLS

#2 Post by Marco Eichelberg »

TLS as implemented in DCMTK uses bi-directional authentication by default. That means that both the client and the server transmit their individual certificate during the TLS negotiation phase, and DCMTK based tools will also check the certificate and refuse the connection when the certificate is rejected. There are several reasons why this could happen, e.g.
  • certificate is expired
  • remote peer cannot prove ownership of the private key belonging to the certificate
  • certificate is valid but was created by a certification authority not trusted by DCMTK
The --ignore-peer-cert option requests DCMTK to not check the certificate sent by the remote peer and to simply accept any certificate. This may be useful for testing and debugging purposes, but should never be used in a routine setting, because it enables man-in-the-middle attacks since DCMTK now cannot check whether it is really talking to the right system. Instead, the CA certificate of the CA used to create the certificate used by Orthanc should be added to DCMTK's list of trusted CAs (--add-cert-file), and the CA certificate used to create the certificate for storescu should be installed in the CA keystore of Orthanc (however that works - I don't know).
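
An added example (not from this thread or from DCMTK) of the trust setup the reply describes: a private CA issues the server and client certificates, `openssl verify` performs the same chain check DCMTK applies to the peer certificate, and the echoscu command line is printed rather than run, so the script works without DCMTK installed. It assumes only the openssl CLI; the CA names, subjects and file names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): build a private CA, issue certificates
# from it, and show which file belongs in --add-cert-file. Assumes the openssl
# CLI is installed; CA names, subjects and file names are constructed here.
set -eu

# make_ca DIR NAME: self-signed CA certificate and key in DIR
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$1/$2-key.pem" -out "$1/$2-crt.pem" 2>/dev/null
}

# issue_cert DIR CA NAME: key and certificate for NAME, signed by CA
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3-key.pem" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$1/$3.csr" -CA "$1/$2-crt.pem" \
    -CAkey "$1/$2-key.pem" -CAcreateserial -out "$1/$3-crt.pem" 2>/dev/null
}

# peer_cert_trusted CAFILE PEERCERT: succeeds only if PEERCERT chains to
# CAFILE, the same check DCMTK applies to the remote certificate once CAFILE
# has been loaded with --add-cert-file
peer_cert_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# echoscu_tls_cmd KEY CERT CAFILE: prints the command line. +tls takes the
# client's own private key first, then its certificate; --add-cert-file takes
# the CA certificate that issued the peer's certificate, not the peer's cert.
echoscu_tls_cmd() {
  printf 'echoscu localhost 4242 -aet ORTHANC +tls %s %s --add-cert-file %s\n' \
    "$1" "$2" "$3"
}

# Two unrelated CAs: only the CA that issued the server certificate validates it.
demo() {
  d=$(mktemp -d)
  make_ca "$d" hospital-ca
  make_ca "$d" other-ca
  issue_cert "$d" hospital-ca orthanc          # server certificate
  issue_cert "$d" hospital-ca echoscu-client   # client certificate
  peer_cert_trusted "$d/hospital-ca-crt.pem" "$d/orthanc-crt.pem" && echo "issuing CA: trusted"
  peer_cert_trusted "$d/other-ca-crt.pem" "$d/orthanc-crt.pem" || echo "unrelated CA: rejected"
  echoscu_tls_cmd "$d/echoscu-client-key.pem" "$d/echoscu-client-crt.pem" "$d/hospital-ca-crt.pem"
  rm -rf "$d"
}

demo
```

For a production connection to a hospital PACS, the file handed to `--add-cert-file` is that site's issuing CA certificate, and the client certificate sent with `+tls` must in turn be issued by a CA the server trusts.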

Aruna
Posts: 4
Joined: Thu, 2022-02-17, 17:19

Re: DCMTK with TLS

#3 Post by Aruna »

Thanks Marco, I got the idea from your explanation.
