Design proposal: Enable Windows certificate store with DcmTLSSCU

jogerh
Posts: 37
Joined: Mon, 2022-02-28, 08:55

Design proposal: Enable Windows certificate store with DcmTLSSCU

#1 Post by jogerh »

The DcmTLSSCU is a nice base class for implementing SCUs with TLS. On the Windows platform it is not optimal if we want to use the Windows Certificate Store. The reason is that the current API requires exporting all certificates to the filesystem. It would be nice to have a mechanism that allowed customization of how the transport layer is created, to enable populating the SSL context with in-memory certificates from the Windows Certificate Store.

One possible way of achieving this is presented in https://github.com/DCMTK/dcmtk/pull/59, where DcmTLSSCU exposes a protected factory function for TLS transport layers. With this extension, custom implementations of DcmTLSSCU can provide their own factory function for transport layers, and populate the transport layers through DcmTLSTransportLayer::getNativeHandle().

Please have a look and let me know what you think.

Marco Eichelberg
OFFIS DICOM Team
Posts: 1437
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany

Re: Design proposal: Enable Windows certificate store with DcmTLSSCU

#2 Post by Marco Eichelberg »

I think that in most cases using the Windows certificate store for DICOM TLS connections is an extremely bad idea. The Windows cert store is filled with the root certificates of all kinds of root CAs that should be trusted when Web servers are accessed from Internet Explorer or MS Edge. You don't want anybody who has a valid certificate issued by one of these CAs to be able to successfully negotiate a connection to your PACS server, or whatever the DICOM system is. Here I would expect a setup where perhaps one or at most two root CAs are considered valid in a certain PACS network. Perhaps your use case is different. If so, please explain why using the Windows cert store would be useful in your setting.

With regard to the implementation of the protected factory method, I see no problem in that, except that I would prefer to use DcmSCU instead of DcmTLSSCU since it would permit both encrypted and plain connections with the same code (see my other post in the thread on TLS support in DcmSCU). In that case, DcmTLSOptions::getTransportLayer() and/or DcmTLSOptions::createTransportLayer() should perhaps be made virtual.

jogerh
Posts: 37
Joined: Mon, 2022-02-28, 08:55

Re: Design proposal: Enable Windows certificate store with DcmTLSSCU

#3 Post by jogerh »

Thanks for the very useful insights, Marco. After switching to DcmSCU and using the DcmSCU::useSecureConnection() function as you suggested, there is no longer a need for this extension.

The rationale for interfacing with the Windows Certificate Store is to allow end users/IT personnel to install certificates on their DICOM client software in a way that is familiar to them. By using built-in OS functionality, we reduce the amount of custom code to manage certificates. In addition, I believe using the Windows Certificate Store may simplify fleet management of these DICOM clients.

Thank you for your input on the challenges with uploading all Windows Certificate Store certificates to the SSL context. You are absolutely right that this can be a problem, and we will have to allow the end user to specify which certificates they want to use. This should be straightforward with the Windows Certificate Store, since we can create dedicated logical certificate stores for this purpose.

Thanks,
Jøger

Marco Eichelberg
OFFIS DICOM Team
Posts: 1437
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany

Re: Design proposal: Enable Windows certificate store with DcmTLSSCU

#4 Post by Marco Eichelberg »

I see. If you can define a logical certificate store in Windows and only access that from your application, that would indeed be very useful as it would address the issue of renewing the certificates in the store before expiration, something for which Windows probably offers an automated solution. You just have to make sure that some Windows update does not suddenly (and unexpectedly) "flood" your logical cert store with the collection of the 100+ root CA certificates Windows supports in MS Edge.
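The dedicated logical store discussed in posts #3 and #4, as an added example that is not part of the thread and not DCMTK code: it creates a separate store under LocalMachine, imports the one PACS CA certificate into it (never into Cert:\LocalMachine\Root), and then audits the store so that an unexpected root appearing in it, or a CA certificate approaching expiry, is reported. The store name DicomTlsTrust, the CA file path and the allow-listed thumbprint are assumptions; replace them with your own values.

```powershell
# Added example (not from the thread or from DCMTK): keep DICOM TLS trust anchors
# in a dedicated logical certificate store and audit that store. The DICOM client
# is then expected to open only this store, not the OS-wide "Root" store.
# Store name, CA file path and thumbprint below are assumptions/placeholders.

$StoreName = 'DicomTlsTrust'
$StorePath = "Cert:\LocalMachine\$StoreName"
$CaFile    = 'C:\ProgramData\DicomClient\pacs-ca.cer'   # assumed path to the PACS CA cert

# SHA-1 thumbprints (as Windows displays them) of the one or two CAs that are
# allowed to sign peer certificates in this PACS network. Placeholder value.
$AllowedThumbprints = @(
    'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678'
)

# 1. Create the logical store if it does not exist yet.
#    The Cert: provider supports New-Item for stores below LocalMachine/CurrentUser.
if (-not (Test-Path $StorePath)) {
    New-Item -Path 'Cert:\LocalMachine' -Name $StoreName | Out-Null
}

# 2. Import the CA certificate into that store only.
Import-Certificate -FilePath $CaFile -CertStoreLocation $StorePath | Out-Null

# 3. Audit the store: anything not on the allow list is a "flooded" or stray root,
#    anything close to NotAfter needs renewal, and every allowed CA must be present.
function Test-DicomTrustStore {
    param(
        [string]   $Path     = $StorePath,
        [string[]] $Allowed  = $AllowedThumbprints,
        [int]      $WarnDays = 30
    )
    $problems = @()
    $certs = Get-ChildItem -Path $Path
    foreach ($c in $certs) {
        if ($Allowed -notcontains $c.Thumbprint) {
            $problems += "UNEXPECTED: $($c.Subject) [$($c.Thumbprint)]"
        }
        if ($c.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
            $problems += "EXPIRING:   $($c.Subject) expires $($c.NotAfter)"
        }
    }
    foreach ($t in $Allowed) {
        if (-not ($certs | Where-Object Thumbprint -eq $t)) {
            $problems += "MISSING:    expected CA $t is not present in $Path"
        }
    }
    return $problems
}

$issues = Test-DicomTrustStore
if ($issues.Count -eq 0) {
    Write-Output "$StorePath contains exactly the expected CA certificate(s)."
} else {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it elevated, since writing below Cert:\LocalMachine requires administrator rights. The audit function can be scheduled (for example as a scheduled task) so that a Windows update or a misapplied group policy that adds certificates to the store is noticed before the client starts trusting them; the client application itself should open only this store by name when it builds its TLS context.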
