Secure Connections with DCMTK

thomb
Posts: 5
Joined: Mon, 2024-05-20, 08:10

Secure Connections with DCMTK

#1 Post by thomb »

Hi All,
I'm new to this API. I'm investigating how I might use a secure connection between a product and a PACS or modality (device).
I noticed ASC_setTransportLayerType and ASC_receiveAssociation provide ways to request a secure connection. However,
these parameters aren't really honored because when DcmTransportLayer::createConnection is called, it returns null if useSecureLayer is true.
Are there other well accepted ways to secure a connection?
Thank you.

Marco Eichelberg
OFFIS DICOM Team
Posts: 1462
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany

Re: Secure Connections with DCMTK

#2 Post by Marco Eichelberg »

I would suggest that you look at how dcmnet/apps/findscu.cc does this, since this is one of the DCMTK command line tools that support secure TLS connections. dcmnet/apps/storescp.cc would be an example of a server application with TLS support.

thomb
Posts: 5
Joined: Mon, 2024-05-20, 08:10

Re: Secure Connections with DCMTK

#3 Post by thomb »

Thanks Marco.
I was looking at the apps provided by DCMTK to see how they support TLS/secure connections.
I have some additional questions.

1. Once I build the toolkit using WITH_OPENSSL, I should be able to do secure and unsecure connections (I think the answer is yes)?

2. Is the only way to create, and use secure, connections with TLS to always create a DcmTLSTransportLayer and pass it to ASC_setTransportLayer?
I'd love to see documentation of the minimal steps to use TLS and then additional options with recommendations.
For example, should I use
tLayer->addTrustedCertificateFile,
tLayer->addTrustedCertificateDir,
tLayer->setPrivateKeyPasswd,
tLayer->setCipherSuites,
tLayer->setCertificateVerification

3. (For the DCMTK team) Would it be possible in a future release to encapsulate TLS support without the need to call ASC_setTransportLayer directly?

Perhaps I've missed some documentation regarding the use of TLS with DCMTK.
Thanks.

Marco Eichelberg
OFFIS DICOM Team
Posts: 1462
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany

Re: Secure Connections with DCMTK

#4 Post by Marco Eichelberg »

> 1. Once I build the toolkit using WITH_OPENSSL, I should be able to do secure and unsecure connections (I think the answer is yes)?

Correct.

> 2. Is the only way to create, and use secure, connections with TLS to always create a DcmTLSTransportLayer and pass it to ASC_setTransportLayer?

Yes, this is how the TLS code (which is a separate module and library) is "injected" into the network layer code at runtime. If ASC_setTransportLayer() does not get called, the network will use a transport layer object that uses unencrypted TCP/IP. This function asks the network layer to use TLS instead.

> I'd love to see documentation of the minimal steps to use TLS and then additional options with recommendations.

Look at the implementation of DcmTLSOptions::createTransportLayer(). This function initializes the TLS transport layer object and supports all options for client and server operation. This is what most command line tools use internally.

> 3. (For the DCMTK team) Would it be possible in a future release to encapsulate TLS support without the need to call ASC_setTransportLayer directly?

What is the problem with calling ASC_setTransportLayer()?

thomb
Posts: 5
Joined: Mon, 2024-05-20, 08:10

Re: Secure Connections with DCMTK

#5 Post by thomb »

> What is the problem with calling ASC_setTransportLayer()?

It would be nice if we just turned on TLS with a preprocessing value set to true and then have the code inject the TLS layer instead of having to do it ourselves.

thomb
Posts: 5
Joined: Mon, 2024-05-20, 08:10

Re: Secure Connections with DCMTK

#6 Post by thomb »

Thanks for your replies!

Marco Eichelberg
OFFIS DICOM Team
Posts: 1462
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany

Re: Secure Connections with DCMTK

#7 Post by Marco Eichelberg »

> It would be nice if we just turned on TLS with a preprocessing value set to true and then have the code inject the TLS layer instead of having to do it ourselves.

It is certainly possible to make the code nicer. The TLS support was developed as an add-on years after the network module, which in part explains the ugly API.
However, one important use case we wanted to support was that the application can individually decide for each network connection whether it should be with or without TLS. ASC_setTransportLayer() makes that possible.
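
The injection pattern discussed in this thread, as a simplified, self-contained model added for illustration. It is not DCMTK code and not part of any post above. All class and function names are hypothetical stand-ins, and the injected layer is assumed to also serve unencrypted requests, matching the per-connection choice described in post #7. It shows that a secure request without an injected TLS layer yields a null connection rather than a silent fallback to plaintext.

```cpp
#include <memory>
#include <string>
#include <utility>

// Simplified model with hypothetical names; these are NOT DCMTK classes.
struct Connection {
    bool encrypted;
    std::string peer;
};

// Default layer: plain TCP only.
class TransportLayer {
public:
    virtual ~TransportLayer() = default;
    // Returns null when the requested security level cannot be provided.
    virtual std::unique_ptr<Connection> createConnection(const std::string& peer,
                                                         bool useSecureLayer) {
        if (useSecureLayer) return nullptr;  // fail closed, no silent plaintext
        return std::unique_ptr<Connection>(new Connection{false, peer});
    }
};

// Injected layer: serves secure requests, delegates plain ones to the base.
class TlsTransportLayer : public TransportLayer {
public:
    std::unique_ptr<Connection> createConnection(const std::string& peer,
                                                 bool useSecureLayer) override {
        if (!useSecureLayer) return TransportLayer::createConnection(peer, false);
        return std::unique_ptr<Connection>(new Connection{true, peer});
    }
};

class Network {
    std::unique_ptr<TransportLayer> layer_;
public:
    Network() : layer_(new TransportLayer) {}
    void setTransportLayer(std::unique_ptr<TransportLayer> l) { layer_ = std::move(l); }
    std::unique_ptr<Connection> associate(const std::string& peer, bool secure) {
        return layer_->createConnection(peer, secure);
    }
};

enum class Result { Plain, Tls, Refused };
// Caller-side check: a null connection is reported, never retried in plaintext.
Result tryAssociate(Network& net, const std::string& peer, bool secure) {
    std::unique_ptr<Connection> c = net.associate(peer, secure);
    if (!c) return Result::Refused;
    return c->encrypted ? Result::Tls : Result::Plain;
}
```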
