Send DICOM images from dcmqrscp-tls to tls-server failed

[ziyuan.song]

I'm trying to send a C-MOVE command to dcmqrscp-tls to transfer DICOM images stored in dcmqrscp-tls to a specified server.

The command to start dcmqrscp-tls is:

Code: Select all

dcmqrscp-tls.exe -dhl +tls "key.pem" "cert.pem" +cf "ca.crt" --log-level trace

Version: 3.6.9

Here is my dcmqrscp.cfg:

Code: Select all

NetworkTCPPort  = 3333  
MaxPDUSize      = 16384  
MaxAssociations = 16  

HostTable BEGIN  
SZY = (TEST_Server, 10.8.166.230, 30917)   
Company   = SZY  
HostTable END  

VendorTable BEGIN  
VendorTable END  

AETable BEGIN  
DCMTK  E:\DCMTK\images  RW (1000, 10240mb)   Company  
AETable END  

The TLS connection from the C-MOVE SCU to dcmqrscp-tls works fine, but the operation to send DICOM images from dcmqrscp-tls to the server (TEST_Server) fails.

Log from dcmqrscp-tls:

Code: Select all

D: ======================= END A-ASSOCIATE-RQ ======================
I: Requesting Sub-Association
T: DUL  FSM Table: State: 1 Event: 0
T: DUL  Event:  A-ASSOCIATE request (local user)
T: DUL  Action: AE 1 Transport Connect
D: setting network send timeout to 60 seconds
D: setting network receive timeout to 60 seconds
T: checking whether environment variable TCP_BUFFER_LENGTH is set
T:   environment variable TCP_BUFFER_LENGTH not set, using the system defaults
T: checking whether environment variable TCP_NODELAY is set
T:   environment variable TCP_NODELAY not set, using the default value (0)
T: DUL  FSM Table: State: 4 Event: 1
T: DUL  Event:  Transport conn confirmation (local)
T: DUL  Action: AE 2 Send Associate RQ PDU
D: Constructing Associate RQ PDU
T: setting timeout for first PDU to be read to 30 seconds
T: DUL  FSM Table: State: 5 Event: 17
T: DUL  Event:  ARTIM timer expired (rej/rel)
T: DUL  Action: AA 2 Close Transport (Read Timeout)
E: moveSCP: Sub-Association Request Failed: 0006:031a DUL network read timeout
I: Releasing Sub-Association
E: moveSCP: Sub-Association Release Failed: 0006:0106 ASC Caller passed in a NULL key
T: DcmItem::insert() Element (0008,0058) VR="UI" inserted at beginning
I: Move SCP Response 1 [status: Refused: OutOfResourcesSubOperations]
D: ===================== OUTGOING DIMSE MESSAGE ====================
D: Message Type                  : C-MOVE RSP
D: Message ID Being Responded To : 0
D: Affected SOP Class UID        : none
D: Remaining Suboperations       : none
D: Completed Suboperations       : none
D: Failed Suboperations          : none
D: Warning Suboperations         : none
D: Data Set                      : present
D: DIMSE Status                  : 0xa702: Refused: Out of resources - Unable to perform sub-operations
D: ======================= END DIMSE MESSAGE =======================
T: DcmItem::insert() Element (0000,0000) VR="UL" inserted at beginning
T: DcmItem::insert() Element (0000,0100) VR="US" inserted
T: DcmItem::insert() Element (0000,0120) VR="US" inserted
T: DcmItem::insert() Element (0000,0800) VR="US" inserted
T: DcmItem::insert() Element (0000,0900) VR="US" inserted
T: DcmItem::insert() Element (0000,0002) VR="UI" inserted
T: DcmItem::insert() Element (0000,1021) VR="US" inserted
T: DcmItem::insert() Element (0000,1022) VR="US" inserted
T: DcmItem::insert() Element (0000,1023) VR="US" inserted
T: DIMSE Command to be sent on Presentation Context ID: 51
T: DIMSE Command to send:
T:
T: # Dicom-Data-Set
T: # Used TransferSyntax: Little Endian Explicit
T: (0000,0000) UL 0                                        #   4, 1 CommandGroupLength
T: (0000,0002) UI =MOVEStudyRootQueryRetrieveInformationModel #  28, 1 AffectedSOPClassUID
T: (0000,0100) US 32801                                    #   2, 1 CommandField
T: (0000,0120) US 1                                        #   2, 1 MessageIDBeingRespondedTo
T: (0000,0800) US 1                                        #   2, 1 CommandDataSetType
T: (0000,0900) US 42754                                    #   2, 1 Status
T: (0000,1021) US 0                                        #   2, 1 NumberOfCompletedSuboperations
T: (0000,1022) US 10                                       #   2, 1 NumberOfFailedSuboperations
T: (0000,1023) US 0                                        #   2, 1 NumberOfWarningSuboperations
T:
T: DIMSE sendDcmDataset: sending 118 bytes
T: DUL  FSM Table: State: 6 Event: 8
T: DUL  Event:  P-DATA request primitive
T: DUL  Action: DT 1 Send P DATA PDU
T: DIMSE sendDcmDataset: sending 578 bytes
T: DUL  FSM Table: State: 6 Event: 8
T: DUL  Event:  P-DATA request primitive
T: DUL  Action: DT 1 Send P DATA PDU
E: Move SCP Failed: 0006:020e DIMSE Failed to send message
E: 0006:031d TCP I/O Error (你的主机中的软件中止了一个已建立的连接。) occurred in routine: writeDataPDU
E: DIMSE Failure (aborting association): 0006:020e DIMSE Failed to send message
E: 0006:031d TCP I/O Error (你的主机中的软件中止了一个已建立的连接。) occurred in routine: writeDataPDU
T: DUL  FSM Table: State: 6 Event: 14
T: DUL  Event:  A-ABORT request primitive
T: DUL  Action: AA 1 Send A ABORT PDU

I captured network traffic and noticed that dcmqrscp-tls does not seem to use TLS when sending to TEST_Server. When I modified TEST_Server's port to a non-TLS port (disabling TLS), the failed scenario worked.

After checking the dcmqrscp source code, the method OFCondition DcmQueryRetrieveMoveContext::buildSubAssociation(T_DIMSE_C_MoveRQ *request) does not appear to handle TLS connection setup.

Hypothesis: The failure occurs because TLS is not properly configured in buildSubAssociation for the sub-association to TEST_Server.

Is this a known limitation, or is there a configuration missing to enforce TLS for outgoing connections?

[Marco Eichelberg]

I would classify this as a bug. Note that the TLS support in dcmqrscp is new (introduced with the current version 3.6.9), and the movescu command line tool does not yet support TLS at all. This may explain why nobody has noticed this yet.
Currently dcmqrscp indeed opens move sub-associations using unencrypted connections even when running in TLS mode. That should not happen.