DcmTLSSCU negotiateAssociation fails

acharyayogesh
Posts: 28
Joined: Sat, 2013-08-10, 08:46

DcmTLSSCU negotiateAssociation fails

#1 Post by acharyayogesh »

Hi,

I am trying to use DcmTLSSCU for secure communication.
I am using Storage SCP Emulator as peer.

For the setReadSeedFile function, I used randseed.txt in the dcmtls\docs folder.
For the enableAuthentication function, the key and certfile were created using openssl.

The initNetwork function succeeds, but the negotiateAssociation function fails and gives the following error message:

E: Unable to negotiate association: Failed to establish association
E: 0006:0317 Peer aborted Association (or never connected)
E: 0006:031e DUL secure transport layer: certificate verify failed.

Could you please tell me how to fix this issue ?

Regards,
Yogi.

Chung-Yueh Lien
Posts: 61
Joined: Wed, 2010-05-19, 09:27
Location: Taipei, Taiwan

Re: DcmTLSSCU negotiateAssociation fails

#2 Post by Chung-Yueh Lien »

Have you read this post?
viewtopic.php?f=1&t=3697

acharyayogesh
Posts: 28
Joined: Sat, 2013-08-10, 08:46

Re: DcmTLSSCU negotiateAssociation fails

#3 Post by acharyayogesh »

Hi,

I am trying to create a sample application using the DcmTLSSCU class with the following code.

DcmTLSSCU varDcmScu;
varDcmScu.setAETitle(APPLICATIONTITLE);
varDcmScu.setPeerAETitle(PEERAPPLICATIONTITLE);
varDcmScu.setPeerHostName(PEERHOSTNAME);
varDcmScu.setPeerPort(PEERPORT);

varDcmScu.setReadSeedFile("randseed.txt");
varDcmScu.enableAuthentication("PrivateKey.key", "CertFile.crt", "password", 1, 1);

OFList<OFString> ts;
ts.push_back(UID_LittleEndianExplicitTransferSyntax);
ts.push_back(UID_BigEndianExplicitTransferSyntax);
ts.push_back(UID_LittleEndianImplicitTransferSyntax);

varDcmScu.addPresentationContext(UID_VerificationSOPClass, ts);

OFCondition cond = varDcmScu.initNetwork();

if (cond.bad())
{
    DCMNET_INFO("init Network failed");
}

cond = varDcmScu.negotiateAssociation();
if (cond.bad())
{
    DCMNET_ERROR("Unable to negotiate association: " << cond.text());
    return 1;
}

cond = varDcmScu.sendECHORequest(0);
if (cond.bad())
{
    DCMNET_ERROR("Could not process C-ECHO with the server: " << cond.text());
    return 1;
}

I am using DVTk Storage SCP Emulator as peer.
For the setReadSeedFile function, I used randseed.txt in the dcmtls\docs folder.
For the enableAuthentication function, the key and certfile were created using openssl.

Here, the negotiateAssociation function fails and gives the following error message:

E: Unable to negotiate association: Failed to establish association
E: 0006:0317 Peer aborted Association (or never connected)
E: 0006:031e DUL secure transport layer: certificate verify failed.

Regards,
Yogi.

Chung-Yueh Lien
Posts: 61
Joined: Wed, 2010-05-19, 09:27
Location: Taipei, Taiwan

Re: DcmTLSSCU negotiateAssociation fails

#4 Post by Chung-Yueh Lien »

acharyayogesh wrote: For setReadSeedFile function, used randseed.txt in dcmtls\docs folder.

This file is a guideline for creating a "seed" file, which you should create with OpenSSL or other tools instead of including it if you want to use this option.

acharyayogesh wrote: E: 0006:0317 Peer aborted Association (or never connected)
E: 0006:031e DUL secure transport layer: certificate verify failed.
E: Unable to negotiate association: Failed to establish association

These errors indicate that the main problems arise from incorrect certificate settings on both the SCU and the SCP, such as: SSL certificates, private keys, CA certificates, and the trusted chain. You have to check whether the SSL configuration of the DVTk Storage SCP is correct, and then check the SCU, ...

You may also use DCMTK tools like storescu and storescp for verification, to find out where exactly the problem is, as I posted before.

For example, some functions should be included like: DcmTLSSCU::addTrustedCertFile or DcmTLSSCU::addTrustedCertDir.
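
The certificate, key and trust-chain checks suggested in this reply can be run offline before touching the SCU code. The following is an added example, not part of the original posts and not DCMTK code: it assumes the openssl command-line tool is on the PATH, and every file name and subject in it is a constructed test value.

```shell
#!/bin/sh
# Added example: builds a throwaway PKI (constructed names), then provides the
# two checks that explain most "certificate verify failed" handshakes.

make_test_pki() {    # $1 = empty working directory
    d=$1
    # Self-signed root CA: the file a peer would load as trusted certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
    # Peer key and CSR, then a certificate issued by the root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test SCP" \
        -keyout "$d/peer.key" -out "$d/peer.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/peer.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -out "$d/peer.crt" 2>/dev/null || return 1
    # Unrelated self-signed certificate, used to show the failing case.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
}

# Does the certificate chain to the given trust file?
chains_to() {        # $1 = trusted CA file, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Do the private key and the certificate belong together?
key_matches_cert() { # $1 = private key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage on real files: sh check.sh <trusted-ca.crt> <peer.crt> <peer.key>
if [ "$#" -eq 3 ]; then
    chains_to "$1" "$2" && echo "chain: OK" || echo "chain: FAILS against $1"
    key_matches_cert "$3" "$2" && echo "key: matches" || echo "key: does NOT match"
fi
```

Run the chain check in both directions: the SCU's trusted file against the SCP's certificate, and the SCP's trusted file against the SCU's certificate.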

acharyayogesh
Posts: 28
Joined: Sat, 2013-08-10, 08:46

Re: DcmTLSSCU negotiateAssociation fails

#5 Post by acharyayogesh »

Hi,

DcmTLSSCU varDcmScu;
varDcmScu.setAETitle(APPLICATIONTITLE);
varDcmScu.setPeerAETitle(PEERAPPLICATIONTITLE);
varDcmScu.setPeerHostName(PEERHOSTNAME);
varDcmScu.setPeerPort(PEERPORT);

varDcmScu.enableAuthentication("ClientCA.key", "ClientCA.crt", "", 1, 1);
varDcmScu.addTrustedCertFile("ServerCA.crt");
varDcmScu.addTrustedCertFile("RootCA.crt");

varDcmScu.initNetwork();

In DcmTLSSCU::initNetwork, the privateKeyFile and certificateFile passed to enableAuthentication() are set in DcmTLSTransportLayer using m_tLayer->setPrivateKeyFile() and m_tLayer->setCertificateFile().
But the trusted certificate files added using the addTrustedCertFile() function are not set in DcmTLSTransportLayer using the m_tLayer->addTrustedCertificateFile() function in DcmTLSSCU::initNetwork().

How do I add the trusted certificate file to DcmTLSTransportLayer ?

Regards,
Acharya Yogish V.

Chung-Yueh Lien
Posts: 61
Joined: Wed, 2010-05-19, 09:27
Location: Taipei, Taiwan

Re: DcmTLSSCU negotiateAssociation fails

#6 Post by Chung-Yueh Lien »

acharyayogesh wrote: But the trusted certificate file added using addTrustedCertFile() function are not set in DcmTLSTransportLayer using m_tLayer->addTrustedCertificateFile() function in DcmTLSSCU::initNetwork().
How do I add the trusted certificate file to DcmTLSTransportLayer ?

Did you try DcmTLSSCU::addTrustedCertDir? Can you provide the error messages?

C.Y. Lien

Michael Onken
DCMTK Developer
Posts: 2052
Joined: Fri, 2004-11-05, 13:47
Location: Oldenburg, Germany

Re: DcmTLSSCU negotiateAssociation fails

#7 Post by Michael Onken »

Hi,

as the author of DcmTLSSCU I must warn you that TLS support might not be well tested. So it is possible that a call like m_tLayer->addTrustedCertificateFile() is missing. Could you try inserting it, if that is the case? In tools like storescu you should be able to see how TLS configuration works in general.

You could also try out your certificates using storescu (and storescp for example as the server) first.

Best,
Michael

acharyayogesh
Posts: 28
Joined: Sat, 2013-08-10, 08:46

Re: DcmTLSSCU negotiateAssociation fails

#8 Post by acharyayogesh »

Hi,

I have added m_tLayer->addTrustedCertificateFile() in DcmTLSSCU::initNetwork().

I tried the following :
storescp-tls.exe 104 +tls D:\Cert\ServerCA.key D:\Cert\ServerCA.crt +cf D:\Cert\ClientCA.crt +cf D:\Cert\RootCA.crt

storescu-tls.exe +tls D:\Cert\ClientCA.key D:\Cert\ClientCA.crt +cf D:\Cert\ServerCA.crt +cf D:\Cert\RootCA.crt localhost 104 D:\Cert\test.dcm

It worked. I was able to send the DICOM file.

But when I try to do the same using DcmTLSSCU and storescp-tls, it fails and displays the following error message :
E: TLS client handshake failed
D: Association Request Failed: 0006:031b Failed to establish association
D: 0006:0317 Peer aborted Association (or never connected)
D: 0006:031e DUL secure transport layer: certificate verify failed
E: Unable to negotiate association: Failed to establish association
E: 0006:0317 Peer aborted Association (or never connected)
E: 0006:031e DUL secure transport layer: certificate verify failed

Following is my code.

int main(int argc, char *argv[])
{
    OFList<OFString> ts;
    ts.push_back(UID_LittleEndianExplicitTransferSyntax);
    ts.push_back(UID_BigEndianExplicitTransferSyntax);
    ts.push_back(UID_LittleEndianImplicitTransferSyntax);

    DcmTLSSCU varDcmScu;
    varDcmScu.setAETitle(APPLICATIONTITLE);
    varDcmScu.setPeerAETitle(PEERAPPLICATIONTITLE);
    varDcmScu.setPeerHostName(PEERHOSTNAME);
    varDcmScu.setPeerPort(PEERPORT);

    varDcmScu.addTrustedCertFile("D:\\Cert\\ServerCA.crt");
    varDcmScu.addTrustedCertFile("D:\\Cert\\RootCA.crt");
    varDcmScu.enableAuthentication("D:\\Cert\\ClientCA.key", "D:\\Cert\\ClientCA.crt", "", 1, 1);

    varDcmScu.addPresentationContext(UID_VerificationSOPClass, ts);
    varDcmScu.setPeerCertVerification(DCV_checkCertificate);

    OFCondition cond = varDcmScu.initNetwork();

    if (cond.good())
    {
        DCMNET_INFO("Connection initiated");
    }

    cond = varDcmScu.negotiateAssociation();
    if (cond.bad())
    {
        DCMNET_ERROR("Unable to negotiate association: " << cond.text());
        return 1;
    }
}


Regards,
Yogi.

J. Riesmeier
DCMTK Developer
Posts: 2506
Joined: Tue, 2011-05-03, 14:38
Location: Oldenburg, Germany

Re: DcmTLSSCU negotiateAssociation fails

#9 Post by J. Riesmeier »

Since "I: Connection initiated" is not shown, I guess that the call to initNetwork() failed. Unfortunately, this method seems to return EC_IllegalCall in most error cases, which is not very helpful :-(

Chung-Yueh Lien
Posts: 61
Joined: Wed, 2010-05-19, 09:27
Location: Taipei, Taiwan

Re: DcmTLSSCU negotiateAssociation fails

#10 Post by Chung-Yueh Lien »

acharyayogesh wrote: varDcmScu.addPresentationContext(UID_VerificationSOPClass, ts);

You have to add the SOPClassUID from "D:\Cert\test.dcm", like:

Code:

varDcmScu.addPresentationContext(Input's StorageSOPClass, ts);

For debugging, I suggest using functions like DcmTLSSCU::getAuthenticationParams(), DcmTLSSCU::disableAuthentication(), etc., to narrow down the problem. I think the errors may arise from two parts: the certificates and initNetwork(), even though the errors seem to come from the certificates' verification.
