DcmTLSSCU negotiateAssociation fails
-
- Posts: 28
- Joined: Sat, 2013-08-10, 08:46
DcmTLSSCU negotiateAssociation fails
Hi,
I am trying to use DcmTLSSCU for secure communication.
I am using Storage SCP Emulator as peer.
For the setReadSeedFile function, I used randseed.txt in the dcmtls\docs folder.
For the enableAuthentication function, the key and certfile were created using openssl.
The initNetwork function succeeds, but the negotiateAssociation function fails and gives the following error message:
E: Unable to negotiate association: Failed to establish association
E: 0006:0317 Peer aborted Association (or never connected)
E: 0006:031e DUL secure transport layer: certificate verify failed.
Could you please tell me how to fix this issue ?
Regards,
Yogi.
-
- Posts: 61
- Joined: Wed, 2010-05-19, 09:27
- Location: Taipei, Taiwan
Re: DcmTLSSCU negotiateAssociation fails
Have you read this post?
viewtopic.php?f=1&t=3697
-
- Posts: 28
- Joined: Sat, 2013-08-10, 08:46
Re: DcmTLSSCU negotiateAssociation fails
Hi,
I am trying to create a sample application using the DcmTLSSCU class with the following code.
DcmTLSSCU varDcmScu;
varDcmScu.setAETitle(APPLICATIONTITLE);
varDcmScu.setPeerAETitle(PEERAPPLICATIONTITLE);
varDcmScu.setPeerHostName(PEERHOSTNAME);
varDcmScu.setPeerPort(PEERPORT);
varDcmScu.setReadSeedFile("randseed.txt");
varDcmScu.enableAuthentication("PrivateKey.key", "CertFile.crt", "password", 1, 1);
OFList<OFString> ts;
ts.push_back(UID_LittleEndianExplicitTransferSyntax);
ts.push_back(UID_BigEndianExplicitTransferSyntax);
ts.push_back(UID_LittleEndianImplicitTransferSyntax);
varDcmScu.addPresentationContext(UID_VerificationSOPClass, ts);
OFCondition cond = varDcmScu.initNetwork();
if (cond.bad())
{
    DCMNET_INFO("init Network failed");
}
cond = varDcmScu.negotiateAssociation();
if (cond.bad())
{
    DCMNET_ERROR("Unable to negotiate association: " << cond.text());
    return 1;
}
cond = varDcmScu.sendECHORequest(0);
if (cond.bad())
{
    DCMNET_ERROR("Could not process C-ECHO with the server: " << cond.text());
    return 1;
}
I am using DVTk Storage SCP Emulator as peer.
For the setReadSeedFile function, I used randseed.txt in the dcmtls\docs folder.
For the enableAuthentication function, the key and certfile were created using openssl.
Here, the negotiateAssociation function fails and gives the following error message:
E: Unable to negotiate association: Failed to establish association
E: 0006:0317 Peer aborted Association (or never connected)
E: 0006:031e DUL secure transport layer: certificate verify failed.
Regards,
Yogi.
-
- Posts: 61
- Joined: Wed, 2010-05-19, 09:27
- Location: Taipei, Taiwan
Re: DcmTLSSCU negotiateAssociation fails
acharyayogesh wrote: For setReadSeedFile function, used randseed.txt in dcmtls\docs folder
This file is a guideline for creating a "seed" file, which you should create with OpenSSL or other tools instead of including it, if you want to use this option.
acharyayogesh wrote: E: 0006:0317 Peer aborted Association (or never connected)
E: 0006:031e DUL secure transport layer: certificate verify failed.
E: Unable to negotiate association: Failed to establish association
These errors indicate that the main problems arise from incorrect certificate settings on both the SCU and the SCP, such as: SSL certificates, private keys, CA certificates, and the trust chain. You have to check whether the SSL configuration of the DVTk Storage SCP is correct, and then check the SCU, ...
You may also use the dcmtk tools like storescu and storescp for verification, to find out exactly where the problem is, as I posted before.
For example, some functions should be included like: DcmTLSSCU::addTrustedCertFile or DcmTLSSCU::addTrustedCertDir.
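An added example, not part of the thread and not DCMTK code: a shell pre-flight check that a file you intend to pass to +cf or addTrustedCertFile() really validates the peer's certificate, and that a private key belongs to its certificate. The PKI is constructed for the example; the file names mirror the thread, while the subjects, key size, lifetime, the OtherRoot CA and the assumption that RootCA issues ServerCA.crt and ClientCA.crt are assumptions.

```shell
#!/bin/sh
# Constructed test PKI. File names mirror the thread; subjects, key size,
# lifetime and the signing relationship (RootCA issues both) are assumptions.

# make_root DIR NAME: self-signed CA -> DIR/NAME.key, DIR/NAME.crt
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_leaf DIR NAME CA: key and CSR for NAME, signed by DIR/CA
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
        -CAcreateserial -days 30 -out "$1/$2.crt" 2>/dev/null
}

# chain_ok TRUSTED PEER: true if PEER verifies against the anchors in TRUSTED,
# i.e. the file you would pass to +cf or addTrustedCertFile().
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# key_matches KEY CERT: true if both carry the same public key (PEM compare).
key_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# demo: build the PKI in a temp dir and report each check.
demo() {
    d=$(mktemp -d) || return 1
    make_root "$d" RootCA && make_root "$d" OtherRoot &&
    make_leaf "$d" ServerCA RootCA && make_leaf "$d" ClientCA RootCA || return 1
    chain_ok "$d/RootCA.crt" "$d/ServerCA.crt" && echo "RootCA trusts ServerCA"
    chain_ok "$d/OtherRoot.crt" "$d/ServerCA.crt" || echo "OtherRoot rejects ServerCA"
    key_matches "$d/ClientCA.key" "$d/ClientCA.crt" && echo "ClientCA key matches"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run chain_ok in both directions (the SCU's trusted file against the SCP's certificate, and the SCP's trusted file against the SCU's certificate), since "certificate verify failed" can be raised by either side of the handshake.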
-
- Posts: 28
- Joined: Sat, 2013-08-10, 08:46
Re: DcmTLSSCU negotiateAssociation fails
Hi,
DcmTLSSCU varDcmScu;
varDcmScu.setAETitle(APPLICATIONTITLE);
varDcmScu.setPeerAETitle(PEERAPPLICATIONTITLE);
varDcmScu.setPeerHostName(PEERHOSTNAME);
varDcmScu.setPeerPort(PEERPORT);
varDcmScu.enableAuthentication("ClientCA.key", "ClientCA.crt", "", 1, 1);
varDcmScu.addTrustedCertFile("ServerCA.crt");
varDcmScu.addTrustedCertFile("RootCA.crt");
varDcmScu.initNetwork();
In DcmTLSSCU::initNetwork, the privateKeyFile and certificateFile passed in enableAuthentication() are set in DcmTLSTransportLayer using m_tLayer->setPrivateKeyFile() and m_tLayer->setCertificateFile().
But the trusted certificate files added using the addTrustedCertFile() function are not set in DcmTLSTransportLayer using the m_tLayer->addTrustedCertificateFile() function in DcmTLSSCU::initNetwork().
How do I add the trusted certificate file to DcmTLSTransportLayer ?
Regards,
Acharya Yogish V.
-
- Posts: 61
- Joined: Wed, 2010-05-19, 09:27
- Location: Taipei, Taiwan
Re: DcmTLSSCU negotiateAssociation fails
acharyayogesh wrote: But the trusted certificate file added using addTrustedCertFile() function are not set in DcmTLSTransportLayer using m_tLayer->addTrustedCertificateFile() function in DcmTLSSCU::initNetwork().
How do I add the trusted certificate file to DcmTLSTransportLayer ?
Did you try DcmTLSSCU::addTrustedCertDir? Can you provide the error messages?
C.Y. Lien
-
- DCMTK Developer
- Posts: 2052
- Joined: Fri, 2004-11-05, 13:47
- Location: Oldenburg, Germany
- Contact:
Re: DcmTLSSCU negotiateAssociation fails
Hi,
as the author of DcmTLSSCU I must warn you that TLS support might not be well tested. So it is possible that a call like m_tLayer->addTrustedCertificateFile() is missing. Could you try inserting it, if that is the case? In tools like storescu you should be able to see how TLS configuration works in general.
You could also try out your certificates using storescu (and storescp for example as the server) first.
Best,
Michael
-
- Posts: 28
- Joined: Sat, 2013-08-10, 08:46
Re: DcmTLSSCU negotiateAssociation fails
Hi,
I have added m_tLayer->addTrustedCertificateFile() in DcmTLSSCU::initNetwork().
I tried the following:
storescp-tls.exe 104 +tls D:\Cert\ServerCA.key D:\Cert\ServerCA.crt +cf D:\Cert\ClientCA.crt +cf D:\Cert\RootCA.crt
storescu-tls.exe +tls D:\Cert\ClientCA.key D:\Cert\ClientCA.crt +cf D:\Cert\ServerCA.crt +cf D:\Cert\RootCA.crt localhost 104 D:\Cert\test.dcm
It worked. I was able to send the dicom file.
But when I try to do the same using DcmTLSSCU and storescp-tls, it fails and displays the following error message :
E: TLS client handshake failed
D: Association Request Failed: 0006:031b Failed to establish association
D: 0006:0317 Peer aborted Association (or never connected)
D: 0006:031e DUL secure transport layer: certificate verify failed
E: Unable to negotiate association: Failed to establish association
E: 0006:0317 Peer aborted Association (or never connected)
E: 0006:031e DUL secure transport layer: certificate verify failed
Following is my code.
int main(int argc, char *argv[])
{
    OFList<OFString> ts;
    ts.push_back(UID_LittleEndianExplicitTransferSyntax);
    ts.push_back(UID_BigEndianExplicitTransferSyntax);
    ts.push_back(UID_LittleEndianImplicitTransferSyntax);
    DcmTLSSCU varDcmScu;
    varDcmScu.setAETitle(APPLICATIONTITLE);
    varDcmScu.setPeerAETitle(PEERAPPLICATIONTITLE);
    varDcmScu.setPeerHostName(PEERHOSTNAME);
    varDcmScu.setPeerPort(PEERPORT);
    varDcmScu.addTrustedCertFile("D:\\Cert\\ServerCA.crt");
    varDcmScu.addTrustedCertFile("D:\\Cert\\RootCA.crt");
    varDcmScu.enableAuthentication("D:\\Cert\\ClientCA.key", "D:\\Cert\\ClientCA.crt", "", 1, 1);
    varDcmScu.addPresentationContext(UID_VerificationSOPClass, ts);
    varDcmScu.setPeerCertVerification(DCV_checkCertificate);
    OFCondition cond = varDcmScu.initNetwork();
    if (cond.good())
    {
        DCMNET_INFO("Connection initiated");
    }
    cond = varDcmScu.negotiateAssociation();
    if (cond.bad())
    {
        DCMNET_ERROR("Unable to negotiate association: " << cond.text());
        return 1;
    }
}
Regards,
Yogi.
-
- DCMTK Developer
- Posts: 2506
- Joined: Tue, 2011-05-03, 14:38
- Location: Oldenburg, Germany
- Contact:
Re: DcmTLSSCU negotiateAssociation fails
Since "I: Connection initiated" is not shown, I guess that the call to initNetwork() failed. Unfortunately, this method seems to return EC_IllegalCall in most error cases, which is not very helpful.
-
- Posts: 61
- Joined: Wed, 2010-05-19, 09:27
- Location: Taipei, Taiwan
Re: DcmTLSSCU negotiateAssociation fails
acharyayogesh wrote: varDcmScu.addPresentationContext(UID_VerificationSOPClass, ts);
You have to add the SOPClassUID from the "D:\Cert\test.dcm" like
Code: Select all
varDcmScu.addPresentationContext(Input's StorageSOPClass, ts);