Encrypted communication between storescu and storescp

All other questions regarding DCMTK

Moderator: Moderator Team

Post Reply
Message
Author
allers
Posts: 3
Joined: Tue, 2014-07-01, 13:56

Encrypted communication between storescu and storescp

#1 Post by allers » Thu, 2015-12-17, 09:57

I tried to send images between storescu and storescp over an encrypted communication channel (SSL).
In general this works, if I use the same certificate or different certificate signed from the same CA.
Now I want to use two certificates signed from different CAs, but make both CAs known to each of the communication partners.
For this I use the cmdline option "--add-cert-dir". Unfortunately this does not work, but from my understanding this should work?

The storescp process is started as follows:

storescp-tls.exe -v 2762 +tls ../cert/scpkey_ownca ../cert/scpcert_ownca --add-cert-dir ../cert/allcert/

The directory "allcert" contains both CA certificates, one CA for storescu and one CA for storescp as pem files.
The file scpkey_ownca is the private key for the scp certificate in scpcert_ownca.

The storescu process is started as follows:

storescu-tls.exe -v localhost 2762 +tls cert/scukey_ownca cert/scucert_ownca --add-cert-dir cert/allcert/ images/1_2_PP

The directory "allcert" is the same as for the storescp process; it contains the pem files of both CAs.
The file scukey_ownca is the private key for the scu certificate in scucert_ownca.

used version: $dcmtk: storescu v3.6.0 2011-01-06 $

Any ideas? What am I doing wrong? All the CAs and certificates were created with dcmtk_ca.pl perl script (no errors) with following cmdlines:

perl /cygdrive/d/sw/dicom/dcmtk/dcmtk-3.6.1_20150629/dcmtls/tests/dcmtk_ca.pl newca scuca
perl /cygdrive/d/sw/dicom/dcmtk/dcmtk-3.6.1_20150629/dcmtls/tests/dcmtk_ca.pl mkcert -des no scuca scucert_ownca scukey_ownca

perl /cygdrive/d/sw/dicom/dcmtk/dcmtk-3.6.1_20150629/dcmtls/tests/dcmtk_ca.pl newca scpca
perl /cygdrive/d/sw/dicom/dcmtk/dcmtk-3.6.1_20150629/dcmtls/tests/dcmtk_ca.pl mkcert -des no scpca scpcert_ownca scpkey_ownca

Marco Eichelberg
OFFIS DICOM Team
OFFIS DICOM Team
Posts: 1225
Joined: Tue, 2004-11-02, 17:22
Location: Oldenburg, Germany
Contact:

Re: Encrypted communication between storescu and storescp

#2 Post by Marco Eichelberg » Fri, 2016-01-08, 08:54

The names of the certificate files in the cert directory need to have a certain file name, because OpenSSL uses a hash key on the Distinguished Name to try and look up a corresponding certificate for the CA.
You can do this with the openssl command line tool. If your CA cert file is called "test.pem", run

Code: Select all

openssl x509 -hash -noout -in test.pem
and it will print an 8-character hash that should be the filename, plus ".0" as a file name extension (or ".1", if another CA cert with the same hash already exists).
On the Linux/Unix command line:

Code: Select all

mv test.pem `openssl x509 -hash -noout -in test.pem`.0

allers
Posts: 3
Joined: Tue, 2014-07-01, 13:56

Re: Encrypted communication between storescu and storescp

#3 Post by allers » Fri, 2016-01-08, 15:45

Hi Marco,

I'm really getting crazy about these certificates. :x :?

However with your hints I could finally make it run... :D

Encrypted storescp and storescu communication with different CAs and certificates...

Now trying to communicate encrypted to 3rd party devices... :twisted:

Thanks a lot and Best regards,
Stefan

Post Reply

Who is online

Users browsing this forum: Bing [Bot] and 1 guest