Secure Connections with DCMTK
Hi All,
I'm new to this API. I'm investigating how I might use a secure connection between a product and a PACS or modality (device).
I noticed ASC_setTransportLayerType and ASC_receiveAssociation provide ways to request a secure connection. However, these parameters aren't really honored because when DcmTransportLayer::createConnection is called, it returns null if useSecureLayer is true.
Are there other well accepted ways to secure a connection?
Thank you.
- OFFIS DICOM Team
- Posts: 1506
- Joined: Tue, 2004-11-02, 17:22
- Location: Oldenburg, Germany
Re: Secure Connections with DCMTK
I would suggest that you look at how dcmnet/apps/findscu.cc does this, since this is one of the DCMTK command line tools that support secure TLS connections. dcmnet/apps/storescp.cc would be an example of a server application with TLS support.
Re: Secure Connections with DCMTK
Thanks Marco.
I was looking at the apps provided by DCMTK to see how they support TLS/secure connections.
I have some additional questions.
1. Once I build the toolkit using WITH_OPENSSL, I should be able to do secure and unsecure connections (I think the answer is yes)?
2. Is the only way to create and use secure connections with TLS to always create a DcmTLSTransportLayer and pass it to ASC_setTransportLayer?
I'd love to see documentation of the minimal steps to use TLS and then additional options with recommendations.
For example, should I use
tLayer->addTrustedCertificateFile,
tLayer->addTrustedCertificateDir,
tLayer->setPrivateKeyPasswd,
tLayer->setCipherSuites,
tLayer->setCertificateVerification
3. (For the DCMTK team) Would it be possible in a future release to encapsulate TLS support without the need to call ASC_setTransportLayer directly?
Perhaps I've missed some documentation regarding the use of TLS with DCMTK.
Thanks.
- OFFIS DICOM Team
Re: Secure Connections with DCMTK
> 1. Once I build the toolkit using WITH_OPENSSL, I should be able to do secure and unsecure connections (I think the answer is yes)?
Correct.
> 2. Is the only way to create and use secure connections with TLS to always create a DcmTLSTransportLayer and pass it to ASC_setTransportLayer?
Yes, this is how the TLS code (which is a separate module and library) is "injected" into the network layer code at runtime. If ASC_setTransportLayer() does not get called, the network will use a transport layer object that uses unencrypted TCP/IP. This function asks the network layer to use TLS instead.
> I'd love to see documentation of the minimal steps to use TLS and then additional options with recommendations.
Look at the implementation of DcmTLSOptions::createTransportLayer(). This function initializes the TLS transport layer object and supports all options for client and server operation. This is what most command line tools use internally.
> 3. (For the DCMTK team) Would it be possible in a future release to encapsulate TLS support without the need to call ASC_setTransportLayer directly?
What is the problem with calling ASC_setTransportLayer()?
Re: Secure Connections with DCMTK
> What is the problem with calling ASC_setTransportLayer()?
It would be nice if we just turned on TLS with a preprocessing value set to true and then have the code inject the TLS layer instead of having to do it ourselves.
Re: Secure Connections with DCMTK
Thanks for your replies!
- OFFIS DICOM Team
Re: Secure Connections with DCMTK
> It would be nice if we just turned on TLS with a preprocessing value set to true and then have the code inject the TLS layer instead of having to do it ourselves.
It is certainly possible to make the code nicer. The TLS support was developed as an add-on years after the network module, which in part explains the ugly API.
However, one important use case we wanted to support was that the application can individually decide for each network connection whether it should be with or without TLS. ASC_setTransportLayer() makes that possible.
Re: Secure Connections with DCMTK
Thanks for providing the rationale.