Mercurial > hg > orthanc-book
annotate Sphinx/source/faq/dicom-tls.rst @ 692:549824ebdf5a
improved text
| author | Sebastien Jodogne <s.jodogne@gmail.com> |
|---|---|
| date | Thu, 03 Jun 2021 21:22:20 +0200 |
| parents | 25e44dba9dba |
| children | 2ea133e0fa8e |
| rev | line source |
|---|---|
|
609
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
1 .. _dicom-tls: |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
2 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
3 Configuring DICOM TLS |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
4 ===================== |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
5 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
6 .. contents:: |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
7 :depth: 3 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
8 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
9 Starting with release 1.9.0, Orthanc supports the encryption of the |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
10 DICOM protocol using `DICOM TLS |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
11 <https://www.dicomstandard.org/using/security/>`__. This allows the |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
12 secure exchange of medical images between different sites, even if |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
13 using the DICOM protocol. |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
14 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
15 Configuration |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
16 ------------- |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
17 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
18 .. highlight:: bash |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
19 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
20 To enable DICOM TLS, each DICOM modality must have been assigned with |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
21 a `X.509 certificate |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
22 <https://en.wikipedia.org/wiki/X.509>`__. Obtaining such a certificate |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
23 from a `recognized certification authority |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
24 <https://en.wikipedia.org/wiki/Certificate_authority>`__ is obviously |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
25 out of the scope of the Orthanc project. Here is a simple command-line |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
26 to generate a self-signed certificate using the `OpenSSL |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
27 <https://www.openssl.org/>`__ command-line tools:: |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
28 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
29 $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
30 -keyout orthanc.key -out orthanc.crt -subj "/C=BE/CN=localhost" |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
31 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
32 Obviously, you have adapt the arguments to your setup (notably the |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
33 ``subj`` argument that generates a certificate for Belgium for the |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
34 server whose DNS address is ``localhost``). This command line will |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
35 generate two files using the `PEM file format |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
36 <https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail>`__: |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
37 ``orthanc.crt`` is the newly-generated certificate, and |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
38 ``orthanc.key`` contains the private key that protects the |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
39 certificate. The ``orthanc.crt`` can be openly distributed, but |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
40 ``orthanc.key`` must be kept secret (it should only be placed on the |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
41 modality using the corresponding certificate). |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
42 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
43 Once ``orthanc.crt`` and ``orthanc.key`` have been generated, all the |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
44 modalities that will be in touch with Orthanc (either as SCP or as |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
45 SCU) through DICOM TLS must be identified, and their public |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
46 certificates must be collected. All those certificates must be |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
47 concatenated into a single file in order to tell Orthanc which |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
48 modalities can be trusted. |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
49 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
50 Concretely, if one has collected ``a.crt``, ``b.crt`` and ``c.crt`` as |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
51 the certificates (in the PEM format) for trusted remote DICOM |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
52 modalities, a ``trusted.crt`` file can be generated as follows:: |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
53 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
54 $ cat a.crt b.crt c.crt > trusted.crt |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
55 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
56 Once the three files ``orthanc.crt``, ``orthanc.key`` and |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
57 ``trusted.crt`` are available, setting the following |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
58 :ref:`configuration options <configuration>` will enable DICOM TLS in |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
59 **Orthanc SCP**: |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
60 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
61 * ``DicomTlsEnabled`` must be set to ``true``. |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
62 * ``DicomTlsCertificate`` must be set to ``orthanc.crt``. |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
63 * ``DicomTlsPrivateKey`` must be set to ``orthanc.key`` (note that |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
64 this private key must not be password-protected). |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
65 * ``DicomTlsTrustedCertificates`` must be set to ``trusted.crt``. |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
66 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
67 If Orthanc acts as a **DICOM SCU** against one remote DICOM modality, |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
68 and if this remote modality is protected by DICOM TLS, the |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
69 ``UseDicomTls`` field must be set to ``true`` in the definition of the |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
70 modality in the configuration file of Orthanc (cf. the |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
71 ``DicomModalities`` option). The file indicated by |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
72 ``DicomTlsCertificate`` will be used to authentify Orthanc by the |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
73 remote modality: This modality must thus include ``orthanc.crt`` in |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
74 its list of trusted certificates. |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
75 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
76 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
77 **Remark 1:** Pay attention not to confuse the configuration options |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
78 related to HTTPS encryption, with the options related to DICOM TLS. |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
79 In Orthanc, HTTPS and DICOM TLS are not obliged to use the same |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
80 encryption certificates. |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
81 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
82 **Remark 2:** Orthanc SCU and Orthanc SCP share the same set of |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
83 trusted certificates. |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
84 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
85 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
86 Example using DCMTK |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
87 ------------------- |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
88 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
89 .. highlight:: bash |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
90 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
91 Let us generate one certificate for Orthanc, and one certificate for |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
92 DCMTK:: |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
93 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
94 $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
95 -keyout orthanc.key -out orthanc.crt -subj "/C=BE/CN=localhost" |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
96 $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
97 -keyout dcmtk.key -out dcmtk.crt -subj "/C=BE/CN=localhost" |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
98 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
99 .. highlight:: json |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
100 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
101 Let us start Orthanc using the following minimal configuration file:: |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
102 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
103 { |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
104 "DicomTlsEnabled" : true, |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
105 "DicomTlsCertificate" : "orthanc.crt", |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
106 "DicomTlsPrivateKey" : "orthanc.key", |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
107 "DicomTlsTrustedCertificates" : "dcmtk.crt", |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
108 "DicomModalities" : { |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
109 "dmctk" : { |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
110 "Host" : "localhost", |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
111 "Port" : 4242, |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
112 "AET" : "DCMTK", |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
113 "UseDicomTls" : true |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
114 } |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
115 } |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
116 } |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
117 |
|
677
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
118 .. highlight:: text |
|
609
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
119 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
120 It is then possible to trigger a secure C-GET SCU request from DCMTK |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
121 to Orthanc as follows:: |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
122 |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
123 $ echoscu -v -aet DCMTK localhost 4242 +tls dcmtk.key dcmtk.crt +cf orthanc.crt |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
124 I: Requesting Association |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
125 I: Association Accepted (Max Send PDV: 16372) |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
126 I: Sending Echo Request (MsgID 1) |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
127 I: Received Echo Response (Success) |
|
0dde82745e0d
documentation of DICOM TLS
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff
changeset
|
128 I: Releasing Association |
|
677
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
129 |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
130 |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
131 Secure TLS connections without certificate |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
132 ------------------------------------------ |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
133 |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
134 In Orthanc <= 1.9.2, the remote DICOM modalities are required to |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
135 provide a valide DICOM TLS certificate (which corresponds to the |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
136 default ``--require-peer-cert`` option of the DCMTK command-line |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
137 tools). |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
138 |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
139 Starting from Orthanc 1.9.3, it is possible to allow connections |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
140 to/from remote DICOM modalities that do not provide a DICOM TLS |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
141 certificate (which corresponds to the ``--verify-peer-cert`` option of |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
142 DCMTK). This requires setting the :ref:`configuration option |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
143 <configuration>` ``DicomTlsRemoteCertificateRequired`` of Orthanc to |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
144 ``false``. |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
145 |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
146 .. highlight:: bash |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
147 |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
148 As an example, let us generate one single certificate that is |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
149 dedicated to Orthanc:: |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
150 |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
151 $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
152 -keyout orthanc.key -out orthanc.crt -subj "/C=BE/CN=localhost" |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
153 |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
154 |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
155 .. highlight:: json |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
156 |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
157 Let us start Orthanc using the following minimal configuration file:: |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
158 |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
159 { |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
160 "DicomTlsEnabled" : true, |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
161 "DicomTlsCertificate" : "orthanc.crt", |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
162 "DicomTlsPrivateKey" : "orthanc.key", |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
163 "DicomTlsTrustedCertificates" : "orthanc.crt", |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
164 "DicomTlsRemoteCertificateRequired" : false |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
165 } |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
166 |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
167 .. highlight:: text |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
168 |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
169 Note that the ``DicomTlsTrustedCertificates`` is set to a dummy value, |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
170 because this option must always be present. It is then possible to |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
171 connect to Orthanc without SCU certificate as follows:: |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
172 |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
173 $ echoscu -v localhost 4242 --anonymous-tls +cf /tmp/k/orthanc.crt |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
174 I: Requesting Association |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
175 I: Association Accepted (Max Send PDV: 16372) |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
176 I: Sending Echo Request (MsgID 1) |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
177 I: Received Echo Response (Success) |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
178 I: Releasing Association |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
179 |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
180 |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
181 **Remark:** Importantly, if the remote DICOM modality provides an |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
182 invalid DICOM TLS certificate, Orthanc will never accept the |
|
25e44dba9dba
Secure TLS connections without certificate
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
609
diff
changeset
|
183 connection. |