comparison Sphinx/source/faq/dicom-tls.rst @ 1069:a714c5fdc4cf
DicomTlsRemoteCertificateRequired=false is now equivalent to --ignore-peer-cert DCMTK option instead of --verify-peer-cert
author | Alain Mazy <am@orthanc.team> |
---|---|
date | Tue, 21 May 2024 12:34:32 +0200 |
parents | 94f5fc38b927 |
children |
1068:7ae36fd42cbe | 1069:a714c5fdc4cf |
---|---|
183 default ``--require-peer-cert`` option of the DCMTK command-line | 183 default ``--require-peer-cert`` option of the DCMTK command-line |
184 tools). | 184 tools). |
185 | 185 |
186 Starting from Orthanc 1.9.3, it is possible to allow connections | 186 Starting from Orthanc 1.9.3, it is possible to allow connections |
187 to/from remote DICOM modalities that do not provide a DICOM TLS | 187 to/from remote DICOM modalities that do not provide a DICOM TLS |
188 certificate (which corresponds to the ``--verify-peer-cert`` option of | 188 certificate (which corresponds to the ``--ignore-peer-cert`` option of |
189 DCMTK). This requires setting the :ref:`configuration option | 189 DCMTK). This requires setting the :ref:`configuration option |
190 <configuration>` ``DicomTlsRemoteCertificateRequired`` of Orthanc to | 190 <configuration>` ``DicomTlsRemoteCertificateRequired`` of Orthanc to |
191 ``false``. | 191 ``false``. Note: between Orthanc 1.9.3 and Orthanc 1.12.3 included, |
192 this option was actually equivalent to ``--verify-peer-cert``. | |
192 | 193 |
193 .. highlight:: bash | 194 .. highlight:: bash |
194 | 195 |
195 As an example, let us generate one single certificate that is | 196 As an example, let us generate one single certificate that is |
196 dedicated to Orthanc:: | 197 dedicated to Orthanc:: |
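
Review bot: The note added at new lines 191-192 ("this option was actually equivalent to ``--verify-peer-cert``") does not say which option "this option" refers to, nor from which release the ``--ignore-peer-cert`` behaviour applies. Name ``DicomTlsRemoteCertificateRequired`` explicitly and state the first version with the new behaviour next to the "1.9.3 and 1.12.3 included" range. The sentence at lines 186-188 also still describes the setting only as allowing modalities that "do not provide a DICOM TLS certificate"; now that the DCMTK mapping changes, it should say how a peer that does present a certificate is treated, so operators can tell what changes for them on upgrade.
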
205 | 206 |
206 { | 207 { |
207 "DicomTlsEnabled" : true, | 208 "DicomTlsEnabled" : true, |
208 "DicomTlsCertificate" : "orthanc.crt", | 209 "DicomTlsCertificate" : "orthanc.crt", |
209 "DicomTlsPrivateKey" : "orthanc.key", | 210 "DicomTlsPrivateKey" : "orthanc.key", |
210 "DicomTlsTrustedCertificates" : "orthanc.crt", | |
211 "DicomTlsRemoteCertificateRequired" : false | 211 "DicomTlsRemoteCertificateRequired" : false |
212 } | 212 } |
213 | 213 |
214 .. highlight:: text | 214 .. highlight:: text |
215 | 215 |
216 Note that the ``DicomTlsTrustedCertificates`` is set to a dummy value, | 216 It is then possible to |
217 because this option must always be present. It is then possible to | |
218 connect to Orthanc without SCU certificate as follows:: | 217 connect to Orthanc without SCU certificate as follows:: |
219 | 218 |
220 $ echoscu -v localhost 4242 --anonymous-tls +cf /tmp/k/orthanc.crt | 219 $ echoscu -v localhost 4242 --anonymous-tls +cf /tmp/k/orthanc.crt |
221 I: Requesting Association | 220 I: Requesting Association |
222 I: Association Accepted (Max Send PDV: 16372) | 221 I: Association Accepted (Max Send PDV: 16372) |
223 I: Sending Echo Request (MsgID 1) | 222 I: Sending Echo Request (MsgID 1) |
224 I: Received Echo Response (Success) | 223 I: Received Echo Response (Success) |
225 I: Releasing Association | 224 I: Releasing Association |
226 | |
227 | |
228 **Remark:** Importantly, if the remote DICOM modality provides an | |
229 invalid DICOM TLS certificate, Orthanc will never accept the | |
230 connection. |
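
Review bot: The **Remark** at old lines 228-230 ("if the remote DICOM modality provides an invalid DICOM TLS certificate, Orthanc will never accept the connection") is deleted with no replacement, which leaves the page silent on invalid certificates exactly where the commit message announces the switch to ``--ignore-peer-cert``. Replace it with a remark that states the new handling of invalid remote certificates and what that means for peer authentication, rather than dropping it. The sample configuration also loses ``DicomTlsTrustedCertificates`` (old line 210) together with the sentence saying the option "must always be present"; if that requirement still holds for the releases covered by the 1.9.3 to 1.12.3 note, say so, otherwise readers on those versions who copy the new sample will be missing an option the old text called mandatory.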