Mercurial > hg > orthanc-book
comparison Sphinx/source/faq/dicom-tls.rst @ 1069:a714c5fdc4cf
DicomTlsRemoteCertificateRequired=false is now equivalent to --ignore-peer-cert DCMTK option instead of --verify-peer-cert
| author | Alain Mazy <am@orthanc.team> |
|---|---|
| date | Tue, 21 May 2024 12:34:32 +0200 |
| parents | 94f5fc38b927 |
| children |
comparison
equal
deleted
inserted
replaced
| 1068:7ae36fd42cbe | 1069:a714c5fdc4cf |
|---|---|
| 183 default ``--require-peer-cert`` option of the DCMTK command-line | 183 default ``--require-peer-cert`` option of the DCMTK command-line |
| 184 tools). | 184 tools). |
| 185 | 185 |
| 186 Starting from Orthanc 1.9.3, it is possible to allow connections | 186 Starting from Orthanc 1.9.3, it is possible to allow connections |
| 187 to/from remote DICOM modalities that do not provide a DICOM TLS | 187 to/from remote DICOM modalities that do not provide a DICOM TLS |
| 188 certificate (which corresponds to the ``--verify-peer-cert`` option of | 188 certificate (which corresponds to the ``--ignore-peer-cert`` option of |
| 189 DCMTK). This requires setting the :ref:`configuration option | 189 DCMTK). This requires setting the :ref:`configuration option |
| 190 <configuration>` ``DicomTlsRemoteCertificateRequired`` of Orthanc to | 190 <configuration>` ``DicomTlsRemoteCertificateRequired`` of Orthanc to |
| 191 ``false``. | 191 ``false``. Note: between Orthanc 1.9.3 and Orthanc 1.12.3 included, |
| 192 this option was actually equivalent to ``--verify-peer-cert``. | |
| 192 | 193 |
| 193 .. highlight:: bash | 194 .. highlight:: bash |
| 194 | 195 |
| 195 As an example, let us generate one single certificate that is | 196 As an example, let us generate one single certificate that is |
| 196 dedicated to Orthanc:: | 197 dedicated to Orthanc:: |
| 205 | 206 |
| 206 { | 207 { |
| 207 "DicomTlsEnabled" : true, | 208 "DicomTlsEnabled" : true, |
| 208 "DicomTlsCertificate" : "orthanc.crt", | 209 "DicomTlsCertificate" : "orthanc.crt", |
| 209 "DicomTlsPrivateKey" : "orthanc.key", | 210 "DicomTlsPrivateKey" : "orthanc.key", |
| 210 "DicomTlsTrustedCertificates" : "orthanc.crt", | |
| 211 "DicomTlsRemoteCertificateRequired" : false | 211 "DicomTlsRemoteCertificateRequired" : false |
| 212 } | 212 } |
| 213 | 213 |
| 214 .. highlight:: text | 214 .. highlight:: text |
| 215 | 215 |
| 216 Note that the ``DicomTlsTrustedCertificates`` is set to a dummy value, | 216 It is then possible to |
| 217 because this option must always be present. It is then possible to | |
| 218 connect to Orthanc without SCU certificate as follows:: | 217 connect to Orthanc without SCU certificate as follows:: |
| 219 | 218 |
| 220 $ echoscu -v localhost 4242 --anonymous-tls +cf /tmp/k/orthanc.crt | 219 $ echoscu -v localhost 4242 --anonymous-tls +cf /tmp/k/orthanc.crt |
| 221 I: Requesting Association | 220 I: Requesting Association |
| 222 I: Association Accepted (Max Send PDV: 16372) | 221 I: Association Accepted (Max Send PDV: 16372) |
| 223 I: Sending Echo Request (MsgID 1) | 222 I: Sending Echo Request (MsgID 1) |
| 224 I: Received Echo Response (Success) | 223 I: Received Echo Response (Success) |
| 225 I: Releasing Association | 224 I: Releasing Association |
| 226 | |
| 227 | |
| 228 **Remark:** Importantly, if the remote DICOM modality provides an | |
| 229 invalid DICOM TLS certificate, Orthanc will never accept the | |
| 230 connection. |