# HG changeset patch # User Sebastien Jodogne # Date 1624566574 -7200 # Node ID 2ea133e0fa8e3c78735207a7fb9590c9b6b943f7 # Parent e5a78783383f52aafcfbb47b4f5e9e45f156f34d dicom tls and dcm4che diff -r e5a78783383f -r 2ea133e0fa8e Sphinx/source/faq/dicom-tls.rst --- a/Sphinx/source/faq/dicom-tls.rst Thu Jun 24 15:07:00 2021 +0200 +++ b/Sphinx/source/faq/dicom-tls.rst Thu Jun 24 22:29:34 2021 +0200 @@ -83,8 +83,11 @@ trusted certificates. -Example using DCMTK -------------------- +Examples +-------- + +Using DCMTK +^^^^^^^^^^^ .. highlight:: bash @@ -117,7 +120,7 @@ .. highlight:: text -It is then possible to trigger a secure C-GET SCU request from DCMTK +It is then possible to trigger a secure C-ECHO SCU request from DCMTK to Orthanc as follows:: $ echoscu -v -aet DCMTK localhost 4242 +tls dcmtk.key dcmtk.crt +cf orthanc.crt 
@@ -128,6 +131,38 @@ I: Releasing Association +Using dcm4che +^^^^^^^^^^^^^ + +.. highlight:: bash + +To use the dcm4che command-line tools instead of DCMTK, the two +certificates must first be converted from `X.509 +`__ to `PKCS #12 +`__:: + + $ openssl pkcs12 -export -out orthanc.p12 -in orthanc.crt -inkey orthanc.key + $ openssl pkcs12 -export -out dcm4che.p12 -in dcmtk.crt -inkey dcmtk.key + +For this example, you can let the ``Export Password`` as an empty +string in the two calls above. Then, here is how to trigger a secure +C-STORE SCU request to send the ``sample.dcm`` file from dcm4che to +Orthanc:: + + $ ~/Downloads/dcm4che-5.23.3/bin/storescu -c ORTHANC@localhost:4242 --tls \ + --trust-store ./orthanc.p12 --key-store ./dcm4che.p12 --trust-store-pass "" --key-store-pass "" sample.dcm + +**Remarks:** + +* The empty strings provided to the ``--trust-store-pass`` and + ``--key-store-pass`` options correspond to the empty strings + provided to ``Export Password``. + +* Disclaimer: In this setup, ``orthanc.p12`` contains the private key + of the Orthanc server. It is unclear how to remove this private key + that should be unknown to the DICOM client for security reasons. + + Secure TLS connections without certificate ------------------------------------------
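Review bot: In the new "Using dcm4che" section (hunk ``@@ -128,6 +131,38 @@``), the first ``openssl pkcs12 -export`` call bundles ``orthanc.key`` into ``orthanc.p12``, and that file is then given to the client as ``--trust-store``, so the documented procedure hands the server's private key to every DICOM client, which the closing disclaimer acknowledges without resolving. A trust store only needs the server certificate: building it from ``orthanc.crt`` alone (for example with the ``-nokeys`` option of ``openssl pkcs12 -export``, or by importing the certificate with Java's ``keytool -importcert``) should make the disclaimer unnecessary, once it is confirmed that dcm4che accepts the resulting store. Smaller points in the same hunk: the empty ``Export Password`` leaves ``dcm4che.p12``, which holds the client's private key, unprotected on disk, so the text should state that this is acceptable for a test setup only; "you can let the ``Export Password`` as an empty string" should read "you can leave ... empty"; and ``~/Downloads/dcm4che-5.23.3/bin/storescu`` is a developer-local path that would read better as plain ``storescu`` with the dcm4che version mentioned in the prose.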