Mercurial > hg > orthanc

annotate OrthancFramework/Sources/DicomNetworking/Internals/DicomTls.cpp @ 5623:56e1e7d0f92a tls-ignore-unexpected-tls

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
TLS test code
author Alain Mazy <am@orthanc.team>
date Tue, 14 May 2024 09:44:01 +0200
parents 335e2079de1f
children d9824edad40a
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
1 /**
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
2 * Orthanc - A Lightweight, RESTful DICOM Store
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
3 * Copyright (C) 2012-2016 Sebastien Jodogne, Medical Physics
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
4 * Department, University Hospital of Liege, Belgium
5485
48b8dae6dc77 upgrade to year 2024
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 5185
diff changeset
5 * Copyright (C) 2017-2024 Osimis S.A., Belgium
48b8dae6dc77 upgrade to year 2024
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 5185
diff changeset
6 * Copyright (C) 2021-2024 Sebastien Jodogne, ICTEAM UCLouvain, Belgium
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
7 *
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
8 * This program is free software: you can redistribute it and/or
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
9 * modify it under the terms of the GNU Lesser General Public License
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
10 * as published by the Free Software Foundation, either version 3 of
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
11 * the License, or (at your option) any later version.
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
12 *
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
13 * This program is distributed in the hope that it will be useful, but
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
16 * Lesser General Public License for more details.
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
17 *
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
18 * You should have received a copy of the GNU Lesser General Public
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
19 * License along with this program. If not, see
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
20 * <http://www.gnu.org/licenses/>.
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
21 **/
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
22
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
23
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
24 #include "../../PrecompiledHeaders.h"
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
25 #include "DicomTls.h"
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
26
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
27 #include "../../Logging.h"
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
28 #include "../../OrthancException.h"
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
29 #include "../../SystemToolbox.h"
5622
335e2079de1f testing OpenSSL ignore_unexpected_eof option
Alain Mazy <am@orthanc.team>
parents: 5598
diff changeset
30 #include <openssl/ssl.h>
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
31
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
32 #if DCMTK_VERSION_NUMBER < 364
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
33 # define DCF_Filetype_PEM SSL_FILETYPE_PEM
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
34 # if OPENSSL_VERSION_NUMBER >= 0x0090700fL
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
35 // This seems to correspond to TSP_Profile_AES: https://support.dcmtk.org/docs/tlsciphr_8h.html
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
36 static std::string opt_ciphersuites(TLS1_TXT_RSA_WITH_AES_128_SHA ":" SSL3_TXT_RSA_DES_192_CBC3_SHA);
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
37 # else
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
38 // This seems to correspond to TSP_Profile_Basic in DCMTK >= 3.6.4: https://support.dcmtk.org/docs/tlsciphr_8h.html
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
39 static std::string opt_ciphersuites(SSL3_TXT_RSA_DES_192_CBC3_SHA);
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
40 # endif
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
41 #endif
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
42
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
43
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
44 namespace Orthanc
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
45 {
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
46 namespace Internals
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
47 {
4997
1f93dc290628 fix compatibility with dcmtk 3.6.7
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4870
diff changeset
48 #if DCMTK_VERSION_NUMBER >= 367
1f93dc290628 fix compatibility with dcmtk 3.6.7
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4870
diff changeset
49 static bool IsFailure(OFCondition cond)
1f93dc290628 fix compatibility with dcmtk 3.6.7
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4870
diff changeset
50 {
1f93dc290628 fix compatibility with dcmtk 3.6.7
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4870
diff changeset
51 return !cond.good();
1f93dc290628 fix compatibility with dcmtk 3.6.7
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4870
diff changeset
52 }
1f93dc290628 fix compatibility with dcmtk 3.6.7
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4870
diff changeset
53 #else
1f93dc290628 fix compatibility with dcmtk 3.6.7
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4870
diff changeset
54 static bool IsFailure(DcmTransportLayerStatus status)
1f93dc290628 fix compatibility with dcmtk 3.6.7
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4870
diff changeset
55 {
1f93dc290628 fix compatibility with dcmtk 3.6.7
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4870
diff changeset
56 return (status != TCS_ok);
1f93dc290628 fix compatibility with dcmtk 3.6.7
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4870
diff changeset
57 }
1f93dc290628 fix compatibility with dcmtk 3.6.7
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4870
diff changeset
58 #endif
1f93dc290628 fix compatibility with dcmtk 3.6.7
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4870
diff changeset
59
1f93dc290628 fix compatibility with dcmtk 3.6.7
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4870
diff changeset
60
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
61 DcmTLSTransportLayer* InitializeDicomTls(T_ASC_Network *network,
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
62 T_ASC_NetworkRole role,
4438
4a4e33c9082d configuration options for DICOM TLS in Orthanc SCU
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4437
diff changeset
63 const std::string& ownPrivateKeyPath,
4a4e33c9082d configuration options for DICOM TLS in Orthanc SCU
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4437
diff changeset
64 const std::string& ownCertificatePath,
4656
82a314325351 New configuration option: "DicomTlsRemoteCertificateRequired"
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4438
diff changeset
65 const std::string& trustedCertificatesPath,
82a314325351 New configuration option: "DicomTlsRemoteCertificateRequired"
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4438
diff changeset
66 bool requireRemoteCertificate)
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
67 {
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
68 if (network == NULL)
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
69 {
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
70 throw OrthancException(ErrorCode_NullPointer);
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
71 }
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
72
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
73 if (role != NET_ACCEPTOR &&
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
74 role != NET_REQUESTOR)
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
75 {
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
76 throw OrthancException(ErrorCode_ParameterOutOfRange, "Unknown role");
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
77 }
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
78
5598
317850cd46bc fix DicomTlsTrustedCertificates configuration that should not be mandatory if DicomTlsRemoteCertificateRequired is false
Alain Mazy <am@orthanc.team>
parents: 5487
diff changeset
79 if (requireRemoteCertificate && !SystemToolbox::IsRegularFile(trustedCertificatesPath))
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
80 {
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
81 throw OrthancException(ErrorCode_InexistentFile, "Cannot read file with trusted certificates for DICOM TLS: " +
4438
4a4e33c9082d configuration options for DICOM TLS in Orthanc SCU
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4437
diff changeset
82 trustedCertificatesPath);
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
83 }
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
84
4438
4a4e33c9082d configuration options for DICOM TLS in Orthanc SCU
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4437
diff changeset
85 if (!SystemToolbox::IsRegularFile(ownPrivateKeyPath))
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
86 {
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
87 throw OrthancException(ErrorCode_InexistentFile, "Cannot read file with own private key for DICOM TLS: " +
4438
4a4e33c9082d configuration options for DICOM TLS in Orthanc SCU
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4437
diff changeset
88 ownPrivateKeyPath);
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
89 }
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
90
4438
4a4e33c9082d configuration options for DICOM TLS in Orthanc SCU
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4437
diff changeset
91 if (!SystemToolbox::IsRegularFile(ownCertificatePath))
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
92 {
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
93 throw OrthancException(ErrorCode_InexistentFile, "Cannot read file with own certificate for DICOM TLS: " +
4438
4a4e33c9082d configuration options for DICOM TLS in Orthanc SCU
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4437
diff changeset
94 ownCertificatePath);
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
95 }
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
96
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
97 CLOG(INFO, DICOM) << "Initializing DICOM TLS for Orthanc "
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
98 << (role == NET_ACCEPTOR ? "SCP" : "SCU");
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
99
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
100 #if DCMTK_VERSION_NUMBER >= 364
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
101 const T_ASC_NetworkRole tmpRole = role;
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
102 #else
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
103 int tmpRole;
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
104 switch (role)
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
105 {
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
106 case NET_ACCEPTOR:
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
107 tmpRole = DICOM_APPLICATION_ACCEPTOR;
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
108 break;
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
109
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
110 case NET_REQUESTOR:
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
111 tmpRole = DICOM_APPLICATION_REQUESTOR;
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
112 break;
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
113
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
114 default:
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
115 throw OrthancException(ErrorCode_ParameterOutOfRange);
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
116 }
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
117 #endif
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
118
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
119 std::unique_ptr<DcmTLSTransportLayer> tls(
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
120 new DcmTLSTransportLayer(tmpRole /*opt_networkRole*/, NULL /*opt_readSeedFile*/,
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
121 OFFalse /*initializeOpenSSL, done by Orthanc::Toolbox::InitializeOpenSsl()*/));
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
122
5598
317850cd46bc fix DicomTlsTrustedCertificates configuration that should not be mandatory if DicomTlsRemoteCertificateRequired is false
Alain Mazy <am@orthanc.team>
parents: 5487
diff changeset
123 if (requireRemoteCertificate && IsFailure(tls->addTrustedCertificateFile(trustedCertificatesPath.c_str(), DCF_Filetype_PEM /*opt_keyFileFormat*/)))
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
124 {
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
125 throw OrthancException(ErrorCode_BadFileFormat, "Cannot parse PEM file with trusted certificates for DICOM TLS: " +
4438
4a4e33c9082d configuration options for DICOM TLS in Orthanc SCU
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4437
diff changeset
126 trustedCertificatesPath);
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
127 }
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
128
4997
1f93dc290628 fix compatibility with dcmtk 3.6.7
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4870
diff changeset
129 if (IsFailure(tls->setPrivateKeyFile(ownPrivateKeyPath.c_str(), DCF_Filetype_PEM /*opt_keyFileFormat*/)))
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
130 {
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
131 throw OrthancException(ErrorCode_BadFileFormat, "Cannot parse PEM file with private key for DICOM TLS: " +
4438
4a4e33c9082d configuration options for DICOM TLS in Orthanc SCU
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4437
diff changeset
132 ownPrivateKeyPath);
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
133 }
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
134
5487
33f8e180edcf upgraded static build to dcmtk 3.6.8
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 5485
diff changeset
135 if (IsFailure(tls->setCertificateFile(
33f8e180edcf upgraded static build to dcmtk 3.6.8
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 5485
diff changeset
136 ownCertificatePath.c_str(), DCF_Filetype_PEM /*opt_keyFileFormat*/
33f8e180edcf upgraded static build to dcmtk 3.6.8
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 5485
diff changeset
137 #if DCMTK_VERSION_NUMBER >= 368
33f8e180edcf upgraded static build to dcmtk 3.6.8
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 5485
diff changeset
138 /**
33f8e180edcf upgraded static build to dcmtk 3.6.8
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 5485
diff changeset
139 * DICOM BCP 195 RFC 8996 TLS Profile, based on RFC 8996 and RFC 9325.
33f8e180edcf upgraded static build to dcmtk 3.6.8
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 5485
diff changeset
140 * This profile only negotiates TLS 1.2 or newer, and will not fall back to
33f8e180edcf upgraded static build to dcmtk 3.6.8
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 5485
diff changeset
141 * previous TLS versions. It provides the higher security level offered by the
33f8e180edcf upgraded static build to dcmtk 3.6.8
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 5485
diff changeset
142 * 2021 revised edition of BCP 195.
33f8e180edcf upgraded static build to dcmtk 3.6.8
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 5485
diff changeset
143 **/
33f8e180edcf upgraded static build to dcmtk 3.6.8
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 5485
diff changeset
144 , TSP_Profile_BCP_195_RFC_8996
33f8e180edcf upgraded static build to dcmtk 3.6.8
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 5485
diff changeset
145 #endif
33f8e180edcf upgraded static build to dcmtk 3.6.8
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 5485
diff changeset
146 )))
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
147 {
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
148 throw OrthancException(ErrorCode_BadFileFormat, "Cannot parse PEM file with own certificate for DICOM TLS: " +
4438
4a4e33c9082d configuration options for DICOM TLS in Orthanc SCU
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4437
diff changeset
149 ownCertificatePath);
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
150 }
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
151
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
152 if (!tls->checkPrivateKeyMatchesCertificate())
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
153 {
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
154 throw OrthancException(ErrorCode_BadFileFormat, "The private key doesn't match the own certificate: " +
4438
4a4e33c9082d configuration options for DICOM TLS in Orthanc SCU
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4437
diff changeset
155 ownPrivateKeyPath + " vs. " + ownCertificatePath);
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
156 }
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
157
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
158 #if DCMTK_VERSION_NUMBER >= 364
5623
56e1e7d0f92a TLS test code
Alain Mazy <am@orthanc.team>
parents: 5622
diff changeset
159 // TODO: add parameters to select TSP_Profile ?
56e1e7d0f92a TLS test code
Alain Mazy <am@orthanc.team>
parents: 5622
diff changeset
160 if (IsFailure(tls->setTLSProfile(TSP_Profile_AES /*opt_tlsProfile*/)))
56e1e7d0f92a TLS test code
Alain Mazy <am@orthanc.team>
parents: 5622
diff changeset
161 //if (IsFailure(tls->setTLSProfile(TSP_Profile_BCP195 /*opt_tlsProfile*/)))
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
162 {
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
163 throw OrthancException(ErrorCode_InternalError, "Cannot set the DICOM TLS profile");
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
164 }
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
165
4997
1f93dc290628 fix compatibility with dcmtk 3.6.7
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4870
diff changeset
166 if (IsFailure(tls->activateCipherSuites()))
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
167 {
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
168 throw OrthancException(ErrorCode_InternalError, "Cannot activate the cipher suites for DICOM TLS");
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
169 }
5622
335e2079de1f testing OpenSSL ignore_unexpected_eof option
Alain Mazy <am@orthanc.team>
parents: 5598
diff changeset
170
5623
56e1e7d0f92a TLS test code
Alain Mazy <am@orthanc.team>
parents: 5622
diff changeset
171 // TODO: add parameters to enable/disable IGNORE_UNEXPECTED_EOF ?
5622
335e2079de1f testing OpenSSL ignore_unexpected_eof option
Alain Mazy <am@orthanc.team>
parents: 5598
diff changeset
172 DcmTLSTransportLayer::native_handle_type sslNativeHandle = tls->getNativeHandle();
335e2079de1f testing OpenSSL ignore_unexpected_eof option
Alain Mazy <am@orthanc.team>
parents: 5598
diff changeset
173 SSL_CTX_set_options(sslNativeHandle, SSL_OP_IGNORE_UNEXPECTED_EOF);
5623
56e1e7d0f92a TLS test code
Alain Mazy <am@orthanc.team>
parents: 5622
diff changeset
174
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
175 #else
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
176 CLOG(INFO, DICOM) << "Using the following cipher suites for DICOM TLS: " << opt_ciphersuites;
4997
1f93dc290628 fix compatibility with dcmtk 3.6.7
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4870
diff changeset
177 if (IsFailure(tls->setCipherSuites(opt_ciphersuites.c_str())))
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
178 {
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
179 throw OrthancException(ErrorCode_InternalError, "Unable to set cipher suites to: " + opt_ciphersuites);
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
180 }
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
181 #endif
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
182
4656
82a314325351 New configuration option: "DicomTlsRemoteCertificateRequired"
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4438
diff changeset
183 if (requireRemoteCertificate)
82a314325351 New configuration option: "DicomTlsRemoteCertificateRequired"
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4438
diff changeset
184 {
82a314325351 New configuration option: "DicomTlsRemoteCertificateRequired"
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4438
diff changeset
185 // Check remote certificate, fail if no certificate is present
82a314325351 New configuration option: "DicomTlsRemoteCertificateRequired"
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4438
diff changeset
186 tls->setCertificateVerification(DCV_requireCertificate /*opt_certVerification*/);
82a314325351 New configuration option: "DicomTlsRemoteCertificateRequired"
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4438
diff changeset
187 }
82a314325351 New configuration option: "DicomTlsRemoteCertificateRequired"
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4438
diff changeset
188 else
82a314325351 New configuration option: "DicomTlsRemoteCertificateRequired"
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4438
diff changeset
189 {
82a314325351 New configuration option: "DicomTlsRemoteCertificateRequired"
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4438
diff changeset
190 // Check remote certificate if present, succeed if no certificate is present
82a314325351 New configuration option: "DicomTlsRemoteCertificateRequired"
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4438
diff changeset
191 tls->setCertificateVerification(DCV_checkCertificate /*opt_certVerification*/);
82a314325351 New configuration option: "DicomTlsRemoteCertificateRequired"
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 4438
diff changeset
192 }
4432
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
193
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
194 if (ASC_setTransportLayer(network, tls.get(), 0).bad())
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
195 {
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
196 throw OrthancException(ErrorCode_InternalError, "Cannot enable DICOM TLS in the Orthanc " +
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
197 std::string(role == NET_ACCEPTOR ? "SCP" : "SCU"));
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
198 }
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
199
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
200 return tls.release();
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
201 }
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
202 }
fcbac3e8ac1c dicom tls for scu
Sebastien Jodogne <s.jodogne@gmail.com>
parents:
diff changeset
203 }