# HG changeset patch
# User Sebastien Jodogne
# Date 1600183823 -7200
# Node ID 30ebe460e77ad2603512e98b20d97458e333379d
# Parent 7ecaada8fbcc1803378ac614354ab472de3824dc
# Parent 9ce5c89328f520501668de125a4f4a3c885d9ec8
merge
diff -r 7ecaada8fbcc -r 30ebe460e77a NEWS
--- a/NEWS Tue Sep 15 17:29:40 2020 +0200
+++ b/NEWS Tue Sep 15 17:30:23 2020 +0200
@@ -1,6 +1,15 @@
 Pending changes in the mainline
 ===============================
 
+General
+-------
+
+* New configuration options to enable HTTP peers identification through certificates:
+ "SslVerifyPeers" & "SslTrustedClientCertificates"
+* New configuration option "SyncStorageArea" to commit the files on disk "inside" the DB
+ transaction and avoid DB - File system discrepencies in case of hard shutdown
+ of the machine running Orthanc. This comes with a cost: DICOM file ingestion is slower.
+
 Maintenance
 -----------
 
@@ -10,7 +19,7 @@
 * When checking DICOM allowed methods, if there are multiple modalities with the same AET,
 differentiate them from the calling IP
 * Enable the access to raw frames in Philips ELSCINT1 proprietary compression
-* New configuration option "SyncStorageArea"
+
 
 
 Version 1.7.3 (2020-08-24)
diff -r 7ecaada8fbcc -r 30ebe460e77a OrthancFramework/Sources/HttpServer/HttpServer.cpp
--- a/OrthancFramework/Sources/HttpServer/HttpServer.cpp Tue Sep 15 17:29:40 2020 +0200
+++ b/OrthancFramework/Sources/HttpServer/HttpServer.cpp Tue Sep 15 17:30:23 2020 +0200
@@ -1060,6 +1060,7 @@
 remoteAllowed_ = false;
 authentication_ = false;
 ssl_ = false;
+ sslVerifyPeers_ = false;
 port_ = 8000;
 filter_ = NULL;
 keepAlive_ = false;
@@ -1150,6 +1151,11 @@
 // Set the timeout for the HTTP server
 "request_timeout_ms", requestTimeoutMilliseconds.c_str(),
 
+ // Set the client authentication
+ "ssl_verify_peer", (sslVerifyPeers_ ? "yes" : "no"),
+ // Set the trusted client certificates (for X509 mutual authentication)
+ sslVerifyPeers_ ? "ssl_ca_file" : NULL, trustedClientCertificates_.c_str(),
+
 // Set the SSL certificate, if any. This must be the last option.
 ssl_ ? "ssl_certificate" : NULL, certificate_.c_str(),
 
@@ -1257,6 +1263,23 @@
 #endif
 }
 
+ void HttpServer::SetSslVerifyPeers(bool enabled)
+ {
+ Stop();
+
+#if ORTHANC_ENABLE_SSL == 0
+ if (enabled)
+ {
+ throw OrthancException(ErrorCode_SslDisabled);
+ }
+ else
+ {
+ sslVerifyPeers_ = false;
+ }
+#else
+ sslVerifyPeers_ = enabled;
+#endif
+ }
 void HttpServer::SetKeepAliveEnabled(bool enabled)
 {
 
@@ -1285,6 +1308,12 @@
 certificate_ = path;
 }
 
+ void HttpServer::SetSslTrustedClientCertificates(const char* path)
+ {
+ Stop();
+ trustedClientCertificates_ = path;
+ }
+
 void HttpServer::SetRemoteAccessAllowed(bool allowed)
 {
 Stop();
diff -r 7ecaada8fbcc -r 30ebe460e77a OrthancFramework/Sources/HttpServer/HttpServer.h
--- a/OrthancFramework/Sources/HttpServer/HttpServer.h Tue Sep 15 17:29:40 2020 +0200
+++ b/OrthancFramework/Sources/HttpServer/HttpServer.h Tue Sep 15 17:30:23 2020 +0200
@@ -80,6 +80,8 @@
 
 bool remoteAllowed_;
 bool authentication_;
+ bool sslVerifyPeers_;
+ std::string trustedClientCertificates_;
 bool ssl_;
 std::string certificate_;
 uint16_t port_;
@@ -129,6 +131,10 @@
 
 void SetSslEnabled(bool enabled);
 
+ void SetSslVerifyPeers(bool enabled);
+
+ void SetSslTrustedClientCertificates(const char* path);
+
 bool IsKeepAliveEnabled() const
 {
 return keepAlive_;
diff -r 7ecaada8fbcc -r 30ebe460e77a OrthancServer/Resources/Configuration.json
--- a/OrthancServer/Resources/Configuration.json Tue Sep 15 17:29:40 2020 +0200
+++ b/OrthancServer/Resources/Configuration.json Tue Sep 15 17:30:23 2020 +0200
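Review bot: When sslVerifyPeers_ is false, `sslVerifyPeers_ ? "ssl_ca_file" : NULL` puts a NULL option name in front of the `ssl_certificate` pair; the existing comment "This must be the last option" on `ssl_ ? "ssl_certificate" : NULL` relies on the options list ending at the first NULL name, and if the embedded server reads it that way (I cannot confirm its parsing from this page) then a server configured with SslEnabled true and SslVerifyPeers false never receives its certificate. Moving `sslVerifyPeers_ ? "ssl_ca_file" : NULL, trustedClientCertificates_.c_str(),` below `ssl_ ? "ssl_certificate" : NULL, certificate_.c_str(),` and carrying the "must be the last option" remark with it fixes this: a NULL then only truncates the CA-file entry, which is meaningless without SSL anyway. Note that `"ssl_verify_peer"` is passed as "yes" even when ssl_ is false, which is harmless but worth a comment. The options array belongs to a function whose beginning lies outside this hunk.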
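Review bot: SetSslVerifyPeers carries no comment although its behaviour differs by build: with ORTHANC_ENABLE_SSL == 0 a true argument throws ErrorCode_SslDisabled while false is silently accepted, and the call to Stop() means the flag cannot change on a running server. Propose above the definition: `// Require HTTPS clients to present a certificate that verifies against the file given to SetSslTrustedClientCertificates(); throws ErrorCode_SslDisabled on builds without SSL support`. The added closing brace also appears to run straight into `void HttpServer::SetKeepAliveEnabled` without the blank line the neighbouring methods use, though the collapsed layout of this page makes that uncertain.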
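Review bot: `trustedClientCertificates_ = path;` has no null check, and assigning a null `const char*` to a std::string is undefined behaviour; the sibling `certificate_ = path;` visible as context has the same shape, so the new setter is consistent with existing style but inherits the hazard. Either take `const std::string&` in both setters or reject a null path before the assignment. Nothing here checks that the file exists or is readable, so presumably a wrong path only surfaces when the server starts; a comment saying so would help whoever debugs a failed start.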
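Review bot: The two new setters are declared without any comment, unlike the behaviour they carry in the .cpp hunks: `SetSslVerifyPeers(true)` throws on a build without SSL support, and both stop a running server before storing the value. Propose `// Require HTTPS clients to present a certificate that verifies against the trusted client certificates; meaningful only when SSL is enabled` above `SetSslVerifyPeers` and `// Path to the PEM file holding the trusted client certificates; must be set when peer verification is enabled` above `SetSslTrustedClientCertificates`. The first hunk of this header adds the backing members without a comment either.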
@@ -147,10 +147,22 @@
 // Whether or not SSL is enabled
 "SslEnabled" : false,
 
- // Path to the SSL certificate in the PEM format (meaningful only if
- // SSL is enabled)
+ // Path to the SSL certificate used by the HTTP server.
+ // Certifcate must be stored in the PEM format.
+ // meaningful only if SslEnabled is true.
+ // The file must contain both the certificate and the private key.
 "SslCertificate" : "certificate.pem",
 
+ // Whether or not peer client certificates shall be checked.
+ // meaningfull only if SslEnabled is true
+ "SslVerifyPeers" : false,
+
+ // Path to the SSL certificate(s) that are trusted to verify
+ // peers identify.
+ // Certifcate(s) must be stored in the PEM format.
+ // meaningfull only if SslVerifyPeers is true
+ "SslTrustedClientCertificates" : "trustedClientCertificates.pem",
+
 // Whether or not the password protection is enabled (using HTTP
 // basic access authentication). Starting with Orthanc 1.5.8, if
 // "AuthenticationEnabled" is not explicitly set, authentication is
diff -r 7ecaada8fbcc -r 30ebe460e77a OrthancServer/Sources/main.cpp
--- a/OrthancServer/Sources/main.cpp Tue Sep 15 17:29:40 2020 +0200
+++ b/OrthancServer/Sources/main.cpp Tue Sep 15 17:30:23 2020 +0200
@@ -1017,6 +1017,18 @@
 httpServer.SetSslEnabled(false);
 }
 
+ if (lock.GetConfiguration().GetBooleanParameter("SslVerifyPeers", false))
+ {
+ std::string trustedClientCertificates = lock.GetConfiguration().InterpretStringParameterAsPath(
+ lock.GetConfiguration().GetStringParameter("SslTrustedClientCertificates", "trustedCertificates.pem"));
+ httpServer.SetSslVerifyPeers(true);
+ httpServer.SetSslTrustedClientCertificates(trustedClientCertificates.c_str());
+ }
+ else
+ {
+ httpServer.SetSslVerifyPeers(false);
+ }
+
 if (lock.GetConfiguration().GetBooleanParameter("ExecuteLuaEnabled", false))
 {
 context.SetExecuteLuaEnabled(true);
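Review bot: The sample default `"SslTrustedClientCertificates" : "trustedClientCertificates.pem"` does not match the fallback `"trustedCertificates.pem"` that the main.cpp hunk below passes to GetStringParameter, so an operator who trusts the documented default and omits the key has a different file looked up. Pick one name for both places. The new comments also carry typos that will be copied into many deployments: `Certifcate` for `Certificate`, `meaningfull` for `meaningful`, and `peers identify` for `peers' identity`. It would also help to state what happens to a client that presents no certificate, or one that does not verify against this file, since that is the property an operator enabling the option is relying on.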
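Review bot: `SslVerifyPeers` is applied independently of the `SslEnabled` branch that ends just above this hunk, so a configuration with SslVerifyPeers true and SslEnabled false is accepted silently and the server authenticates nobody although the operator asked for client certificates; Configuration.json says the option is "meaningful only if SslEnabled is true" but nothing here enforces it. Suggest treating that combination as a configuration error, or at least logging `LOG(WARNING) << "SslVerifyPeers is set but SslEnabled is false: client certificates will not be checked";` next to `httpServer.SetSslVerifyPeers(true);`, so the weaker-than-intended deployment is visible in the logs. The resolved path is not checked for existence here either; presumably a bad path fails only when the server starts, where it is harder to attribute to this option. The enclosing function continues outside the hunk.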