# HG changeset patch # User Sebastien Jodogne # Date 1600255801 -7200 # Node ID b1d528687e255aa5df6cbba2f6bd7dfc0e7eae0c # Parent 37310bb1cd306ec026c8a247689463f5386bb569# Parent db38b2ad4c4a12549d54673b63f4e9ae0ced9094 merge diff -r 37310bb1cd30 -r b1d528687e25 NEWS --- a/NEWS Wed Sep 16 13:22:30 2020 +0200 +++ b/NEWS Wed Sep 16 13:30:01 2020 +0200 @@ -5,10 +5,10 @@ ------- * New configuration options to enable HTTP peers identification through certificates: - "SslVerifyPeers" & "SslTrustedClientCertificates" -* New configuration option "SyncStorageArea" to commit the files on disk "inside" the DB - transaction and avoid DB - File system discrepencies in case of hard shutdown - of the machine running Orthanc. This comes with a cost: DICOM file ingestion is slower. + "SslVerifyPeers" and "SslTrustedClientCertificates" +* New configuration option "SyncStorageArea" to immediately commit the files onto the disk + (through fsync()), so as to avoid discrepencies between DB and filesystem in case of hard + shutdown of the machine running Orthanc. This slows down adding new files into Orthanc. Maintenance ----------- @@ -19,6 +19,7 @@ * When checking DICOM allowed methods, if there are multiple modalities with the same AET, differentiate them from the calling IP * Enable the access to raw frames in Philips ELSCINT1 proprietary compression +* Support empty key passwords when using HTTP client certificates * Fix handling of "ModalitiesInStudy" (0008,0061) in C-FIND and "/tools/find" diff -r 37310bb1cd30 -r b1d528687e25 OrthancFramework/Sources/HttpClient.cpp --- a/OrthancFramework/Sources/HttpClient.cpp Wed Sep 16 13:22:30 2020 +0200 +++ b/OrthancFramework/Sources/HttpClient.cpp Wed Sep 16 13:30:01 2020 +0200 
@@ -788,11 +788,7 @@
 #if ORTHANC_ENABLE_SSL == 1
 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSLCERTTYPE, "PEM"));
 CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_SSLCERT, clientCertificateFile_.c_str()));
-
- if (!clientCertificateKeyPassword_.empty())
- {
- CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_KEYPASSWD, clientCertificateKeyPassword_.c_str()));
- }
+ CheckCode(curl_easy_setopt(pimpl_->curl_, CURLOPT_KEYPASSWD, clientCertificateKeyPassword_.c_str()));
 // NB: If no "clientKeyFile_" is provided, the key must be
 // prepended to the certificate file
diff -r 37310bb1cd30 -r b1d528687e25 OrthancServer/Resources/Configuration.json
--- a/OrthancServer/Resources/Configuration.json Wed Sep 16 13:22:30 2020 +0200
+++ b/OrthancServer/Resources/Configuration.json Wed Sep 16 13:30:01 2020 +0200
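Review bot: The now-unconditional `CURLOPT_KEYPASSWD` call in the HttpClient.cpp hunk has no comment saying why the `empty()` guard was dropped, so a later cleanup could reinstate the guard as a harmless-looking shortcut. As I understand libcurl's OpenSSL backend, leaving the option unset means no passphrase callback is installed, so an encrypted key can fall back to OpenSSL's interactive terminal prompt, which a server process should never reach. Setting it always, even to an empty string, makes a missing or wrong passphrase fail the request instead. I would add above the call: `// Always set the passphrase, even if empty: this supports keys with an empty passphrase and keeps OpenSSL from prompting on the terminal`. The enclosing function starts and ends outside the hunk, so whether this block is guarded by a check on `clientCertificateFile_` cannot be confirmed from here.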
@@ -147,20 +147,21 @@
 // Whether or not SSL is enabled
 "SslEnabled" : false,
- // Path to the SSL certificate used by the HTTP server.
- // Certifcate must be stored in the PEM format.
- // meaningful only if SslEnabled is true.
- // The file must contain both the certificate and the private key.
+ // Path to the SSL certificate used by the HTTP server. The file
+ // must be stored in the PEM format, and must contain both the
+ // certificate and the private key. This option is only meaningful
+ // if "SslEnabled" is true.
 "SslCertificate" : "certificate.pem",
- // Whether or not peer client certificates shall be checked.
- // meaningfull only if SslEnabled is true
+ // Whether or not peer client certificates shall be checked. This
+ // option is only meaningfull if "SslEnabled" is true.
 "SslVerifyPeers" : false,
- // Path to the SSL certificate(s) that are trusted to verify
- // peers identify.
- // Certifcate(s) must be stored in the PEM format.
- // meaningfull only if SslVerifyPeers is true
+ // Path to a file containing the concatenation of the client SSL
+ // certificate(s) that are trusted to verify the identify of remote
+ // HTTP clients. The individual certificate(s) must be stored in the
+ // PEM format. This option is only meaningfull if "SslVerifyPeers"
+ // is true.
 "SslTrustedClientCertificates" : "trustedClientCertificates.pem",
 // Whether or not the password protection is enabled (using HTTP