# HG changeset patch
# User Alain Mazy
# Date 1716287227 -7200
# Node ID cfb67c7ccb4d367644a7cf4c3e76b179c46a0dbe
# Parent 72dcf3a8d7d526e95c8f290801a0b675a0533590
DicomTlsRemoteCertificateRequired=false is now equivalent to --ignore-peer-cert DCMTK option instead of --verify-peer-cert
diff -r 72dcf3a8d7d5 -r cfb67c7ccb4d NEWS
--- a/NEWS Thu May 16 15:31:31 2024 +0200
+++ b/NEWS Tue May 21 12:27:07 2024 +0200
@@ -42,8 +42,15 @@
 creating a zip file.
 * Monitoring of stable resources now also takes into consideration the resource type, not only the resource identifier identifier.
-* When working with "DicomTlsEnabled": true and "DicomTlsRemoteCertificateRequired": false,
- Orthanc was refusing to start if no "DicomTlsTrustedCertificates" was provided.
+* DICOM TLS:
+ * In prior versions, when "DicomTlsRemoteCertificateRequired" was set to false, Orthanc
+ was still sending a client certificate request during the TLS handshake but was not triggering
+ and error if the client certificate was not trusted (equivalent to the --verify-peer-cert DCMTK option)
+ From this version, if this option is set to false, Orthanc will not send a
+ client certificate request during the TLS handshake anymore (equivalent to the --ignore-peer-cert
+ DCMTK option).
+ * When working with "DicomTlsEnabled": true and "DicomTlsRemoteCertificateRequired": false,
+ Orthanc was refusing to start if no "DicomTlsTrustedCertificates" was provided.
 Version 1.12.3 (2024-01-31)
diff -r 72dcf3a8d7d5 -r cfb67c7ccb4d OrthancFramework/Sources/DicomNetworking/Internals/DicomTls.cpp
--- a/OrthancFramework/Sources/DicomNetworking/Internals/DicomTls.cpp Thu May 16 15:31:31 2024 +0200
+++ b/OrthancFramework/Sources/DicomNetworking/Internals/DicomTls.cpp Tue May 21 12:27:07 2024 +0200
@@ -28,7 +28,6 @@
 #include "../../OrthancException.h"
 #include "../../SystemToolbox.h"
-
 #if DCMTK_VERSION_NUMBER < 364
 # define DCF_Filetype_PEM SSL_FILETYPE_PEM
 # if OPENSSL_VERSION_NUMBER >= 0x0090700fL
@@ -180,8 +179,8 @@
 }
 else
 {
-// Check remote certificate if present, succeed if no certificate is present
-tls->setCertificateVerification(DCV_checkCertificate /*opt_certVerification*/);
+// From 1.12.4, do not even request remote certificate (prior to 1.12.4, we were requesting a certificates, checking it if present and succeeding if not present)
+tls->setCertificateVerification(DCV_ignoreCertificate /*opt_certVerification*/);
 }
 if (ASC_setTransportLayer(network, tls.get(), 0).bad())
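Review bot: The new comment above `setCertificateVerification` says what the call no longer does but not what that means for security: with `DCV_ignoreCertificate` the TLS layer no longer authenticates the remote peer at all, so in this branch every peer that completes a handshake is accepted and any access control has to come from checks performed after the transport layer. I would state that in the comment rather than only describing the pre-1.12.4 behaviour, e.g. `// DicomTlsRemoteCertificateRequired=false: no client certificate is requested, so the peer is NOT authenticated at the TLS layer (DCMTK --ignore-peer-cert)`. The same comment has a typo, `a certificates` → `a certificate`. Since this silently weakens peer verification for existing deployments that had the option set to false, a warning-level log line emitted when this branch is taken (if the file has Orthanc's logging macros in scope, which the hunk does not show) would help operators notice the change. The condition that selects this `else` branch and the enclosing function both lie outside the hunk.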