# HG changeset patch
# User Alain Mazy
# Date 1715865843 -7200
# Node ID d9824edad40af193af1fb289558ba04095a25a97
# Parent 56e1e7d0f92adffbfa801135b178568aa82157a5
back to BSP195 TLS profile + don't request client certificate if we are not checking it
diff -r 56e1e7d0f92a -r d9824edad40a OrthancFramework/Sources/DicomNetworking/Internals/DicomTls.cpp
--- a/OrthancFramework/Sources/DicomNetworking/Internals/DicomTls.cpp Tue May 14 09:44:01 2024 +0200
+++ b/OrthancFramework/Sources/DicomNetworking/Internals/DicomTls.cpp Thu May 16 15:24:03 2024 +0200
@@ -156,9 +156,7 @@
 }
 #if DCMTK_VERSION_NUMBER >= 364
- // TODO: add parameters to select TSP_Profile ?
- if (IsFailure(tls->setTLSProfile(TSP_Profile_AES /*opt_tlsProfile*/)))
- //if (IsFailure(tls->setTLSProfile(TSP_Profile_BCP195 /*opt_tlsProfile*/)))
+ if (IsFailure(tls->setTLSProfile(TSP_Profile_BCP195 /*opt_tlsProfile*/)))
 {
 throw OrthancException(ErrorCode_InternalError, "Cannot set the DICOM TLS profile");
 }
@@ -187,8 +185,8 @@
 }
 else
 {
- // Check remote certificate if present, succeed if no certificate is present
- tls->setCertificateVerification(DCV_checkCertificate /*opt_certVerification*/);
+ // From 1.12.4, do not even request remote certificate (prior to 1.12.4, we were requesting a certificates, checking it if present and succeeding if not present)
+ tls->setCertificateVerification(DCV_ignoreCertificate /*opt_certVerification*/);
 }
 if (ASC_setTransportLayer(network, tls.get(), 0).bad())
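Review bot: The profile passed to `setTLSProfile` is now fixed at `TSP_Profile_BCP195` and the TODO that tracked making it selectable is removed, so nothing on the new side records why this profile was chosen or that it cannot be tightened by configuration. As far as I know DCMTK's plain BCP195 profile stays backward compatible with older peers, while `TSP_Profile_BCP195_ND` is the non-downgrading variant; this is worth confirming against the DCMTK version in use. I would keep a comment above the call such as `// BCP195 kept for compatibility with older peers; TODO: make the profile configurable so sites can require TSP_Profile_BCP195_ND`. The enclosing function starts and ends outside this hunk.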
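Review bot: With `DCV_ignoreCertificate` in the `else` branch a peer that does present a certificate is no longer checked at all, whereas the removed line validated it when present; the new comment describes the request side but not this loss of validation. If this initialisation is also used for outgoing associations (the function signature is outside the hunk, so this is inferred), the remote server's certificate would then go unverified and TLS would give encryption without peer authentication. I would state that in the comment, e.g. `// No peer authentication in this branch: a presented certificate is accepted without validation`, and consider keeping `DCV_checkCertificate` when acting as requestor. The `if` condition guarding this branch is outside the hunk.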