changeset 5633:5db4ed395d81

merge
author Alain Mazy <am@orthanc.team>
date Tue, 21 May 2024 12:28:21 +0200
parents cfb67c7ccb4d (diff) 3b7fb32ecbb0 (current diff)
children 0e16e677fe64
files NEWS
diffstat 2 files changed, 11 insertions(+), 5 deletions(-) [+]
--- a/NEWS	Fri May 17 13:23:58 2024 +0200
+++ b/NEWS	Tue May 21 12:28:21 2024 +0200
@@ -42,8 +42,15 @@
   creating a ZIP archive.
 * Monitoring of stable resources now also takes into consideration the
   resource type, not only the resource identifier identifier.
-* When working with "DicomTlsEnabled": true and "DicomTlsRemoteCertificateRequired": false,
-  Orthanc was refusing to start if no "DicomTlsTrustedCertificates" was provided.
+* DICOM TLS:
+  * In prior versions, when "DicomTlsRemoteCertificateRequired" was set to false, Orthanc
+    was still sending a client certificate request during the TLS handshake but was not triggering
+    and error if the client certificate was not trusted (equivalent to the --verify-peer-cert DCMTK option)
+    From this version, if this option is set to false, Orthanc will not send a 
+    client certificate request during the TLS handshake anymore (equivalent to the --ignore-peer-cert 
+    DCMTK option).
+  * When working with "DicomTlsEnabled": true and "DicomTlsRemoteCertificateRequired": false,
+    Orthanc was refusing to start if no "DicomTlsTrustedCertificates" was provided.
 * Upgraded dependencies for static builds:
   - boost 1.85.0
 
--- a/OrthancFramework/Sources/DicomNetworking/Internals/DicomTls.cpp	Fri May 17 13:23:58 2024 +0200
+++ b/OrthancFramework/Sources/DicomNetworking/Internals/DicomTls.cpp	Tue May 21 12:28:21 2024 +0200
@@ -28,7 +28,6 @@
 #include "../../OrthancException.h"
 #include "../../SystemToolbox.h"
 
-
 #if DCMTK_VERSION_NUMBER < 364
 #  define DCF_Filetype_PEM  SSL_FILETYPE_PEM
 #  if OPENSSL_VERSION_NUMBER >= 0x0090700fL
@@ -180,8 +179,8 @@
       }
       else
       {
-        // Check remote certificate if present, succeed if no certificate is present
-        tls->setCertificateVerification(DCV_checkCertificate /*opt_certVerification*/);
+        // From 1.12.4, do not even request remote certificate (prior to 1.12.4, we were requesting a certificates, checking it if present and succeeding if not present)
+        tls->setCertificateVerification(DCV_ignoreCertificate /*opt_certVerification*/);
       }
       
       if (ASC_setTransportLayer(network, tls.get(), 0).bad())
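Review bot: The new `setCertificateVerification(DCV_ignoreCertificate ...)` call on the `else` branch turns off client-certificate verification entirely, yet the comment above it only records the version history and nothing at this point makes the resulting security posture visible to operators. When this branch is taken the remote peer is no longer authenticated at the TLS layer (only the transport is encrypted), which is a different trust model from the previous DCV_checkCertificate behaviour and worth stating where the decision is made. I would replace the history comment with one that names the consequence, e.g. `// No client certificate is requested from the peer (DCMTK --ignore-peer-cert): remote DICOM peers are NOT authenticated at the TLS layer on this branch`, and consider emitting a warning-level log line at the same spot so a deployment running without peer authentication is obvious from the logs. The condition selecting this branch and the enclosing function lie outside the hunk, so the mapping of this `else` to `"DicomTlsRemoteCertificateRequired": false` is inferred from the NEWS entry rather than from visible code.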