Mercurial > hg > orthanc

changeset 5632:cfb67c7ccb4d

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
DicomTlsRemoteCertificateRequired=false is now equivalent to --ignore-peer-cert DCMTK option instead of --verify-peer-cert
author Alain Mazy <am@orthanc.team>
date Tue, 21 May 2024 12:27:07 +0200
parents 72dcf3a8d7d5
children 5db4ed395d81
files NEWS OrthancFramework/Sources/DicomNetworking/Internals/DicomTls.cpp
diffstat 2 files changed, 11 insertions(+), 5 deletions(-) [+]
line wrap: on
line diff
--- a/NEWS	Thu May 16 15:31:31 2024 +0200
+++ b/NEWS	Tue May 21 12:27:07 2024 +0200
@@ -42,8 +42,15 @@
   creating a zip file.
 * Monitoring of stable resources now also takes into consideration the
   resource type, not only the resource identifier identifier.
-* When working with "DicomTlsEnabled": true and "DicomTlsRemoteCertificateRequired": false,
-  Orthanc was refusing to start if no "DicomTlsTrustedCertificates" was provided.
+* DICOM TLS:
+  * In prior versions, when "DicomTlsRemoteCertificateRequired" was set to false, Orthanc
+    was still sending a client certificate request during the TLS handshake but was not triggering
+    and error if the client certificate was not trusted (equivalent to the --verify-peer-cert DCMTK option)
+    From this version, if this option is set to false, Orthanc will not send a 
+    client certificate request during the TLS handshake anymore (equivalent to the --ignore-peer-cert 
+    DCMTK option).
+  * When working with "DicomTlsEnabled": true and "DicomTlsRemoteCertificateRequired": false,
+    Orthanc was refusing to start if no "DicomTlsTrustedCertificates" was provided.
 
 
 Version 1.12.3 (2024-01-31)
--- a/OrthancFramework/Sources/DicomNetworking/Internals/DicomTls.cpp	Thu May 16 15:31:31 2024 +0200
+++ b/OrthancFramework/Sources/DicomNetworking/Internals/DicomTls.cpp	Tue May 21 12:27:07 2024 +0200
@@ -28,7 +28,6 @@
 #include "../../OrthancException.h"
 #include "../../SystemToolbox.h"
 
-
 #if DCMTK_VERSION_NUMBER < 364
 #  define DCF_Filetype_PEM  SSL_FILETYPE_PEM
 #  if OPENSSL_VERSION_NUMBER >= 0x0090700fL
@@ -180,8 +179,8 @@
       }
       else
       {
-        // Check remote certificate if present, succeed if no certificate is present
-        tls->setCertificateVerification(DCV_checkCertificate /*opt_certVerification*/);
+        // From 1.12.4, do not even request remote certificate (prior to 1.12.4, we were requesting a certificates, checking it if present and succeeding if not present)
+        tls->setCertificateVerification(DCV_ignoreCertificate /*opt_certVerification*/);
       }
       
       if (ASC_setTransportLayer(network, tls.get(), 0).bad())