I am trying to create a secure communication between Orthanc (client on my local Mac) and pynetdicom (server on my EC2). For this I obtained an X.509 certificate from Let's Encrypt. I have added the certs to pynetdicom like this in Python's ssl context:
# Set up TLS for the pynetdicom server (ae, handlers, NODE_IP, NODE_PORT,
# AE_TITLE, CERT_FILE, KEY_FILE and CHAIN_FILE are defined earlier)
import ssl

context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
# Server certificate (plus any intermediates in the same file) and private key
context.load_cert_chain(certfile=CERT_FILE, keyfile=KEY_FILE, password=None)
# If a certificate chain file is needed (CAs used to verify client certificates)
context.load_verify_locations(cafile=CHAIN_FILE)
ae.tls_server_context = context

# With the default block=True this call runs the server and returns None
assoc = ae.start_server(
    (NODE_IP, NODE_PORT),
    ae_title=AE_TITLE,
    evt_handlers=handlers,
    ssl_context=ae.tls_server_context,  # Enable TLS
)
I tried testing the TLS connection with openssl and it works with the -partial_chain flag, with an error at the end. The command was: openssl s_client -connect pacs.avendahealth.com:443 -CAfile /Users/sumitjanawlekar/pynetDicom_cert/fullchain.pem -partial_chain, and the output ends with:
Start Time: 1695710162
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
80208DF401000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
Without the -partial_chain flag it fails with this error:
Start Time: 1695710953
Timeout : 7200 (sec)
Verify return code: 2 (unable to get issuer certificate)
Extended master secret: no
---
80208DF401000000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
When I try sending DICOM data from Orthanc, it fails with this reason:
ErrorCode: 9
ErrorDescription: Error in the network protocol
ErrorDetails: DicomAssociation - connecting to AET "MY_AET": TLS error: OpenSSL error
I am new to this; how can I make this work?
PS: the connection works fine when I turn off TLS. Also, the request flows like this: DICOM client → AWS Network Load Balancer (NLB) → EC2 (pynetdicom running here). I even tried terminating TLS at the NLB level, still the same error.
I have tried TLS termination, encryption at the pynetdicom level, a local setup (client and server both as Orthanc running locally), testing with tools like openssl, etc. None of them worked.
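The following is an added example, not code from the post above or from pynetdicom: a stdlib-only helper that splits a PEM bundle into its certificate blocks, builds a server context that serves the full chain (so the intermediate is presented to clients that only trust the public root), and probes a TLS endpoint as a verifying client, returning the exact verification failure instead of a bare "OpenSSL error". The file paths, host and port passed to the functions are hypothetical arguments supplied by the caller.

```python
import re
import socket
import ssl

# Constructed sample bundle: only the PEM markers matter to the splitter;
# the bodies are placeholders, not real certificates.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nLEAF-PLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATE-PLACEHOLDER\n-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return each certificate block in a PEM bundle, in file order."""
    return PEM_RE.findall(text)


def make_server_context(fullchain_path, key_path):
    """Server-side context (hypothetical paths): loading the full chain makes the
    server send the intermediate(s) along with the leaf, and TLS 1.2 is the floor."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=fullchain_path, keyfile=key_path)
    return ctx


def probe(host, port, cafile=None, timeout=5.0):
    """Connect as a verifying TLS client (system roots if cafile is None) and
    report either the peer's subject and expiry or the verification failure."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # no application data is sent
                return {"ok": True, "version": tls.version(),
                        "subject": cert.get("subject"), "notAfter": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as e:
        # e.g. verify_code 2 / "unable to get issuer certificate"
        return {"ok": False, "verify_code": e.verify_code, "error": e.verify_message}
    except (ssl.SSLError, OSError) as e:
        return {"ok": False, "error": str(e)}


if __name__ == "__main__":
    import sys
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe(sys.argv[1], int(sys.argv[2]), cafile))
```

Run it as `python probe.py HOST PORT [cafile]` against the DICOM TLS port; a failing result carries the same verify code openssl prints, which is what the Orthanc error message hides.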