How to configure TLS Dicom Associations in Orthanc?

Hi,

I would like to connect to a PACS that only allows DICOM associations using the BCP 195 TLS Profile. As Orthanc uses DCMTK underneath, which supports this, how do I configure this in Orthanc?
I couldn’t get C-Echo to work using storescp:

```
storescp --enable-tls key.pem cert.pem 2000
```

Orthanc 1.5.4 will tell me

```
E0215 13:39:41.201692 OrthancException.h:85] Error in the network protocol: DicomUserConnection to AET "STORESCP": Peer aborted Association (or never connected)
```

and storescp will say

```
E: Receiving Association failed: 0006:031e DUL secure transport layer: wrong version number
```

which indicates Orthanc is talking in plaintext to storescp or maybe the certificate is rejected.

I don’t see a configuration option for peer certificates in Orthanc (the only security-related options relate to the HTTP server). How can I facilitate TLS DICOM communication in Orthanc?

Thanks,
Georg
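As an added example (not from this thread, nor code from Orthanc or DCMTK), the following Python snippet classifies the first bytes a listener receives on a DICOM port. It shows how a plaintext A-ASSOCIATE-RQ is told apart from a TLS ClientHello, and why storescp's OpenSSL layer reports "wrong version number" when Orthanc opens the association in plaintext. The sample byte strings are constructed here; the AE titles are the ones used in the thread.

```python
"""Classify the opening bytes of a connection to a DICOM (TLS) listener."""
import struct


def build_associate_rq_header(called_ae: str, calling_ae: str, pdu_len: int = 200) -> bytes:
    """Construct the fixed 74-byte prefix of an A-ASSOCIATE-RQ PDU (PS3.8, 9.3.2).
    pdu_len stands in for the length of the variable items that would follow."""
    called = called_ae.encode("ascii").ljust(16, b" ")
    calling = calling_ae.encode("ascii").ljust(16, b" ")
    # PDU type 0x01, reserved, 4-byte length, protocol version 0x0001, 2 reserved bytes
    return struct.pack(">BBIH", 0x01, 0x00, pdu_len, 0x0001) + b"\x00\x00" + called + calling + bytes(32)


# Constructed samples: Orthanc calling STORESCP in plaintext, and a TLS 1.x ClientHello prefix.
SAMPLE_PLAINTEXT = build_associate_rq_header("STORESCP", "ORTHANC")
SAMPLE_TLS = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(32)


def classify_first_bytes(data: bytes) -> dict:
    """Decide whether a peer's opening bytes are a TLS record or a plaintext DICOM PDU."""
    if len(data) < 6:
        return {"kind": "too-short"}
    # TLS record layer: content type 0x16 (handshake), version 0x03xx, 2-byte length,
    # then handshake type 0x01 for a ClientHello.
    if data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return {"kind": "tls-client-hello", "record_version": f"3.{data[2]}"}
    # DICOM upper layer: PDU type 0x01 (A-ASSOCIATE-RQ), reserved 0x00, 4-byte length,
    # protocol version 0x0001, then 16-byte called and calling AE titles.
    if data[0] == 0x01 and data[1] == 0x00 and len(data) >= 42:
        pdu_len, proto = struct.unpack(">IH", data[2:8])
        if proto == 0x0001:
            return {
                "kind": "dicom-associate-rq",
                "called_ae": data[10:26].decode("ascii").strip(),
                "calling_ae": data[26:42].decode("ascii").strip(),
                "pdu_length": pdu_len,
            }
    return {"kind": "unknown"}


def diagnose(data: bytes) -> str:
    """Explain what a TLS-only listener such as storescp will report for these bytes."""
    info = classify_first_bytes(data)
    if info["kind"] == "dicom-associate-rq":
        # OpenSSL reads bytes 1-2 of the record as the version; a plaintext PDU has 0x00 0x00 there.
        return (f"plaintext A-ASSOCIATE-RQ from {info['calling_ae']} to {info['called_ae']}: "
                "OpenSSL sees record version 0x0000 and fails with 'wrong version number'")
    if info["kind"] == "tls-client-hello":
        return f"TLS handshake (record version {info['record_version']}); check certificates/profile next"
    return "not a recognised DICOM or TLS opening"
```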

Orthanc currently does not support DICOM via TLS. They have a peer function which can provide secure communication between two Orthanc systems over HTTPS. I believe the current options are peering between or a VPN.

Okay, thanks for clarifying.
Is support for DICOM via TLS on the roadmap? I think this is a pretty big showstopper for using Orthanc in clinical environments, as a lot of hospitals feel compelled to encrypt data in transit even within the same site.

Georg

Yes, it has been pending on our roadmap for several years:
https://bitbucket.org/sjodogne/orthanc/src/default/TODO

We are looking for an industrial sponsor before we can implement this feature that is, as you noticed, targeted at a corporate audience.

Sébastien-

I see, good to hear this feature is on the roadmap.
How much effort do you reckon this is, given that dcmtls looks like a pretty much ready-to-go implementation of the Dicom security enhancements? I’m potentially looking to contribute in the not-too-distant future, as I might not be able to use Orthanc in my work otherwise.

Have a good weekend!
Georg

Nice to know! For discussing such contributions, please get in touch with Osimis:
https://www.lify.io/contact-sales

Regards,
Sébastien-

Keep me in the loop on this. This might become a requirement, especially now that we are utilizing cloud and over the public network DICOM a lot.

Our preliminary tests to and from any combo of dcm4che and dcmtk have all worked well. It should be just a matter of adding certificate configurations and then passing that onto the services.

Either WinguMD ZenSnapMD (me) will do this OR we will find an appropriate sponsor when we do need it.

Note that Orthanc supports its own proprietary peering mechanism, which works great. I’ve deployed it in a cross-country teleradiology solution and it is quite reliable. Orthanc also supports WADO/QIDO/STORE-RS, all with many levels of security.

Bryan: Thanks for the feedback! You might also be interested in checking the “transfers accelerator” plugin that better optimizes the network bandwidth than the peering mechanism:
https://book.orthanc-server.com/plugins/transfers.html