The DICOM TLS capability introduced in 1.9.0 hard-codes the option to require peer certificate validation in the underlying DCMTK implementation. This causes the connection to fail when modalities that have not been issued client certificates attempt a TLS connection to the Orthanc server when DicomTlsEnabled has been set to true.
Would either setting the DCMTK peer verification option to optional, as shown in the patch below, or making this a configurable option, be accepted as an enhancement?
The error received when this occurs is:
CommandDispatcher.cpp:283] Receiving Association failed: DUL secure transport layer: peer did not return a certificate
The proposed patch (based on 1.9.2) is:
— OrthancFramework/Sources/DicomNetworking/Internals/DicomTls.cpp 2021-04-22 05:33:28.000000000 -0400
+++ patch/DicomTls.cpp 2021-04-29 08:43:58.000000000 -0400
@@ -147,7 +147,7 @@
}
#endif
- tls->setCertificateVerification(DCV_requireCertificate /opt_certVerification/);
- tls->setCertificateVerification(DCV_checkCertificate /opt_certVerification/);
if (ASC_setTransportLayer(network, tls.get(), 0).bad())
{
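Review bot: as shown, both changed lines in the hunk carry a `-` prefix, so the patch removes the `DCV_requireCertificate` call and the `DCV_checkCertificate` call alike and adds nothing back; the second line presumably should read `+ tls->setCertificateVerification(DCV_checkCertificate /*opt_certVerification*/);` (the `/* ... */` comment markers also appear to have lost their asterisks in transit). Note also that `DCV_checkCertificate` only validates a client certificate when one is presented, so a modality with no certificate at all is accepted on the TLS port; if this is to be upstreamed, exposing it as a configuration option that defaults to the current require-certificate behaviour, as the post itself proposes, keeps existing deployments from silently losing client authentication.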
Thank you,
Mark