[Orthanc Core Patch] Add configuration of minimum SSL protocol version and cipher suite

Hi,

Added the option to configure the minimum SSL protocol version and accepted cipher suites through the Orthanc configuration file. This allows Orthanc to be used by healthcare systems such as the US Veterans Affairs and the Military Health System, which require FIPS 140-2 compliance and avoid the security risks of using TLS1.0 and TLS1.1.

The default configurations are documented in the Configuration.json. By default the minimum accepted protocol is TLS1.2 and the FIPS 140-2 cipher suite is allowed.

These SSL restrictions can be tested by using the OpenSSL client tool, openssl s_client. Some examples of Orthanc rejecting unacceptable connections are shown below.

Attempting to connect using TLS1.1 when the minimum accepted protocol is configured as TLS1.2:

openssl s_client -connect localhost:8042 -tls1_1

CONNECTED(00000003)
140328540349760:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:…/ssl/record/rec_layer_s3.c:1543:SSL alert number 70

ssl_config.patch (5.26 KB)
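The openssl s_client check above can be automated so that a deployment is verified against the policy rather than by hand. The script below is an added example, not part of the patch or of Orthanc: it pins a client handshake to exactly one TLS version at a time, records whether the server accepts or rejects it, decodes the "SSL alert number" line that s_client prints (alert 70 is protocol_version per RFC 5246; alert 40, handshake_failure, is what a cipher-suite mismatch produces), and flags any version below the configured minimum that was still accepted. The host, the port (8042 as used in the thread) and the "TLS1.2" minimum are assumptions to adjust per deployment. Note the "client_unsupported" status: a modern OpenSSL build may refuse to speak TLS1.0/1.1 itself, which must not be mistaken for the server rejecting it.

```python
"""Probe which TLS protocol versions a server accepts (added example,
not Orthanc code). Host/port/minimum below are assumptions."""
import re
import socket
import ssl
import sys

# Alert descriptions (RFC 5246 / RFC 8446) that a version or cipher policy produces.
TLS_ALERTS = {
    40: "handshake_failure",      # no cipher suite in common
    70: "protocol_version",       # client offered a version below the minimum
    71: "insufficient_security",  # server demands stronger parameters
}
ALERT_RE = re.compile(r"SSL alert number (\d+)")

# Labels follow the thread's naming; values are the stdlib's version constants.
VERSIONS = {
    "TLS1.0": ssl.TLSVersion.TLSv1,
    "TLS1.1": ssl.TLSVersion.TLSv1_1,
    "TLS1.2": ssl.TLSVersion.TLSv1_2,
    "TLS1.3": ssl.TLSVersion.TLSv1_3,
}


def classify_alert(line):
    """Return the alert name encoded in an openssl s_client error line, or None."""
    match = ALERT_RE.search(line)
    if not match:
        return None
    number = int(match.group(1))
    return TLS_ALERTS.get(number, "alert_%d" % number)


def probe(host, port, version, timeout=3.0):
    """Handshake pinned to a single TLS version.

    Returns (status, detail) with status one of 'accepted', 'rejected',
    'client_unsupported' or 'error' (TCP-level failure)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we test the version policy, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError as exc:       # local OpenSSL built without this version
        return ("client_unsupported", str(exc))
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("accepted", "%s %s" % (tls.version(), tls.cipher()[0]))
    except ssl.SSLError as exc:     # must precede OSError: SSLError is a subclass
        if exc.reason == "NO_PROTOCOLS_AVAILABLE":
            return ("client_unsupported", exc.reason)
        return ("rejected", exc.reason or str(exc))
    except OSError as exc:
        return ("error", str(exc))


def assess(results, minimum="TLS1.2"):
    """Given {label: status}, list versions below the policy minimum that were accepted."""
    order = list(VERSIONS)
    too_old = order[:order.index(minimum)]
    return [label for label in too_old if results.get(label) == "accepted"]


def scan(host, port, minimum="TLS1.2"):
    """Probe every version and return (per-version statuses, policy violations)."""
    results = {}
    for label, version in VERSIONS.items():
        status, detail = probe(host, port, version)
        results[label] = status
        print("%-7s %-18s %s" % (label, status, detail))
    return results, assess(results, minimum)


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumption
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8042    # Orthanc default
    _, violations = scan(target_host, target_port)
    print("versions accepted below TLS1.2:", violations or "none")
```

Run it against the Orthanc host after applying the configuration; an empty violation list together with "rejected"/"protocol_version" style results for TLS1.0 and TLS1.1 confirms the minimum-version setting is in effect, while "client_unsupported" rows mean the probing machine, not the server, has to be checked.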

Hello again,

Thanks for this other patch!

It has been integrated into the mainline of Orthanc, and will be part of 1.8.2:
https://hg.orthanc-server.com/orthanc/rev/df313e410f0c

I have applied some minor modifications:
https://hg.orthanc-server.com/orthanc/rev/3aacd2bd8bbc

I have notably removed some C++11 constructions (as the Orthanc core does not impose this standard), added some information into the logs, and replaced the types of the “SslMinimumProtocolVersion” and the “SslCiphersAccepted” configuration options (respectively to a plain integer and to a list of strings).

Kind Regards,
Sébastien-

Your certificate needs to be generated based on the external domain that it will work on, for example:

example “.domain.com”

It is important that the .pem file is global “_*domain.com” and that it is registered on your server in the root folder of certificates from trusted sources.

Furthermore, in certain cases there is no need to point to the “.crt” file; simply point to the .pem and .key files correctly, respecting the path conventions of the respective operating system (for Linux, left slashes; for Windows, two forward slashes right).

It is also important that the MySQL and PostgreSQL plugins are compatible with the version of Orthanc installed.