Orthanc running HTTPS on FIPS 140-2 OpenSSL

I’m trying to run a minimal configured Orthanc under Ubuntu 18’s compliant FIPS 140-2 kernel and am having what I can only imagine is a rather basic issue and wondered if this has been tested internally before or not?

On a (standard kernel) U18 system, I can generate an X509 certificate and then configure Orthanc to use this to start up in HTTPS mode without issue (the docker log shows that HTTPS encryption is enabled).

However, when I try the exact same script on the FIPS kernel system, I get this issue when starting Orthanc:
E0120 01:36:55.769800 HttpServer.cpp:1751] OpenSSL error: error:10080002:lib(32)::reason(524290)
E0120 01:36:55.770566 HttpServer.cpp:1751] OpenSSL error: error:0A080002:lib(20)::reason(524290)

Even though FIPS is mentioned in the full configuration (when referring to the encryption algorithms) I would like to know if anyone has tested this side of Orthanc’s capability?

Regards

BNOEAFK

Actually, I’m getting this on a non-FIPS system too now. Can anyone direct me as to why this OpenSSL error is being thrown in the HTTP server?

I’m generating the certificate using:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=localhost" -keyout ./certs/private-key.pem -out ./certs/public.crt

and then merging the two using:
cat ./certs/private-key.pem ./certs/public.crt > ./certs/combined.pem

And when running within docker, within my docker-compose.json file:

volumes:
  - ./certs:/etc/orthanc/certs

and within orthanc.json
{
  "AuthenticationEnabled" : true,
  "SslEnabled" : true,
  "SslCertificate" : "/etc/orthanc/certs/combined.pem"
}

I know my orthanc.json is being read because when I start up Orthanc’s container, I get

W0120 03:01:15.822930 main.cpp:2005] Orthanc version: 1.10.1
W0120 03:01:15.835419 OrthancConfiguration.cpp:106] Scanning folder “/run/secrets/” for configuration files
W0120 03:01:15.836610 OrthancConfiguration.cpp:55] Reading the configuration from: “/run/secrets/orthanc.json”
W0120 03:01:16.167612 OrthancInitialization.cpp:347] SQLite index directory: “/home/ubuntu/db”
W0120 03:01:16.184501 OrthancInitialization.cpp:446] Storage directory: “/home/ubuntu/db”
W0120 03:01:16.197362 HttpClient.cpp:1177] HTTPS will use the CA certificates from this file: /run/secrets/
W0120 03:01:16.217138 LuaContext.cpp:94] Lua says: Lua toolbox installed
W0120 03:01:16.218527 LuaContext.cpp:94] Lua says: Lua toolbox installed
W0120 03:01:16.219668 ServerContext.cpp:476] Disk compression is disabled
W0120 03:01:16.220403 ServerIndex.cpp:380] No limit on the number of stored patients
W0120 03:01:16.221222 ServerIndex.cpp:400] No limit on the size of the storage area
W0120 03:01:16.230353 JobsEngine.cpp:272] The jobs engine has started with 2 threads
W0120 03:01:16.231571 main.cpp:1228] The DICOM server is disabled
W0120 03:01:16.231649 HttpServer.cpp:1998] HTTP compression is enabled
W0120 03:01:16.231684 main.cpp:1169] Remote LUA script execution is disabled
E0120 03:01:16.242682 HttpServer.cpp:1751] OpenSSL error: error:10080002:lib(32)::reason(524290)
E0120 03:01:16.243639 HttpServer.cpp:1751] OpenSSL error: error:0A080002:lib(20)::reason(524290)

It looks like there are two errors, the lib(32) and the lib(20) error, but I’m not sure what they could be. Could it be permissions perhaps? The combined.pem file has 0664 at the moment…
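Decoding the two codes quoted in that post, as an added example that is not part of the thread or of Orthanc: it applies the OpenSSL 3.x ERR_PACK layout (library id in the 8 bits above bit 23, reason in the low 23 bits, flag bits at 18-22), which the printed lib(32) confirms since 0x10080002 >> 23 is 32. Both codes carry the common reason ERR_R_SYS_LIB ("system lib"), OpenSSL's wrapper for an errno failure such as a file that could not be opened, raised first by BIO and then re-raised by the SSL library, so they describe the SslCertificate file rather than the FIPS mode or the cipher configuration. The sample log lines are constructed copies of the ones above; the name tables are the subset of OpenSSL's tables needed here.

```python
import re
from typing import Dict, Optional

# Layout from OpenSSL 3.x <openssl/err.h>: lib id in the top 8 bits
# (shift 23), reason in the low 23 bits, flags in reason bits 18-22.
ERR_LIB_OFFSET = 23
ERR_REASON_MASK = 0x7FFFFF
ERR_RFLAGS_OFFSET = 18
ERR_RFLAG_FATAL = 0x1 << ERR_RFLAGS_OFFSET    # 0x40000
ERR_RFLAG_COMMON = 0x2 << ERR_RFLAGS_OFFSET   # 0x80000: reason shared by all libs
ERR_REASON_NUM_MASK = (1 << ERR_RFLAGS_OFFSET) - 1

# Subset of OpenSSL's library ids and of its COMMON reason strings (err.c).
LIB_NAMES: Dict[int, str] = {
    2: "system library", 4: "rsa routines", 9: "PEM routines",
    11: "x509 certificate routines", 13: "asn1 encoding routines",
    20: "SSL routines", 32: "BIO routines",
}
COMMON_REASONS: Dict[int, str] = {
    2: "system lib", 256: "malloc failure",
    258: "passed a null parameter", 259: "internal error",
}

LOG_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode(code: int) -> Dict[str, object]:
    """Split a packed OpenSSL 3 error code into library, flags and reason."""
    lib = (code >> ERR_LIB_OFFSET) & 0xFF
    reason = code & ERR_REASON_MASK
    num = reason & ERR_REASON_NUM_MASK
    common = bool(reason & ERR_RFLAG_COMMON)
    # Only COMMON reasons have library-independent names; others stay numeric.
    name = COMMON_REASONS.get(num, f"reason({reason})") if common else f"reason({reason})"
    return {"lib": lib, "lib_name": LIB_NAMES.get(lib, f"lib({lib})"),
            "fatal": bool(reason & ERR_RFLAG_FATAL), "reason": reason,
            "reason_name": name}


def explain_log_line(line: str) -> Optional[str]:
    """Rewrite Orthanc's 'error:XXXXXXXX:lib(N)::reason(M)' with names filled in."""
    m = LOG_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    d = decode(code)
    return f"error:{code:08X}:{d['lib_name']}::{d['reason_name']}"


# Constructed copies of the two lines reported in the thread.
SAMPLE_LOG = [
    "E0120 03:01:16.242682 HttpServer.cpp:1751] OpenSSL error: error:10080002:lib(32)::reason(524290)",
    "E0120 03:01:16.243639 HttpServer.cpp:1751] OpenSSL error: error:0A080002:lib(20)::reason(524290)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(explain_log_line(line))  # BIO routines / SSL routines :: system lib
```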

Hello,

Couldn’t this be directly linked to your previous question, which can be solved by installing the “libssl-dev” package?
https://groups.google.com/g/orthanc-users/c/5N1K9iniBoA/m/EXiYrKt3BQAJ

If not, please provide a minimal working example so that other people can investigate.

Regards,
Sébastien-

Sebastien,
It’s already installed (on both FIPS and non-FIPS kernels)…

$ sudo apt install libssl-dev
Reading package lists… Done
Building dependency tree
Reading state information… Done
libssl-dev is already the newest version (1.1.1-1ubuntu2.1~18.04.20).

I wondered if it was a self-signed certificate issue, but I’ve just tested using a GoDaddy wildcard and I’m getting the same issue. I’ve also tried using the v1.11.0 image.

For transparency:
layout:
$ lsb_release -a && uname -r && tree
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic
4.15.0-2085-aws-fips
.
├── docker-compose.yml
├── install_orthanc
├── orthanc
│ ├── certs
│ │ ├── ss-certificate.crt
│ │ ├── ss-dicomServerCombined.pem
│ │ └── ss-private.key
│ ├── db
│ └── orthanc.json
└── utilities

docker-compose.yml:
version: '3.8'
services:
  orthanc:
    image: jodogne/orthanc-plugins:1.10.1
    container_name: orthanc
    command: /run/secrets/
    ports:
      - 443:8042
    volumes:
      - /home/ubuntu/orthanc/db:/var/lib/orthanc/db
      - /home/ubuntu/orthanc/certs:/etc/orthanc/certs
    secrets:
      - orthanc.json
    networks:
      - orthanc-net

secrets:
  orthanc.json:
    file: /home/ubuntu/orthanc/orthanc.json
networks:
  orthanc-net:
    name: orthanc-net
    driver: bridge

orthanc.json:
{
  "Name" : "ORTHANC-DICOMSRVR",
  "StorageDirectory" : "/home/ubuntu/orthanc/db",
  "RemoteAccessAllowed" : true,
  "AuthenticationEnabled" : true,
  "RegisteredUsers" : {
    "orthanc" : "orthanc"
  },
  "DicomServerEnabled" : false,
  "SslEnabled" : true,
  "SslCertificate" : "/home/ubuntu/orthanc/certs/ss-dicomServerCombined.pem"
}

error:
$ docker-compose up
Starting orthanc … done
Attaching to orthanc
orthanc | W0120 17:16:43.261273 main.cpp:2005] Orthanc version: 1.10.1
orthanc | W0120 17:16:43.267122 OrthancConfiguration.cpp:106] Scanning folder “/run/secrets/” for configuration files
orthanc | W0120 17:16:43.267401 OrthancConfiguration.cpp:55] Reading the configuration from: “/run/secrets/orthanc.json”
orthanc | W0120 17:16:43.578441 OrthancInitialization.cpp:347] SQLite index directory: “/home/ubuntu/orthanc/db”
orthanc | W0120 17:16:43.583229 OrthancInitialization.cpp:446] Storage directory: “/home/ubuntu/orthanc/db”
orthanc | W0120 17:16:43.585799 HttpClient.cpp:1177] HTTPS will use the CA certificates from this file: /run/secrets/
orthanc | W0120 17:16:43.587073 LuaContext.cpp:94] Lua says: Lua toolbox installed
orthanc | W0120 17:16:43.588166 LuaContext.cpp:94] Lua says: Lua toolbox installed
orthanc | W0120 17:16:43.589180 ServerContext.cpp:476] Disk compression is disabled
orthanc | W0120 17:16:43.589847 ServerIndex.cpp:380] No limit on the number of stored patients
orthanc | W0120 17:16:43.589887 ServerIndex.cpp:400] No limit on the size of the storage area
orthanc | W0120 17:16:43.590264 ServerContext.cpp:218] Reloading the jobs from the last execution of Orthanc
orthanc | W0120 17:16:43.590361 JobsEngine.cpp:272] The jobs engine has started with 2 threads
orthanc | W0120 17:16:43.590402 main.cpp:1228] The DICOM server is disabled
orthanc | W0120 17:16:43.590415 HttpServer.cpp:1998] HTTP compression is enabled
orthanc | W0120 17:16:43.590435 main.cpp:1169] Remote LUA script execution is disabled
orthanc | E0120 17:16:43.592814 HttpServer.cpp:1751] OpenSSL error: error:10080002:lib(32)::reason(524290)
orthanc | E0120 17:16:43.592830 HttpServer.cpp:1751] OpenSSL error: error:0A080002:lib(20)::reason(524290)
orthanc | E0120 17:16:43.601065 ServerContext.cpp:429] INTERNAL ERROR: ServerContext::Stop() should be invoked manually to avoid mess in the destruction order!
orthanc | W0120 17:16:43.794363 JobsEngine.cpp:313] The jobs engine has stopped
orthanc | E0120 17:16:44.107429 main.cpp:2062] Uncaught exception, stopping now: [Cannot initialize SSL encryption, check out your certificates] (code 39)
orthanc | W0120 17:16:44.108958 main.cpp:2093] Orthanc has stopped
orthanc exited with code 255

Oh my goodness, I’m such a numpty … having the correct locations in the orthanc.json file, considering the volumes I’m defining within docker-compose.yml would really help…

The correct orthanc.json file should read:

orthanc.json:
{
  "Name" : "ORTHANC-DICOMSRVR",
  "StorageDirectory" : "/var/lib/orthanc/db",
  "RemoteAccessAllowed" : true,
  "AuthenticationEnabled" : true,
  "RegisteredUsers" : {
    "orthanc" : "orthanc"
  },
  "DicomServerEnabled" : false,
  "SslEnabled" : true,
  "SslCertificate" : "/etc/orthanc/certs/ss-dicomServerCombined.pem"
}