Sending images to DICOM TLS Server: TLS error: bad extension

Hi, I’m trying to send a DICOM image/patient from my Orthanc server to a DICOM server with TLS. The error message I get is: “Details”: “DicomAssociation - connecting to AET “MY_AET”: TLS error: bad extension”. What can be the cause of this error message?

My Modalities:

  "DicomModalities": {
    "REMOTE_SERVER": {
      "AET": "DESKTOP-AET",
      "Host": "192.168.1.102",
      "Port": 2762,
      "Manufacturer": "Generic",
      "AllowEcho": true,
      "AllowMove": true,
      "AllowStore": true,
      "UseDicomTls": true,
      "SslTrustedClientCertificates": "etc/orthanc/tls/trusted.pem"
    },
  },

This is my curl command to send the images to the DICOM server:

curl -u USN:Bachelor -X POST "http://localhost:8042/modalities/REMOTE_SERVER/store" \
  -H "Content-Type: application/json" \
  -d '{
        "Resources": [
          "4194913d-2c32139f-a22e1105-e8cfca10-cea734bc"
        ]
      }'

Hi,

First of all SslTrustedClientCertificates is a top level configuration not a “per modality” configuration and, BTW, for DICOM, the equivalent is DicomTlsTrustedCertificates.

For the extension error, this is a generic TLS error, not specific to Orthanc. You may try to play with the DicomTlsMinimumProtocolVersion configuration or other related configurations.

HTH,

Alain.

// Path to a file containing all the TLS certificates that Orthanc
// can trust, both for its SCP (incoming DICOM connections) and SCU
// (outgoing DICOM connections). This file must contain a sequence
// of PEM certificates. (new in Orthanc 1.9.0)
/**
   "DicomTlsTrustedCertificates" : "trusted.crt",
**/

// Whether Orthanc rejects DICOM TLS connections to/from remote
// modalities that do not provide a certificate. Setting this option
// to "true" (resp. "false") corresponds to "--require-peer-cert"
// (resp. "--ignore-peer-cert") in the DCMTK command-line
// tools. (new in Orthanc 1.9.3)
// Once you set this configuration to true, you must provide a list of
// trusted certificates in DicomTlsTrustedCertificates.
"DicomTlsRemoteCertificateRequired" : true,

// Sets the minimum accepted TLS protocol version for the DICOM server
// By default, require TLS 1.2 or 1.3. This option is only meaningful 
// if "DicomTlsEnabled" is true (new in Orthanc 1.12.4).
// Note that, internally, Orthanc is configured to use the BCP195 profile
// by default.  As soon as you switch to another protocol version, you
// must also provide the list of supported cipher suites.
// This configuration applies to Orthanc acting both as SCU and SCP.
// Value => Protocols
//   0      use default BCP 195 profile and default cipher suites
//   1      SSL3+TLS1.0+TLS1.1+TLS1.2+TLS1.3
//   2      TLS1.0+TLS1.1+TLS1.2+TLS1.3
//   3      TLS1.1+TLS1.2+TLS1.3
//   4      TLS1.2+TLS1.3
//   5      TLS1.3
"DicomTlsMinimumProtocolVersion" : 0,

// Set the accepted ciphers for TLS connections for the DICOM server. 
// The ciphers must be provided as a list of strings. If not set, 
// this will default to BCP195 ciphers if DicomTlsMinimumProtocolVersion is 0
// or to an empty list for other values. This option is only 
// meaningful if "DicomTlsEnabled" is true. (new in Orthanc 1.12.4).
// This configuration must be provided if DicomTlsMinimumProtocolVersion != 0.
// The list of valid cipher names are available in 
// https://www.openssl.org/docs/man3.3/man1/openssl-ciphers.html
// The OpenSSL names are used.
/**
   "DicomTlsCiphersAccepted" : []
**/
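
The rules stated in the reply and in the quoted configuration comments can be checked mechanically before restarting Orthanc. The following is an added example, not part of the original thread and not Orthanc code: `lint_dicom_tls` and the two sample dicts are hypothetical names, the samples are constructed from the modality posted in the question, and the check assumes the configuration has already been parsed into a dict. It validates configuration consistency only and does not diagnose the TLS handshake error itself.

```python
# Added example, not Orthanc code: lint an already-parsed Orthanc configuration
# against the DICOM TLS rules quoted in this thread.

# Options named in the thread that belong at the top level of the configuration.
TOP_LEVEL_TLS_OPTIONS = {
    "SslTrustedClientCertificates", "DicomTlsTrustedCertificates",
    "DicomTlsRemoteCertificateRequired", "DicomTlsMinimumProtocolVersion",
    "DicomTlsCiphersAccepted",
}

def lint_dicom_tls(config):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    uses_tls = config.get("DicomTlsEnabled") is True
    for name, modality in config.get("DicomModalities", {}).items():
        if not isinstance(modality, dict):
            continue  # skip modalities not written as JSON objects
        uses_tls = uses_tls or modality.get("UseDicomTls") is True
        for key in sorted(TOP_LEVEL_TLS_OPTIONS.intersection(modality)):
            findings.append(f"{name}: {key} is a top-level option, not a per-modality one")
    if not uses_tls:
        return findings
    version = config.get("DicomTlsMinimumProtocolVersion", 0)
    if version not in range(6):
        findings.append(f"DicomTlsMinimumProtocolVersion must be 0..5, got {version!r}")
    elif version != 0 and not config.get("DicomTlsCiphersAccepted"):
        findings.append("DicomTlsMinimumProtocolVersion != 0 requires DicomTlsCiphersAccepted")
    # Assumption: the option defaults to true, the value shown in the excerpt.
    if (config.get("DicomTlsRemoteCertificateRequired", True)
            and not config.get("DicomTlsTrustedCertificates")):
        findings.append("DicomTlsRemoteCertificateRequired is true but "
                        "DicomTlsTrustedCertificates is not set")
    return findings

# Constructed sample: the modality from the question, as a Python dict.
_MODALITY = {"AET": "DESKTOP-AET", "Host": "192.168.1.102", "Port": 2762,
             "UseDicomTls": True}
POSTED = {"DicomModalities": {"REMOTE_SERVER": {
    **_MODALITY, "SslTrustedClientCertificates": "etc/orthanc/tls/trusted.pem"}}}
# Same modality with the trust store moved to the top-level DICOM option.
CORRECTED = {"DicomModalities": {"REMOTE_SERVER": dict(_MODALITY)},
             "DicomTlsTrustedCertificates": "etc/orthanc/tls/trusted.pem"}

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, lint_dicom_tls(cfg) or "no findings")
```
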