Hi, I’m trying to send a DICOM image/patient from my Orthanc server to a DicomServer with TLS. The error message I get is: “Details”: “DicomAssociation - connecting to AET “MY_AET”: TLS error: bad extention”. What can be the cause of this error message?
My modalities:

    "DicomModalities": {
        "REMOTE_SERVER": {
            "AET": "DESKTOP-AET",
            "Host": "192.168.1.102",
            "Port": 2762,
            "Manufacturer": "Generic",
            "AllowEcho": true,
            "AllowMove": true,
            "AllowStore": true,
            "UseDicomTls": true,
            "SslTrustedClientCertificates": "etc/orthanc/tls/trusted.pem"
        }
    },

This is my curl command to send the images to the DICOM server:

    curl -u USN:Bachelor -X POST "http://localhost:8042/modalities/REMOTE_SERVER/store" \
        -H "Content-Type: application/json" \
        -d '{
            "Resources": [
                "4194913d-2c32139f-a22e1105-e8cfca10-cea734bc"
            ]
        }'

Hi,
First of all, SslTrustedClientCertificates is a top-level configuration, not a “per modality” configuration and, BTW, for DICOM, the equivalent is DicomTlsTrustedCertificates.
For the extension error, this is a generic TLS error, not specific to Orthanc. You may try to play with the DicomTlsMinimumProtocolVersion configuration or other related configurations.
HTH,
Alain.
// Path to a file containing all the TLS certificates that Orthanc
// can trust, both for its SCP (incoming DICOM connections) and SCU
// (outgoing DICOM connections). This file must contain a sequence
// of PEM certificates. (new in Orthanc 1.9.0)
/**
"DicomTlsTrustedCertificates" : "trusted.crt",
**/
// Whether Orthanc rejects DICOM TLS connections to/from remote
// modalities that do not provide a certificate. Setting this option
// to "true" (resp. "false") corresponds to "--require-peer-cert"
// (resp. "--ignore-peer-cert") in the DCMTK command-line
// tools. (new in Orthanc 1.9.3)
// Once you set this configuration to true, you must provide a list of
// trusted certificates in DicomTlsTrustedCertificates.
"DicomTlsRemoteCertificateRequired" : true,
// Sets the minimum accepted TLS protocol version for the DICOM server
// By default, require TLS 1.2 or 1.3. This option is only meaningful
// if "DicomTlsEnabled" is true (new in Orthanc 1.12.4).
// Note that, internally, Orthanc is configured to use the BCP195 profile
// by default. As soon as you switch to another protocol version, you
// must also provide the list of supported cipher suites.
// This configuration applies to Orthanc acting both as SCU and SCP.
// Value => Protocols
//   0      use default BCP 195 profile and default cipher suites
//   1      SSL3+TLS1.0+TLS1.1+TLS1.2+TLS1.3
//   2      TLS1.0+TLS1.1+TLS1.2+TLS1.3
//   3      TLS1.1+TLS1.2+TLS1.3
//   4      TLS1.2+TLS1.3
//   5      TLS1.3
"DicomTlsMinimumProtocolVersion" : 0,
// Set the accepted ciphers for TLS connections for the DICOM server.
// The ciphers must be provided as a list of strings. If not set,
// this will default to BCP195 ciphers if DicomTlsMinimumProtocolVersion is 0
// or to an empty list for other values. This option is only
// meaningful if "DicomTlsEnabled" is true. (new in Orthanc 1.12.4).
// This configuration must be provided if DicomTlsMinimumProtocolVersion != 0.
// The list of valid cipher names are available in
// https://www.openssl.org/docs/man3.3/man1/openssl-ciphers.html
// The OpenSSL names are used.
/**
"DicomTlsCiphersAccepted" : []
**/
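
The points raised in the answer and in the configuration comments above (TLS trust options are top-level, a required peer certificate needs DicomTlsTrustedCertificates, a non-zero DicomTlsMinimumProtocolVersion needs DicomTlsCiphersAccepted) can be checked mechanically. The following is an added example, not part of the thread and not Orthanc code; it assumes the configuration is already parsed into a Python dict with comments stripped, and the name `lint_dicom_tls` and both sample dicts are hypothetical.

```python
# Added example: lint a parsed Orthanc configuration for the DICOM TLS pitfalls above.
TOP_LEVEL_PREFIXES = ("DicomTls", "Ssl")  # TLS options that belong at the top level

def lint_dicom_tls(config):
    """Return a list of findings for a parsed Orthanc configuration (hypothetical helper)."""
    findings = []
    uses_tls = bool(config.get("DicomTlsEnabled", False))
    for name, modality in config.get("DicomModalities", {}).items():
        if not isinstance(modality, dict):
            continue  # array form has no named keys to inspect
        if modality.get("UseDicomTls"):
            uses_tls = True
        for key in modality:
            if key.startswith(TOP_LEVEL_PREFIXES):
                msg = f"{name}: '{key}' is a top-level option, not a per-modality one"
                if key == "SslTrustedClientCertificates":
                    msg += "; for DICOM use top-level 'DicomTlsTrustedCertificates'"
                findings.append(msg)
    if not uses_tls:
        return findings
    # The excerpt above shows this option as true; treated as the default here.
    if config.get("DicomTlsRemoteCertificateRequired", True) \
            and not config.get("DicomTlsTrustedCertificates"):
        findings.append("DicomTlsRemoteCertificateRequired is true but "
                        "DicomTlsTrustedCertificates is not set")
    version = config.get("DicomTlsMinimumProtocolVersion", 0)
    if version not in range(0, 6):
        findings.append(f"DicomTlsMinimumProtocolVersion {version} is not in 0..5")
    elif version != 0 and not config.get("DicomTlsCiphersAccepted"):
        findings.append("DicomTlsMinimumProtocolVersion != 0 requires "
                        "DicomTlsCiphersAccepted")
    return findings

# Constructed sample mirroring the configuration posted in the question.
POSTED = {"DicomModalities": {"REMOTE_SERVER": {
    "AET": "DESKTOP-AET", "Host": "192.168.1.102", "Port": 2762,
    "UseDicomTls": True,
    "SslTrustedClientCertificates": "etc/orthanc/tls/trusted.pem"}}}

# Constructed corrected layout: trusted certificates declared at the top level.
CORRECTED = {"DicomTlsTrustedCertificates": "etc/orthanc/tls/trusted.pem",
             "DicomModalities": {"REMOTE_SERVER": {
                 "AET": "DESKTOP-AET", "Host": "192.168.1.102", "Port": 2762,
                 "UseDicomTls": True}}}

if __name__ == "__main__":
    for finding in lint_dicom_tls(POSTED):
        print(finding)
```
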