Ssl configuration from windows installer, use --ca-native instead of --cacert

Hello,
If I read the config file of Orthanc correctly, the option "HttpsCACertificates" is basically what will be given as the --cacert option in the curl command. I'd like to use the native Windows store instead, which would be the --ca-native command option of curl. Is there any way to configure Orthanc to do so?

I was also wondering if you could give me more details on the difference between HttpsVerifyPeers and SslVerifyPeers? The way I understood it is that HttpsVerifyPeers will check that the server certificate of the peer is valid (meaning the CA that issued it is known by Orthanc, thanks to HttpsCACertificates) only when Orthanc contacts it; whereas SslVerifyPeers means that a second certificate, sent by the peer when the peer tries to contact Orthanc, is checked, and such a certificate has to be known by Orthanc thanks to SslTrustedClientCertificates.

Thanks!

PS: here are the parameters of Orthanc I mentioned, taken from orthanc: 816416425f2b OrthancServer/Resources/Configuration.json

// Path to the CA (certification authority) certificates to validate
// peers in HTTPS requests. From curl documentation ("--cacert"
// option): "Tells curl to use the specified certificate file to
// verify the peers. The file may contain multiple CA
// certificates. The certificate(s) must be in PEM format." On
// Debian-based systems, this option can be set to
// "/etc/ssl/certs/ca-certificates.crt"
"HttpsCACertificates" : "",

// Enable the verification of the peers during HTTPS requests. This
// option must be set to "false" if using self-signed certificates.
// Pay attention that setting this option to "false" results in
// security risks!
// Reference: curl - SSL CA Certificates
"HttpsVerifyPeers" : true,

// Whether or not peer client certificates shall be checked. This
// option is only meaningful if "SslEnabled" is true.
"SslVerifyPeers" : false,

// Path to a file containing the concatenation of the client SSL
// certificate(s) that are trusted to verify the identity of remote
// HTTP clients. The individual certificate(s) or root CAs must be
// stored in the PEM format. This option is only meaningful
// if "SslVerifyPeers" is true.
"SslTrustedClientCertificates" : "trustedClientCertificates.pem",

Hi Thomas,

I have just implemented support for --ca-native. You can enable it by leaving HttpsCACertificates empty.

Here’s the updated documentation:

// Path to the CA (certification authority) certificates to validate
// peers in HTTPS requests. From curl documentation ("--cacert"
// option): "Tells curl to use the specified certificate file to
// verify the peers. The file may contain multiple CA
// certificates. The certificate(s) must be in PEM format." On
// Debian-based systems, this option can be set to
// "/etc/ssl/certs/ca-certificates.crt".
// Starting with Orthanc 1.12.6 and provided that Orthanc has been
// built with libcurl > 8.2.0, when this option is empty,
// Orthanc uses the operating system native CA store ("--ca-native"
// option)
"HttpsCACertificates" : "",

It seems to work with the mainline Windows build but I’ll let you test on your side too.

Your understanding is correct !

Best regards,

Alain.

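The two settings pairs discussed in this thread are easy to mix up: HttpsVerifyPeers / HttpsCACertificates govern Orthanc acting as an HTTPS *client* (what curl's --cacert or --ca-native controls), while SslVerifyPeers / SslTrustedClientCertificates govern Orthanc acting as an HTTPS *server* validating client certificates. The script below is an added example, not code from the thread or from the Orthanc project: it loads an Orthanc configuration (JSON with // and /* */ comments, which json.loads rejects on its own) and flags weak or inconsistent combinations of those four settings. The version gate for the native CA store (Orthanc >= 1.12.6 with libcurl > 8.2.0) is taken from Alain's updated comment above; the default values mirror the shipped Configuration.json; the severities and the two sample configurations are constructed for illustration.

```python
"""Lint the TLS settings of an Orthanc configuration.

Added example (not part of the Orthanc project). Encodes the rules from the
thread: HttpsCACertificates is the PEM bundle handed to curl as --cacert, and
an empty value means the OS native CA store (--ca-native) on Orthanc >= 1.12.6
built against libcurl > 8.2.0; HttpsVerifyPeers=false disables server
certificate checks on outgoing HTTPS; SslVerifyPeers / SslTrustedClientCertificates
only concern client certificates presented to Orthanc's own HTTPS server.
"""
import json
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, setting, message)


def strip_json_comments(text: str) -> str:
    """Drop // and /* */ comments that sit outside string literals."""
    out: List[str] = []
    i, n, in_string = 0, len(text), False
    while i < n:
        c = text[i]
        if in_string:
            out.append(c)
            if c == "\\" and i + 1 < n:      # copy the escaped character verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_string = False
            i += 1
        elif c == '"':
            in_string = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j            # keep the newline itself
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def load_orthanc_config(text: str) -> Dict[str, Any]:
    return json.loads(strip_json_comments(text))


def audit_tls(cfg: Dict[str, Any],
              orthanc_version: Tuple[int, int, int] = (1, 12, 6),
              libcurl_native_ca: bool = True) -> List[Finding]:
    """Check the outgoing pair (Orthanc as curl client) and the incoming pair
    (Orthanc as HTTPS server) independently; defaults follow Configuration.json."""
    f: List[Finding] = []
    verify_out = cfg.get("HttpsVerifyPeers", True)
    ca_bundle = cfg.get("HttpsCACertificates", "")
    if not verify_out:
        f.append(("ERROR", "HttpsVerifyPeers",
                  "false: outgoing HTTPS accepts any server certificate (MITM risk)"))
    elif ca_bundle == "":
        if orthanc_version >= (1, 12, 6) and libcurl_native_ca:
            f.append(("INFO", "HttpsCACertificates",
                      "empty: OS native CA store is used (curl --ca-native)"))
        else:
            f.append(("WARN", "HttpsCACertificates",
                      "empty: native CA store needs Orthanc >= 1.12.6 and "
                      "libcurl > 8.2.0; set an explicit PEM bundle (--cacert)"))
    ssl_enabled = cfg.get("SslEnabled", False)
    verify_in = cfg.get("SslVerifyPeers", False)
    trusted = cfg.get("SslTrustedClientCertificates", "")
    if verify_in and not ssl_enabled:
        f.append(("WARN", "SslVerifyPeers", "true has no effect while SslEnabled is false"))
    elif verify_in and trusted == "":
        f.append(("ERROR", "SslTrustedClientCertificates",
                  "empty while SslVerifyPeers is true: no trust anchor for client certificates"))
    elif ssl_enabled and not verify_in:
        f.append(("INFO", "SslVerifyPeers",
                  "false: remote HTTP clients are not authenticated by certificate"))
    return f


# Constructed sample configurations (not taken from any real deployment).
WEAK_CONFIG = """{
  // Turned off "because of self-signed certificates": no server authentication.
  "HttpsVerifyPeers" : false,
  "HttpsCACertificates" : "",
  "SslEnabled" : true,
  "SslVerifyPeers" : true,
  "SslTrustedClientCertificates" : ""   /* nothing to trust: every client fails */
}"""

HARDENED_CONFIG = """{
  "HttpsVerifyPeers" : true,
  "HttpsCACertificates" : "",   // empty => native store on 1.12.6+
  "SslEnabled" : true,
  "SslVerifyPeers" : true,
  "SslTrustedClientCertificates" : "trustedClientCertificates.pem"
}"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for sev, key, msg in audit_tls(load_orthanc_config(text)):
            print(f"  {sev:5} {key}: {msg}")
```

Run it against the real Configuration.json (or the merged configuration Orthanc reports) and pass `orthanc_version` and `libcurl_native_ca` according to the build actually deployed; on an older build the empty HttpsCACertificates that is fine on 1.12.6 turns into a warning.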

Hi Alain,

Perfect, thanks! I tested the Orthanc.exe by replacing the previously installed one and it seems to work. Do you already have a planned official release date for 1.12.6, and the associated Docker images and Windows installers?

Best regards,

Thomas

Not yet but, hopefully, that should happen in January.