Hello,
If I read the config file of Orthanc correctly, the option “HttpsCACertificates” is basically what will be given as the --cacert option in the curl command. I’d like to use the native Windows store instead, which would be the command option --ca-native of curl; is there any way to configure Orthanc to do so?
I was also wondering if you could give me more details on the difference between HttpsVerifyPeers and SslVerifyPeers? The way I understood it is that HttpsVerifyPeers will check that the server certificate of the peer is valid (meaning the CA that issued it is known by Orthanc, thanks to HttpsCACertificates) only when Orthanc contacts it; whereas SslVerifyPeers checks that a second certificate sent by the peer should be checked when the peer tries to contact Orthanc, and such a certificate has to be known by Orthanc thanks to SslTrustedClientCertificates.
Thanks!
PS: here are the parameters of Orthanc I mentioned, taken from orthanc: 816416425f2b OrthancServer/Resources/Configuration.json
// Path to the CA (certification authority) certificates to validate
// peers in HTTPS requests. From curl documentation ("--cacert"
// option): "Tells curl to use the specified certificate file to
// verify the peers. The file may contain multiple CA
// certificates. The certificate(s) must be in PEM format." On
// Debian-based systems, this option can be set to
// "/etc/ssl/certs/ca-certificates.crt"
"HttpsCACertificates" : "",
// Enable the verification of the peers during HTTPS requests. This
// option must be set to "false" if using self-signed certificates.
// Pay attention that setting this option to "false" results in
// security risks!
// Reference: curl - SSL CA Certificates
"HttpsVerifyPeers" : true,
// Whether or not peer client certificates shall be checked. This
// option is only meaningful if "SslEnabled" is true.
"SslVerifyPeers" : false,
// Path to a file containing the concatenation of the client SSL
// certificate(s) that are trusted to verify the identity of remote
// HTTP clients. The individual certificate(s) or root CAs must be
// stored in the PEM format. This option is only meaningful
// if "SslVerifyPeers" is true.
"SslTrustedClientCertificates" : "trustedClientCertificates.pem",
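
A small audit of the options quoted above, as an added example that is not part of the original post or of Orthanc's own code: it strips the comments from a configuration file, parses it, and reports settings that disable or void certificate verification, using only the dependencies stated in the quoted comments. The sample configuration is constructed, and the SslEnabled default of false is an assumption.

```python
import json
import re

# Constructed sample configuration (not from the post); values chosen to trigger findings.
SAMPLE = r'''
{
  // Orthanc acting as HTTPS client (requests it sends)
  "HttpsCACertificates" : "",
  "HttpsVerifyPeers" : false,
  // Orthanc acting as HTTPS server (connections it receives)
  "SslEnabled" : true,
  "SslVerifyPeers" : true,
  "SslTrustedClientCertificates" : ""
}
'''

def strip_comments(text):
    """Drop // and /* */ comments but keep string literals (e.g. URLs) intact."""
    token = r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/'
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return re.sub(token, keep_strings, text, flags=re.S)

def audit(text):
    """Return (option, message) pairs for settings that weaken or void verification."""
    cfg = json.loads(strip_comments(text))
    findings = []
    # Client direction: default true, as in the excerpt quoted in the post.
    if cfg.get("HttpsVerifyPeers", True) is not True:
        findings.append(("HttpsVerifyPeers",
                         "peers are not verified during HTTPS requests"))
    # Server direction: the SslEnabled default of false is an assumption here.
    ssl_enabled = cfg.get("SslEnabled", False) is True
    verify_clients = cfg.get("SslVerifyPeers", False) is True
    trusted = cfg.get("SslTrustedClientCertificates", "")
    if verify_clients and not ssl_enabled:
        findings.append(("SslVerifyPeers",
                         "has no effect because SslEnabled is not true"))
    if verify_clients and ssl_enabled and not trusted:
        findings.append(("SslTrustedClientCertificates",
                         "client verification is on but no trusted certificates are set"))
    return findings

if __name__ == "__main__":
    for option, message in audit(SAMPLE):
        print(f"{option}: {message}")
```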