OK, I have finally found the culprit. The problem was that ECDSA support was not activated in the OpenSSL library that is called by the “libcurl” library, which is in turn used by Orthanc.
For reference, I was able to detect this issue thanks to the “sslscan” command-line tool (https://github.com/rbsec/sslscan). Here is an excerpt of the output of this command:
$ ./sslscan mockbin.org
[…]
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-ECDSA-CHACHA20-POLY1305 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-SHA384 Curve P-256 DHE 256
Preferred TLSv1.1 128 bits ECDHE-ECDSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.1 256 bits ECDHE-ECDSA-AES256-SHA Curve P-256 DHE 256
Preferred TLSv1.0 128 bits ECDHE-ECDSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.0 256 bits ECDHE-ECDSA-AES256-SHA Curve P-256 DHE 256
SSL Certificate:
Signature Algorithm: ecdsa-with-SHA256
The fix is implemented by the following changeset:
https://bitbucket.org/sjodogne/orthanc/commits/2a4ac74da1ed2f9d5682300894554cd70087bf1f
Pay attention to the fact that this fix is only available if OpenSSL is statically linked.
The fix is pending in the mainline and will be part of forthcoming Orthanc 1.4.2. Updated mainline Docker images and LSB binaries (Linux Standard Base) will be available today, as soon as our continuous integration server finishes its build.
Regards,
Sébastien-
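
The diagnosis described in the message above can be reproduced as a script. This is an added example, not part of the original post or of Orthanc: it parses a few of the sslscan lines quoted above and checks them against a client cipher list. The list CLIENT_WITHOUT_ECDSA and all function names are constructed for illustration, and local_ciphers() reports the OpenSSL linked into Python, not the one linked into libcurl or Orthanc.

```python
import re
import ssl

# A few of the sslscan lines quoted in the post above.
SSLSCAN_EXCERPT = """\
Preferred TLSv1.2 256 bits ECDHE-ECDSA-CHACHA20-POLY1305 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Preferred TLSv1.0 128 bits ECDHE-ECDSA-AES128-SHA Curve P-256 DHE 256
"""

# Constructed sample: suites a TLS client without ECDSA support could still offer.
CLIENT_WITHOUT_ECDSA = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-GCM-SHA384",
                        "DHE-RSA-AES128-SHA"]

LINE = re.compile(r"^\s*(Preferred|Accepted)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")

def parse_sslscan(text):
    """Return (protocol, cipher) pairs for every suite the server accepted."""
    return [(m.group(2), m.group(4)) for m in map(LINE.match, text.splitlines()) if m]

def auth_algorithm(cipher):
    """Authentication algorithm implied by an OpenSSL suite name (TLS <= 1.2)."""
    if cipher.startswith("TLS_"):
        return "ANY"      # TLS 1.3 suite names do not encode the signature type
    for tag in ("ECDSA", "DSS", "PSK"):
        if tag in cipher.split("-"):
            return tag
    return "RSA"          # ECDHE-RSA-*, DHE-RSA-* and plain RSA key exchange

def diagnose(server_text, client_ciphers):
    """Summarise what the server demands and what the client can match."""
    server = {cipher for _, cipher in parse_sslscan(server_text)}
    return {
        "server_auth": sorted({auth_algorithm(c) for c in server}),
        "common": sorted(server & set(client_ciphers)),
    }

def local_ciphers():
    """Suites enabled in the OpenSSL that this Python interpreter links against."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]

if __name__ == "__main__":
    # An empty "common" list means the handshake has no suite to agree on.
    print("no ECDSA :", diagnose(SSLSCAN_EXCERPT, CLIENT_WITHOUT_ECDSA))
    print("this host:", diagnose(SSLSCAN_EXCERPT, local_ciphers()))
```

When "server_auth" is only ECDSA and "common" is empty, the client cannot complete a handshake with that server, which matches the failure described in the message.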