DCMTK Version 3.6.8
OFFIS DICOM Toolkit
Classes | Enumerations
tlsciphr.h File Reference

type definitions and classes for TLS ciphersuites More...

Classes

class  DcmTLSCiphersuiteHandler
 This helper class manages the list of TLS ciphersuites supported by DCMTK, translates DcmTLSSecurityProfile enums into the corresponding sets of ciphersuites, and permits translation between the official TLS ciphersuite names (as used in DCMTK) and the corresponding internal OpenSSL name. More...
 

Enumerations

enum  DcmTLSSecurityProfile {
  TSP_Profile_None , TSP_Profile_Basic , TSP_Profile_AES , TSP_Profile_BCP195 ,
  TSP_Profile_BCP195_ND , TSP_Profile_BCP195_Extended , TSP_Profile_BCP_195_RFC_8996 , TSP_Profile_BCP_195_RFC_8996_Modified ,
  TSP_Profile_IHE_ATNA_Unencrypted
}
 This enum describes DICOM TLS Security Profiles, which are the basis for the selection of supported ciphersuites when using DICOM over TLS. More...
 
enum  DcmTLSCipherProtocolVersion { TPV_SSLv3 , TPV_TLSv12 , TPV_TLSv13 }
 This enum describes the minimum SSL/TLS protocol version required for a certain ciphersuite. More...
 
enum  DcmTLSCipherKeyExchange {
  TKE_RSA , TKE_ECDH , TKE_ECDH_ECDSA , TKE_ECDH_RSA ,
  TKE_DH , TKE_TLSv13
}
 This enum describes the key exchange protocol used in a certain TLS ciphersuite. More...
 
enum  DcmTLSCipherAuthentication {
  TCA_DSS , TCA_ECDH , TCA_ECDSA , TCA_RSA ,
  TCA_TLSv13
}
 This enum describes the authentication mechanism used in a certain TLS ciphersuite. More...
 
enum  DcmTLSCipherEncryption {
  TCE_None , TCE_3DES , TCE_AES , TCE_AESGCM ,
  TCE_Camellia , TCE_ChaCha20
}
 This enum describes the symmetric encryption algorithm (bulk cipher) used in a certain TLS ciphersuite. More...
 
enum  DcmTLSCipherMAC {
  TCM_SHA1 , TCM_SHA256 , TCM_SHA384 , TCM_AEAD ,
  TCM_CBC_MAC
}
 This enum describes the message authentication code (MAC) used in a certain TLS ciphersuite. More...
 
enum  DcmTLSCipherMode { TKM_NA , TKM_CBC , TKM_GCM , TKM_CCM }
 This enum describes the block cipher mode of operation used in a certain TLS ciphersuite. More...
 
enum  DcmTLSCRLVerification { TCR_noCRL , TCR_checkLeafCRL , TCR_checkAllCRL }
 This enum describes the verification approach for certificate revocation lists (CRL) More...
 

Detailed Description

type definitions and classes for TLS ciphersuites

Enumeration Type Documentation

◆ DcmTLSCipherAuthentication

This enum describes the authentication mechanism used in a certain TLS ciphersuite.

Remarks
this enum is only available if DCMTK is compiled with OpenSSL support enabled.
Enumerator
TCA_DSS 

Digital Signature Standard.

TCA_ECDH 

Elliptic Curve Diffie-Hellman.

TCA_ECDSA 

Elliptic Curve Digital Signature Algorithm.

TCA_RSA 

RSA.

TCA_TLSv13 

TLS 1.3 authentication, supports ECDH and RSA.

◆ DcmTLSCipherEncryption

This enum describes the symmetric encryption algorithm (bulk cipher) used in a certain TLS ciphersuite.

Remarks
this enum is only available if DCMTK is compiled with OpenSSL support enabled.
Enumerator
TCE_None 

No encryption.

TCE_3DES 

Triple DES in Cipher Block Chaining (CBC) mode.

TCE_AES 

Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode.

TCE_AESGCM 

Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM)

TCE_Camellia 

Camellia (RFC 3713) in Cipher Block Chaining (CBC) mode.

TCE_ChaCha20 

ChaCha20-Poly1305 in Galois/Counter Mode (GCM)

◆ DcmTLSCipherKeyExchange

This enum describes the key exchange protocol used in a certain TLS ciphersuite.

Remarks
this enum is only available if DCMTK is compiled with OpenSSL support enabled.
Enumerator
TKE_RSA 

Static RSA key exchange.

TKE_ECDH 

Elliptic Curve Diffie-Hellman.

TKE_ECDH_ECDSA 

Fixed ECDH with ECDSA-signed certificates.

TKE_ECDH_RSA 

Fixed ECDH with RSA signatures.

TKE_DH 

Diffie-Hellman key exchange.

TKE_TLSv13 

TLS 1.3 key exchange (always based on Diffie-Hellman)

◆ DcmTLSCipherMAC

This enum describes the message authentication code (MAC) used in a certain TLS ciphersuite.

Remarks
this enum is only available if DCMTK is compiled with OpenSSL support enabled.
Enumerator
TCM_SHA1 

Secure Hash Algorithm SHA-1.

TCM_SHA256 

Secure Hash Algorithm SHA-2 in 256 bit mode.

TCM_SHA384 

Secure Hash Algorithm SHA-2 in 384 bit mode.

TCM_AEAD 

Authenticated Encryption with Associated Data (AEAD)

TCM_CBC_MAC 

Cipher Block Chaining Message Authentication Code (CBC-MAC)

◆ DcmTLSCipherMode

This enum describes the block cipher mode of operation used in a certain TLS ciphersuite.

Remarks
this enum is only available if DCMTK is compiled with OpenSSL support enabled.
Enumerator
TKM_NA 

Not applicable, e.g. stream cipher.

TKM_CBC 

Cipher block chaining mode.

TKM_GCM 

Galois/Counter mode.

TKM_CCM 

Counter and CBC-MAC Mode.

◆ DcmTLSCipherProtocolVersion

This enum describes the minimum SSL/TLS protocol version required for a certain ciphersuite.

Remarks
this enum is only available if DCMTK is compiled with OpenSSL support enabled.
Enumerator
TPV_SSLv3 

Secure Socket Layer (SSL) version 3 or newer.

TPV_TLSv12 

Transport Layer Security (TLS) version 1.2 or newer.

TPV_TLSv13 

Transport Layer Security (TLS) version 1.3.

◆ DcmTLSCRLVerification

This enum describes the verification approach for certificate revocation lists (CRL)

Remarks
this enum is only available if DCMTK is compiled with OpenSSL support enabled.
Enumerator
TCR_noCRL 

Certificates are not checked against a CRL.

TCR_checkLeafCRL 

Check chain leaf certificate against its CRL.

An error occurs if a suitable CRL cannot be found.

TCR_checkAllCRL 

Check the entire certificate chain against their CRLs.

An error occurs if any required CRL cannot be found.

◆ DcmTLSSecurityProfile

This enum describes DICOM TLS Security Profiles, which are the basis for the selection of supported ciphersuites when using DICOM over TLS.

Remarks
This enum is only available if DCMTK is compiled with OpenSSL support enabled.
Enumerator
TSP_Profile_None 

No security profile, start with an empty list of ciphersuites.

TSP_Profile_Basic 

DICOM Basic TLS Secure Transport Connection Profile (retired), using the ciphersuite TLS_RSA_WITH_3DES_EDE_CBC_SHA and TLS 1.0 or newer.

This profile is retired.

TSP_Profile_AES 

DICOM AES TLS Secure Transport Connection Profile (retired), using the ciphersuites TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA, and TLS 1.0 or newer.

This profile is retired.

TSP_Profile_BCP195 

DICOM BCP 195 TLS Profile, based on RFC 7525.

This profile tries to negotiate TLS 1.2 or newer, but may fall back to previous protocol versions up to TLS 1.0. It supports four TLS 1.2 specific ciphersuites (TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) but also the ciphersuites of the AES and Basic Profile, thus providing backward compatibility with older implementations while offering much better security when used with implementations also supporting one of the BCP 195 profiles. This profile is retired.

TSP_Profile_BCP195_ND 

DICOM Non-downgrading BCP 195 TLS Profile, based on RFC 7525.

This profile only negotiates TLS 1.2 or newer, and will not fall back to previous TLS versions. It supports four ciphersuites: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. It does not provide backwards compatibility with the older Basic and AES profiles, and thus guarantees the higher security level of BCP 195. This profile is retired.

TSP_Profile_BCP195_Extended 

DICOM Extended BCP 195 TLS Profile, based on RFC 7525.

This profile only negotiates TLS 1.2, and will not fall back to previous TLS versions. It does NOT support TLS 1.3. It supports the same set of ciphersuites as TSP_Profile_BCP195_ND, plus TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. The other ciphersuites suggested by the profile (see DICOM Part 15, section B.11) are not supported in OpenSSL 1.0.1 to 1.1.0. This profile requires DHE keys of at least 2048 bits and ECDHE keys of at least 256 bits. It does not provide backwards compatibility with the older Basic and AES profiles, and thus guarantees the higher security level of BCP 195. This profile is retired.

TSP_Profile_BCP_195_RFC_8996 

DICOM BCP 195 RFC 8996 TLS Profile, based on RFC 8996 and RFC 9325.

This profile only negotiates TLS 1.2 or newer, and will not fall back to previous TLS versions. It provides the higher security level offered by the 2021 revised edition of BCP 195.

TSP_Profile_BCP_195_RFC_8996_Modified 

DICOM Modified BCP 195 RFC 8996 TLS Profile, based on RFC 8996 and RFC 9325.

This profile only negotiates TLS 1.2 or newer, and will not fall back to previous TLS versions. It provides the higher security level offered by the 2021 revised edition of BCP 195 and implements various additional restrictions defined in the DICOM Standard.

TSP_Profile_IHE_ATNA_Unencrypted 

IHE ATNA Profile for Unencrypted In-house Communication (retired).

This profile uses the ciphersuite SSL_RSA_WITH_NULL_SHA and TLS 1.0 or newer. This ciphersuite offers peer authentication and integrity of communication, but no encryption (i.e. no confidentiality), and is thus only suitable for use over a secure infrastructure. This was used in older versions of the IHE Audit Trail and Node Authentication (ATNA) integration profile, but has been retired.


Generated on Tue Dec 19 2023 for DCMTK Version 3.6.8 by Doxygen 1.9.4