Project

General

Profile

Actions
Copy link

Feature #790

closed

DCMTK 3.6.2 does not accept network connections with TLS 1.2 when compiled with OpenSSL < 1.1.0

Added by Marco Eichelberg almost 8 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Marco Eichelberg
Category:
Library
Target version:
3.6.3
Start date:
2017-09-20
Due date:
% Done:

100%

Estimated time:
Module:
dcmtls
Operating System:
Compiler:

Description

DCMTK 3.6.2 does not accept network connections with TLS 1.2 when compiled with OpenSSL < 1.1.0
The reason is that for older versions of OpenSSL, the following methods are called, which explicitly only support TLS 1.0:

  • TLSv1_server_method(), TLSv1_client_method(), TLSv1_method()

So neither TLS 1.1 nor TLS 1.2 can be negotiated in this case. For older OpenSSL versions, preferrably the following methods should be used:

  • SSLv23_server_method(), SSLv23_client_method(), SSLv23_method()

In order to avoid the insecure SSLv2 and SSLv3 protocols, only TLS cipher suites should be enabled using setCipherSuites().
Additionally, SSL_CTX_set_min_proto_version() should be called to set the minimum protocol to TLS1_VERSION.

Files

dcmtk-3.6.1_20170228-SSL.patch (1021 Bytes) dcmtk-3.6.1_20170228-SSL.patch Suggested patch, by Peter Klotz Marco Eichelberg, 2017-09-20 17:02
Actions
Copy link
 #1

Updated by Marco Eichelberg almost 8 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

SSL_CTX_set_min_proto_version() is not available on older OpenSSL versions.
We use SSL_CTX_set_options() instead to disable SSLv2 and SSLv3.

The modified code has been successfully tested for compatibility with
DCMTK 3.5.4, 3.6.0 and 3.6.2 Release.

Closed by commit e099196.

Actions
Copy link

Also available in: Atom PDF