Feature #790

closed

DCMTK 3.6.2 does not accept network connections with TLS 1.2 when compiled with OpenSSL < 1.1.0

Added by Marco Eichelberg almost 8 years ago. Updated almost 8 years ago.

Status: Closed
Priority: Normal
Category: Library
Target version:
Start date: 2017-09-20
Due date:
% Done: 100%
Estimated time:
Module: dcmtls
Operating System:
Compiler:

Description

DCMTK 3.6.2 does not accept network connections with TLS 1.2 when compiled with OpenSSL < 1.1.0
The reason is that for older versions of OpenSSL, the following methods are called, which explicitly only support TLS 1.0:

  • TLSv1_server_method(), TLSv1_client_method(), TLSv1_method()

So neither TLS 1.1 nor TLS 1.2 can be negotiated in this case. For older OpenSSL versions, preferably the following methods should be used:

  • SSLv23_server_method(), SSLv23_client_method(), SSLv23_method()

In order to avoid the insecure SSLv2 and SSLv3 protocols, only TLS cipher suites should be enabled using setCipherSuites().
Additionally, SSL_CTX_set_min_proto_version() should be called to set the minimum protocol to TLS1_VERSION.


Files

dcmtk-3.6.1_20170228-SSL.patch (1021 Bytes): Suggested patch, by Peter Klotz. Marco Eichelberg, 2017-09-20 17:02