Feature #959

open

Enable dcmtls to only accept a fixed list of client certificates

Added by Marco Eichelberg over 4 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Library and Apps
Target version: -
Start date: 2021-01-12
Due date:
% Done: 0%
Estimated time:
Module: dcmtls
Operating System:
Compiler:

Description

Currently, the TLS implementation in dcmtls always accepts all certificates issued by a CA that is configured as trustworthy.
In practical settings, it might be useful to further restrict this. For example, a modality only needs to communicate with the RIS and the PACS, but never with any other TLS-enabled system.
It would be nice if an explicit list of client certificates could be defined as the only ones that are to be trusted. This can be implemented in DcmTLSTransportLayer_certificateValidationCallback() in dcmtls/libsrc/tlslayer.cc, which is a callback function that OpenSSL calls after each certificate verification operation. This function can do additional checks and revise the result of the certificate verification.
The function could, for example, look up the client certificate in a hashed directory of "acceptable" client certificates and return "false" if the certificate is not found there.

Note: One implementation strategy to be considered is whether in this case the result of the callback should completely replace OpenSSL's test results (which would mean that client certificates could be placed in the "acceptable" list even if their root CA certificate is not available, but might also cause expired certificates to be accepted) or only amend it (by setting the test result from true to false if the certificate is not found in the explicit list, but not vice versa).
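
The two strategies weighed in the note above, as an added example that is not DCMTK code and does not call OpenSSL: it models the sequence of verify-callback invocations for one handshake and shows which peers each strategy admits. All type and function names are hypothetical, the "acceptable" list is modelled as a set of fingerprint strings rather than a hashed directory, and the sample events are constructed.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// How the allow-list result is combined with OpenSSL's own verdict.
enum class PinMode { Amend, Replace };

// One invocation of the verify callback (hypothetical model type).
struct VerifyEvent {
    bool preverifyOk;         // OpenSSL's verdict, the callback's first argument
    int depth;                // 0 = peer certificate, >0 = CA certificates
    std::string fingerprint;  // digest of the certificate being checked
};

// Value the callback would return for one invocation.
bool pinnedVerdict(const VerifyEvent &ev, const std::set<std::string> &allowed, PinMode mode)
{
    const bool listed = allowed.count(ev.fingerprint) > 0;
    // Amend: only ever turn true into false, so chain and expiry checks stay in force.
    if (mode == PinMode::Amend && !ev.preverifyOk) return false;
    // Replace: OpenSSL's verdict is ignored and the list alone decides.
    // In both modes the list is consulted for the peer certificate only.
    return ev.depth > 0 || listed;
}

// The handshake succeeds only if no callback invocation returned false.
bool handshakeAccepted(const std::vector<VerifyEvent> &events,
                       const std::set<std::string> &allowed, PinMode mode)
{
    for (const auto &ev : events)
        if (!pinnedVerdict(ev, allowed, mode)) return false;
    return true;
}

// Constructed sample data: fingerprints are placeholders, not real digests.
const std::set<std::string> kAllowed = {"fp-ris", "fp-pacs"};
const std::vector<VerifyEvent> kListedValid   = {{true, 1, "fp-ca"}, {true, 0, "fp-ris"}};
const std::vector<VerifyEvent> kUnlistedValid = {{true, 1, "fp-ca"}, {true, 0, "fp-other"}};
const std::vector<VerifyEvent> kListedExpired = {{true, 1, "fp-ca"}, {false, 0, "fp-pacs"}};
const std::vector<VerifyEvent> kListedNoCa    = {{false, 0, "fp-ris"}};

int main()
{
    const std::vector<VerifyEvent> *cases[] = {&kListedValid, &kUnlistedValid, &kListedExpired, &kListedNoCa};
    for (const auto *c : cases)
        std::cout << "amend=" << handshakeAccepted(*c, kAllowed, PinMode::Amend)
                  << " replace=" << handshakeAccepted(*c, kAllowed, PinMode::Replace) << "\n";
}
```
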


Related issues 1 (1 open, 0 closed)

Has duplicate: DCMTK - Feature #979: Add support for the IHE "Direct certificate validation" mode of certificate validation in the dcmtls module (New, 2021-04-04)
