TLS client handshake failed

  • TLS client handshake failed

    I’m working on an iPad app that uses dcmtk for DICOM communication. I’m now tasked with adding TLS to the communication layer, but I have not been able to get it to work. I installed Mirth Connect to verify the TLS communication, but it does not work for me. When I set the connection to “No TLS”, the association succeeds and I can transfer images from the iPad to the server. I may be doing something wrong or missing something, and I need some help.

    I’m posting this since I did not find anything related to my problem in the forums. I'm new to Mirth and I have been testing the TLS functionality in Mirth 3.6.0. I've been struggling with this error and can't figure out why various messages trigger it, as there doesn't seem to be anything wrong with the messages themselves. The error message is below; I'd appreciate any help you can give. If more information is needed, I can export the channel. Thank you in advance!


    Please refer to the attachment for the Mirth Connect configuration.

    This is how I try to create an association in the iPad app using the dcmtk library (see the full code below for details):

    OFCondition cond = ASC_requestAssociation(net, params, &assoc);

    iOS Code:

    // Bundled TLS material. SECURITY(review): anything inside the app bundle is
    // readable by whoever holds the IPA, so a private key and a literal password
    // here are effectively public. Keep client keys in the Keychain (or provision
    // them per device) and never ship a server's private key to clients.
    #define ServerCert "certificate.crt"
    // Loaded below as THIS client's private key despite the name — confirm it is
    // a client key and not the PACS server's.
    #define ServerPrivateKey "privateKey.key"
    #define PrivatePEMKey "certificate.pem"      // not referenced in this file
    // Same file as ServerCert; check that is intended (client vs. server identity).
    #define ClientCert "certificate.crt"
    #define Password "1234"                      // not referenced here; if the key is encrypted the TLS layer needs it (setPrivateKeyPasswd)
    #define isToSupportTLS 1                     // compile-time switch; 0 means a plain-TCP association


    // Defining this by hand does not make a dcmtk that was built without OpenSSL
    // support TLS; the flag normally comes from the linked library's
    // dcmtk/config/osconfig.h, which dcmtk's convention includes first.
    #define WITH_OPENSSL 1

    #import "Echo.h"
    #import "Constants.h"

    #include "dcmtk/dcmnet/scu.h"
    #include "dcmtk/config/osconfig.h"
    #include "dcmtk/dcmnet/diutil.h"
    #include "dcmtk/oflog/fileap.h"
    #include "dcmtk/dcmtls/tlslayer.h"
    #include "err.h"


    @implementation Echo

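    // Returns a printable C string for log lines: NULL is rendered as "(null)"
    // instead of being streamed into the logger (undefined behaviour).
    static const char *EchoLogStr(const char *s)
    {
        return (s != NULL) ? s : "(null)";
    }

    // Builds "<what>: <OpenSSL reason>" for the most recent OpenSSL error.
    // ERR_reason_error_string() may return NULL when the error strings are not
    // loaded, so a fallback text is substituted rather than streaming a null pointer.
    static OFString EchoOpenSSLFailure(const char *what)
    {
        const char *reason = ERR_reason_error_string(ERR_peek_error());
        OFString text(what);
        text += ": ";
        text += (reason != NULL) ? reason : "no OpenSSL error reason available";
        return text;
    }

    // Attaches a TLS transport layer to `net` using the client certificate and
    // private key shipped in the app bundle, and flags `params` as secure.
    // Returns OFFalse with `reason` filled in when any step fails; in that case
    // nothing has been attached to the network and the layer has been freed.
    static OFBool EchoAttachTLSLayer(T_ASC_Network *net, T_ASC_Parameters *params, OFString &reason)
    {
        // "random.dat" is resolved relative to the working directory, which on iOS
        // is not the bundle, so the seed file is probably never found. Current
        // dcmtk/OpenSSL builds seed the RNG themselves — confirm for the linked
        // dcmtk version rather than relying on this file.
        DcmTLSTransportLayer *tLayer = new DcmTLSTransportLayer(DICOM_APPLICATION_REQUESTOR, "random.dat");

        NSString *resourcePath = [[NSBundle mainBundle] resourcePath];
        NSString *certPath = [resourcePath stringByAppendingPathComponent:@ClientCert];
        NSString *keyPath = [resourcePath stringByAppendingPathComponent:@ServerPrivateKey];

        if (TCS_ok != tLayer->setCertificateFile([certPath UTF8String], SSL_FILETYPE_PEM))
        {
            reason = EchoOpenSSLFailure("unable to load certificate");
            delete tLayer;  // not yet owned by the network
            return OFFalse;
        }
        // SECURITY(review): the key is read from the app bundle, i.e. it is
        // available to anyone holding the IPA. The macro name also suggests it
        // may be the server's key; a client must only ever carry its own.
        if (TCS_ok != tLayer->setPrivateKeyFile([keyPath UTF8String], SSL_FILETYPE_PEM))
        {
            reason = EchoOpenSSLFailure("unable to load private key");
            delete tLayer;
            return OFFalse;
        }

        // Restricts negotiation to TLS_RSA_WITH_3DES_EDE_CBC_SHA, the suite of the
        // legacy DICOM "Basic TLS Secure Transport Connection Profile". Many
        // current peers (recent JVMs included) disable 3DES; that shows up as a
        // no-shared-cipher style failure, not as the "wrong version number" in the
        // trace — that one usually means the peer answered with non-TLS bytes,
        // e.g. a plain DICOM listener on the configured port.
        tLayer->setCipherSuites(SSL3_TXT_RSA_DES_192_CBC3_SHA);

        // The peer must present a certificate that verifies. No trust anchor is
        // loaded here, so unless the linked dcmtk installs a default store the
        // server chain cannot verify; load the CA that issued the Mirth server
        // certificate with tLayer->addTrustedCertificateFile(<ca.pem>, SSL_FILETYPE_PEM)
        // before this is used for real. Do not "fix" a failing verification with
        // DCV_ignoreCertificate — that leaves the connection open to any on-path peer.
        tLayer->setCertificateVerification(DCV_requireCertificate);

        // The network takes ownership of the layer (third argument), so from here
        // on it is freed by ASC_dropNetwork.
        OFCondition cond = ASC_setTransportLayer(net, tLayer, 1);
        if (cond.bad())
        {
            reason = cond.text();
            delete tLayer;  // ownership was not transferred
            return OFFalse;
        }
        cond = ASC_setTransportLayerType(params, 1);
        if (cond.bad())
        {
            reason = cond.text();
            return OFFalse;
        }
        return OFTrue;
    }

    /// Establishes a DICOM association with the configured PACS — over TLS when
    /// isToSupportTLS is set — releases it again, and reports the outcome through
    /// the completion blocks. (The C-ECHO itself is still to be implemented.)
    ///
    /// NOTE(review): the signature below is reconstructed — the forum paste
    /// dropped every ":(" sequence from the original line; confirm against Echo.h.
    ///
    /// @param configureInfo Source of the AE titles and presentation addresses.
    ///        serverIP must be in dcmtk's "host:port" form, and with TLS enabled
    ///        the port must be one on which the peer actually speaks TLS.
    /// @param success Invoked (if non-nil) once the association was accepted.
    /// @param failure Invoked (if non-nil) with an NSError whose description is
    ///        the dcmtk condition text or the TLS setup reason.
    -(void)PACSConnection:(ServerConfigurationModule *)configureInfo success:(void(^)(NSString *result))success failure:(void(^)(NSError *error))failure
    {
        @autoreleasepool
        {
            static NSString * const kEchoErrorDomain = @"EchoErrorDomain";

            NSString *callingAE = configureInfo.callingAE;
            NSString *calledAE = configureInfo.calledAE;
            NSString *callingIP = configureInfo.callingIP;
            NSString *IP = configureInfo.serverIP;

            // UTF8String yields NULL for a nil string; the log line further down
            // goes through EchoLogStr for that reason.
            const char *callingAppTitle = [callingAE UTF8String];
            const char *calledAppTitle = [calledAE UTF8String];
            const char *callingPresentationAddress = [callingIP UTF8String];
            const char *calledPresentationAddress = [IP UTF8String];

            T_ASC_Network *net = NULL;        // DICOM upper-layer state machine
            T_ASC_Parameters *params = NULL;  // association request parameters
            T_ASC_Association *assoc = NULL;
            OFBool tlsOK = OFTrue;
            OFString tlsReason;

            // Every dcmtk call reports through OFCondition; chain them so the
            // first failure stops the sequence and is the one reported.
            dcmConnectionTimeout.set(10);
            OFCondition cond = ASC_initializeNetwork(NET_REQUESTOR, 0, 10 /* timeout */, &net);
            if (cond.good())
                cond = ASC_createAssociationParameters(&params, ASC_MAXIMUMPDUSIZE);
            if (cond.good())
                cond = ASC_setAPTitles(params, callingAppTitle, calledAppTitle, NULL);
            if (cond.good())
                cond = ASC_setPresentationAddresses(params, callingPresentationAddress, calledPresentationAddress);
            if (cond.good() && isToSupportTLS)
                tlsOK = EchoAttachTLSLayer(net, params, tlsReason);

            // Verification SOP class with a single transfer syntax.
            const char *transferSyntaxes[] = { UID_LittleEndianImplicitTransferSyntax };
            if (cond.good() && tlsOK)
                cond = ASC_addPresentationContext(params, 1, UID_VerificationSOPClass, transferSyntaxes, 1);
            if (cond.good() && tlsOK)
                cond = ASC_requestAssociation(net, params, &assoc);

            if (!tlsOK || cond.bad())
            {
                // cond.text() already names the exact DUL_* condition, so no
                // per-constant if-chain is needed to identify it.
                const char *why = tlsOK ? cond.text() : tlsReason.c_str();
                DCMNET_ERROR("Echo Failed :: " << why);
                DCMNET_ERROR("Echo Failed Connection Details :: "
                             << EchoLogStr(callingAppTitle) << "@" << EchoLogStr(callingPresentationAddress)
                             << " -> " << EchoLogStr(calledAppTitle) << "@" << EchoLogStr(calledPresentationAddress));
                if (failure)
                {
                    NSDictionary *info = @{ NSLocalizedDescriptionKey : [NSString stringWithUTF8String:why] };
                    failure([NSError errorWithDomain:kEchoErrorDomain code:-1 userInfo:info]);
                }
            }
            else
            {
                // TODO: send the C-ECHO here before releasing the association.
                // Release gracefully (A-RELEASE) instead of leaving the association
                // dangling when the method returns.
                ASC_releaseAssociation(assoc);
                if (success)
                    success(@"Association established");
            }

            // Tear down in reverse order. ASC_destroyAssociation frees the
            // parameters once they belong to an association; before that point
            // they are freed directly. ASC_dropNetwork deletes the TLS layer it owns.
            if (assoc != NULL)
                ASC_destroyAssociation(&assoc);
            else if (params != NULL)
                ASC_destroyAssociationParameters(&params);
            if (net != NULL)
                ASC_dropNetwork(&net);
        }
    }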

    Error message (dcmtk log output):
    E: TLS client handshake failed
    I: Echo Failed :: Failed to establish association
    I: 0006:0317 Peer aborted Association (or never connected)
    I: 0006:031e DUL secure transport layer: wrong version number
    Attached Files