L_SSL_CTX_CREATE

typedef struct tagSSL_CTX_CREATE
{
   L_UINT  uStructSize; 
   L_UINT32  uFlags; 
   L_INT  nMethodTypeSSL; 
   L_CHAR *  pszCAfile; 
   L_UINT  uVerifyMode; 
   L_INT  nVerifyDepth; 
   L_INT  nOptions; 
   L_INT  nSuccess; 
   L_INT  nReserved1; 
   L_INT  nReserved2; 

} L_SSL_CTX_CREATE, L_FAR * pL_SSL_CTX_CREATE;

The L_SSL_CTX_CREATE structure provides security information for the LDicomNet::LDicomNet(pszPath,nMode,bReserved) constructor.

Member

Description

uStructSize

Size of this structure in bytes, for versioning. Use the sizeof() macro to calculate this value.

uFlags

Flags that identify the valid fields of the L_SSL_CTX_CREATE structure. Flags may be combined using a bitwise OR (|). Possible values are:

 

Value

Meaning

 

FLAG_SSL_CTX_CREATE_METHOD_TYPE

[0x001] The nMethodTypeSSL member is valid.

 

FLAG_SSL_CTX_CREATE_VERIFY_DEPTH

[0x002] The nVerifyDepth member is valid

 

FLAG_SSL_CTX_CREATE_VERIFY_MODE

[0x004] The uVerifyMode member is valid

 

FLAG_SSL_CTX_CREATE_CAFILE

[0x008] The pszCAfile member is valid

 

FLAG_SSL_CTX_CREATE_OPTIONS

[0x010] The nOptions member is valid

 

FLAG_SSL_CTX_CREATE_ALL

[0x01F] All members are valid

nMethodTypeSSL

Value that identifies which SSL method type is to be used for security verification. This member must be filled. Only one value can be used. The default value is TYPE_TLSV1_METHOD. Possible values are:

 

Value

Meaning

 

TYPE_SSLV2_METHOD

Use Secure Sockets Layer (SSL) Version 2. Avoid using SSL Version 2 because this version is known to have security flaws.

 

TYPE_SSLV3_METHOD

Use SSL Version 3.

 

TYPE_TLSV1_METHOD

Use Transport Layer Security (TLS) Version 1.

 

TYPE_SSLV23_METHOD

Use a compatible security verification mode. This mode can handle any of the three modes (TYPE_SSLV2_METHOD, TYPE_SSLV3_METHOD, TYPE_TLSV1_METHOD)

pszCAfile

Pointer to the name of a file containing Certification Authorities (CA) certificates in Privacy Enhanced Mail (PEM) format. More than one CA certificate may be present in the file. The default value is no file.

uVerifyMode

Flags that identify the verification mode to be used. Flags may be combined using a bitwise OR (|). The default value is L_SSL_VERIFY_NONE. Possible values are:

 

Value

Meaning

 

L_SSL_VERIFY_NONE

[0x00] Server Mode: no request for a certificate is sent to the client, and the client should not send a certificate.

 

 

Client Mode: If the server sends a certificate, it will be verified, but failure will not terminate communication. This flag should not be used in conjunction with any other flag.

 

L_SSL_VERIFY_PEER

[0x01] Server mode: a request for a certificate is send to the client. The client can ignore the request, but if the client does send a certificate, it will be verified. If verification fails, communication is terminated.

 

 

Client mode: if the server sends a certificate, it is verified. If verification fails, communication is terminated.

 

L_SSL_VERIFY_FAIL_IF_NO_PEER_CERT

[0x02] Server Mode: If the client does not send a certificate, or if a certificate is sent that fails verification, then communication is terminated. This flag must be combined with L_SSL_VERIFY_PEER.

 

 

Client mode: This flag is ignored.

 

L_SSL_VERIFY_CLIENT_ONCE

[0x04] Server Mode: During initial negotiation a certificate is requested from the client. During renegotiation, no certificates are requested. This flag must be used with L_SSL_VERIFY_PEER.

 

 

Client Mode: This flag is ignored.

nVerifyDepth

Sets the maximum depth of the certificate chain to be verified. The default value is 9.

nOptions

Flags that identify additional restrictions to the verification mode (uVerifyMode), used when the uVerifyMode is TYPE_SSLV23_METHOD. The default value is (L_SSL_OP_NO_SSLv3 | L_SSL_OP_NO_SSLv2 | L_SSL_OP_ALL). Flags may be combined using a bitwise OR (|). Possible values are:

 

Value

Meaning

 

L_SSL_OP_NO_SSLv2

[0x01000000L] Ignore SSL Version 2 protocol.

 

L_SSL_OP_NO_SSLv3

[0x02000000L] Ignore the SSL Version 3 protocol.

 

L_SSL_OP_NO_TLSv1

[0x04000000L] Ignore the TLS Version 1 protocol.

 

L_SSL_OP_ALL

[0x000FFFFFL] Implement all known SSL bug workarounds so that communication with peers with such SSL bugs can be established.

nSuccess

After using L_SSL_CTX_CREATE to set security options, this member will return any errors. If all options were set successfully, this will contain DICOM_SUCCESS. For information on errors, refer to Return Codes

nReserved1

Reserved for future use. Pass 0.

nReserved2

Reserved for future use. Pass 0.

Comments

Use this structure with LDicomNet::Initialize to change the security options from the defaults.

This toolkit uses SSL (Secure Socket Layer) and TLS (Transport Layer Security) to implement security. Developed by Netscape, the Secure Socket Layer (SSL) protocol is designed to ensure the security of data being communicated between two points over a network, and uses TCP as the communication layer. SSL provides a way for the client and server to authenticate each other, ensures the integrity of the data during a session, and ensures that the data remains private between the client and the server. The Transport Layer Security (TLS) protocol is based on the SSL protocol.

Please note that a full discussion of SSL and TLS is beyond the scope of this help topic.