```c
typedef struct tagSSL_CTX_CREATE
{
    L_UINT    uStructSize;     /* sizeof(L_SSL_CTX_CREATE), for versioning */
    L_UINT32  uFlags;          /* FLAG_SSL_CTX_CREATE_* bits marking which members are valid */
    L_INT     nMethodTypeSSL;  /* TYPE_*_METHOD: SSL/TLS method to use */
    L_TCHAR * pszCAfile;       /* path of a PEM file holding CA certificates */
    L_UINT    uVerifyMode;     /* L_SSL_VERIFY_* bits */
    L_INT     nVerifyDepth;    /* maximum certificate chain depth */
    L_INT     nOptions;        /* L_SSL_OP_* bits */
    L_INT     nSuccess;        /* output: DICOM_SUCCESS or an error code */
    L_INT     nReserved1;      /* reserved, pass 0 */
    L_INT     nReserved2;      /* reserved, pass 0 */
} L_SSL_CTX_CREATE, * pL_SSL_CTX_CREATE;
```
The L_SSL_CTX_CREATE structure provides security information for the LDicomNet::LDicomNet(pszpath,nmode,breserved) constructor.
Member | Description
--- | ---
uStructSize | Size of this structure in bytes, for versioning. Use the sizeof() macro to calculate this value.
uFlags | Flags that identify the valid fields of the L_SSL_CTX_CREATE structure. Flags may be combined using a bitwise OR (\|). Possible values are listed in the uFlags table below.
nMethodTypeSSL | Value that identifies which SSL method type is to be used for security verification. This member must be filled. Only one value can be used. The default value is TYPE_TLSV1_METHOD. Possible values are listed in the nMethodTypeSSL table below.
pszCAfile | Pointer to the name of a file containing Certification Authorities (CA) certificates in Privacy Enhanced Mail (PEM) format. More than one CA certificate may be present in the file. The default value is no file.
uVerifyMode | Flags that identify the verification mode to be used. Flags may be combined using a bitwise OR (\|). The default value is L_SSL_VERIFY_NONE. Possible values are listed in the uVerifyMode table below.
nVerifyDepth | Sets the maximum depth of the certificate chain to be verified. The default value is 9.
nOptions | Flags that identify additional restrictions on protocol negotiation, used when nMethodTypeSSL is TYPE_SSLV23_METHOD. The default value is (L_SSL_OP_NO_SSLv3 \| L_SSL_OP_NO_SSLv2 \| L_SSL_OP_ALL). Flags may be combined using a bitwise OR (\|). Possible values are listed in the nOptions table below.
nSuccess | After using L_SSL_CTX_CREATE to set security options, this member will return any errors. If all options were set successfully, this will contain DICOM_SUCCESS. For information on errors, refer to Return Codes.
nReserved1 | Reserved for future use. Pass 0.
nReserved2 | Reserved for future use. Pass 0.

Possible values for uFlags:

Value | Meaning
--- | ---
FLAG_SSL_CTX_CREATE_METHOD_TYPE | [0x001] The nMethodTypeSSL member is valid.
FLAG_SSL_CTX_CREATE_VERIFY_DEPTH | [0x002] The nVerifyDepth member is valid.
FLAG_SSL_CTX_CREATE_VERIFY_MODE | [0x004] The uVerifyMode member is valid.
FLAG_SSL_CTX_CREATE_CAFILE | [0x008] The pszCAfile member is valid.
FLAG_SSL_CTX_CREATE_OPTIONS | [0x010] The nOptions member is valid.
FLAG_SSL_CTX_CREATE_ALL | [0x01F] All members are valid.

Possible values for nMethodTypeSSL:

Value | Meaning
--- | ---
TYPE_SSLV2_METHOD | Use Secure Sockets Layer (SSL) Version 2. Avoid using SSL Version 2 because this version is known to have security flaws.
TYPE_SSLV3_METHOD | Use SSL Version 3.
TYPE_TLSV1_METHOD | Use Transport Layer Security (TLS) Version 1.
TYPE_SSLV23_METHOD | Use a compatible security verification mode. This mode can handle any of the three modes (TYPE_SSLV2_METHOD, TYPE_SSLV3_METHOD, TYPE_TLSV1_METHOD).

Possible values for uVerifyMode:

Value | Meaning
--- | ---
L_SSL_VERIFY_NONE | [0x00] Server mode: no request for a certificate is sent to the client, and the client should not send a certificate. Client mode: if the server sends a certificate, it will be verified, but failure will not terminate communication. This flag should not be used in conjunction with any other flag.
L_SSL_VERIFY_PEER | [0x01] Server mode: a request for a certificate is sent to the client. The client can ignore the request, but if the client does send a certificate, it will be verified. If verification fails, communication is terminated. Client mode: if the server sends a certificate, it is verified. If verification fails, communication is terminated.
L_SSL_VERIFY_FAIL_IF_NO_PEER_CERT | [0x02] Server mode: if the client does not send a certificate, or if a certificate is sent that fails verification, then communication is terminated. This flag must be combined with L_SSL_VERIFY_PEER. Client mode: this flag is ignored.
L_SSL_VERIFY_CLIENT_ONCE | [0x04] Server mode: during initial negotiation a certificate is requested from the client. During renegotiation, no certificates are requested. This flag must be used with L_SSL_VERIFY_PEER. Client mode: this flag is ignored.

Possible values for nOptions:

Value | Meaning
--- | ---
L_SSL_OP_NO_SSLv2 | [0x01000000L] Ignore the SSL Version 2 protocol.
L_SSL_OP_NO_SSLv3 | [0x02000000L] Ignore the SSL Version 3 protocol.
L_SSL_OP_NO_TLSv1 | [0x04000000L] Ignore the TLS Version 1 protocol.
L_SSL_OP_ALL | [0x000FFFFFL] Implement all known SSL bug workarounds so that communication with peers with such SSL bugs can be established.
Use this structure with LDicomNet::Initialize to change the security options from the defaults.
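The following is an added example, not LEADTOOLS code, showing how a caller fills L_SSL_CTX_CREATE with a strict server-side configuration (TLS Version 1 only, a CA file, mutual authentication required, SSL Version 2 and 3 disabled) and lints the structure for weak or inconsistent settings before handing it to LDicomNet::Initialize. The L_UINT, L_UINT32, L_INT and L_TCHAR typedefs, the numeric TYPE_*_METHOD enum values and DICOM_SUCCESS are placeholders so that the file compiles stand-alone; the FLAG_*, L_SSL_VERIFY_* and L_SSL_OP_* values are the ones documented above. The helper names ssl_ctx_create_strict, ssl_ctx_create_lint and the SSL_CFG_* codes are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Placeholder typedefs and values: the library's own headers define these. */
typedef unsigned int L_UINT;
typedef unsigned int L_UINT32;
typedef int          L_INT;
typedef char         L_TCHAR;
#define DICOM_SUCCESS 0

/* Values documented for this structure. */
#define FLAG_SSL_CTX_CREATE_METHOD_TYPE  0x001
#define FLAG_SSL_CTX_CREATE_VERIFY_DEPTH 0x002
#define FLAG_SSL_CTX_CREATE_VERIFY_MODE  0x004
#define FLAG_SSL_CTX_CREATE_CAFILE       0x008
#define FLAG_SSL_CTX_CREATE_OPTIONS      0x010
#define FLAG_SSL_CTX_CREATE_ALL          0x01F

#define L_SSL_VERIFY_NONE                 0x00
#define L_SSL_VERIFY_PEER                 0x01
#define L_SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
#define L_SSL_VERIFY_CLIENT_ONCE          0x04

#define L_SSL_OP_NO_SSLv2 0x01000000L
#define L_SSL_OP_NO_SSLv3 0x02000000L
#define L_SSL_OP_NO_TLSv1 0x04000000L
#define L_SSL_OP_ALL      0x000FFFFFL

/* Method identifiers: placeholder numbers, only the names are from the documentation. */
enum { TYPE_SSLV2_METHOD = 1, TYPE_SSLV3_METHOD, TYPE_TLSV1_METHOD, TYPE_SSLV23_METHOD };

typedef struct tagSSL_CTX_CREATE {
    L_UINT uStructSize; L_UINT32 uFlags; L_INT nMethodTypeSSL; L_TCHAR *pszCAfile;
    L_UINT uVerifyMode; L_INT nVerifyDepth; L_INT nOptions; L_INT nSuccess;
    L_INT nReserved1; L_INT nReserved2;
} L_SSL_CTX_CREATE, *pL_SSL_CTX_CREATE;

/* Fill the structure for a server that requires a verified client certificate. */
void ssl_ctx_create_strict(pL_SSL_CTX_CREATE p, L_TCHAR *pszCAfile)
{
    memset(p, 0, sizeof(*p));
    p->uStructSize    = sizeof(L_SSL_CTX_CREATE);
    p->uFlags         = FLAG_SSL_CTX_CREATE_ALL;        /* every member below is meaningful */
    p->nMethodTypeSSL = TYPE_TLSV1_METHOD;              /* never SSLv2 */
    p->pszCAfile      = pszCAfile;                      /* PEM bundle used to verify the peer */
    p->uVerifyMode    = L_SSL_VERIFY_PEER | L_SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
    p->nVerifyDepth   = 9;                              /* documented default */
    p->nOptions       = L_SSL_OP_NO_SSLv2 | L_SSL_OP_NO_SSLv3 | L_SSL_OP_ALL;
    p->nReserved1 = 0;
    p->nReserved2 = 0;
}

/* Problem codes returned by ssl_ctx_create_lint as a bitmask (0 = clean). */
enum {
    SSL_CFG_BAD_SIZE        = 1 << 0, /* uStructSize is not sizeof(L_SSL_CTX_CREATE) */
    SSL_CFG_SSLV2_SELECTED  = 1 << 1, /* nMethodTypeSSL is TYPE_SSLV2_METHOD */
    SSL_CFG_SSLV2_ALLOWED   = 1 << 2, /* SSLv23 method without L_SSL_OP_NO_SSLv2 */
    SSL_CFG_NO_PEER_VERIFY  = 1 << 3, /* effective verify mode is L_SSL_VERIFY_NONE */
    SSL_CFG_FLAG_NEEDS_PEER = 1 << 4, /* FAIL_IF_NO_PEER_CERT/CLIENT_ONCE without VERIFY_PEER */
    SSL_CFG_CAFILE_MISSING  = 1 << 5, /* peers are verified but no CA file is given */
    SSL_CFG_FLAG_MISMATCH   = 1 << 6  /* pszCAfile set but FLAG_SSL_CTX_CREATE_CAFILE not set */
};

/* Check a filled structure, honouring the documented defaults for members
 * whose FLAG_ bit is clear (TLSv1 method, VERIFY_NONE, NO_SSLv2|NO_SSLv3|ALL). */
unsigned ssl_ctx_create_lint(const L_SSL_CTX_CREATE *p)
{
    unsigned issues = 0;
    int method_valid = (p->uFlags & FLAG_SSL_CTX_CREATE_METHOD_TYPE) != 0;
    int method = method_valid ? p->nMethodTypeSSL : TYPE_TLSV1_METHOD;
    long opts = (p->uFlags & FLAG_SSL_CTX_CREATE_OPTIONS)
                ? (long)p->nOptions : (L_SSL_OP_NO_SSLv3 | L_SSL_OP_NO_SSLv2 | L_SSL_OP_ALL);
    unsigned mode = (p->uFlags & FLAG_SSL_CTX_CREATE_VERIFY_MODE) ? p->uVerifyMode : L_SSL_VERIFY_NONE;
    int cafile_given = (p->uFlags & FLAG_SSL_CTX_CREATE_CAFILE) && p->pszCAfile && p->pszCAfile[0];

    if (p->uStructSize != sizeof(L_SSL_CTX_CREATE))            issues |= SSL_CFG_BAD_SIZE;
    if (method == TYPE_SSLV2_METHOD)                            issues |= SSL_CFG_SSLV2_SELECTED;
    if (method == TYPE_SSLV23_METHOD && !(opts & L_SSL_OP_NO_SSLv2)) issues |= SSL_CFG_SSLV2_ALLOWED;
    if (mode == L_SSL_VERIFY_NONE)                              issues |= SSL_CFG_NO_PEER_VERIFY;
    if ((mode & (L_SSL_VERIFY_FAIL_IF_NO_PEER_CERT | L_SSL_VERIFY_CLIENT_ONCE))
        && !(mode & L_SSL_VERIFY_PEER))                         issues |= SSL_CFG_FLAG_NEEDS_PEER;
    if ((mode & L_SSL_VERIFY_PEER) && !cafile_given)            issues |= SSL_CFG_CAFILE_MISSING;
    if (p->pszCAfile && !(p->uFlags & FLAG_SSL_CTX_CREATE_CAFILE)) issues |= SSL_CFG_FLAG_MISMATCH;
    return issues;
}

int main(void)
{
    L_TCHAR ca[] = "ca-bundle.pem";      /* constructed path; any PEM bundle would do */
    L_SSL_CTX_CREATE cfg;
    ssl_ctx_create_strict(&cfg, ca);
    printf("lint mask for strict config: 0x%x\n", ssl_ctx_create_lint(&cfg));
    /* A real caller now passes &cfg to LDicomNet::Initialize and checks cfg.nSuccess. */
    return 0;
}
```

The lint deliberately resolves each member to its documented default when its FLAG_ bit is clear, so a structure initialised with uFlags = 0 is reported as unverified (L_SSL_VERIFY_NONE) rather than as clean; after Initialize returns, nSuccess is still the only authoritative result.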
This toolkit uses SSL (Secure Sockets Layer) and TLS (Transport Layer Security) to implement security. Developed by Netscape, the Secure Sockets Layer (SSL) protocol is designed to ensure the security of data being communicated between two points over a network, and uses TCP as the communication layer. SSL provides a way for the client and server to authenticate each other, ensures the integrity of the data during a session, and ensures that the data remains private between the client and the server. The Transport Layer Security (TLS) protocol is based on the SSL protocol.
Please note that a full discussion of SSL and TLS is beyond the scope of this help topic.