DICOM PS3.15 2020c - Security and System Management Profiles

B.9 BCP 195 TLS Secure Transport Connection Profile

An implementation that supports the [BCP 195] TLS Profile shall utilize the framework and negotiation mechanism specified by the Transport Layer Security protocol. It shall comply with [BCP 195] from the IETF.

Note

  1. [BCP 195] is currently also published as [RFC 7525]. Both provide suggestions for proper use of TLS 1.2 and allow appropriate fallback rules.

  2. Existing implementations that are compliant with the DICOM AES TLS Secure Connection Profile are able to interoperate with this profile. This profile adds significant recommendations by the IETF, but does not make them mandatory. This is the IETF recommendation for upgrading an installed base.

  3. A device may support multiple different TLS profiles. DICOM does not specify how such devices are configured in the field or how different TLS profile-related rules are specified. The site will determine what configuration is appropriate.

  4. The DICOM profiles for TLS describe the capabilities of a product. Product configuration may permit selection of a particular profile and/or additional negotiation rules. The specific ciphersuite used is negotiated by the TLS implementation based on these rules.

TCP ports on which an implementation accepts TLS connections, or the mechanism by which these port numbers are selected or configured, shall be stated in the Conformance Statement. The TCP ports on which an implementation accepts TLS connections for DICOMweb shall be different from those on which an implementation accepts TLS connections for DIMSE. The HTTP/HTTPS connection for DICOMweb can be shared with other HTTP/HTTPS traffic.

Note

It is recommended that systems supporting the BCP 195 TLS Profile use the registered port number "2762 dicom-tls" for the DICOM Upper Layer Protocol on TLS.

The Conformance Statement shall indicate what mechanisms the implementation supports for Key Management. When an integrity check fails, the connection shall be dropped per the TLS protocol, causing both the sender and the receiver to issue an A-P-ABORT indication to the upper layers with an implementation-specific provider reason. The provider reason used shall be documented in the Conformance Statement.

Note

Implementers should take care to manage the risks of downgrading to less secure obsolescent protocols or cleartext protocols. See [BCP 195], Section 5.2 "Opportunistic Security".

DICOM PS3.15 2020c - Security and System Management Profiles