
Stunnel DICOM-TLS Termination Guide


When a medical modality or a DICOM software client connects to a PACS server, communication begins between the systems. Typically, this communication is unsecured, meaning any third party could potentially see what data is being exchanged. The Butterfly Cloud DICOM Connector creates a secure, encrypted connection between Butterfly Cloud and your facility’s DICOM endpoints. This enables secure transmission of ultrasound studies captured with Butterfly iQ, via Butterfly Cloud, to a DICOM PACS, VNA or other medical image archive.

The Butterfly Cloud DICOM Connector utilizes DICOM-TLS (Transport Layer Security, v 1.2) to facilitate point-to-point encrypted communication without the drawbacks and setup challenges associated with a VPN tunnel.

Since many PACS solutions do not inherently support the encryption/decryption of DICOM-TLS, we leverage either a network device such as a Citrix ADC (Netscaler), F5 Networks Big-IP, or software like Stunnel to terminate (decrypt/encrypt) the TLS encrypted network traffic.

Stunnel is a proxy designed to add TLS encryption/decryption functionality to existing clients and servers without any changes in the original programs' code.

Stunnel is free software authored by Michał Trojnara and distributed under GNU GPL version 2 or later with OpenSSL exception. Additionally, commercial technical support for Stunnel and non-GPL licenses are offered for a fee directly from Stunnel.

Figure 1. DICOM-TLS Termination Using Stunnel Software




  1. Ensure that you have access to Butterfly Cloud (cloud.butterflynetwork.com) as an Administrator so that you can configure the PACS connection. The PACS configuration screen will provide you with the digital certificate-key pair that will be used with Stunnel.

  2. Ability to install software on a Microsoft Windows (64 bit) OS - typically Microsoft Windows Server. The system will have to remain in operation continually to run the Stunnel software and proxy the TLS connection from Butterfly Cloud.

  3. Download the latest Stunnel Win-64 installer and copy to the server. Visit https://www.stunnel.org/downloads.html to download the latest version.

  4. On your firewall - NAT or port forward the port that you wish to receive the encrypted DICOM-TLS data from Butterfly Cloud to the server that has Stunnel installed.


Set Up Connection from Butterfly Cloud and Download Digital Certificate

  1. Log in to Butterfly Cloud using your Browser - ensure that your user role in Butterfly Cloud is that of Administrator.

  2. Navigate to the DICOM Configuration menu. Click your username in the upper right of the window and select Organization Settings.

  3. Select the Connectivity tab and click the ‘+ Add’ option next to Connections to create a new TLS end-point that will be used with your DICOM integration.

  4. Proceed to enter all of the necessary DICOM connection parameters.

    1. Name = Friendly name for the Connection.

    2. In the 'Security' section - set TLS to 'Active' and select the 'Generate' option.

    3. Select the PEM download format, and click 'Download'. Ensure that you receive 2 files: Butterfly_SCP_Cert.pem and Butterfly_SCP_key.pem

      1. The 2 files will be used in a later step; during the configuration of your TLS termination.

    4. In the 'SCP' section - Enter the Host information, DNS name or IP of your TLS end-point.

      1. Please note that the IP address must be a public IP that can be accessible from Butterfly Cloud to your network. This will typically be the IP address of your network firewall, router, or TLS termination device. Non-routable/private IP addresses are not valid.

  5. Click Save, then click on the Connectivity tab to create the DICOM Integration.


Configure the DICOM Integration and Associate the TLS Connection

  1. After clicking on the Connectivity tab, click the ‘+ Add’ option next to Integrations and select PACS/VNA.

  2. Give your PACS/VNA a friendly Name, and select to associate it with the TLS Connection created in "Set Up Connection from Butterfly Cloud and Download Digital Certificate".

  3. Proceed to enter all of the necessary DICOM integration parameters.

    1. SCU - Calling AET = The source AE Title of Butterfly Cloud (typically ‘BUTTERFLY’).

    2. SCP - AET = the AE Title of your DICOM destination.

    3. Enter a Port that you will need to forward from your firewall or router to the computer hosting the Stunnel software.

      1. Port 2761/TCP is typically used for DICOM-TLS.

      2. Port 2762/TCP may be used in addition if DICOM Modality Worklist will be used.

    4. Please note that the port that is entered here is the public-facing port that is exposed by your TLS termination point.

  4. Set the Compression level of the DICOM Images and Cine Loop as required or preferred. The settings above are typical. Select ‘Save Configuration’ to complete the setup.


Install Stunnel

  1. Install the application with default options to path C:\stunnel

  2. Copy both PEM files from the previous step to the C:\stunnel\config directory.

  3. When complete, you should have the Cert and Key file (Butterfly_SCP_Cert.pem and Butterfly_SCP_Key.pem) in the C:\stunnel\config directory.


Edit the Stunnel Config file

  1. Open the C:\stunnel\config\stunnel.conf file with a text editor.

  2. Copy the below text into the file, directly below this line:

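    ;********************************* Example TLS server mode services
    ; Service name; it appears in the Stunnel log as "Binding service [DICOM 1]"
    [DICOM 1]
    sslVersion = TLSv1.2
    ; Port that receives the encrypted traffic forwarded by your firewall
    accept = 2761
    ; Destination PACS as IP:port (left blank here; enter your own value)
    connect =
    cert = Butterfly_SCP_Cert.pem
    key = Butterfly_SCP_Key.pem

  3. The “accept” port will receive the traffic from your firewall. Edit this value as needed.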

  4. The “connect” IP/port will be the destination (PACS) to which the decrypted DICOM data will be forwarded from Stunnel. Edit this value as needed.

  5. The “cert” should reference the name of the Cert file and the “key” should reference the name of the Key file located in the C:\stunnel\config directory.

  6. (OPTIONAL) - If Butterfly will be connecting to a second PACS or a Modality worklist - make a second copy of the above configuration block with a new name (e.g. [DICOM DMWL]) and adjust connection values as needed. You may need to NAT or forward a second port from your firewall as well.
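
A pre-flight check for the edited stunnel.conf, added here as an example (it is not Butterfly's or Stunnel's own tooling). It flags a service block pasted without its [name] header, a blank or missing accept/connect/cert/key, a service that does not set sslVersion = TLSv1.2, and a second service that reuses an accept port. The sample configuration and the 192.0.2.10:104 PACS address are constructed placeholders.

```python
# Constructed sample: the guide's block as [DICOM 1] (192.0.2.10:104 is a
# placeholder PACS address) plus a hand-copied second service with mistakes.
SAMPLE_CONF = """\
[DICOM 1]
sslVersion = TLSv1.2
accept = 2761
connect = 192.0.2.10:104
cert = Butterfly_SCP_Cert.pem
key = Butterfly_SCP_Key.pem
[DICOM DMWL]
accept = 2761
connect =
cert = Butterfly_SCP_Cert.pem
key = Butterfly_SCP_Key.pem
"""

def parse_conf(text):
    """Split stunnel.conf text into (global options, {service: options})."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else current
        target[key.strip()] = value.strip()
    return global_opts, services

def lint(text):
    """Return findings for the options this guide's service block depends on."""
    global_opts, services = parse_conf(text)
    findings, ports = [], {}
    if not services:
        findings.append("no [service] section: accept/connect need a named block")
    for name, opts in services.items():
        merged = {**global_opts, **opts}         # service values override globals
        for opt in ("accept", "connect", "cert", "key"):
            if not merged.get(opt):
                findings.append(f"{name}: '{opt}' is missing or empty")
        if merged.get("sslVersion") != "TLSv1.2":
            findings.append(f"{name}: sslVersion is not TLSv1.2")
        port = merged.get("accept", "").rsplit(":", 1)[-1]
        if port and port in ports:
            findings.append(f"{name}: accept port {port} already used by [{ports[port]}]")
        ports.setdefault(port, name)
    return findings
```

Run lint() on the contents of C:\stunnel\config\stunnel.conf before starting Stunnel; an empty list means every service block has the values the steps above call for.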


If there is a host-based Firewall (Windows Defender, McAfee, etc.) active on the server, ensure that you make an Inbound exception for the ports that Stunnel is listening on.


Test Stunnel

  1. Run the “stunnel AllUsers” shortcut located on the desktop.

  2. There should be no Error messages in the log window. See example below:

    2019.06.07 15:16:10 LOG6[main]: Loading certificate from file: SCP_Cert.pem
    2019.06.07 15:16:10 LOG6[main]: Certificate loaded from file: SCP_Cert.pem
    2019.06.07 15:16:10 LOG6[main]: Loading private key from file: SCP_key.pem
    2019.06.07 15:16:10 LOG6[main]: Private key loaded from file: SCP_key.pem
    2019.06.07 15:16:10 LOG7[main]: Private key check succeeded
    2019.06.07 15:16:10 LOG6[main]: DH initialization not needed
    2019.06.07 15:16:10 LOG7[main]: ECDH initialization
    2019.06.07 15:16:10 LOG7[main]: ECDH initialized with curves X25519:P-256:X448:P-521:P-384
    2019.06.07 15:16:10 LOG5[main]: Configuration successful
    2019.06.07 15:16:10 LOG7[main]: Deallocating section defaults
    2019.06.07 15:16:10 LOG7[main]: Binding service [DICOM 1]
    2019.06.07 15:16:10 LOG7[main]: Listening file descriptor created (FD=900)
    2019.06.07 15:16:10 LOG7[main]: Setting accept socket options (FD=900)
    2019.06.07 15:16:10 LOG7[main]: Option SO_EXCLUSIVEADDRUSE set on accept socket
    2019.06.07 15:16:10 LOG6[main]: Service [DICOM 1] (FD=900) bound to

  3. Close Stunnel.


Install Stunnel as a Windows Service

  1. From the Windows Start Menu - run the “Stunnel Service Install” shortcut.

  2. This will install Stunnel so that it runs continually as a Windows service.

  3. Start the stunnel service and test the connection from Butterfly Cloud using the steps below.


  • If your PACS/VNA is not operating in promiscuous mode, then you will need to add the Butterfly Cloud AE title as an approved DICOM source.

  • Please be aware that the PACS will see the IP of the server hosting Stunnel as the source of DICOM data from Butterfly Cloud.


Verify the Connection from Butterfly Cloud

  1. Switch back to Butterfly Cloud in the Browser.

  2. Navigate to the integrations menu. Click your username in the upper right of the window and select Organization Settings.

  3. Select the Connectivity tab and click the ‘...’ next to the newly created DICOM integration. Select the Echo option to perform a DICOM C-ECHO from Butterfly Cloud.

  4. Click Echo, then click on ‘Echo’ again in the upper right of the pop-up menu. This triggers a new DICOM C-ECHO; please verify the output is similar to below.

  5. Congratulations - you have set up an encrypted DICOM-TLS connection to your DICOM destination.


(Optional) - Automatic Forwarding to DICOM Storage

  1. To automatically send any studies saved to a Butterfly Cloud folder to your DICOM end-point, you can associate it with an Archive.

  2. Select the Archive folder that you would like to associate with the DICOM connection. Select Archive Settings.

  3. Choose the DICOM Storage location to associate with the Archive folder.

  4. Now any study saved to this folder (using the Butterfly iQ App) will automatically forward to the chosen DICOM destination.
