Open jonasar opened 2 years ago
Hello, I encounter the same problem (see logs below) in my project https://github.com/cailloumajor/opcua-proxy. The connection is made to an IBH Link UA OPC-UA server, which is very similar to Siemens SIMATIC NET v8.2 OPC-UA server. I would be happy to help further.
Hello @jonasar, hello @cailloumajor, I would like to fix this issue. Is it still relevant for you? Are you sure that the reason for this error is that the security token is not accepted if it's expired but within the 25% duration of the secure channel lifetime?
Hello @BogdanYarotsky, unfortunately I'm not actively using this library anymore, so I fear I won't be able to help.
Hi @BogdanYarotsky,
I am not actively using this library any more either.
Best regards, Jonas
On Sat, 17 Aug 2024 at 09:00, Arnaud Rocher wrote:
> Hello @jonasar, hello @cailloumajor, I would like to fix this issue. Is it still relevant for you? Are you sure that the reason for this error is that the security token is not accepted if it's expired but within the 25% duration of the secure channel lifetime?
>
> Hello @BogdanYarotsky, unfortunately I'm not actively using this library anymore, so I fear I won't be able to help.
I am running version 0.8.1 of the opcua client. Using security policy Basic256Sha256 and message security mode SignAndEncrypt.
When the secure channel token is renewed, approximately every 3rd time, the opcua client does not accept the response from the server, claiming that the data signature is invalid.
Error "Signature invalid" is logged by function symmetric_verify_signature() in security_policy.rs (crypto/src/security_policy.rs).
This in turn leads to the connection being lost.
I am guessing that the opcua client switches to the new verification key immediately, although the OPC UA standard states that it shall accept messages secured by an expired security token for up to 25 % of the secure channel lifetime. (see https://reference.opcfoundation.org/v104/Core/docs/Part4/5.5.2/)
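
An added example, not code from this thread or from the opcua crate: one way for a receiver to honour the overlap rule cited in the report is to choose verification keys by the token id carried in each message's symmetric security header instead of always using the newest token, and to retire a token only once its lifetime plus 25 % has passed. `TokenKeys`, `ChannelTokens`, the millisecond clock and the use of the token's own lifetime as the base for the 25 % are assumptions made for this sketch.

```rust
// Added illustration; TokenKeys and ChannelTokens are hypothetical names,
// not types from the opcua crate. Times are milliseconds on one clock.
use std::collections::HashMap;

pub struct TokenKeys {
    pub verify_key: Vec<u8>, // stands in for the derived signing key
    pub created_ms: u64,
    pub lifetime_ms: u64,
}

impl TokenKeys {
    /// Last instant at which messages under this token are still accepted:
    /// expiry plus 25 % of the lifetime.
    pub fn accept_until_ms(&self) -> u64 {
        self.created_ms + self.lifetime_ms + self.lifetime_ms / 4
    }
}

#[derive(Default)]
pub struct ChannelTokens {
    tokens: HashMap<u32, TokenKeys>,
}

impl ChannelTokens {
    /// On renewal, add the new token and keep the previous one.
    pub fn install(&mut self, token_id: u32, keys: TokenKeys) {
        self.tokens.insert(token_id, keys);
    }

    /// Select keys by the token id in the message header. Tokens past their
    /// grace window are dropped first, so old keys do not verify forever.
    pub fn keys_for(&mut self, token_id: u32, now_ms: u64) -> Option<&TokenKeys> {
        self.tokens.retain(|_, k| now_ms <= k.accept_until_ms());
        self.tokens.get(&token_id)
    }
}

fn main() {
    // Constructed scenario: 60 s tokens, renewal at 75 % of the lifetime.
    let mut ch = ChannelTokens::default();
    ch.install(1, TokenKeys { verify_key: vec![0xA1], created_ms: 0, lifetime_ms: 60_000 });
    ch.install(2, TokenKeys { verify_key: vec![0xB2], created_ms: 45_000, lifetime_ms: 60_000 });
    for now in [50_000u64, 70_000, 76_000] {
        println!("t={} token1={} token2={}", now,
            ch.keys_for(1, now).is_some(), ch.keys_for(2, now).is_some());
    }
}
```

In the constructed scenario, a message signed under token 1 still verifies at 70 s, after the renewal and after the token's nominal expiry, and is rejected once the grace window closes at 75 s.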