Open growgreat77 opened 1 year ago
And I can indeed log in anonymously using the Softing OPC client without any encryption certificates. https://industrial.softing.com/products/opc-ua-and-opc-classic-sdks/opc-ua-demo-client.ht
Encryption and AccessControl are different things. The Encryption setup and the certificates take care of the encryption of the connection; AccessControl controls what the user can do with an established connection (encrypted or unencrypted).
AccessControl is realized as a plug-in that you have to set up yourself to reflect the internal user/permission management of your application. Take a look at the examples/access_control folder to get an idea.
As for the unencrypted connection, you are using UA_ServerConfig_setDefaultWithSecurityPolicies(), which includes the None security policy which allows connections without encryption. If you want to prevent that, you have to add the desired security policies manually with the UA_ServerConfig_addSecurityPolicy*() functions instead.
Edit: Note that instead of excluding the None policy completely, you might want to restrict it for discovery only, by setting config->securityPolicyNoneDiscoveryOnly = true;.
Thank you for helping me. My main goal is to only allow connections with encryption, so I modified the code. My updated code is:
UA_StatusCode retval = UA_ServerConfig_addSecurityPolicyBasic256Sha256(config, &certificate, &privateKey);
if(retval != UA_STATUSCODE_GOOD) {
    UA_LOG_WARNING(&config->logger, UA_LOGCATEGORY_USERLAND,
                   "Could not add SecurityPolicy#Basic256Sha256 with error code %s",
                   UA_StatusCode_name(retval));
}
but the prompt still says there is no encrypting SecurityPolicy:
Username/Password Authentication configured, but no encrypting SecurityPolicy. This can leak credentials on the network.
Furthermore, I can still connect to this server without any encryption, or anonymously, using this client: https://industrial.softing.com/products/opc-ua-and-opc-classic-sdks/opc-ua-demo-client.ht.
Do you still have the UA_ServerConfig_setDefaultWithSecurityPolicies() call? Because that log line comes from UA_AccessControl_default(), which is called from there, and I don't see you doing it explicitly. This would also explain the unencrypted connection.
I added the desired security policies manually with the UA_ServerConfig_addSecurityPolicy*() functions instead of UA_ServerConfig_setDefaultWithSecurityPolicies():
/* This work is licensed under a Creative Commons CCZero 1.0 Universal License.
 * See http://creativecommons.org/publicdomain/zero/1.0/ for more information.
 *
 * Copyright 2019 (c) Kalycito Infotech Private Limited
 * Copyright 2021 (c) Christian von Arnim, ISW University of Stuttgart (for VDW and umati)
 *
 */

#include <open62541/client_highlevel.h>
#include <open62541/plugin/log_stdout.h>
#include <open62541/plugin/create_certificate.h>
#include <open62541/plugin/securitypolicy.h>
#include <open62541/server.h>
#include <open62541/server_config_default.h>

#include <signal.h>
#include <stdlib.h>

#include "common.h"

UA_Boolean running = true;

static void stopHandler(int sig) {
    UA_LOG_INFO(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND, "received ctrl-c");
    running = false;
}

int main(int argc, char* argv[]) {
    signal(SIGINT, stopHandler);
    signal(SIGTERM, stopHandler);

    UA_ByteString certificate = UA_BYTESTRING_NULL;
    UA_ByteString privateKey = UA_BYTESTRING_NULL;
    if(argc >= 3) {
        /* Load certificate and private key */
        certificate = loadFile(argv[1]);
        privateKey = loadFile(argv[2]);
    } else {
        UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
                     "Missing arguments. Arguments are "
                     "<server-certificate.der> <private-key.der> "
                     "[<trustlist1.crl>, ...]");
#if defined(UA_ENABLE_ENCRYPTION_OPENSSL) || defined(UA_ENABLE_ENCRYPTION_LIBRESSL)
        UA_LOG_INFO(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
                    "Trying to create a certificate.");
        UA_String subject[3] = {UA_STRING_STATIC("C=DE"),
                                UA_STRING_STATIC("O=SampleOrganization"),
                                UA_STRING_STATIC("CN=Open62541Server@localhost")};
        UA_UInt32 lenSubject = 3;
        UA_String subjectAltName[2]= {
            UA_STRING_STATIC("DNS:localhost"),
            UA_STRING_STATIC("URI:urn:open62541.server.application")
        };
        UA_UInt32 lenSubjectAltName = 2;
        UA_StatusCode statusCertGen =
            UA_CreateCertificate(UA_Log_Stdout,
                                 subject, lenSubject,
                                 subjectAltName, lenSubjectAltName,
                                 0, UA_CERTIFICATEFORMAT_DER,
                                 &privateKey, &certificate);

        if(statusCertGen != UA_STATUSCODE_GOOD) {
            UA_LOG_INFO(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
                        "Generating Certificate failed: %s",
                        UA_StatusCode_name(statusCertGen));
            return EXIT_SUCCESS;
        }
#else
        return EXIT_SUCCESS;
#endif
    }

    /* Load the trustlist */
    size_t trustListSize = 0;
    if(argc > 3)
        trustListSize = (size_t)argc-3;
    UA_STACKARRAY(UA_ByteString, trustList, trustListSize+1);
    for(size_t i = 0; i < trustListSize; i++)
        trustList[i] = loadFile(argv[i+3]);

    /* Loading of an issuer list, not used in this application */
    size_t issuerListSize = 0;
    UA_ByteString *issuerList = NULL;

    /* Loading of a revocation list currently unsupported */
    UA_ByteString *revocationList = NULL;
    size_t revocationListSize = 0;

    UA_Server *server = UA_Server_new();
    UA_ServerConfig *config = UA_Server_getConfig(server);

    UA_StatusCode retval = UA_ServerConfig_addSecurityPolicyBasic256Sha256(config, &certificate, &privateKey);
    if(retval != UA_STATUSCODE_GOOD) {
        UA_LOG_WARNING(&config->logger, UA_LOGCATEGORY_USERLAND,
                       "Could not add SecurityPolicy#Basic256Sha256 with error code %s",
                       UA_StatusCode_name(retval));
    }

    // UA_StatusCode retval =
    //     UA_ServerConfig_setDefaultWithSecurityPolicies(config, 4840,
    //                                                    &certificate, &privateKey,
    //                                                    trustList, trustListSize,
    //                                                    issuerList, issuerListSize,
    //                                                    revocationList, revocationListSize);

#ifdef UA_ENABLE_WEBSOCKET_SERVER
    UA_ServerConfig_addNetworkLayerWS(UA_Server_getConfig(server), 7681, 0, 0, &certificate, &privateKey);
#endif

    UA_ByteString_clear(&certificate);
    UA_ByteString_clear(&privateKey);
    for(size_t i = 0; i < trustListSize; i++)
        UA_ByteString_clear(&trustList[i]);

    if(retval != UA_STATUSCODE_GOOD)
        goto cleanup;

    if(!running)
        goto cleanup; /* received ctrl-c already */

    retval = UA_Server_run(server, &running);

 cleanup:
    UA_Server_delete(server);
    return retval == UA_STATUSCODE_GOOD ? EXIT_SUCCESS : EXIT_FAILURE;
}
Did you recompile? Because that code does not even run on my machine since there is no CertificateVerification set up.
UA_CertificateVerification_Trustlist(&config->certificateVerification, trustList, trustListSize, issuerList, issuerListSize, revocationList, revocationListSize);
Did you put the common.h in the directory or generate a key? I deleted all the previously compiled files and then made some modifications to the function UA_ServerConfig_addSecurityPolicyBasic256Sha256 you mentioned. Then I went to the build directory and ran "cmake .. && make". Here is my modified CMakeLists.txt:
cmake_minimum_required(VERSION 3.5)
project(OPCUA1)
set (EXECUTABLE_OUTPUT_PATH ${PROJECT_SOURCE_DIR}/bin)
add_definitions(-std=c99)
include_directories(${PROJECT_SOURCE_DIR}/open62541)
include_directories(${PROJECT_SOURCE_DIR}/src)
find_package(OpenSSL REQUIRED)
add_executable(server ${PROJECT_SOURCE_DIR}/src/server.c ${PROJECT_SOURCE_DIR}/open62541/open62541.c)
target_link_libraries(server ${OPENSSL_LIBRARIES})
add_executable(client ${PROJECT_SOURCE_DIR}/src/client.c ${PROJECT_SOURCE_DIR}/open62541/open62541.c)
target_link_libraries(client ${OPENSSL_LIBRARIES})
Sure I did that and it compiles just fine, but it crashes once I run it. Gdb then shows me that the server->config.certificateVerification object is full of null pointers, which makes sense because it is not set up. I don't see how this could be different for you.
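Putting the two maintainer replies together (register only the policies you want, keep None for discovery only, set up certificate verification before the server starts, and decide in the AccessControl plugin who may log in), the following is a complete configuration as an added example. It is not code from this issue or from the open62541 project. It assumes the open62541 1.3 API (UA_ServerConfig_setBasics() and the six-argument UA_AccessControl_default()), the loadFile() helper from the project's examples/common.h, and a hypothetical operator/change-me login that stands in for a real user store.

```c
/* Added example, not from the issue or from open62541: a 1.3-API server that
 * only accepts sessions over an encrypted channel. Assumes loadFile() from
 * the project's examples/common.h. */
#include <open62541/plugin/accesscontrol_default.h>
#include <open62541/plugin/log_stdout.h>
#include <open62541/plugin/pki_default.h>
#include <open62541/server.h>
#include <open62541/server_config_default.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include "common.h"

static volatile UA_Boolean running = true;
static void stopHandler(int sig) { (void)sig; running = false; }

/* Hypothetical login for the illustration; a real deployment maps users
 * through its own AccessControl plugin as the maintainer describes. */
static UA_UsernamePasswordLogin logins[1] = {
    {UA_STRING_STATIC("operator"), UA_STRING_STATIC("change-me")}
};

static UA_StatusCode
configureEncryptedOnly(UA_ServerConfig *config,
                       const UA_ByteString *certificate,
                       const UA_ByteString *privateKey,
                       const UA_ByteString *trustList, size_t trustListSize) {
    /* Logger, limits, namespaces. Without this the config stays empty:
     * no network layer, no endpoints, an all-NULL certificateVerification. */
    UA_StatusCode rv = UA_ServerConfig_setBasics(config);
    rv |= UA_ServerConfig_addNetworkLayerTCP(config, 4840, 0, 0);
    if(rv != UA_STATUSCODE_GOOD)
        return rv;

    /* Client certificate verification against the trust list: the plugin
     * whose absence crashed the server in the thread. */
    rv = UA_CertificateVerification_Trustlist(&config->certificateVerification,
                                              trustList, trustListSize,
                                              NULL, 0,  /* no issuer list */
                                              NULL, 0); /* no revocation list */
    if(rv != UA_STATUSCODE_GOOD)
        return rv;

    /* None is registered for discovery only; Basic256Sha256 is the only
     * policy a session may be created over. */
    rv = UA_ServerConfig_addSecurityPolicyNone(config, certificate);
    rv |= UA_ServerConfig_addSecurityPolicyBasic256Sha256(config, certificate, privateKey);
    if(rv != UA_STATUSCODE_GOOD)
        return rv;
    config->securityPolicyNoneDiscoveryOnly = true;
    const UA_String *noneUri = &config->securityPolicies[0].policyUri;
    const UA_String *encUri  = &config->securityPolicies[1].policyUri;

    /* Identity tokens: anonymous off, no X.509 user tokens (NULL verifier),
     * username/password bound to the encrypting policy so the password never
     * crosses the wire in clear. Passing the None URI here is what triggers
     * the "can leak credentials" warning seen in the thread. */
    rv = UA_AccessControl_default(config, false, NULL, encUri, 1, logins);
    if(rv != UA_STATUSCODE_GOOD)
        return rv;

    /* Endpoints: discovery over None, sessions only with SignAndEncrypt.
     * A Sign-only endpoint is deliberately not offered. */
    rv = UA_ServerConfig_addEndpoint(config, *noneUri, UA_MESSAGESECURITYMODE_NONE);
    rv |= UA_ServerConfig_addEndpoint(config, *encUri, UA_MESSAGESECURITYMODE_SIGNANDENCRYPT);
    return rv;
}

int main(int argc, char *argv[]) {
    signal(SIGINT, stopHandler);
    signal(SIGTERM, stopHandler);
    if(argc < 4) {
        fprintf(stderr, "usage: %s <server-cert.der> <private-key.der> "
                        "<trusted-client-cert.der> [...]\n", argv[0]);
        return EXIT_FAILURE;
    }
    UA_ByteString certificate = loadFile(argv[1]);
    UA_ByteString privateKey = loadFile(argv[2]);
    size_t trustListSize = (size_t)argc - 3;
    UA_STACKARRAY(UA_ByteString, trustList, trustListSize);
    for(size_t i = 0; i < trustListSize; i++)
        trustList[i] = loadFile(argv[i + 3]);

    UA_Server *server = UA_Server_new();
    UA_StatusCode rv = configureEncryptedOnly(UA_Server_getConfig(server),
                                              &certificate, &privateKey,
                                              trustList, trustListSize);
    /* The config copied what it needs; release the loaded files. */
    UA_ByteString_clear(&certificate);
    UA_ByteString_clear(&privateKey);
    for(size_t i = 0; i < trustListSize; i++)
        UA_ByteString_clear(&trustList[i]);

    if(rv == UA_STATUSCODE_GOOD)
        rv = UA_Server_run(server, &running);
    else
        UA_LOG_ERROR(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
                     "Configuration failed: %s", UA_StatusCode_name(rv));
    UA_Server_delete(server);
    return rv == UA_STATUSCODE_GOOD ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Build it against an open62541 compiled with UA_ENABLE_ENCRYPTION, run it as ./server server_cert.der server_key.der client_cert.der, and repeat the check from the thread with the Softing client: a GetEndpoints over the None channel still works, but creating a session over None, or with an anonymous token, is now rejected, and only the Basic256Sha256/SignAndEncrypt endpoint accepts a login. The "AccessControl: Unconfigured AccessControl. Users have all permissions." line quoted in the issue body is printed by UA_AccessControl_default() and is about node permissions, not encryption; it only goes away once you replace the default plugin with your own, as the maintainer points out.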
Encryption
Everything is going well in my tutorials, except the Encryption. I got the code with git clone.
Description
Hi, I am using the "server_encryption.c" example, and I have generated "server_cert.der" and "server_key.der" under the "tools" directory. However, when I run the server, the prompt shows that there is no encryption: "AccessControl: Unconfigured AccessControl. Users have all permissions." Below is the detailed information. What could be the reason for this?
This is my file directory.
This is the encryption certificate information of my server.
Background Information / Reproduction Steps
Used CMake options:
This is the code for my server.c