
How to configure the server to work completely without certificates? #25

Closed
andowinger opened this issue Oct 8, 2020 · 4 comments
Labels
help wanted Extra attention is needed

Comments

andowinger commented Oct 8, 2020

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Set EnableUnsecureTransport to true and remove the block defining the secure ServerSecurityPolicy

Any log messages given by the failure

Any client (e.g. UAExpert) will notify the user about the use of an untrusted certificate. The user will have to manually "trust this certificate" to establish a connection.

Expected/desired behavior

No certificate should be used if "EnableUnsecureTransport" is used.
Of course this will also mean that TLS won't be working, but this is ok, since the flag already points out that it is an "unsecure transport".
This is also fine from a security perspective if the setup is running in a private network whose perimeter has been secured.

OS and Version?

Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)
Windows 10 using UAExpert 1.5.1

Versions

1809

Mention any other details that might be useful

The documentation does not provide information on what I have to do to completely disable any certificate / to disable TLS.

This is the log when starting up. As you can see, there is only a "None" security policy running, but still a self-signed certificate is created, though I don't want that here ;)

[15:09:16 INF] Web server started on port 8080
[15:09:16 INF] opcstacktracemask set to: 0x0
[15:09:16 INF] OPC UA server base address: opc.tcp://287ed39ad887:50000
[15:09:16 INF] Unsecure security policy http://opcfoundation.org/UA/SecurityPolicy#None with mode None added
[15:09:16 WRN] Note: This is a security risk and needs to be disabled for production use
[15:09:16 INF] Trusted Issuer store type is: Directory
[15:09:16 INF] Trusted Issuer Certificate store path is: pki/issuer
[15:09:16 INF] Trusted Peer Certificate store type is: Directory
[15:09:16 INF] Trusted Peer Certificate store path is: pki/trusted
[15:09:16 INF] Rejected certificate store type is: Directory
[15:09:16 INF] Rejected Certificate store path is: pki/rejected
[15:09:16 INF] Rejection of SHA1 signed certificates is disabled
[15:09:16 INF] Minimum certificate key size set to 1024
[15:09:16 INF] Application Certificate store type is: Directory
[15:09:16 INF] Application Certificate store path is: pki/own
[15:09:16 INF] Application Certificate subject name is: OpcPlc
[15:09:16 WRN] WARNING: Automatically accepting certificates. This is a security risk.
[15:09:16 INF] No existing Application certificate found. Create a self-signed Application certificate valid from yesterday for 12 months,
[15:09:16 INF] with a 2048 bit key and 256 bit hash.
[15:09:17 INF] Application certificate with thumbprint 'AEB28F47284A635E2E1BA044243A49B21AD3DC6D' created.
[15:09:17 INF] Application certificate is for ApplicationUri 'urn:OpcPlc:287ed39ad887', ApplicationName 'OpcPlc' and Subject is 'OpcPlc'
[15:09:17 INF] LDS(-ME) registration interval set to 0 ms (0 means no registration)
[15:09:17 INF] Trusted issuer store contains 0 certs
[15:09:17 INF] Trusted issuer store has 0 CRLs.
[15:09:17 INF] Trusted peer store contains 0 certs
[15:09:17 INF] Trusted peer store has 0 CRLs.
[15:09:17 INF] Rejected certificate store contains 0 certs
[15:09:17 INF] Starting server on endpoint opc.tcp://287ed39ad887:50000 ...
[15:09:17 INF] Simulation settings are:
[15:09:17 INF] One simulation phase consists of 50 cycles
[15:09:17 INF] One cycle takes 100 milliseconds
[15:09:17 INF] Spike generation is disabled
[15:09:17 INF] Data generation is disabled
[15:09:17 INF] Anonymous authentication: enabled
[15:09:17 INF] Username/Password authentication: enabled
[15:09:17 INF] Certificate authentication: disabled
[15:09:18 INF] Creating 25 Slow nodes of type: UInt
[15:09:18 INF] Node values will change each 10 sec
[15:09:18 INF] Node values sampling rate is 0 msec
[15:09:18 INF] Creating 5 Fast nodes of type: UInt
[15:09:18 INF] Node values will change each 1 sec
[15:09:18 INF] Node values sampling rate is 0 msec
[15:09:18 INF] OPC UA Server started.
[15:09:18 INF] OPC Publisher configuration file: pn.json
[
{
"EndpointUrl": "opc.tcp://287ed39ad887:50000",
"UseSecurity": false,
"OpcNodes": [
{ "Id": "ns=2;s=SlowUInt1", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt2", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt3", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt4", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt5", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt6", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt7", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt8", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt9", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt10", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt11", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt12", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt13", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt14", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt15", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt16", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt17", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt18", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt19", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt20", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt21", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt22", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt23", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt24", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=SlowUInt25", "OpcPublishingInterval": 10000 },
{ "Id": "ns=2;s=FastUInt1" },
{ "Id": "ns=2;s=FastUInt2" },
{ "Id": "ns=2;s=FastUInt3" },
{ "Id": "ns=2;s=FastUInt4" },
{ "Id": "ns=2;s=FastUInt5" }
]
}
]


Thanks! We'll be in touch soon.
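The startup log in this report already lists the settings a reviewer would check before exposing the endpoint: a SecurityPolicy None endpoint, automatic certificate acceptance, SHA1 rejection disabled, a 1024-bit minimum key size, anonymous authentication, and the thumbprint of the generated application certificate. As an added example (not code from the OPC PLC project), the Python script below parses a constructed sample made of a few of those log lines and turns them into a list of findings, including the thumbprint a client can pin in its trusted store instead of accepting whatever the server presents. The function names `parse_log` and `findings` and the sample lines are my own constructions.

```python
import re

# Constructed sample: a handful of startup lines copied from the log in this issue.
SAMPLE_LOG = """\
[15:09:16 INF] Unsecure security policy http://opcfoundation.org/UA/SecurityPolicy#None with mode None added
[15:09:16 WRN] Note: This is a security risk and needs to be disabled for production use
[15:09:16 INF] Rejection of SHA1 signed certificates is disabled
[15:09:16 INF] Minimum certificate key size set to 1024
[15:09:16 WRN] WARNING: Automatically accepting certificates. This is a security risk.
[15:09:17 INF] Application certificate with thumbprint 'AEB28F47284A635E2E1BA044243A49B21AD3DC6D' created.
[15:09:17 INF] Anonymous authentication: enabled
[15:09:17 INF] Username/Password authentication: enabled
[15:09:17 INF] Certificate authentication: disabled
"""

# "[HH:MM:SS LVL] message" as emitted by the server's logger.
LINE_RE = re.compile(r"^\[(?P<time>\d\d:\d\d:\d\d) (?P<level>[A-Z]{3})\] (?P<msg>.*)$")
POLICY_RE = re.compile(r"security policy (\S+) with mode (\w+)")
KEYSIZE_RE = re.compile(r"Minimum certificate key size set to (\d+)")
THUMB_RE = re.compile(r"thumbprint '([0-9A-Fa-f]{40})'")
AUTH_RE = re.compile(r"^(.+?) authentication: (enabled|disabled)$")


def parse_log(text):
    """Extract the security-relevant settings from the server's startup log."""
    settings = {
        "policies": [],        # (policy URI, message security mode) pairs offered
        "auto_accept": False,  # server trusts any client certificate automatically
        "sha1_rejection": None,
        "min_key_size": None,
        "thumbprints": [],     # application certificate(s) created or loaded
        "auth": {},            # user token type -> enabled?
    }
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if pm := POLICY_RE.search(msg):
            settings["policies"].append((pm.group(1), pm.group(2)))
        elif "Automatically accepting certificates" in msg:
            settings["auto_accept"] = True
        elif msg.startswith("Rejection of SHA1 signed certificates is"):
            settings["sha1_rejection"] = msg.split()[-1] == "enabled"
        elif km := KEYSIZE_RE.search(msg):
            settings["min_key_size"] = int(km.group(1))
        elif tm := THUMB_RE.search(msg):
            settings["thumbprints"].append(tm.group(1).upper())
        elif am := AUTH_RE.match(msg):
            settings["auth"][am.group(1)] = am.group(2) == "enabled"
    return settings


def findings(settings):
    """Turn the parsed settings into reviewer findings (risk, and what to do about it)."""
    out = []
    for uri, mode in settings["policies"]:
        if uri.endswith("#None") or mode == "None":
            out.append(f"Endpoint offers {uri} (mode {mode}): traffic is neither "
                       "signed nor encrypted; acceptable only on an isolated network.")
    if settings["auto_accept"]:
        out.append("Server auto-accepts client certificates: any client can connect; "
                   "populate pki/trusted and disable auto-accept for production.")
    if settings["sha1_rejection"] is False:
        out.append("SHA1-signed certificates are accepted: enable rejection.")
    if settings["min_key_size"] is not None and settings["min_key_size"] < 2048:
        out.append(f"Minimum certificate key size is {settings['min_key_size']} bits; "
                   "require at least 2048.")
    if settings["auth"].get("Anonymous"):
        out.append("Anonymous user authentication is enabled: disable it unless required.")
    for tp in settings["thumbprints"]:
        out.append(f"Application certificate {tp}: the spec requires one even with "
                   "policy None, so pin this thumbprint in the client's trusted store "
                   "rather than clicking 'trust' or auto-accepting.")
    return out


if __name__ == "__main__":
    for line in findings(parse_log(SAMPLE_LOG)):
        print("-", line)
```

The thumbprint finding is the practical answer to the question in this issue: the certificate cannot be removed, but the client-side prompt disappears once the server's thumbprint sits in the client's trusted store.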

@andowinger andowinger changed the title Stop server from using any kind of certificate How to configure the server to work completely without certificates? Oct 8, 2020
@ajithkumars
Wondering the same.

@cristipogacean
Collaborator

This is not possible due to OPC UA spec constraints. All OPC UA applications are required to have an application instance certificate except the nano embedded server profile (which is not the case for this server) even if they only support security policy none.

@hansgschossmann
Collaborator

@andowinger @ajithkumars: does @cristipogacean's answer give you enough clarity? In addition to this, @andowinger, what do you mean by "disable TLS"?

@hansgschossmann hansgschossmann added the help wanted Extra attention is needed label Apr 15, 2021
@ajithkumars

@hansgschossmann: I assume @cristipogacean has a point, so I choose to believe it (and find a workaround if required).

hansgschossmann pushed a commit that referenced this issue May 28, 2021
* Adding settings for very fast nodes

* Added some diagnostics output so that we can see the achieved throughput.

* Moved diagnostics

* Added integration tests

* Simplified code

* Added README file for tests

* Added integration tests (#2)

* Removed timing log code

* integration tests for DipData and SpikeData

* cleaned up int/double casting

* Shut down simulator in test fixture (#4)

* Committing a working fast timer

* Integration tests for StepUp (#8)

Integration tests for StepUp and AlternatingBoolean

* cleaning up

* Merged from master - package upgrade issues

* package upgrade issues

* Added code to generate random values for double and uint node types.

* Added argument exception for unsupported range.

* removed comment

* fix: PR comments

* Simulator parameters per test class (#9)

* Restored changes in program.cs from oneweek branch, for rate of node value change.

* Resolving PR review comments.

* Updated UTC Time method.

* Fixed autoreset bug and added unit tests for FastTimer

* Fixed merge issues

* Refactoring some properties

* Fixed some scope issues

* refactored UpdateNodes somewhat

* Added negative range for double sequential value changes, removed comment re single plc instance and updated integration test.

* fix: PR comments and failing tests

* fix: PR comments and flaky tests

* Removed parallelization attribute from these test since that caused intermittent problems in teardown

* Added some checks if Stopwatch supports high-resolution

* Removed the if statement in the test. Test code that shouldn't have been here

* Added integration tests for Boiler

* more tests

* .

* fix naming convention

* Inject TimeService (#18)

* Update DataRandomizationTests.cs (#20)

* Limit number of updates by node (#14)

* Update BoilerTests.cs

* Adding some more wiggle room since tests fail sporadically on build pipeline.

* Test notification for alarm subscription (#23)

* Fix CI on Mac (#25)

* Fixed test failures by specifying cmdline params explicitly, PLC server is not designed for parallel/sequential runs in the same process. Fixed the integration test for randomization.

* Added feature to provide different random number than previous one.

* Update PlcSimulatorFixture.cs

* fix: spelling error and some formatting

* Fixed bug where uint with max range will go in infinite loop and added check for step size.

* fixed typo in test.

* Added documentation in the readme.md for command line option --vfr

* Updated SLN file to dos line endings

* Moved BoilerTests.cs to the right place

* Moved call to InitLogging to happen after we've set the _logLevel variable

Co-authored-by: Alexandre Gattiker <algattik@users.noreply.github.com>
Co-authored-by: Hamlet D'Arcy <hamda@microsoft.com>
Co-authored-by: Hamlet D'Arcy <hamlet.darcy@microsoft.com>
Co-authored-by: Suneet Nangia <suneetnangia@gmail.com>