Trying to connect to a Basic256, SignAndEncrypt endpoint. #57
Comments
Hi, when you say X509 token, are you talking about it as the user identity or as the certificate of your client? It would be useful if you could set "set RUST_OPCUA_LOG=debug" so I can look at the log and see what errors you are seeing. While I do have support for X509 identity certs in the code, it hasn't received a whole lot of testing and it might be caused by a configuration that I wasn't using. Thanks
Yes, I am talking about user identity using a certificate. But in fact the code does not get as far as the creation of the token and its signature, because I have the impression that it fails to create the secure channel. It is hard to debug because I do not have access to the server log. I attach the logs where I anonymize the certificates with RUST_OPCUA_LOG=debug.
Okay, that sounds like it's not getting as far as activating the session. Can you check that the server and client are accepting each other's certs? Some OPCUA servers might reject a cert and put it in a rejected folder and it has to be copied out. The server might also have a log where it says why it didn't like the connection. The client side also does a cert check on the server; the sample's client.conf sets trust_server_certs to true, so it should automatically trust the server.
Thank you! It seems to work with another certificate which is also trusted by the server. Sorry for the inconvenience! Now I try to simply read a variable from this string path: "ns=2;DA.ABCD.F1.FAN01.P" but I really don't know how to do it, and I am starting with Rust in addition! Basically I started with the simple-client sample:

```rust
if let Ok(session) = client.connect_to_endpoint_id(Some("sample_basic256")) {
    println!("OK");
    let _ = Session::run(session);
} else {
    // Loops forever. The publish thread will call the callback with changes on the variables
    println!("Errrrr");
}
```

In same file, there is a

Thank you very much for this opc ua library.
If all you want to do is read a variable, you don't need the Session::run(session); that's basically there for clients that subscribe to variables and need to run in a loop. Instead you would call something like this:
Thank you for the help. When the client sends the X509 token (server certificate + nonce => sha1 with private_key), it waits for a response, which it seems to receive (seen with Wireshark), but it doesn't do anything. I have attached logs where we see the response to request 3, which is not processed.
Hi, But I have two strange behaviors:
Because
I have another certificate with a 2048 key which works for the connection step. Could there be a problem with the 1024 keys or is it pure chance? Thank you.
Is the user token policy info coming from your server? I looked at the code for EndpointDescription::find_policy and literally all it does is look for a user token within itself with a matching UserTokenType. So it shouldn't matter that the policy id is empty or some weird value. As for certificate length, OPCUA expects Basic256 policy should allow certificates between 1024 and 2048 bits, but there may be something about the certificate that is invalid and it may only be obvious from looking at the logs or by inspecting the certificate itself. It may even be that the server is rejecting the certificate, so look at the server's logs to see if it yields any clues.
Yes, this user token policy is a print from the client log of what I received from the server. I don't understand everything about the protocol, that's why I'm a bit lost! Actually I will analyze the library logs and I will request the server logs to find out what is going on. Thank you for the time spent helping me!
Hello, I received the server log when I try to connect with the certificate that is problematic. The server indicates it cannot verify the signature on the message. Would you have some time to watch them, please? Out of curiosity, I looked a little at the code for "secure_channel::asymmetric_sign_and_encrypt" and I can't understand why the padding between the body and the signature is not inserted before the call to security_policy.asymmetric_encrypt. Thank you.
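The padding asked about in the comment above sits between the body and the signature of an asymmetric OPC UA chunk. The following is an added example, not part of the thread and not the opcua crate's code, that computes that padding from the OPC UA Part 6 formula for the 1024-bit and 2048-bit key sizes discussed here. The names `asymmetric_layout`, `Layout` and `RsaPadding` are hypothetical, and the 100-byte payload is a constructed value.

```rust
// Added example, not the opcua crate's code. Names are hypothetical.
// Sizes follow the asymmetric chunk layout in OPC UA Part 6:
//   [message + security header]  signed, sent in clear
//   [sequence header | body | padding size | padding | signature]  encrypted

#[derive(Clone, Copy)]
pub enum RsaPadding { Pkcs1V15, OaepSha1 }

#[derive(Debug, PartialEq)]
pub struct Layout { pub padding: usize, pub plain_len: usize, pub cipher_len: usize }

/// `bytes_to_write` = sequence header + body. The signature is made with the
/// sender's private key; encryption uses the receiver's public key.
pub fn asymmetric_layout(bytes_to_write: usize, sender_key_bits: usize,
                         receiver_key_bits: usize, scheme: RsaPadding) -> Layout {
    let overhead = match scheme { RsaPadding::Pkcs1V15 => 11, RsaPadding::OaepSha1 => 42 };
    let signature_size = sender_key_bits / 8;   // RSA signature = sender modulus size
    let cipher_block = receiver_key_bits / 8;   // one RSA block of ciphertext
    let plain_block = cipher_block - overhead;  // plaintext that fits in one block
    // One padding-size byte, plus an extra one when the encrypting key is > 2048 bits.
    let size_bytes = if receiver_key_bits > 2048 { 2 } else { 1 };
    let unpadded = bytes_to_write + signature_size + size_bytes;
    let padding = plain_block - (unpadded % plain_block);
    let plain_len = unpadded + padding;         // always a multiple of plain_block
    Layout { padding, plain_len, cipher_len: plain_len / plain_block * cipher_block }
}

fn main() {
    // Constructed sizes: 8-byte sequence header + 92-byte body; Basic256 uses RSA-OAEP (SHA-1).
    for (client, server) in [(1024, 2048), (2048, 2048), (1024, 1024)] {
        let l = asymmetric_layout(100, client, server, RsaPadding::OaepSha1);
        println!("client {}, server {}: {:?}", client, server, l);
    }
}
```

With a 1024-bit client key and a 2048-bit server key the padding depends on both key sizes at once, so this is the combination worth comparing byte for byte against a Wireshark capture when a server reports a signature failure.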
I can't think of any reason that a certificate would work for one client and not another but I would check the following:
Okay, thanks for all the advice! Thank you very much
Hello, I am also trying to use the secretary and certificate of the client to connect to the server, it seems to use "UserTokenPolicy", I follow what you wrote is all None, the client has generated a trust certificate for the server, and the server also has a trust certificate for the client. I think the problem is with this assignment of "UserTokenPolicy".
Hello,
From samples/simple_client, I'm trying to connect to a Basic256,SignAndEncrypt endpoint with X509 token and client.connect_to_endpoint_id returns
I think that certificate is OK because I use it with another application.
First connection without security policy/mode seems to work because it retrieves endpoint.
Error arrives when it wants to connect to the endpoint and sends a secure channel request.
On Wireshark, viewable value in frame seems to be OK and corresponds to a frame sent with another application.
Do you have any idea what I could look at to try to find the problem?
Thank you very much for this library.