Support UserTokenPolicys with encryption #934

Closed
jpfr opened this issue Jan 18, 2017 · 7 comments

Comments

@jpfr
Member

commented Jan 18, 2017

Endpoints for SecureChannels with SecurityPolicy#None can still mandate that passwords are transmitted encrypted. This is specified in the list of possible UserTokenPolicys for each endpoint.
This issue is used to track the development of the feature.

Issues where clients cannot connect because of encryption UserTokenPolicys are closed as duplicates.

@Pro

Member

commented Feb 1, 2018

Related: #1539

@patrickjuchli


commented Nov 6, 2018

In the referenced issues I found the suggestion to "switch to encrypted endpoint" as a fix. This is a bit misleading. If the server requires user tokens to be encrypted, connecting to it fails regardless of whether encryption is used for the endpoint or not. This makes sense when you read the following lines:

```c
if(userToken->securityPolicyUri.length > 0 &&
   !UA_String_equal(&userToken->securityPolicyUri, &securityNone))
    continue;
```

I can see that this feature is part of the next milestone, thanks for that!
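
Added example, not part of the comment above and not open62541 code: a simplified model of the quoted check, showing why a server that requires encrypted user tokens is rejected on both its unencrypted and its encrypted endpoint. The struct types, the constructed sample server and the `supported` parameter are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define POLICY_NONE "http://opcfoundation.org/UA/SecurityPolicy#None"
#define POLICY_B256 "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

/* Hypothetical, simplified stand-ins for endpoint descriptions (not open62541 types). */
typedef struct { const char *tokenType; const char *securityPolicyUri; } TokenPolicy;
typedef struct { const char *securityPolicyUri; const TokenPolicy *tokens; size_t tokensSize; } Endpoint;

/* Constructed sample: a server whose username policy mandates an encrypted
 * password on both its unencrypted and its encrypted endpoint. */
static const TokenPolicy plc_tokens[] = { { "username", POLICY_B256 } };
static const Endpoint plc_endpoints[] = {
    { POLICY_NONE, plc_tokens, 1 },
    { POLICY_B256, plc_tokens, 1 },
};

/* Same condition as the quoted check: a policy passes only if its own
 * securityPolicyUri is empty or #None. The endpoint's policy is never consulted. */
static int passes_quoted_filter(const TokenPolicy *t) {
    return strlen(t->securityPolicyUri) == 0 || strcmp(t->securityPolicyUri, POLICY_NONE) == 0;
}

/* Returns 1 if the endpoint offers a username policy the client can satisfy.
 * supported == NULL: the client cannot encrypt tokens (the behaviour discussed above).
 * Otherwise supported is the one token-encryption policy the client implements. */
static int username_usable(const Endpoint *ep, const char *supported) {
    for(size_t j = 0; j < ep->tokensSize; j++) {
        const TokenPolicy *t = &ep->tokens[j];
        if(strcmp(t->tokenType, "username") != 0)
            continue;
        if(passes_quoted_filter(t))
            return 1;
        if(supported && strcmp(t->securityPolicyUri, supported) == 0)
            return 1;
    }
    return 0;
}

int main(void) {
    for(size_t i = 0; i < 2; i++)
        printf("%-60s plaintext-only client: %d, encrypting client: %d\n",
               plc_endpoints[i].securityPolicyUri,
               username_usable(&plc_endpoints[i], NULL),
               username_usable(&plc_endpoints[i], POLICY_B256));
    return 0;
}
```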

@sureshaei


commented Dec 26, 2018

We are using open62541 (master) client to connect to a PLC and we get the error "No suitable UserTokenPolicy found for the possible endpoints" when using username and password.

Is the support for accessing OPC UA server using username password (encrypted) added to the stack as of now?

We tried using the example clients with encryption enabled (client_basic128rsa15). We created client certificate.crt and private-key.key files using openssl. We converted the files to .der files and provided as arguments to the client. It returns error "mbedTLS returned an error: PK - Invalid key tag or value; Could not create securityContext".

@jpfr

Member Author

commented Dec 27, 2018

Can you try to generate cert/key with the /tools/cert/create_certificate.py script provided with open62541?

@sureshaei


commented Jan 3, 2019

Thanks for the reply.
We tried creating .der files as described above. The client application is able to discover, but connecting failed.

We tried replacing the UA_client_connect() with UA_client_connect_username() in the same example. We ended up with "error/client No suitable UserTokenPolicy found for the possible endpoints".

May I know whether support for accessing an OPC UA server using username and password (encrypted) has been added to the stack as of now?

@heppth


commented Jan 4, 2019

Hi, I've been monitoring this issue for about 8 months. Is there a chance that user / password authentication with encryption will be implemented soon? Most of the PLCs cannot be connected with this library. For us, the function is very important.
Thank you

@jpfr

Member Author

commented Feb 10, 2019

Implemented on master.
