OPCUA SSL problem

[Majer Karel via Tech-talk <tech-talk at aps.anl.gov>]

Hello,

 

I am using EPICS OPCUA module built with Open62541 v1.3.10 and OpenSSL, running on Rocky Linux 9. It is mostly used to connect to B&R PLCs which have self-signed server certificate and then it runs without problems.

I need to communicate also with another server which has certificate signed by a certification authority. The authority uses a self-signed certificate. I cannot get this communication working in any setup.

This is the output of EPICS shell:

 

[root@fct-deploy20 iocopcua]# ./st.cmd

#!../../bin/linux-x86_64/opcua

< envPaths

epicsEnvSet("IOC","iocopcua")

epicsEnvSet("TOP","/usr/EPICS/IOCs/opcua")

epicsEnvSet("EPICS_BASE","/usr/EPICS/epics-base")

epicsEnvSet("OPCUA","/usr/EPICS/support/opcua")

cd "/usr/EPICS/IOCs/opcua"

## Register all support components

dbLoadDatabase "dbd/opcua.dbd"

opcua_registerRecordDeviceDriver pdbbase

opcuaSession PLC opc.tcp://192.168.0.250:4840

opcuaOptions PLC debug=1

Session PLC: setting option debug to 1

opcuaSetupPKI /usr/PKI

OPC UA: Warning - a PKI directory is writable, which may compromise security. (/usr/PKI/trusted/certs)

OPC UA: Warning - a PKI directory is writable, which may compromise security. (/usr/PKI/trusted/crl)

OPC UA: Warning - a PKI directory is writable, which may compromise security. (/usr/PKI/issuers/certs)

OPC UA: Warning - a PKI directory is writable, which may compromise security. (/usr/PKI/issuers/crl)

opcuaClientCertificate /usr/openssl/cert.der /usr/openssl/key.pem

opcuaOptions PLC sec-policy=Basic256Sha256

Session PLC: setting option sec-policy to Basic256Sha256

opcuaSubscription RockwellPSI PLC 100

dbLoadRecords("db/FCT-RockwellPSI.db")

cd "/usr/EPICS/IOCs/opcua/iocBoot/iocopcua"

iocInit

Starting iocInit

############################################################################

## EPICS R7.0.8

## Rev. 2024-05-07T19:43+0000

## Rev. Date build date/time:

############################################################################

OPC UA Client Device Support 0.10.0-dev (-); using Open62541 Client API v1.3.10

iocRun: All initialization complete

OPC UA: Autoconnecting sessions

Session PLC already disconnected

Session PLC: (initClientSecurity) loading client certificate /usr/openssl/cert.der

Session PLC: (initClientSecurity) loading client private key /usr/openssl/key.pem

[2024-10-02 12:46:41.325 (UTC+0000)] warn/userland      AcceptAll Certificate Verification. Any remote certificate will be accepted.

[2024-10-02 12:46:41.326 (UTC+0000)] info/securitypolicy        The Basic128Rsa15 security policy with openssl is added.

[2024-10-02 12:46:41.328 (UTC+0000)] info/securitypolicy        The basic256 security policy with openssl is added.

[2024-10-02 12:46:41.329 (UTC+0000)] info/securitypolicy        The basic256sha256 security policy with openssl is added.

[2024-10-02 12:46:41.330 (UTC+0000)] info/securitypolicy        The Aes128Sha256RsaOaep security policy with openssl is added.

Session PLC: (connect) setting up PKI provider

Session PLC: (setupIdentity) setting Anonymous token

Session PLC: (setupSecurity) reading endpoints from opc.tcp://192.168.0.250:4840

[2024-10-02 12:46:41.331 (UTC+0000)] warn/client        The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None

[2024-10-02 12:46:41.335 (UTC+0000)] info/server        Reloading the trust-list

[2024-10-02 12:46:41.336 (UTC+0000)] info/server        Reloading the issuer-list

[2024-10-02 12:46:41.336 (UTC+0000)] info/server        Reloading the revocation-list

[2024-10-02 12:46:41.336 (UTC+0000)] warn/channel       Connection 8 | SecureChannel 0 | Receiving the response failed with StatusCode BadCertificateUntrusted

[2024-10-02 12:46:41.336 (UTC+0000)] info/client        Client Status: ChannelState: Closed, SessionState: Closed, ConnectStatus: BadConnectionClosed

Session PLC: (setupSecurity) UaDiscovery::getEndpoints from opc.tcp://192.168.0.250:4840 failed with status BadConnectionClosed

OPC UA session PLC: security discovery and setup failed with status cantConnect

 

We used tcpdump to capture TCP communication, it shows TCP is closed by client after receiving OpenSecureChannelResponse from the server.

We have certificate of both the authority and the server and crl of the authority. This is a list of steps which we tried and still got BadCertificateUntrusted:

·         Putting server certificate into PKI/trusted/certs

·         Putting CA certificate into PKI/trusted/certs and crl into PKI/trusted/crl

·         Putting CA certificate into PKI/issuers/certs and crl into PKI/issuers/crl

·         Combinations of all of the above

·         Adding certificates to the system

·         Running with sec-mode=None and commenting out opcuaSetupPKI command

We also tried running the IOC with strace to see system calls and noticed that PKI/trusted/crl directory was not opened during IOC startup.

We have used openssl verify to check the server certificate against the CA with OK result.

 

And perhaps most importantly, we can connect to the server with UAExpert without any issues when we use the same certificates.

 

Do you have any experience with this behavior and any advice how to fix it or even where to look for the problem?

 

Kind regards,

 

Karel Majer

 

 

Karel Majer | Senior Software Developer
Tel: +420 266 051 514
Email: karel.majer at eli-beams.eu

ELI Beamlines Facility|The Extreme Light Infrastructure ERIC Za Radnicí 835, 252 41 Dolní Břežany, Czech Republic www.eli-laser.eu|www.eli-beams.eu