Improve logging of certificate validation
July 21, 2023
14:09, EEST
Avatar
gerstale
Member
Members
Forum Posts: 12
Member Since:
November 26, 2019
sp_UserOfflineSmall Offline

Hello,

In SDK version 4.10.0-58, when certificate validation fails (application URI not the same), the failure reason is only logged at the DEBUG logging level. This should be reported at least at WARN level. Method: public StatusCode validateCertificate(ApplicationDescription applicationDescription, Cert cert) in class DefaultCertificateValidator.

Thank you for your support.
Best regards,

Alexej Gerstmaier

July 21, 2023
15:01, EEST
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 1032
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline

Hi,

The intended way is to add a DefaultCertificateValidatorListener, as in the sampleconsoleclient example com.prosysopc.ua.samples.client.MyCertificateValidationListener. Then you can, e.g. in this case, log (or have e.g. a client-side UI popup to accept the cert) when CertificateCheck.Uri is not part of the EnumSet passedChecks.

In general I should note that we have observed that the current DefaultCertificateValidator is not good enough for all situations, plus some OPC UA 1.05 clarifications mean we’ll have to make changes in SDK 5.x that we are working on right now (might not be in the first 5.0.0 release).

Thanks anyway for the note. It would seem we do have a bit of a mix of logging levels: some of the more recent checks do log on ERROR or WARN, but some of them also cannot be disabled (e.g. the check that the x509 cert is of version 3) and some cannot be reacted to, just disabled. Most of the “older ones” are in DEBUG.

Though, I would lean more towards fixing this by having them all at DEBUG level, at least once it is possible to observe them via the listener. I’m not like 100% sure on this, but if it is in ERROR or WARN, this might just be something outside of your control as a server developer, plus if a client continuously tried to connect with such a cert it would just flood the logs, which is also not good. That being said, this is exactly what would happen currently if the x509 version were not ‘3’.
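An added example of such a listener (not the SDK's own sample code): it logs a failed CertificateCheck.Uri at WARN, and remembers which peer it has already warned about so a client that keeps reconnecting with the same certificate does not flood the log, which addresses the flooding concern above. The method name onValidate, the ValidationResult type, CertificateCheck.COMPULSORY and the import packages are assumptions about the 4.x API, not taken from this thread.

```java
import java.util.EnumSet;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;

// Assumed 4.x package locations; adjust to the SDK version in use.
import com.prosysopc.ua.stack.cert.CertificateCheck;
import com.prosysopc.ua.stack.cert.DefaultCertificateValidatorListener;
import com.prosysopc.ua.stack.cert.ValidationResult;
import com.prosysopc.ua.stack.core.ApplicationDescription;
import com.prosysopc.ua.stack.transport.security.Cert;

public class UriCheckLoggingListener implements DefaultCertificateValidatorListener {
  private static final Logger LOG = Logger.getLogger(UriCheckLoggingListener.class.getName());

  // Peers already reported at WARN, keyed by "applicationUri|certificate subject".
  // Repeats from the same peer are demoted to FINE so a reconnect loop cannot flood the log.
  private final Set<String> alreadyWarned = ConcurrentHashMap.newKeySet();

  @Override // assumed listener method name and return type
  public ValidationResult onValidate(Cert certificate, ApplicationDescription applicationDescription,
      EnumSet<CertificateCheck> passedChecks) {
    String appUri = applicationDescription == null ? "<none>"
        : String.valueOf(applicationDescription.getApplicationUri());
    String subject = certificate.getCertificate().getSubjectX500Principal().getName();

    if (!passedChecks.contains(CertificateCheck.Uri)) {
      String key = appUri + "|" + subject;
      String msg = "Certificate application URI check failed: ApplicationDescription.applicationUri="
          + appUri + ", certificate subject=" + subject + ", passed checks=" + passedChecks;
      if (alreadyWarned.add(key)) {
        LOG.warning(msg);          // first sighting of this peer: make it visible to operators
      } else {
        LOG.fine("(repeat) " + msg); // already reported: keep detail at debug level only
      }
      return ValidationResult.Reject;
    }

    // Accept only when every compulsory check passed (COMPULSORY is an assumed constant).
    if (passedChecks.containsAll(CertificateCheck.COMPULSORY)) {
      return ValidationResult.AcceptPermanently;
    }
    LOG.warning("Rejecting certificate of " + subject + ", passed checks=" + passedChecks);
    return ValidationResult.Reject;
  }
}
```

Register the listener on the DefaultCertificateValidator used by the application, as the sample client does; the validator still decides trust, this class only changes what gets logged and at which level.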
