Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
Possibility to ignore 'ConnectException' Error due to null server nonce
November 6, 2023
15:39, EET
Avatar
in-fke
Member
Members
Forum Posts: 29
Member Since:
June 8, 2016
sp_UserOfflineSmall Offline

Hi,
we currently try to connect to a OPC-UA Server using ProSys OPC UA Java SDK 4.8.2
It’s an user-based authentication with Security = None.
The problem we are facing is that the target server isn’t sending a server nonce so we get a ConnectException.
[com.prosysopc.ua.client.ConnectException: Received less than 32 byte nonce from the server, was:null: opc.tcp://x.x.x.x:4840
[http://opcfoundation.org/UA/SecurityPolicy#None,None] Diagnostics=Diagnostic Info:
Received less than 32 byte nonce from the server, was:null: opc.tcp://x.x.x.x:4840 [http://opcfoundation.org/UA/SecurityPolicy#None,None]
]

Is there a possibility to ignore the missing/null nonce in the client so it’s still possible to make a successful connection?

November 7, 2023
9:07, EET
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 994
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline

Hi,

No, unless you change the user-mode to be Anonymous (is this an option for you?). Basically there is almost no point in other modes without sending a proper Nonce.

Note that there are multiple different Nonces involved. This one comes from the CreateSession, which has different rules than OpenSecureChannel (for that null/0-length is expected for NONE, we have seen this mistake in the past). Thus, the server should be fixed (or check if there are updates for it). For the CreateSession https://reference.opcfoundation.org/Core/Part4/v104/docs/5.6.2, in the Response parameters: “
serverNonce
ByteString
A random number that should never be used in any other request.
This number shall have a minimum length of 32 bytes.
The Client shall use this value to prove possession of its Application Instance Certificate in the ActivateSession request.
This value may also be used to prove possession of the userIdentityToken it specified in the ActivateSession request.”

SDK will skip (automatically) the security-check if the combination is exactly NONE+Anonymous, but it cannot be skipped for anything else. This is our SDK-specific relaxation of the general rules, which can be done here since the Nonce is not used for anything (basically the point of this is to allow connecting to “tiny” servers that cannot do crypto at all). For any other combination it validates that the Nonce length is at least 32 bytes.

If a server supports anything but the Anonymous user authentication (e.g. it supports username/password), it must always send a certificate/public-key. The client encrypts e.g. the user password using the public key the server gives, then the server can decrypt it (using the private key). Thus the password is still encrypted even though the other communication is not. However, without a Nonce used as additional data for the encrypting operations, the encrypted binary blob would end up being the same each time. Thus, if anyone is able to monitor the network traffic they would get an effective password to the user. It is not the cleartext, but since the blob would be the same each time without the nonce, an attacker could just send that to get in.

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 518

Currently Online:
17 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Heikki Tahvanainen: 402

hbrackel: 142

pramanj: 86

Francesco Zambon: 83

rocket science: 82

Ibrahim: 76

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

Member Stats:

Guest Posters: 0

Members: 704

Moderators: 7

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1482

Posts: 6316

Newest Members:

samui, TommyDab, wross, Jeremyknock, Pedromon, DonaldEdism, Miguelplese, Scotanine, katesalas95, Petertum

Moderators: Jouni Aro: 1015, Pyry: 1, Petri: 0, Bjarne Boström: 994, Jimmy Ni: 26, Matti Siponen: 330, Lusetti: 0

Administrators: admin: 1