Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
TLS Protocols
July 30, 2021
14:12, EEST
Avatar
pradeep_patel
Member
Members
Forum Posts: 19
Member Since:
July 13, 2021
sp_UserOfflineSmall Offline

Hi Team,

I have java client that uses opc ua java stack 1.4. While connecting to prosys opc ua server I am using opc.tcp protocol with security policy as ‘AES256SHA256RsaPss’ and security mode as ‘sign and encrypt’ and appropriate certificates. while analyzing the network traffic with wire shark I do not see any mention of TLS version being used but just opcua protocol. I am interested to know what version of TLS is being used here. My client does not support opc.https protocol so I am curious to know if TLS is being used by opcua protocol(opc.tcp) or not. and if not then what are the associated security threats. Can somebody explain or guide me about underlying security model in terms of TLS version and opc.tcp vs opc.https ?Confused

August 2, 2021
10:09, EEST
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 1032
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline

Hi,

Most clients and servers do not support opc.https. Best would be to not enable it if there is an option and also ignore it even exists. Most interop testing is just done using opc.tcp.

The opc.tcp protocol doesn’t use TLS, the security (sign+encryption) is defined within OPC UA Specification (i.e. quite standard PKI crypto): https://reference.opcfoundation.org/Core/docs/Part2/, that Part 2 also addresses security threats and so on. Here the SecurityMode has 3 options: None, Sign, Sign&Encrypt. Both signing and encryption depends on both sides trusting each others ApplicationInstanceCertificate.

The opc.https uses TLS for the encryption part. SecurityMode only controls signing (since the channel is already encrypted), has 2 options: None, Sign. Signing if enabled requires the same ApplicationInstanceCertificate both-side-trusting them as in opc.tcp. Note that HTTPS and ApplicationInstanceCertificate are different (most likely). Also do note, that with SecurityMode None, the situation is that no client-side TLS cert is required for connection (https://reference.opcfoundation.org/Core/docs/Part6/7.4.1/ “A Server shall allow Clients to connect without providing a Certificate during negotiation of the HTTPS connection.”). That might be dangerous (since it differs from opc.tcp semantics that for an encrypted channel connection requires both sides to trust eachothers). Thus I wouldn’t recommend to use the NONE option with opc.https (a different argument could be made that this use-case is the only usefulness of opc.https, but since it differs so much from typical opc.tcp I’m not sure how much sense it would be). Also it should be noted, that this is not “web-https” traffic, but the TLS channel is used for the same binary procotol as opc.tcp.

August 2, 2021
14:09, EEST
Avatar
pradeep_patel
Member
Members
Forum Posts: 19
Member Since:
July 13, 2021
sp_UserOfflineSmall Offline

Thanks Bjarne Boström for quick and perfect reply. It resolves my doubt.
I was concerned about security aspect of our OPC client and wanted to understand if the product is TLS 1.2 compliant or not. Since it is not using opc.https hence there is no point in evaluating it in terms of what TLS version is being used. Smile

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 1919

Currently Online:
19 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Heikki Tahvanainen: 402

hbrackel: 144

rocket science: 88

pramanj: 86

Francesco Zambon: 83

Ibrahim: 78

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

Member Stats:

Guest Posters: 0

Members: 727

Moderators: 7

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1529

Posts: 6471

Newest Members:

ellis87832073466, zkxwilliemae, gabriellabachus, Deakin, KTP25Zof, Wojciech Kubala, efrennowell431, wilfredostuart, caitlynfajardo, jeromechubb7

Moderators: Jouni Aro: 1026, Pyry: 1, Petri: 0, Bjarne Boström: 1032, Jimmy Ni: 26, Matti Siponen: 349, Lusetti: 0

Administrators: admin: 1