June 3, 2025, 16:00 EEST
I have been playing around with certs and PLC4X.
When I worked with 2048 bit certs (selfsigned) everything worked fine.
When I use asymmetric certs (server 2048, client 4096) it didn't work.
On the PLC4X side it's saying IllegalBlockSize: over 214 bytes.
That could potentially be the fault of PLC4X.
Now to the main problem: when I use 4096-bit certs for both sides, on the Prosys side it's spitting out the following:
06/05/2025 14:45:49.952 DEBUG [OPC-UA-Stack-Blocking-Work-Executor-27] com.prosysopc.ua.stack.transport.tcp.nio.g [] – encodedLocalCertificateThumbprint=[-104, -101, -18, 62, 81, -52, 115, 69, 69, 103, -41, -3, -18, -99, 63, -4, -90, -93, -108, -121]
06/05/2025 14:45:49.952 DEBUG [OPC-UA-Stack-Blocking-Work-Executor-27] com.prosysopc.ua.stack.a.b [] – getApplicationInstanceCertificate: expected=[20] 0x989bee3e51cc73454567d7fdee9d3ffca6a39487
06/05/2025 14:45:49.952 DEBUG [OPC-UA-Stack-Blocking-Work-Executor-27] com.prosysopc.ua.stack.a.b [] – getApplicationInstanceCertificate: cert[0]=[20] 0x989bee3e51cc73454567d7fdee9d3ffca6a39487
06/05/2025 14:45:49.953 INFO [OPC-UA-Stack-Blocking-Work-Executor-27] com.prosysopc.ua.stack.transport.tcp.nio.g [] – Error in handleChunk
com.prosysopc.ua.stack.b.h: Bad_SecurityChecksFailed (code=0x80130000, description=”An error occurred verifying security.”)
at com.prosysopc.ua.stack.transport.tcp.nio.g.k(SourceFile:756) ~[app-5.5.4-384.jar:5.5.4-384]
at com.prosysopc.ua.stack.transport.tcp.nio.g.l(SourceFile:820) ~[app-5.5.4-384.jar:5.5.4-384]
at com.prosysopc.ua.stack.transport.tcp.nio.g$2.a(SourceFile:233) ~[app-5.5.4-384.jar:5.5.4-384]
at com.prosysopc.ua.stack.transport.tcp.nio.g$2.onStateTransition(SourceFile:177) ~[app-5.5.4-384.jar:5.5.4-384]
at com.prosysopc.ua.stack.utils.a.b(SourceFile:330) ~[app-5.5.4-384.jar:5.5.4-384]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
at java.base/java.lang.Thread.run(Thread.java:833) [?:?]
06/05/2025 14:45:49.953 DEBUG [OPC-UA-Stack-Blocking-Work-Executor-27] com.prosysopc.ua.stack.transport.tcp.nio.g [] – onStateTransition: Open->Closing
06/05/2025 14:45:49.953 DEBUG [OPC-UA-Stack-Blocking-Work-Executor-27] com.prosysopc.ua.stack.utils.asyncsocket.h [] – close: channel.isRegistered()=true
06/05/2025 14:45:49.953 DEBUG [OPC-UA-Stack-Blocking-Work-Executor-27] com.prosysopc.ua.stack.utils.asyncsocket.h [] – close: channel.isOpen()=true
06/05/2025 14:45:49.953 DEBUG [OPC-UA-Stack-Blocking-Work-Executor-27] com.prosysopc.ua.stack.utils.asyncsocket.h [] – closed
06/05/2025 14:45:49.953 DEBUG [OPC-UA-Stack-Blocking-Work-Executor-27] com.prosysopc.ua.stack.utils.asyncsocket.h [] – close: ownsSelector=false
06/05/2025 14:45:49.954 DEBUG [OPC-UA-Stack-Blocking-Work-Executor-27] com.prosysopc.ua.stack.utils.asyncsocket.h [] – close: channel.isRegistered()=true
06/05/2025 14:45:49.954 DEBUG [OPC-UA-Stack-Blocking-Work-Executor-27] com.prosysopc.ua.stack.utils.asyncsocket.h [] – close: channel.isOpen()=false
06/05/2025 14:45:49.954 DEBUG [OPC-UA-Stack-Blocking-Work-Executor-27] com.prosysopc.ua.stack.utils.asyncsocket.h [] – close: ownsSelector=false
06/05/2025 14:45:49.954 DEBUG [OPC-UA-Stack-Blocking-Work-Executor-27] com.prosysopc.ua.stack.transport.tcp.nio.g [] – onStateTransition: Closing->Closed
I am using User/PW as well as Sign and Encrypt.
The encryption, as it should be when using certs over 2048 bits, is Basic256Sha256.
I am not sure what I am missing, since the keys do align (0x989bee3e51cc73454567d7fdee9d3ffca6a39487).
I can also share more if needed.
Furthermore, this is the conf for the server cert that is self-signed:
[ req ]
default_bits = 4096
default_md = sha256
distinguished_name = digilab_server
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no
[ digilab_server ]
countryName = DE
stateOrProvinceName = Bayern
localityName = Munich
organizationName = MTU
commonName = SimulationServer@Yoshi
[ req_ext ]
basicConstraints = CA:FALSE
nsCertType = client, server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
nsComment = "Server Certificate"
subjectAltName = URI:urn:Yoshi.lab.mtu-digilab.io:OPCUA:SimulationServer
This is the config for the client:
[ req ]
default_bits = 4096
default_md = sha256
distinguished_name = DigilabClient
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no
[ DigilabClient ]
countryName = DE
stateOrProvinceName = Bayern
localityName = Munich
organizationName = MTU
commonName = client.local
[ req_ext ]
basicConstraints = CA:FALSE
nsCertType = client, server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
nsComment = "Client 1 Certificate"
subjectAltName = URI:urn:client.local:OPCUA:client.local,IP:127.0.0.1
Thank you in advance.
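An added worked check, not part of the original post and not Prosys or PLC4X code: it converts the Java signed-byte thumbprint array from the DEBUG line above into hex and compares it with the expected value, and it computes the RSA-OAEP-SHA1 plaintext limit that Basic256Sha256 asymmetric encryption imposes, which for a 2048-bit modulus is exactly the 214 bytes named in the PLC4X error. The log line is copied from the post; the policy key-size table follows the OPC UA Part 7 profiles, and the DER input to the thumbprint function is a placeholder, not a real certificate.

```python
import hashlib
import re

# Copied from the Prosys DEBUG output above (thumbprint printed as Java signed bytes).
LOG_LINE = (
    "06/05/2025 14:45:49.952 DEBUG [OPC-UA-Stack-Blocking-Work-Executor-27] "
    "com.prosysopc.ua.stack.transport.tcp.nio.g [] - encodedLocalCertificateThumbprint="
    "[-104, -101, -18, 62, 81, -52, 115, 69, 69, 103, -41, -3, -18, -99, 63, -4, -90, -93, -108, -121]"
)
EXPECTED_HEX = "989bee3e51cc73454567d7fdee9d3ffca6a39487"

# Allowed RSA modulus sizes per security policy (OPC UA Part 7 profiles).
POLICY_RSA_BITS = {
    "Basic256": (1024, 2048),
    "Basic256Sha256": (2048, 4096),
}


def java_bytes_to_hex(values):
    """Java prints byte[] as signed ints (-128..127); mask each to 0..255 and hex-encode."""
    return bytes(v & 0xFF for v in values).hex()


def parse_log_thumbprint(line):
    """Extract the signed-byte array from an encodedLocalCertificateThumbprint= log line."""
    m = re.search(r"Thumbprint=\[([-0-9, ]+)\]", line)
    if not m:
        raise ValueError("no thumbprint array in line")
    return java_bytes_to_hex(int(x) for x in m.group(1).split(","))


def der_thumbprint(der):
    """OPC UA certificate thumbprint: SHA-1 over the DER-encoded certificate bytes."""
    return hashlib.sha1(der).hexdigest()


def max_oaep_plaintext(modulus_bits, hash_len=20):
    """Largest RSA-OAEP plaintext: k - 2*hLen - 2 (RFC 8017); Basic256Sha256 uses SHA-1, hLen=20."""
    return modulus_bits // 8 - 2 * hash_len - 2


def key_size_allowed(policy, modulus_bits):
    """True if the modulus size is inside the policy's allowed range."""
    lo, hi = POLICY_RSA_BITS[policy]
    return lo <= modulus_bits <= hi


if __name__ == "__main__":
    print("log thumbprint matches expected:", parse_log_thumbprint(LOG_LINE) == EXPECTED_HEX)
    for bits in (2048, 4096):
        print(f"RSA-{bits}: OAEP-SHA1 limit {max_oaep_plaintext(bits)} bytes,"
              f" Basic256Sha256 ok={key_size_allowed('Basic256Sha256', bits)}")
```

Because both thumbprints in the log agree, the failure is not a certificate mismatch; the 214-byte figure on the PLC4X side matches a 2048-bit modulus, which is worth checking against which key each side actually encrypts with.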