encrypted connection to OPC UA server

[pfetrial]

hello
I'm trying to connect a python client with the Prosys OPC UA server. I have started with the sample bellow ( Official sample):

client = Client("opc.tcp://host.docker.internal:53530/OPCUA/SimulationServer")
client.set_security_string("Basic256Sha256,SignAndEncrypt,certificate-example.der,private-key-example.pem")
client.application_uri = "urn:example.org:FreeOpcUa:python-opcua"
client.secure_channel_timeout = 10000
client.session_timeout = 10000
try:
    client.connect()

I can't have a connection because the python have an Exception:

WARNING:opcua.uaprotocol:Received an error: MessageAbort(error:StatusCode(BadSecurityChecksFailed), reason:Bad_SecurityChecksFailed (code=0x80130000, description="An error occurred verifying security."))
CRITICAL:opcua.client.ua_client.Socket:Received an error: MessageAbort(error:StatusCode(BadSecurityChecksFailed), reason:Bad_SecurityChecksFailed (code=0x80130000, description="An error occurred verifying security."))
ERROR:opcua.client.ua_client.Socket:Protocol Error
Traceback (most recent call last):
File "C:\Python38\lib\site-packages\opcua\client\ua_client.py", line 101, in _run
self._receive()
File "C:\Python38\lib\site-packages\opcua\client\ua_client.py", line 121, in _receive
self._call_callback(0, ua.UaStatusCodeError(msg.Error.value))
File "C:\Python38\lib\site-packages\opcua\client\ua_client.py", line 129, in _call_callback
raise ua.UaError(
opcua.ua.uaerrors._base.UaError: No future object found for request: 0, callbacks in list are dict_keys([1])
ERROR:concurrent.futures:exception calling callback for <Future at 0x261bb51d040 state=cancelled>
Traceback (most recent call last):
File "C:\Python38\lib\concurrent\futures_base.py", line 328, in _invoke_callbacks
callback(self)
File "C:\Python38\lib\site-packages\opcua\client\ua_client.py", line 201, in clb
response = struct_from_binary(ua.OpenSecureChannelResponse, future.result())
File "C:\Python38\lib\concurrent\futures_base.py", line 430, in result
raise CancelledError()
concurrent.futures._base.CancelledError
Traceback (most recent call last):
File "C:\pfe\python_security\clientminimal.py", line 19, in
client.connect()
File "C:\Python38\lib\site-packages\opcua\client\client.py", line 275, in connect
self.open_secure_channel()
File "C:\Python38\lib\site-packages\opcua\client\client.py", line 335, in open_secure_channel
result = self.uaclient.open_secure_channel(params)
File "C:\Python38\lib\site-packages\opcua\client\ua_client.py", line 275, in open_secure_channel
return self._uasocket.open_secure_channel(params)
File "C:\Python38\lib\site-packages\opcua\client\ua_client.py", line 209, in open_secure_channel
response = clb.future.result(self.timeout)
File "C:\Python38\lib\concurrent\futures_base.py", line 441, in result
raise TimeoutError()
concurrent.futures._base.TimeoutError

Do you see something I missed ?
Thx you

[AndreasHeine]

Do you see something I missed ?

a valid x509v3 certificate? matching uri and ip in "subjectaltname"!?
which is trusted in prosys server?

its a bad idea to use example certs... they might be expired and or with not matching content...

[pfetrial]

I took the certificate and the pem from the github .. Is there a tool to create some certificate compatible to x509x3? Von: Andreas Heine ***@***.***> Gesendet: Donnerstag, 7. Oktober 2021 15:59 An: FreeOpcUa/python-opcua ***@***.***> Cc: pfetrial ***@***.***>; Author ***@***.***> Betreff: Re: [FreeOpcUa/python-opcua] encrypted connection to OPC UA server (Discussion #1396) Do you see something I missed ? a valid x509v3 certificate? matching uri and ip in "subjectaltname"!? which is trusted in prosys server? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#1396 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAOAXGTYSQLJGMAI7XDZUMLUFWRRTANCNFSM5FRLHCWQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> . <https://github.com/notifications/beacon/AAOAXGUDEKNTQTLJ67R6563UFWRRTA5CNFSM5FRLHCW2YY3PNVWWK3TUL52HS4DFWFCGS43DOVZXG2LPNZBW63LNMVXHJKTDN5WW2ZLOORPWSZGOAALAF6Q.gif>

[AndreasHeine]

e.g. openssl there should be something in the example folders with the commands

[pfetrial]

Hello Andreas,
I'am wondering about the security features in the python stack : What are the possible combinations of securitymode/policy/certificates. Par example is it possible to have a security mode and and policy without a certificate ? thx for your reply

[AndreasHeine]

for "signing" and "encryption" you will need a cert and a key... there is no way around!

[pfetrial]

ok I tried to generate a pem and der file with openssl and If use these file to connect to a server , it gives me
Traceback (most recent call last):
File "C:\tests\pythontests\clientencrypted.py", line 23, in
client.set_security_string("Basic256Sha256,SignAndEncrypt,cert.der,cert.pem")
File "C:\Python38\lib\site-packages\opcua\client\client.py", line 191, in set_security_string
return self.set_security(policy_class, parts[2], parts[3],
File "C:\Python38\lib\site-packages\opcua\client\client.py", line 209, in set_security
pk = uacrypto.load_private_key(private_key_path)
File "C:\Python38\lib\site-packages\opcua\crypto\uacrypto.py", line 34, in load_private_key
return serialization.load_pem_private_key(f.read(), password=None, backend=default_backend())
File "C:\Python38\lib\site-packages\cryptography\hazmat\primitives\serialization\base.py", line 20, in load_pem_private_key
return backend.load_pem_private_key(data, password)
File "C:\Python38\lib\site-packages\cryptography\hazmat\backends\openssl\backend.py", line 1217, in load_pem_private_key
return self._load_key(
File "C:\Python38\lib\site-packages\cryptography\hazmat\backends\openssl\backend.py", line 1448, in _load_key
self._handle_key_loading_error()
File "C:\Python38\lib\site-packages\cryptography\hazmat\backends\openssl\backend.py", line 1490, in _handle_key_loading_error
raise ValueError(
ValueError: Could not deserialize key data. The data may be in an incorrect format or it may be encrypted with an unsupported algorithm.

Have you an idea what is wrong ?
Thx

[AndreasHeine]

whats the error message?

[Govinda010]

@AndreasHeine
Traceback (most recent call last):
File "D:\04 Project\P00X Development\01 OpcUAClinet\01 Python\01 Client\main.py", line 27, in
client.set_security_string("Basic256Sha256,SignAndEncrypt,certificate.der,key.pem")
File "C:\Users\Govinda.conda\envs\lengeman\lib\site-packages\opcua\client\client.py", line 191, in set_security_string
return self.set_security(policy_class, parts[2], parts[3],
File "C:\Users\Govinda.conda\envs\lengeman\lib\site-packages\opcua\client\client.py", line 204, in set_security
endpoint = Client.find_endpoint(endpoints, mode, policy.URI)
File "C:\Users\Govinda.conda\envs\lengeman\lib\site-packages\opcua\client\client.py", line 158, in find_endpoint
raise ua.UaError("No matching endpoints: {0}, {1}".format(security_mode, policy_uri))
opcua.ua.uaerrors._base.UaError: No matching endpoints: 3, http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256

[AndreasHeine]

that does not say anything about the cert!?

No matching endpoints: 3, http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256

refers to that the server does not has a endpoint with "SecurityPolicy Basic256Sha256" does it work with UAExpert? If yes post screenshot of the connection dialogue!

[marco09999]

Hi,

Hoping someone will see this and be kind enough to help a starter in OPCUA with python.

I can't find the ssl.conf file in my openssl files. I have the openssl.cnf but it is missing the req ext and the subject part. Am i not looking at the right place?

I can connect to the server with UA expert without any problems so I can give informations if someone needs it.

I would be very gratefull for some help.

[AndreasHeine]

Hi,

Hoping someone will see this and be kind enough to help a starter in OPCUA with python.

I can't find the ssl.conf file in my openssl files. I have the openssl.cnf but it is missing the req ext and the subject part. Am i not looking at the right place?

I can connect to the server with UA expert without any problems so I can give informations if someone needs it.

I would be very gratefull for some help.

to be clear the ssl.conf is not a conf for openssl in general...
its used in: openssl req -x509 -days 365 -new -out certificate.pem -key key.pem -config ssl.conf to provide all the details the cert needs.
so you need to create the file and reference it in the openssl request!

Generate your own x509v3 Certificate

Step 1: Change ssl.conf (subjectAltname, country, organizationName, ...)

ssl.conf:
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no

[ req_ext ]
basicConstraints = CA:FALSE
nsCertType = client, server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage= serverAuth, clientAuth
nsComment = "OpenSSL Generated Certificat"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName = URI:urn:opcua:python:server,IP: 127.0.0.1

[ subject ]
countryName = DE
stateOrProvinceName = HE
localityName = HE
organizationName = AndreasHeine
commonName = PythonOpcUaServer

Step 2:

openssl genrsa -out key.pem 2048

Step 3:

openssl req -x509 -days 365 -new -out certificate.pem -key key.pem -config ssl.conf

[marco09999]

Hi Andreas,

Thanks a lot for taking the time to answer me. This makes sense because i always got the error message "ssl.conf does not exist".

Can I put anything in the subject alt name as long as it is the same in the python code?

Will try it right now and let you know how it goes.

Thanks again

[marco09999]

Where do I need to save the ssl.conf file?

I am still getting the error:
C:\Users\maarchambault>openssl req -x509 -days 365 -new -out certificate.pem -key key.pem -config ssl.conf
Can't open "ssl.conf" for reading, No such file or directory
F04B0000:error:80000002:system library:BIO_new_file:No such file or directory:crypto\bio\bss_file.c:67:calling fopen(ssl.conf, r)
F04B0000:error:10000080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:75:

[AndreasHeine]

should be in the folder where youre at in the command line!

C:\Users\maarchambault

[marco09999]

Andreas,

I was able to generate the certificate and the key using the command you told me to use.

Here is the error that i get:

"opcua.ua.uaerrors._auto.BadCertificateUriInvalid: "The URI specified in the ApplicationDescription does not match the URI in the certificate."(BadCertificateUriInvalid)"

Here is the code that I use:
url = "opc.tcp://10.150.0.68:4840"
client = Client(url)
client.application_uri = "URI:urn:opcua:python:server,IP: 10.150.0.68"
client.set_user("")
client.set_password("")
client.set_security_string("Basic256Sha256,SignAndEncrypt,certificate.pem,key.pem")
client.connect()
print("success")
time.sleep(5)
client.disconnect()

here is my ssl.conf file:
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no

[ req_ext ]
basicConstraints = CA:FALSE
nsCertType = client, server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage= serverAuth, clientAuth
nsComment = "OpenSSL Generated Certificat"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName = URI:urn:opcua:python:server,IP: 10.150.0.68

[ subject ]
countryName = CA
stateOrProvinceName = QC
localityName = WC
organizationName = APN
commonName = PythonOpcUaServer

What did I get wrong?
I can provide Ua expert screenshot if this can help you.
Thanks a lot for your help!

[AndreasHeine]

client.application_uri = "urn:opcua:python:server"

[marco09999]

You are the man Andreas, it all works now. Can i recommend you in some way? I don't know much about Github

[admolina19]

Hi, maybe some solution. I'm trying to create a server and connect to a client, but I can't do it even with UA Expert.
I am generating the certificates with Openssl, I am uploading the cert.der and the key.pem to the server and client but both in the UA Expert and in the py Client and I cannot connect. Thank you very much for taking the time to reply to this message.

Attached generated project files.
https://gist.github.com/admolina19/9cab8bc7bf0d09d70ca769828d571796

Error Server:
Exception raised while parsing message from client, closing
Traceback (most recent call last):
File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\site-packages\opcua\server\binary_server_asyncio.py", line 75, in _process_data
ret = self.processor.process(hdr, buf)
File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\site-packages\opcua\server\uaprocessor.py", line 86, in process
msg = self._connection.receive_from_header_and_body(header, body)
File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\site-packages\opcua\common\connection.py", line 306, in receive_from_header_and_body
self.select_policy(security_header.SecurityPolicyURI, security_header.SenderCertificate)
File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\site-packages\opcua\common\connection.py", line 215, in select_policy
self.security_policy = policy.create(peer_certificate)
File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\site-packages\opcua\ua\uaprotocol_hand.py", line 265, in create
return self.cls(peer_certificate, self.certificate, self.private_key, self.mode)
File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\site-packages\opcua\crypto\security_policies.py", line 570, in init
self.asymmetric_cryptography.Verifier = VerifierSha256(server_cert)
File "C:\Users\PC\AppData\Local\Programs\Python\Python310\lib\site-packages\opcua\crypto\security_policies.py", line 338, in init
self.key_size = self.server_cert.public_key().key_size // 8
AttributeError: 'bytearray' object has no attribute 'public_key'

[marco09999]

UA expert can create its own certificate and key. Usually the easiest part is to connect to the server using UA Expert. For this step, you should look into UA expert forum. You will have a lot more information there. The problem can also be on the server side.

[admolina19]

I can't find how to generate certificates with UA Expert. Maybe you have a link because I really don't know what to do anymore

[dufrtss]

Have you found a solution for the AttributeError: 'bytearray' object has no attribute 'public_key' error?

[wpmccormick]

I'm having trouble with this too after I followed the examples.

I got the SSL Basic256sha256 to work once; by "work" I mean I say the cert show up in the OPCUA Configuration/Trusted Clients to allow me to trust. But trying to repeat this, I mucked something and can't un-muck it.

My ssl.conf:

[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no

[ req_ext ]
basicConstraints = CA:FALSE
nsCertType = client, server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage= serverAuth, clientAuth
nsComment = "OpenSSL Generated Certificat"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName = URI:urn:opcua:python:server

[ subject ]
countryName = US
stateOrProvinceName = TX
localityName = DAL
organizationName = BWDG
commonName = PythonOpcUaServer

Then I run:

openssl genrsa -out bwdg_key.pem 2048
openssl req -x509 -keyout bwdg_key.pem -out bwdg_cert.pem -days 355 -nodes -config ssl.conf
openssl x509 -outform der -in bwdg_cert.pem -out bwdg_cert.der

And python code run:

        ...
        self._client = Client(url=f"opc.tcp://{self._host}:{self._port}")
        self._client.session_timeout = 60000 #keep this set to 60 seconds or we'll get an unwanted message
        
        if ssl:
            self._client.set_security_string("Basic256Sha256,SignAndEncrypt,bwdg_cert.der,bwdg_key.pem")
            self._client.application_uri = "URI:urn:opcua:python:server"

    def connect(self):
        self._client.connect()
        
    def disconnect(self):
        self._client.disconnect()

... and later:

    ...
   client.connect()
   ...
   client.disconnect()

And when I run my app:

ServiceFault from server received  in response to CreateSessionRequest
Topserver Agent Failed: "An error occurred verifying security."(BadSecurityChecksFailed)

My app is called Topserver Agent. The rest is from the caught exception.

Thoughts @AndreasHeine ?

[AndreasHeine]

you could try create a new key and cert!
the servicefault is a little generous...

BadSecurityChecksFailed:
could be something with timedrift between client and server
or
bad signature algorithm
or
serverconfiguration changed
or
...

[wpmccormick]

Yea, I did try creating a new key and cert. Tried again just now for good measure to no avail.

Maybe I'm missing something? When you suggest "serverconfiguration changed", does that mean there's some artifact (e.g. export) from the server that must be used?

[wpmccormick]

Is an IP strictly required for application_uri? If so is the client's IP or the server's?

For set_security_string, do I pass the cert.der or the cert.pem?

If the server is looking for Basic256sha256, are my ssl.conf setting correct?

I don't understand how this worked almost the 1st time I tried it and now I can't get it to work again. I think I've tried everything, so any small thing you notice might help.

[wpmccormick]

So I got it all to work and can answer my own questions. Key to getting it to work was stepping back out of my application code into some test script; getting that to work. Then I was able to find the bug in my application code that made it look like the issue was elsewhere.

Anyway ... the IP seems NOT to be required for application_uri. In fact, is seems that he application URI can be just about anything you want it to be, except maybe it needs to start with urn:? I didn't test that.

For set_security_string, is seems that the der is passed.