Validating server certificate in client |OPC Certification and Interoperability Testing|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
Validating server certificate in client
Avatar
Ganesh Gaikwad
Member
Members
Forum Posts: 9
Member Since:
08/14/2019
sp_UserOfflineSmall Offline
1
04/29/2020 - 21:30
sp_Permalink sp_Print

Hi Team,

This is regarding test cases from discovery services related to getEndpoints . Test cases asks for server certificate validation ,In our client we are not validating the server’s certificate . Is it mandatory for certification  to validate ?

The unified automation documentation says “To establish a trust relation between an OPC UA client and server, the self-signed certificates of the communication partner are installed to the trust list. The client certificate is installed to the trust list of the server and the server certificate to the trust list of the client.”

In our client we not have UI like other client’s to trust the certificate . What do you suggest ?

 

Err-014   Lab GetEndpoints Certificate is valid but not trusted by the client. Client is able to identify the un-trusted certificate. Client may elect to trust the certificate based on its configuration or at the request of the end-user.
Err-017   Lab GetEndpoints  Unavailable Certificate is valid but does not support required keyUsage (parameter within the serverCertificate). Client reports that an invalid certificate has been received. Client discards the endpoint record so that it will not be available for use with establishing a session.
Err-018   Lab GetEndpoints  Unavailable Certificate is valid but does not support required ExtendedKeyUsage (parameter within the serverCertificate). Client reports that an invalid certificate has been received. Client discards the endpoint record so that it will not be available for use with establishing a session.
Err-019   Lab GetEndpoints  Unavailable Certificate hostnames list is empty. Client is able to identify the bad certificate. Client refuses the connection unless overruled by the end-user or based on the configuration.
Err-020   Lab GetEndpoints  Unavailable Certificate is invalid, the hash does not compute (certificate has been modified). Client reports that an invalid certificate has been received. Client discards the endpoint record so that it will not be available for use with establishing a session.

 

 

Reagrds,

Ganesh

Avatar
Alexander Allmendinger
Germany
Moderator
Members

Moderators

Moderators-Specifications

Moderators-Companion

Moderators-Implementation

Moderators-Certification

Moderators-ProductsServices
Forum Posts: 67
Member Since:
07/11/2017
sp_UserOfflineSmall Offline
2
05/02/2020 - 04:17
sp_Permalink sp_Print

Ganesh,

not validating the server certificate being returned is an security risk and is not allows for certified products.

There are different options to do the certificate handling in product. When the client does not have an UI which can be utilized for certificate management you can either accomplish it in an intuitive way with a separate certificate management tool or you describe the PKI folder structures in your documentation and let users of you product do the configuration via the Windows Explorer.

In any case certificate validation is required and should only an administrator should be able to overwrite certain checks for a certificate or server.

Regards,
Alexander Allmendinger

Avatar
Ganesh Gaikwad
Member
Members
Forum Posts: 9
Member Since:
08/14/2019
sp_UserOfflineSmall Offline
3
05/06/2020 - 03:54
sp_Permalink sp_Print

Thanks Alexander.

In our client user don’t have choice to select endpoint ,user provide endpoint to connect. We think that validating server certificates for all endpoints  at discoveryEndpoint response not making sense to our client instead should  validate at createSessionReponse 

In createsessionResponse we can do all mandatory field validation as we get certificate for endpoint which user has  provided.

Kindly suggest If we can make validate server certificate at discovery test cases  not applicable .

 

Regards,

Ganesh

Avatar
Randy Armstrong
Admin
Forum Posts: 1580
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
4
05/06/2020 - 06:36
sp_Permalink sp_Print

Ganesh,

You have to validate the server certificate during the secure channel establishment. This is not optional.

So the validation always happens before sending the CreateSession request.

Most clients choose to validate the certificate after choosing and Endpoint returned from GetEndpoints.

Avatar
Ganesh Gaikwad
Member
Members
Forum Posts: 9
Member Since:
08/14/2019
sp_UserOfflineSmall Offline
5
05/18/2020 - 22:34
sp_Permalink sp_Print

Hi Team,

We have handled CertificateExpired and CertificateNotyetValid scenario but we could not validate trusted/untrusted scenario. Will it be fine for minimal certification if we just log message saying certificate is not trusted ? As test case says by minimum client should log message .

Regards,

Ganesh

Avatar
Paul Hunkar
Cleveland, Ohio, USA
Moderator
Members

Moderators-Specifications

Moderators-Companion

Moderators-Implementation

Moderators-Certification

Moderators-COM
Forum Posts: 112
Member Since:
02/24/2014
sp_UserOfflineSmall Offline
6
05/19/2020 - 21:36
sp_Permalink sp_Print

Ganesh,

  If a server is not trusted (determined by the Server application instance certificate needed for the provided endpoint), then a client shall not attempt to make a secure connection to it on that endpoint.  It can connect using no security also an Administrator can decided to trust the Server (add it to a trust list, even if just temporarily). If a client tries to connect to a Server via an un-trusted endpoint, the client is provided information to the server about itself , knowing that this information may be use later for an attack against the client.  This is poor security behavior for the client.

The client shall validate that the Server owns the private key associated with the connection.  It shall log any error and problems. 

Paul

Paul Hunkar - DSInteroperability

Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 19
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1446
Posts: 4891