Log In
Home
09/03/2024
Offline
OPCUA 1.04 specifies TLS ciphersuites that are considered weak for various reasons.
For a security point of view such ciphersuites shall be avoided and replaced by one that is recommened for state-of-the art products.
Current mandatory ciphersuits:
https://reference.opcfoundatio…..cs/6.6.160
TLS_DHE_RSA with AES_nnn_CBC_SHA256
https://ciphersuite.info/cs/TL…..BC_SHA256/
https://reference.opcfoundatio…..cs/6.6.159
TLS_RSA with AES_256_CBC_SHA256
https://ciphersuite.info/cs/TL…..BC_SHA256/
Here is a list of recommended ciphersuites:
https://ciphersuite.info/cs/?s…..t=sec-desc
Additionally, mbedTLS is dropping support for such weak ciphersuites in future versions:
05/30/2017
Offline
Please create a mantis issue on Part 7:
09/25/2024
Offline
How does the decision by mbedTLS to drop support for weak ciphersuites impact the security and compatibility of applications using OPC UA?
05/30/2017
Offline
The UA WG has added new profiles that are considered secure by mbedTLS.
09/03/2024
Offline
What is your plan to deprecate the weak ciphers? Will there be a phase, where TLSRSA… ciphers are deprecated and the new ones already mandatory? In the end, the weak ciphers shall not be allowed anymore, also to prevent downgrade attacks.
1 Guest(s)
Usage Policy