Get rid of insecure Transport Layer Security (TLS) Ciphersuites|OPC UA Standard|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
Get rid of insecure Transport Layer Security (TLS) Ciphersuites
Avatar
Matthias Schulz
Member
Members
Forum Posts: 3
Member Since:
09/03/2024
sp_UserOfflineSmall Offline
1
09/03/2024 - 02:16
sp_Permalink sp_Print sp_EditHistory

OPCUA 1.04 specifies TLS ciphersuites that are considered weak for various reasons.

For a security point of view such ciphersuites shall be avoided and replaced by one that is recommened for state-of-the art products.

Current mandatory ciphersuits:

https://reference.opcfoundatio.....cs/6.6.160 
TLS_DHE_RSA with AES_nnn_CBC_SHA256
https://ciphersuite.info/cs/TL.....BC_SHA256/ 

https://reference.opcfoundatio.....cs/6.6.159 
TLS_RSA with AES_256_CBC_SHA256
https://ciphersuite.info/cs/TL.....BC_SHA256/ 

 

Here is a list of recommended ciphersuites:

https://ciphersuite.info/cs/?s.....t=sec-desc 

 

Additionally, mbedTLS is dropping support for such weak ciphersuites in future versions:

https://github.com/Mbed-TLS/mb.....ssues/8170

Avatar
Randy Armstrong
Admin
Forum Posts: 1559
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
2
09/03/2024 - 11:41
sp_Permalink sp_Print sp_EditHistory

Please create a mantis issue on Part 7:

https://apps.opcfoundation.org.....default=no

Avatar
Matthias Schulz
Member
Members
Forum Posts: 3
Member Since:
09/03/2024
sp_UserOfflineSmall Offline
Avatar
rodrigueza rodrigueza2
New Member
Members
Forum Posts: 1
Member Since:
09/25/2024
sp_UserOfflineSmall Offline
4
09/25/2024 - 02:07
sp_Permalink sp_Print

How does the decision by mbedTLS to drop support for weak ciphersuites impact the security and compatibility of applications using OPC UA?

Avatar
Randy Armstrong
Admin
Forum Posts: 1559
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
5
09/25/2024 - 22:33
sp_Permalink sp_Print

The UA WG has added new profiles that are considered secure by mbedTLS.

Avatar
Matthias Schulz
Member
Members
Forum Posts: 3
Member Since:
09/03/2024
sp_UserOfflineSmall Offline
6
10/08/2024 - 01:48
sp_Permalink sp_Print

What is your plan to deprecate the weak ciphers? Will there be a phase, where TLSRSA... ciphers are deprecated and the new ones already mandatory? In the end, the weak ciphers shall not be allowed anymore, also to prevent downgrade attacks.

Avatar
Randy Armstrong
Admin
Forum Posts: 1559
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
7
10/08/2024 - 05:29
sp_Permalink sp_Print

The old policies will be deprecated which means they need to be disabled by default.

Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 35
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1426
Posts: 4836