OPC UA Server C# Hostname Validation Issues|OPC UA Standard|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
OPC UA Server C# Hostname Validation Issues
Avatar
Lars Ulrich Clément
New Member
Members
Forum Posts: 2
Member Since:
01/27/2023
sp_UserOfflineSmall Offline
1
01/27/2023 - 04:34
sp_Permalink sp_Print

Hello,
first of all I am completely new to OPC UA and I apologize if I am not aware of some paradigms that lead to this problem.

My problem:
I have programmed an OPC UA server locally which works 100% as long as the client is running on the same machine.
Now I have moved the server to the machine on which it should run later and nothing works.
The whole thing was developed in C# and azsgerollt on Linux (Debian 9), the server runs there also if one connects locally a client, only in the network there are problems.
I have left localhost as endpoint, but I see that the URL is changed to opc.tcp://HOSTNAME:Port at startup, in the log I then find

27.01.2023 13:15:37.167 Channel 1: SendResponse 2
27.01.2023 13:15:37.180 TCPSERVERCHANNEL ProcessCloseSecureChannelRequest Socket=TCPSERVERCHANNEL, ChannelId=12036987, TokenId=1
27.01.2023 13:15:37.181 Channel 1 in Closed state.
27.01.2023 13:15:37.182 Channel 1 closed
27.01.2023 13:15:37.197 Channel 2 in Connecting state.
27.01.2023 13:15:37.197 TCPSERVERCHANNEL SOCKET ATTACHED: 02B3B1BE, ChannelId=2
27.01.2023 13:15:37.200 Channel 2 in Opening state.
27.01.2023 13:15:37.202 Security Policy: https://opcfoundation.org/UA/Se.....olicy#None
27.01.2023 13:15:37.202 Sender Certificate: (none)
27.01.2023 13:15:37.202 Token #0 created. CreatedAt = 12:15:37.202 . Lifetime = 3600000
27.01.2023 13:15:37.202 SECURE CHANNEL CREATED [.NetStandard ServerChannel UA-TCP 1.4.365.48] [ID=2] Connected To: opc.tcp://0.0.0.0:26543/BrabenderOPCUAServer
27.01.2023 13:15:37.202 Token #1 activated. CreatedAt = 12:15:37.202 . Lifetime = 300000
27.01.2023 13:15:37.202 Channel 2 in Open state.
27.01.2023 13:15:37.202 Channel 2: SendOpenSecureChannelResponse()
27.01.2023 13:15:37.206 Channel 2: ProcessRequestMessage 2
27.01.2023 13:15:37.225 SERVER - Unexpected Service Fault: Name or service not known
ExtendedSocketException 'Name or service not known'

========================================
Id: Bad
Description: [ExtendedSocketException] Name or service not known
>>> Name or service not known
--- at System.Net.Dns.InternalGetHostByName(String hostName)
--- at System.Net.Dns.GetHostAddresses(String hostNameOrAddress)
--- at Opc.Ua.ServerBase.NormalizeHostname(String hostname)
--- at Opc.Ua.ServerBase.FilterByEndpointUrl(Uri endpointUrl, IList`1 baseAddresses)
--- at Opc.Ua.Server.StandardServer.FindServers(RequestHeader requestHeader, String endpointUrl, StringCollection localeIds, StringCollection serverUris, ApplicationDescriptionCollection& servers)
--- at Opc.Ua.SessionEndpoint.FindServers(IServiceRequest incoming)
--- at Opc.Ua.EndpointBase.ServiceDefinition.Invoke(IServiceRequest request)
--- at Opc.Ua.EndpointBase.ProcessRequestAsyncResult.OnProcessRequest(Object state)
========================================

For phase 1, I didn't plan to use certificates, so I simply connected my client to the machine's IP over the network, which caused this error,
Unfortunately, the machine cannot be found on the network by hostname, which made it impossible for me to connect the client with opc.tcp://HOSTNAME:port.

I hope my explanation is sufficient to answer the question.
Is there any form of endpoint that does not perform hostname validation?

Avatar
Randy Armstrong
Admin
Forum Posts: 1445
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
2
01/27/2023 - 10:46
sp_Permalink sp_Print

You need to use IP addresses everywhere there is a hostname in configuration.

In the Certificate you put the IPAddress in the subjectAltName instead of the dnsName.

Avatar
Lars Ulrich Clément
New Member
Members
Forum Posts: 2
Member Since:
01/27/2023
sp_UserOfflineSmall Offline
3
01/30/2023 - 00:58
sp_Permalink sp_Print

Randy Armstrong said
You need to use IP addresses everywhere there is a hostname in configuration.

In the Certificate you put the IPAddress in the subjectAltName instead of the dnsName.

  

Thank you for your answer, it is agreed with the customer that no certificates will be exchanged, because a renewal in the field is impossible.
Is there another way to bypass this dns/hostname validation?

Since the IP changes, a generic approach with 127.0.0.1 or 0.0.0.0 is most desirable.

Avatar
Randy Armstrong
Admin
Forum Posts: 1445
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
4
01/30/2023 - 14:31
sp_Permalink sp_Print

HostName validation can be suppressed in configuration.

See https://reference.opcfoundatio.....docs/6.1.3

Host Name

Bad_CertificateHostNameInvalid

AuditCertificateDataMismatchEventType

The HostName in the URL used to connect to the Servershall be the same as one of the HostNames specified in the Certificate.

This check is skipped for CA Certificates.

This check is skipped for Serverside validation.

This error may be suppressed.

You need to look in the client documentation to find out how to do this.

The expiry date check can also be suppressed.

I strongly recommend that you do not turn off security in the field because there are many hacks/exploits that only work if security is disabled.

Accepting an expired certificate is better than no certificate.

Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 26
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1347
Posts: 4567