We've got an older VB .NET (Visual Studio 2013 Community Edition) piece of code that currently communicates with a PLC over UDP for some very rudimentary data transfer.
We are needing tighter coupling between the PLC and the PC now (the PC must be able to set a bunch of parameters, and a Labview program may want to access the PLC directly), so our PLC vendor (B&R) said OPC UA was the way to go.
This seems similar to the question posed here:
OPC-UA client SDK for C#.NET application development
In an introductory seminar to OPC UA, we got compiled versions of the OPC UA client, and if I fire up a PLC simulator, the client can connect to the PLC simulator. Of course, it asks for a name and a password, but a pop-up does show up that says I try to connect, I get a pop-up window for the UA Sample Client that says "Certificate could not be validated: BadCertificateUntrusted"
OK, I don't have a certificate. You click through, and the client continues onwards, and shows a tree of all the elements that have been exposed to OPC UA by the PLC code. All is well.
Now, if I download the full code from the opcfoundation.org site, I can compile the code, but, when going through this same test sequence, after acknowledging that I don't have a valid certificate, another window pops up that says:
EXCEPTION (ServiceResultException)
BadCertificateHostNameInvalid
SERVICE RESULT (BadCertificateHostNameInvalid)
These are both OPC UA 1.02, BTW.
Does something have to be configured elsewhere? I noticed there are a few XML files (Opc.Ua.SampleClient.Config.xml, and Opc.Ua.SampleClient.Endpoints.xml), and I'm wondering if they have to modified to get rid of this stoppage.
I do recall reading that that something won't be OPC UA compliant if you automatically allow this to be OK (of course), so you can't just make this automagically happen, but that's OK with me.
The drawbacks to using the OPC UA code is that it is a bit deep (as noted by user Brino in the original StackOverflow post), and that it requires your own code to be released under GPL, so Unified-Automation looks pretty enticing, since we may not want to release our source code.
Any thoughts on this particular problem?
The warnings and exceptions you're seeing are not likely to do with your certificate, but with the certificate the server is returning.
The BadCertificateHostNameInvalid StatusCode means that either the server's hostname is not present as a SubjectAltName at all in the certificate, or that it doesn't match the hostname you actually used to connect to the server.
If possible, select SecurityPolicy "None" and see if things work the way you expect. Afterwards you can focus on getting the certificate situation sorted out. You may need to set an appropriate hostname in the server and then have it regenerate a certificate that uses the new hostname. You may also need to make sure your client machine can resolve whatever hostname the server is configured to use so that you can connect using that.
The drawbacks to using the OPC UA code is that it is a bit deep (as noted by user Brino in the original StackOverflow post), and that it requires your own code to be released under GPL, so Unified-Automation looks pretty enticing, since we may not want to release our source code.
This is only true if you're not a member of the OPC foundation. If you're a member you're free to use the code without distribution of your source. See the header files for more info, and consult with actual text of the "RCL" license from the foundation.
Related
I tried posting this on ask.openstack but it has been stuck in the moderator for 5 days now. I thought I'd try here.
I was trying to debug a Nova issue and wanted to decode the SSL / TLS packets being exchanged using Wireshark. Part of the changes I was making was setting Nova up to use SSL / TLS and I wanted to be sure that part of it I had set correctly. I eventually figure out my issues from the various log files but I'm somewhat assuming that being able to watch the network traffic may help in some very difficult cases.
The exchange uses TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 at one point. According to this security stackexchannge question, there is a "pre-master secret" or various other terms. I've wrestled with this before in a previous life doing IPSec. Usually you can set debug in the application and it will spew out the secret into the log file. I tried "debug = true" under Default in nova.conf and got lots of debug but no secret. There was two items that looked interesting that were reported as **** in the log: keystone_authtoken.memcache_secret_key and neutron.metadata_proxy_shared_secret. I wasn't sure if those were the secrets I was looking for or not. In this case, I'm looking at the nova-api traffic going to port 8774.
Also, since all of openstack is Python and uses the same "request" and "certifi" packages, it may be possible to generalize this to all of the openstack components.
nova --version report 9.1.1
First of all let me describe my system.
I have a virtual server (Windows Server 2012 R2 with IIS 8.5) with two running systems.
One is for receiving Informations from Devices and the other one is for presenting and combining the users information with the device information.
The two systems are combined by a reference (via VS2012).
Problem:
If I have a look on my website for the system which gives me the user and device information in get an error, so I try to debug it on my own pc.
While debugging I want to access the service to display me all devices and it gives me:
System.ServiceModel.Security.MessageSecurityException
The HTTP request was forbidden with client authentication scheme 'Anonymous'.
I also have a WCF-Tracelog which shows me:
WCF-Tracelog
I'm now facing that problem for days and I was browsing stackoverflow a lot. I guess that it should be a problem with my certificates. At the moment I got a SSL-certificate (received from my university). I also "registered" it to a specified port and added the right bindings in my IIS (IIS 8.5). I am very new to WCF,IIS,SOAP and certificates but I guess my problem is the understanding of the certificates.
Question:
Which certificates do I have to create for my "Server-Website/Client"-System and which do I have to create for my own "Client" and where do I have to copy them (at the moment I'm familiar with the MMC => Snap-In)? And where do I need to keep my SSL-certificate located?
I hope someone faced the same Problem and can help me to fix this soon. Sorry for my bad english and if you need more information let me know!
EDIT:
I fixed my certificate-problem but now i receive 403.4 (SSL is required)
my problem solved, i have enabled "IP Address and Domain Restriction" and i added an "allow" option to this section, thus another ip got that error
I am using Windows Explorer to test the WebDAV implementation I am adapting to our system. The implementation is using IIS Express and is launched by Visual Studio 2013. I turned off Windows Explorer's requirement for SSL with WebDAV so I can test basic authentication (which works).
The problem I am having is with the Write method of the DavFile implementation. I connect to the web folder, navigate to a sub folder, then attempt to copy a JPG file from a folder on my computer's hard drive, into the WebDAV sub folder (using Windows Explorer).
The attempt to copy up a file (854kb) fails. When I set a break point, I notice that the "segment" stream (one of the input parameters on the "write" method, shows 0 (zero) bytes length.
Any tips on how to debug this problem? What is the most likely cause of 0 byte in the stream?
Here are some ideas about how to understand what is going wrong:
Examine the server log for exceptions. By default it is called WebDAVLog.txt and located in \App_Data\WebDAV\Logs\ folder. Are there any exceptions in it? Check your server log and make sure all requests were successful.
Examine WebDAV requests with a Fiddler tool or any other debugging proxy. While all requests that reached the WebDAV server Engine are logged, if the request failed before hitting the Engine you will not see it in a log. Usually this happens if the request failed during authentication stage.
Note that to capture requests using Fiddler on 'localhost' you must use 'localhost.fiddler' instead of 'localhost' when connecting to server, for example: http://localhost.fiddler:1234.
Exclude any client side issues. Finally there could be issues with client software that you are using, including with Microsoft miniredirector. Try to access server from any other machine. To get the idea if the problem is on the client or server side try also to reproduce the issue on ajaxbrowser.com.
You can post a part of the WebDAVLog.txt or fiddler log here or send it to IT Hit, it may give the idea of what is wrong.
I am trying to monitor https traffic with Fiddler, using current newest version:2.4.4.5
I've successfully set up https, certificates and I can see the full https encrypted traffic for example browsing my bank's web site.
...however...
When I trying to monitor an other server I got this error message in the response window:
"Failed to secure existing connection for 77.87.178.160. A call to SSPI failed, see inner exception. InnerException: System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm"
For full Fiddler window see:
The client is not a in this case browser, but a custom client program, which communicates with its own server.
My question: Is this exception misleading and in reality some other error prevents the secure channel to set up?
...or...
We have still chance to monitor this https communication?
Thx in advance
What is the client program?
This error typically indicates that that client application is only offering certain HTTPS ciphers, and those ciphers are not supported by Fiddler.
However, in this case, the specific problem here is almost certainly this: http://blogs.msdn.com/b/ieinternals/archive/2009/12/08/aes-is-not-a-valid-cipher-for-sslv3.aspx
The client is trying to use AES with SSLv3, but that isn't one of the valid ciphers for SSL3. As a consequence, the connection fails.
You might be able to workaround this by clicking Rules > Customize Rules. Scroll down to the Main() function and add the following line within the function:
CONFIG.oAcceptedServerHTTPSProtocols =
System.Security.Authentication.SslProtocols.Ssl3;
Please let me know if this works.
NOTE Current versions of Fiddler offer a UI link for this: Look at the lis of enabled protocols on the HTTPS tab.
Unbelievably this issue is still present some 6 years later.
Just installed the latest version of Fiddle (v5.0.20194.41348), and sure enough on Win7 using Chrome or IE it keeps failing with the dreaded error:
"fiddler.network.https> HTTPS handshake to google.com (for #1) failed. System.ComponentModel.Win32Exception The client and server cannot communicate, because they do not possess a common algorithm"
After some hours of testing, I found a middle ground solution which seems to work with virtually all websites. The aim was to get the highest possible security with no errors in the log. Without needing to add any code, simply changing this line under Tools > Options > HTTPS > Protocols is what worked for me (just copy and paste it):
<client>;ssl3;tls1.1;tls1.2
Basically removed the ssl2 and tls1.0 protocols which leaves us with some pretty decent security and no errors so far. Having spent hours of frustration with this error, hope someone out there might find this useful, and a big thanks to EricLaw who discovered the root of the problem.
Yes I too have seen this error when working outside of fiddler and it was connected with AuthenticateAsServer but only went wrong when using IE10 and not Chrome as the browser.
Odd thing is that it did not break all the time for IE10 using SslProtocols.Tls for the protocol so I will add a bit of code to switch the protocol if one fails
The protocol that can be used also seems to change on if you are using a proxy server like Fiddler or using an invisible server by hijacking the DNS via the hosts file to divert traffic to the server
I've searched through web for couple hours on this issue, and none of the answers I found didn't really fit into my problem, so here's me, asking my first-ever question in SOF.
So, I'm trying to open a web-browser from a java program using the htmlunit library. The web site I need to connect requires SSL connection, and the certificate is stored in a USB key. Its iKey2023 product.
The system used to work(I did not write it), but one of the certificates in the USB key expired, so it automatically moved on to the next one (there were 4 certificates in total), and it suddenly stopped working.
It is giving me javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated error.
I'm back home now and I forgot the exact name of the method, but I remember the following.
Browser instance is created, using IE8
browser.setWebConnection method was called. This method, according to the API, is an internal API.
Make connection to the website by passing the URL as parameter
It's throwing the exception at step 3.
Some more details. The little details might be incorrect but I'm trying to describe a big picture.
At step 2, the method requites WebConnection object as a parameter, and there is a implementation of that interface. Within this implementation, a keystore is created using sun.security.pkcs11.SunPKCS11(configFileInputStream) (did I spell that correctly?)
It was sth like this.
Provider p = new sun.security.pkcs11.SunPKCS11(configFileInputStream);
Security.addProvider(p);
And create a keystore from this provider.
Using this keystore, within the WebConnection implementation, it creates a SSLSocket.
So, after the certificate has been switched to a new one, it's not picking up the certificate correctly.
Here's what I've tried.
I've tried to use different methods in the htmlunit library, something like setSecurityProvider, and I tried to put the Provider object created in above code snippet. I got class cast exception.
I tried to manually set the system properties(trustStore, trustStorePassword, keyStore, etc). In order to do this, I wanted to export the certificate out of the USB key, but it did not let me export the private key out from it, so I could not really create a valid PKCS12 file out of it (openSSL wanted a private key file along with .pem file for conversion, and I did not have that key file).
They did not work, and I'm so stuck right now.
I have a similar issue. In my case, an admin changed the certificate and I began encountering the same SSLPeerUnverifiedException.
I found that I can set the WebClient to use insecureSSL (prior to calling getPage())and I will no longer get the exception.
webClient.setUseInsecureSSL(true);
This however, doesn't resolve the issue as the server basically doesn't authenticate the client.
Its as if the WebClient is storing something that doesn't work with the new certificate.