Connection closed with an untrusted client

Questions regarding the use of the C++ SDK for Server or Client development or integration into customer products ...

haydee
Sr. Member
Posts: 16
Joined: 03 Jul 2013, 06:03

Connection closed with an untrusted client

Post by haydee »

Hi,

Why is the server's secure channel deleted when a client with an untrusted certificate attempts to connect to it?

---------scenario---------
a) Sample server only exposes one endpoint which is using Basic256 policy and SignAndEncrypt mode
b) UA Expert (with its certificate on the trusted list) connects to it, and was working okay
c) Another client whose certificate is not on the trusted list attempts to connect to server
d) Result: BadSecureChannelClosed. UA Expert likewise gets affected

----------srvTrace---------
verify error:
num=18:self signed certificate
depth=0
/DC=CPC400-3767/CN=UA Server Test
13:01:23.219Z|4|2594* [uastack] OpcUa_SecureListener_ValidateCertificate: Validation failed with 0x801A0000
13:01:23.220Z|4|2594* [uastack] ProcessOpenSecureChannelRequest: Client Certificate not valid! (0x801A0000)
13:01:23.220Z|4|2594* [uastack] OpcUa_Endpoint_OnSecureChannelEvent: SecureChannel open certificate verification request!
13:01:23.220Z|3|2594* UaServer_EndpointCallback: Unknown Endpoint event!
13:01:23.220Z|4|2594* [uastack] OpcUa_Endpoint_OnSecureChannelEvent: SecureChannel opened!
13:01:23.220Z|1|2594* UaServer_EndpointCallback: SecureChannel 0 open failed! [status=0x801a0000]
13:01:23.220Z|4|2594* [uastack] UaDir::mkpath: Path still exists!
13:01:23.224Z|6|12A8* --> EventManagerBase::fireEvent
13:01:23.224Z|6|12A8* --> EventItem::fireEvent [hEventItem = 1]
13:01:23.224Z|7|12A8* Source=Trace SourceId=NS1|Guid|{1c35cb2b-e5d0-495a-93c9-da095c652230} EventType=NS0|Numeric|2041 EventId=D0 2E C4 83 67 08 AF 41 97 3E C7 D4 FA 83 1E 55 Time=2013-08-05T13:01:23.220Z Severity=300
13:01:23.224Z|7|12A8* Skipped by event filter
13:01:23.224Z|6|12A8* <-- EventItem::fireEvent
13:01:23.224Z|6|12A8* <-- EventManagerBase::fireEvent
13:01:23.224Z|6|12A8* --> EventManagerBase::fireEvent
13:01:23.224Z|6|12A8* --> EventItem::fireEvent [hEventItem = 1]
13:01:23.224Z|7|12A8* Source=Trace SourceId=NS1|Guid|{1c35cb2b-e5d0-495a-93c9-da095c652230} EventType=NS0|Numeric|2041 EventId=C2 BF B5 F7 F3 94 9A 4B AF 40 57 34 F1 0C 55 F8 Time=2013-08-05T13:01:23.220Z Severity=900
13:01:23.224Z|7|12A8* Skipped by event filter
13:01:23.224Z|6|12A8* <-- EventItem::fireEvent
13:01:23.224Z|6|12A8* <-- EventManagerBase::fireEvent
13:01:23.224Z|4|2594* [uastack] OpcUa_SecureListener_ChannelManager_GetChannelByTransportConnection: Searched securechannel found!
13:01:23.224Z|4|2594* [uastack] OpcUa_Endpoint_OnSecureChannelEvent: SecureChannel closed!
13:01:23.224Z|3|2594* UaServer_EndpointCallback: SecureChannel 0 closed! [status=0x801a0000]
13:01:23.224Z|6|2594* --> SessionManager::secureChannelDeleted EndpointIndex = 0, SecureChannelId = 0
13:01:23.224Z|6|2594* <-- SessionManager::secureChannelDeleted - did not find the SecureChannelId


Thanks again.
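As an added example (not code from this thread or from the Unified Automation SDK), a small Python parser for the server trace format quoted above: it groups lines by stack thread and reports each rejected client certificate together with its status code and the channel ids the server named in the follow-up "open failed" / "closed" callbacks. The sample trace is constructed from the lines in the post, and the only status name it knows, BadCertificateUntrusted for 0x801A0000, is the mapping the support team gives in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the srvTrace lines quoted in the first post
# (format: time|level|thread* [module] message).
SAMPLE_TRACE = """\
13:01:23.219Z|4|2594* [uastack] OpcUa_SecureListener_ValidateCertificate: Validation failed with 0x801A0000
13:01:23.220Z|4|2594* [uastack] ProcessOpenSecureChannelRequest: Client Certificate not valid! (0x801A0000)
13:01:23.220Z|1|2594* UaServer_EndpointCallback: SecureChannel 0 open failed! [status=0x801a0000]
13:01:23.224Z|7|12A8* Skipped by event filter
13:01:23.224Z|3|2594* UaServer_EndpointCallback: SecureChannel 0 closed! [status=0x801a0000]
"""

LINE_RE = re.compile(r"^(?P<time>\S+Z)\|(?P<level>\d)\|(?P<thread>[0-9A-Fa-f]+)\*\s+(?P<msg>.*)$")
STATUS_RE = re.compile(r"0x([0-9A-Fa-f]{8})")
CHANNEL_RE = re.compile(r"SecureChannel (\d+) (?:open failed|closed)!")
# Only the status code the thread itself names; anything else is reported as hex.
STATUS_NAMES = {0x801A0000: "BadCertificateUntrusted"}

def parse_line(line):
    """Split one trace line into fields; None for the OpenSSL 'verify error:' lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["level"] = int(ev["level"])
    s = STATUS_RE.search(ev["msg"])
    ev["status"] = int(s.group(1), 16) if s else None
    return ev

def find_rejected_clients(trace):
    """One finding per stack thread that rejected a client certificate."""
    by_thread = defaultdict(list)
    for raw in trace.splitlines():
        ev = parse_line(raw)
        if ev:
            by_thread[ev["thread"]].append(ev)
    findings = []
    for thread, events in by_thread.items():
        rejected = [e for e in events if "Client Certificate not valid" in e["msg"]]
        if not rejected:
            continue
        status = rejected[0]["status"]
        name = STATUS_NAMES.get(status, "unknown" if status is None else f"0x{status:08X}")
        # Channel ids named in the follow-up 'open failed' / 'closed' callbacks on this thread.
        channels = sorted({int(m.group(1)) for m in map(CHANNEL_RE.search, (e["msg"] for e in events)) if m})
        findings.append({"thread": thread, "time": rejected[0]["time"], "status": status,
                         "status_name": name, "channels": channels})
    return findings
```

In the quoted trace both callbacks name channel 0, which the SessionManager then reports it could not find; that is consistent with the support reply that the rejected channel was never opened and is distinct from the trusted client's channel.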

Support Team
Hero Member
Posts: 3072
Joined: 18 Mar 2011, 15:09

Re: Connection closed with an untrusted client

Post by Support Team »

Hi haydee,

Which sample server are you using, version?
Which version of the UaExpert is involved?

The expected behavior is that with one endpoint exposed, only that single one can be connected. A second client trying to connect should not influence the communication on the existing connection at all. Of course the second client should not connect (because the cert is not trusted).

From the trace it looks fine as the certificate validation fails (OpcUa_BadCertificateUntrusted), and the SecureChannel is not opened because of that failure.

Best Regards
Support Team

haydee
Sr. Member
Posts: 16
Joined: 03 Jul 2013, 06:03

Re: Connection closed with an untrusted client

Post by haydee »

Hi UA Support Team,

I am using the following:
a) UA Demo Server Beta 1.4.
>> However, I changed the endpoints to None and Basic256, since it seems UA Expert cannot connect using Basic128* SignAndEncrypt
b) either UaExpert 1.2.1 164 or UA Expert 1.2.2
c) another client that would attempt to connect to either endpoint
d) and once that other client receives BadSecureChannelClosed, UaExpert displays the following on its log window
Server Node Connection status of server changed to ConnectionErrorApiReconnect
Server Node Connection status of server changed to ConnectionWarningWatchdogTimeout
...
...

OS: Windows 7 Enterprise SP1 64-bit


As an aside, at first I thought it was because I compiled your code with VS 2012 (64-bit) and with OpenSSL 1.0.0e. Yet when I reverted to the original SDK source, the issue was still there.


Thanks,
Haydee
Last edited by haydee on 06 Aug 2013, 09:03, edited 1 time in total.

Support Team
Hero Member
Posts: 3072
Joined: 18 Mar 2011, 15:09

Re: Connection closed with an untrusted client

Post by Support Team »

Hi haydee,

We tried to retest your reported issue, but we cannot reproduce it. I will just describe what we have done (using Windows 7 x64 SP1):

1) Start UaDemoServer 1.4 Beta (pre-built version) with just the Basic256 endpoint.
2) Connect with UaExpert 1.2.2 build 175 to the server and create a subscription.
3) Start Full Client of .NET SDK (version 2.2.0 build 255 - latest release).
4) Try to connect to the server, trusting only the server's certificate on the client side.
5) Close connection of UaExpert and connect again (I have done this more than 10 times).

In this scenario all went fine. No errors occurred and all clients were able to connect to the server.
But I have a few questions:

a) Did you change the libeay32.dll next to uaservercpp.exe? Is it possible that this DLL is still the delivered 1.0.0e 32-bit version?
b) Do you have your own build of OpenSSL in 64-bit and 32-bit?
c) Why do you think UaExpert is not able to connect to endpoints using Basic128Rsa15 SignAndEncrypt? UaExpert is able to connect to all kinds of endpoints the Unified Automation SDKs provide!

So could you please provide us with more information?


Best Regards
Support Team

haydee
Sr. Member
Posts: 16
Joined: 03 Jul 2013, 06:03

Re: Connection closed with an untrusted client

Post by haydee »

Hi UA Support Team,

Thanks for your quick reply. As for your questions:

a-b) I built the OpenSSL binaries using their 64-bit makefiles, and the UA SDK projects are referencing them. The SDK also got rebuilt.
c) I got "configured policy is not supported" for Basic128Rsa15, thus I changed the Basic128* in the config to Basic256. I did not investigate this further though.

And to leave my newly built DLLs out of the equation, I used your beta 1.4 binaries, but I still saw the issue there.

Further, just now I tried a scenario where the other apps are the trusted clients and UaExpert is the untrusted one. After the latter tries to connect to the server, the other apps' connections are still okay. So now I'm thinking whether it's a UaExpert issue? Our 3 PCs could consistently repro the problem.

Thanks,
Haydee

Support Team
Hero Member
Posts: 3072
Joined: 18 Mar 2011, 15:09

Re: Connection closed with an untrusted client

Post by Support Team »

Hi haydee,

Ok, we need to clarify a little more so as not to search in the wrong direction.

UaExpert is capable of connecting to all UA-Binary endpoints, including the three security modes "None", "Basic128Rsa15" and "Basic256". So if you get "configured policy not supported", this is returned by the server: the client-side selected and the server-side provided security profile obviously did not match. I assume this to be an error in the server, or better said, in the server-side endpoint configuration.

The "ConnectionAPIReconnect" indicates that UaExpert completely lost the connection and is trying to reconnect to the server. Either the server crashed/blocked or the channel got invalidated. Both sound like errors in the server, and because it is a Beta version this might actually be true. Just to avoid any misinterpretation, please try with two UaExperts (one trusted and one untrusted) to reproduce the error.

In the trace you have posted we cannot see the full story; please switch on the stack and the app trace (both at maximum level) in the xml.config and reproduce the error. As the trace will be too long to post here, please send it to support@unifiedautomation.com

Best Regards
Support Team

haydee
Sr. Member
Posts: 16
Joined: 03 Jul 2013, 06:03

Re: Connection closed with an untrusted client

Post by haydee »

Thanks again. And done sending the logs.

Support Team
Hero Member
Posts: 3072
Joined: 18 Mar 2011, 15:09

Re: Connection closed with an untrusted client

Post by Support Team »

"I used your beta 1.4 binaries"
The version you are using is a very early Beta version. This version had several issues that are already solved. We cannot reproduce any error you describe using the current version. It makes no sense to use this 6-month-old Beta. A newer Beta version has already been delivered to you; please use that version and re-test your scenario.

Best Regards
Support Team

haydee
Sr. Member
Posts: 16
Joined: 03 Jul 2013, 06:03

Re: Connection closed with an untrusted client

Post by haydee »

Likewise verified as fixed. Thanks :)
