Problem with OpenSSL version

Questions regarding the use of the ANSI C SDK for Server or Client development or integration into customer products ...

Moderator: uasdkc
crosland
Full Member
Posts: 7
Joined: 07 Mar 2018, 12:02

Problem with OpenSSL version

Post by crosland »

Hi,

I am using uasdkcbundle-bin-EVAL-centos7.0.1406-x86_64-gcc4.8.2-v1.8.1-381 and UaExpert .4.4 275, actually on Centos 7.4

I built the SDK examples and started the server demo uaserverc in buildExamplesRelease/server_c_demo.

I am following the UaExpert help topic Step-by-Step Connect Example help topic to connect to the server, running on the same machine.

I selected the 'Basic256Sha256 - Sign & Encrypt' endpoint, connected to the server and trusted the server certificate.

I then moved UaExpert's certificate from buildExamplesRelease/server_c_demo/pki/rejected to buildExamplesRelease/server_c_demo/pki/trusted/cert so that the server will trust the client’s certs as well.

Then I try to connect again but I see an error in the server log:
09:55:54.997|E|A271F740* Server started at 2018-04-27T08:55:54.996Z
09:56:16.382|E|A271F740* OpcUa_P_CryptoFactory_CreateCryptoProvider: SecurityPolicy Aes256Sha256RsaPss requires OpenSSL 1.0.2 or newer!

I tried restarting the server but the same error occurs.

The output of 'openssl version' is:
~ $ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

Which seems to meet the requirement '1.0.2 or newer'. According to 'yum info openssl', 1.0.2k is the latest version.

How do I proceed from here?

Andrew

Support Team
Hero Member
Posts: 3069
Joined: 18 Mar 2011, 15:09

Re: Problem with OpenSSL version

Post by Support Team »

Hello Andrew,

the reason for this behaviour can be found in Centos, as they changed the behaviour of OpenSSL's function SSLeay() which we use for detecting the OpenSSL version. On Centos, this function returns the OpenSSL version the application was built against instead of the version of the library that is actually loaded and running.

Using the evaluation version of the SDK, currently your only choice is to disable the Aes256Sha256RsaPss security policy in the server configuration. We will look into the issue and check if we can work around this problem in a future release of the SDK.

Further reading:
https://github.com/openssl/openssl/issues/4454
https://bugzilla.redhat.com/show_bug.cgi?id=1497859
https://access.redhat.com/documentation ... s_security
Best regards
Unified Automation Support Team

crosland
Full Member
Posts: 7
Joined: 07 Mar 2018, 12:02

Re: Problem with OpenSSL version

Post by crosland »

Hi,

Thanks for your reply. Is it just a case of editing settings.conf or do I need to rebuild the demo?

I tried the edit:
#Endpoints/0/SecurityPolicies = SecurityPolicy_None, SecurityPolicy_Basic256Sha256, SecurityPolicy_Aes128
Endpoints/0/SecurityPolicies = SecurityPolicy_None

and when I browse the server in UaExpert I now see only "none".

I also see that UaExpert is trying to connect using policy None, but the server still shows the same OpenSSL error.

Support Team
Hero Member
Posts: 3069
Joined: 18 Mar 2011, 15:09

Re: Problem with OpenSSL version

Post by Support Team »

Hello Andrew,

using the following changes you should be able to connect using the Basic256Sha256 security policy:

Endpoints/0/SecurityPolicies = SecurityPolicy_None, SecurityPolicy_Basic256Sha256, SecurityPolicy_Aes128
Endpoints/0/UserTokenPolicies = Anonymous, UserName_256Sha256, UserName_Aes128
Best regards
Unified Automation Support Team

crosland
Full Member
Posts: 7
Joined: 07 Mar 2018, 12:02

Re: Problem with OpenSSL version

Post by crosland »

I still see the same error from the server after changing settings.conf, no matter which connection policy I choose in UaExpert.

crosland
Full Member
Posts: 7
Joined: 07 Mar 2018, 12:02

Re: Problem with OpenSSL version

Post by crosland »

With the suggested .conf settings, selecting the Basic256Sha256 endpoint in UaExpert and having moved the cert to trusted/certs.

Here's the log from the server:
12:58:10.892|W|610BD740* OpcUa_SecureListener_ValidateCertificate: Validation failed with 0x801A0000
12:58:10.892|W|610BD740* UaServer_EndpointEvent_Callback: a certificate was added to the rejected list at 'pki/rejected'
12:58:10.892|W|610BD740* Move the certificate to the trust list to allow the client to connect with security
12:58:10.892|E|610BD740* OpcUa_SecureListener_ProcessRequest: Closing channel due error 0x80130000!
12:58:10.892|W|610BD740* OpcUa_TcpListener_ReadEventHandler: Process Request returned an error (0x80130000)!
12:58:10.892|W|610BD740* OpcUa_TcpListener_ReadEventHandler: Closing socket (0x00000000)!
13:02:50.726|E|610BD740* OpcUa_P_CryptoFactory_CreateCryptoProvider: SecurityPolicy Aes256Sha256RsaPss requires OpenSSL 1.0.2 or newer!

from UaExpert (I have obfuscated the url):
13:02:50.728 | Server Node | UaServerC@xxx.... | Connecting failed with error 'BadSecurityPolicyRejected'
13:02:50.726 | Server Node | UaServerC@xxx.... | Error 'BadSecurityPolicyRejected' was returned during CreateSession
13:02:50.701 | Server Node | UaServerC@xxx.... | Used UserTokenType: Anonymous
13:02:50.701 | Server Node | UaServerC@xxx.... | ApplicationUri: 'urn:xxx:UnifiedAutomation:UaDemoServerAnsiC'
13:02:50.701 | Server Node | UaServerC@xxx.... | Security policy: 'http://opcfoundation.org/UA/SecurityPol ... c256Sha256'
13:02:50.701 | Server Node | UaServerC@xxx.... | Endpoint: 'opc.tcp://xxx:48020'
12:58:10.896 | Server Node | UaServerC@xxx.... | Connecting failed with error 'BadSecurityChecksFailed'
12:58:10.893 | Server Node | UaServerC@xxx.... | Error 'BadSecurityChecksFailed' was returned during OpenSecureChannel
12:56:58.673 | Server Node | UaServerC@xxx.... | Used UserTokenType: Anonymous
12:56:58.673 | Server Node | UaServerC@xxx.... | ApplicationUri: 'urn:xxx:UnifiedAutomation:UaDemoServerAnsiC'
12:56:58.673 | Server Node | UaServerC@xxx.... | Security policy: 'http://opcfoundation.org/UA/SecurityPol ... c256Sha256'
12:56:58.672 | Server Node | UaServerC@xxx.... | Endpoint: 'opc.tcp://xxx:48020'
12:54:29.998 | DiscoveryWidget | | Discarding Url opc.tcp://xxx:48020 because of unsupported security policy URI http://opcfoundation.org/UA/SecurityPol ... 56_RsaOaep
12:54:29.998 | DiscoveryWidget | | Discarding Url opc.tcp://xxx:48020 because of unsupported security policy URI http://opcfoundation.org/UA/SecurityPol ... 56_RsaOaep
12:54:29.998 | DiscoveryWidget | | Adding Url opc.tcp://xxx:48020
12:54:29.997 | DiscoveryWidget | | Adding Url opc.tcp://xxx:48020
12:54:29.997 | DiscoveryWidget | | Adding Url opc.tcp://xxx:48020
12:54:28.807 | DiscoveryWidget | | Adding Server UaServerC@xxx with URL opc.tcp://xxx:48020

crosland
Full Member
Posts: 7
Joined: 07 Mar 2018, 12:02

Re: Problem with OpenSSL version

Post by crosland »

Is there any way at all to get around this problem with the pre-compiled sdk on CentOS?

Support Team
Hero Member
Posts: 3069
Joined: 18 Mar 2011, 15:09

Re: Problem with OpenSSL version

Post by Support Team »

Hello Andrew,

unfortunately, the OpenSSL library that comes with CentOS 7.4 contains two versions of the SSLeay() function, which return different results depending on the version of OpenSSL you built against. This leads to the uastack library using a different function than the SDK library, which is statically linked into your application.

The simplest workaround at this moment is to force the SDK library to use the OpenSSL 1.0.1 version of the function:

Navigate to the sdk/lib folder of the SDK and execute the following two commands:
$ objcopy --redefine-sym SSLeay=SSLeay@OPENSSL_1.0.1 libserverlib.a
$ objcopy --redefine-sym SSLeay=SSLeay@OPENSSL_1.0.1 libserverlibd.a
After that, rebuild the examples using buildExamples.sh
This way, you will be able to start the server and connect with security. The only drawback is that you will not be able to use the Aes256Sha256RsaPss security policy, but only with the evaluation version. If you purchase the source version of the SDK, you will also be able to use the Aes256Sha256RsaPss security policy when building everything against OpenSSL >= 1.0.2.
Best regards
Unified Automation Support Team
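The two support answers above come down to one check: the SDK compares the number SSLeay() returns against the minimum for each configured policy, and on CentOS that number can describe the OpenSSL the library was built against rather than the one loaded. The following checker, added here as an illustration and not code from the SDK or from anyone in this thread, models that test over settings.conf lines in the format shown in the thread; the config name SecurityPolicy_Aes256Sha256RsaPss, the 1.0.1e build-time value and the sample config are assumptions for the example.

```python
import re

# Minimum SSLeay()-style number per policy; the server log on this page says Aes256Sha256RsaPss
# "requires OpenSSL 1.0.2 or newer".  OpenSSL 1.0.x encodes versions as 0xMNNFFPPS
# (major, minor, fix, patch letter, status f = release).  Config name is an assumption.
POLICY_MIN_OPENSSL = {"SecurityPolicy_Aes256Sha256RsaPss": 0x10002000}

def openssl_number(banner):
    """Encode 'OpenSSL 1.0.2k-fips 26 Jan 2017' the way SSLeay() reports it: 0x100020bf."""
    m = re.match(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)", banner)
    if not m:
        raise ValueError("unrecognised 'openssl version' output: %r" % banner)
    major, minor, fix, patch = m.groups()
    patch_no = ord(patch) - ord("a") + 1 if patch else 0
    return (int(major) << 28) | (int(minor) << 20) | (int(fix) << 12) | (patch_no << 4) | 0xF

def parse_settings(text):
    """Read 'key = a, b' lines from settings.conf; lines starting with '#' are comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return settings

def check_endpoint(settings, detected, runtime, endpoint=0):
    """List policies the SDK will refuse, judged by the version it DETECTED via SSLeay(),
    and flag a detected/loaded mismatch (the CentOS symptom from this thread)."""
    problems = []
    if detected != runtime:
        problems.append("SSLeay() reports 0x%08x but loaded OpenSSL is 0x%08x" % (detected, runtime))
    for policy in settings.get("Endpoints/%d/SecurityPolicies" % endpoint, []):
        needed = POLICY_MIN_OPENSSL.get(policy)
        if needed is not None and detected < needed:
            problems.append("%s needs OpenSSL >= 0x%08x, detected 0x%08x" % (policy, needed, detected))
    return problems

# Constructed sample config in the settings.conf format shown in the thread.
SAMPLE_CONF = """
Endpoints/0/SecurityPolicies = SecurityPolicy_None, SecurityPolicy_Basic256Sha256, SecurityPolicy_Aes256Sha256RsaPss
Endpoints/0/UserTokenPolicies = Anonymous, UserName_256Sha256
"""

if __name__ == "__main__":
    runtime = openssl_number("OpenSSL 1.0.2k-fips 26 Jan 2017")  # from 'openssl version' above
    detected = openssl_number("OpenSSL 1.0.1e")  # assumed: what the 1.0.1 SSLeay symbol returns
    for problem in check_endpoint(parse_settings(SAMPLE_CONF), detected, runtime):
        print(problem)
```

Once the SSLeay symbol has been redirected with objcopy as described above, the detected and loaded values agree and only the genuine 1.0.2 requirement remains to be satisfied by dropping the policy or rebuilding against a newer OpenSSL.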

crosland
Full Member
Posts: 7
Joined: 07 Mar 2018, 12:02

Re: Problem with OpenSSL version

Post by crosland »

Thank you, that was successful!

Andrew