opcua-asyncio icon indicating copy to clipboard operation
opcua-asyncio copied to clipboard

Published 20 hours ago verified publisher icon FreeOpcUa

Client side check_certificate is producing false positives

Open rth opened this issue 1 year ago • 6 comments

The current check_certificate might be a bit too strict on the client side. For instance when connecting to an Ignition OPCUA server, I'm hitting 2 failed checks:

 1. certificate does not contain the application uri ({application_uri}). Most applications will reject a connection without it.
 2. certificate does not contain the hostname in DNSNames {hostname}. Some applications will check this.

these will be logged for each new connection as an error, and yet the connection works fine. There is also no way of disabling these short of monkeypatching.

I'm not very knowledgeable about certificate validation best practices, and could be mistaken, but I feel it's not really client's role to do such strong enforcement of certificates. In particular, logging as an error that "Most (or some) applications " will fail with this certificate, does seem to be a false positive when the application works fine.

Version
Python-Version: 3.11 opcua-asyncio Version: master

rth avatar Sep 07 '23 15:09 rth

opc ua reference has some strict rules on that to avoid security issues e.g. check if the client which is connected has the same uri that is in the subject altname extension of the cert used

https://reference.opcfoundation.org/Core/Part6/v105/docs/6.2.2

AndreasHeine avatar Sep 07 '23 20:09 AndreasHeine

Also this is logged because we had lot of problems users, that could not connect to servers. Also like the message sugguest, nearly all servers will need these parameters.

Maybe we could log a warning instead of an error.

schroeder- avatar Sep 08 '23 05:09 schroeder-

I understand. +1 to make it a warning (debug or info) so that servers that don't fully respect that part of the spec can still be connected without flooding the logs with these messages.

rth avatar Sep 08 '23 08:09 rth

I understand. +1 to make it a warning (debug or info) so that servers that don't fully respect that part of the spec can still be connected without flooding the logs with these messages.

should be optional to ignore cert issues

AndreasHeine avatar Sep 09 '23 04:09 AndreasHeine

yes if it does not break things it should be a warning.

oroulet avatar Sep 10 '23 08:09 oroulet

With PR #1415 there is a certificate validator available that can be configured what to check from a certificate. When the validator is used, maybe should also be used on the locations where now check_certificate is used?

bitkeeper avatar Sep 10 '23 08:09 bitkeeper