Professional OPC
Development Tools

logos

Online Forums

Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.

Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.

Do not use the Contact page for technical issues.

Controlling Certificate Validations in EasyUAClient

More
05 Oct 2024 12:02 - 05 Oct 2024 14:36 #13205 by support
Hello, and thank you. You gave me some stuff to think about. Ideally, we would somehow satisfy both worlds - maintain the design principles I described, and support custom certificate validation too. I do not think it is fully possible, but perhaps we can offer a separate "mode" of operation in which the custom validation will be used. Obviously this is not something to be implemented in short term. If this feature is a "must", our library is probably not for you.

If you like, we can go on troubleshooting path, and try to determine the exact cause of the certificate validation failure. Let me know if you are interested in it. Sometimes the reasons are different from what one would guess.

But you might be right about the relation CRLs. In fact, in OPC UA the expected mechanism to distribute trust lists *including* CRLs is via the OPC UA GDS (Global Discovery Server), which is usually front-ending some CA. And the usual CRL distribution points (URLs) are not used. CRLs are then located inside the OPC UA certificate stores. This is possible with OPC UA directory-based certificate stores, which have "crl" subdirectory for it. But, Windows certificate stores (which you mentioned you are using) cannot store CRLs.

An online CRL check might also be possible, and we can look into it, but first it would be necessary to know for sure what the cause of the certificate validation failure is in your case.
Last edit: 05 Oct 2024 14:36 by support. Reason: typo

Please Log in or Create an account to join the conversation.

More
02 Oct 2024 19:33 #13197 by LAS.Carter
No worries! Thank you for taking the time to respond equally on this dialogue :)

Given the current widespread "development economy", I appreciate your products pragmatic alignment to the governing standard.

Although I normally take configuration into consideration, I had not considered the factors of "repeatability"/idempotence factors at the product layers you described.
While your prioritization on this is not applicable to us, I could see how many companies, especially in the public sector, would consider this priority indispensable.
As a conforming product, you must prioritize standards adherence, and do so in such a way that adherence is maintained at-scale.
If I recall correctly, the OPC-UA standards include a definition for a centralized client-configuration facility; If this related, restricting horizontal configuration to discrete values guarantees that your users can scale your solution vertically in a "turn-key" manner.

In our environment, we sometimes decide to wrap/repackage certain "architectural" libraries, to limit or expedite the interface available to our developers.
Like many companies, we sometimes leverage contracted developers, and this approach helps regulate change management, risk adoption, and maintenance commitments.
This is why custom certificate validation was my first choice; I will most likely wrap your library regardless, to ensure certificate-related options such as store locations and validation options, cannot be manipulated by developers in a production environment, but I do appreciate that this is not the case for pretty much all of your customers.

Focusing on the issue at hand, when I say that we are required to utilize existing internal certificate infrastructure for certificate-based client-server communications, let me provide some depth on what this entails and how we currently intend to structure our OPC-UA architecture.
  • We intend to use our certificate infrastructure to prove governance/authority/identity of server-entities in our environment - All client (applications) and server endpoints will be configured for Sign+Encrypt Security Policy only.
  • Client certificates will be generated by each application, which must be manually approved on the server-side, also ensuring that new client adoption is controlled.
  • Server certificates and their chains are scrutinized for Issuer/Trust, using appropriately configured/separated Windows X.509 certificate stores on the Client-side, to improve serviceability for security personnel who may know little or nothing about OPC-UA.
  • Server certificates prove to a client (application) that it is talking to a server we have trust/control/regulate; Clients will still be required to authenticate/authorize using one of the many available UserTokenPolicy.
  • Server certificates will be checked by clients for Certification Revocation Status. (Why I want the custom certificate validation)

I have a certificate chain that, succeeds when tested for Certificate Revocation status using a different implementation, but fails when using the OPC-UA specified Certificate Revocation validations.
When I say that the certificate chain succeeds using a different implementation, I mean that I have confirmed that the non-OPC implementation properly fails for a revoked certificate and passes a non-revoked certificate as it should.

I'm mostly shooting in the dark here, but maybe the OPC-UA implementation expects that a certificate identifies it's own CRL distribution point, which is different from how HTTPS and many businesses internal certificate authorities are established.
In these systems, it is common to have the issued certificate include the the CRL distribution point governing the issued certificate, and in this sense the root certificate does not include a CRL distribution point.
Again, this is just my best guess; Maybe the OPC-UA implementation has no issue with this and something else is preventing CRL validation.
Let me know what you think.

Please Log in or Create an account to join the conversation.

More
28 Sep 2024 17:16 #13187 by support
Hello.

Thank you for the detailed feedback, I really appreciate it. I feel that I have to provide more elaborate explanation of our design as well, and address at least some of the points you raised.

There is a large amount of effort that went and goes into QuickOPC. Implementing the "hook" for custom certificate validation would be a minor deal in terms of work amount - if we decided to do it. But, it is not for bad prioritization or laziness that we do not have it, and it is also not *just* because of the reason you mention - the goal to provide quick/easy development. There are more important reasons. The two most important ones are:

1. Consistency in the QuickOPC design principle in which whatever information is necessary to access the target should be specified by *data*, and not *code*. Hooking a custom certificate validation requires code, and makes it impossible to describe the intended behavior just by listing the properties of participating objects. There are higher-level features that depend on the principle. For example, you won't be able to simply serialize the endpoint/node descriptor from one program to other program, and be sure that it works - because the hooks (the code behind them) don't get serialized. On even higher level, in the reactive programming model, the streams of notifications are treated as pieces of data that you can manipulate, combine, transfer around…. And none of that works if there is code attached to objects that does not serialize.

2. Security. The certificate validation algorithm is one of the critical pieces of OPC UA security architecture. The details of the certificate validation procedures are quite long, and they get improvements and clarifications in practically every revision of OPC UA specifications. The corresponding code in the library matches the specifications. When we provide properties that allow you to influence the validation, and you change them, it is blatantly obvious that you are affecting the security, and each property tells you what effects it has. So even if you decide to turn the validation off (and I agree - this is not for any production use, it is just for troubleshooting), you at least know that you did it. Or, if you decrease certain aspect of the security, again you have to explicitly specify that. Allowing developers to fully override the validation by their own code is a recipe for security disaster. 99.9% of developers who will do it will *think* they have done it securely, but there will be insecurities in their code. Believing that you are secure, while you are not, is worse than knowingly turning the security off.

It is true the users are often struggling with getting the certificates right in OPC UA. It is either because they do not understand the underlying concepts, or that they do not understand the particular implementation or behavior we have - which, however, is not much different from what other products do. And we are trying various measures to make the whole process less painful. The tech support issues, however, rarely call for resolution through the custom certificate validation. In fact, you might be the 2nd or 3rd over many years. In normal cases, there is a more appropriate solution - which simply consists of having the right certificates in the right places. Trying to get around that with custom validation would be *guaranteed* to be insecure.

I am totally with you on your other recommendations, such as guiding the users from the concrete/visual to the more abstract concepts - we will try to incorporate this.

I have re-read your original entry, and I am trying to understand how your requirements look like. When you wrote "Our network security policies require that we use our existing internal certificate infrastructure…", does that mean that you cannot use the certificate stores (directory based or platform-defined) to hold the certificates? Or, are you saying that perhaps the certificate storage is OK, but you must obey specific requirements for certificate validation that are different from what is implemented in QuickOPC? In the latter case, if you requirements were in any relevant aspect "looser" than what is mandated by OPC UA specifications, following such requirements will not be compliant with the OPC UA specs - and that is simply not what we are making our product for.

Best regards

Please Log in or Create an account to join the conversation.

More
27 Sep 2024 19:40 #13186 by LAS.Carter
I appreciate that a custom certificate validations feature does not seem to coincide with the product goal of being a "quick" and/or "easy" OPC solution.
I also understand that the OPC-UA Standard and OPC Labs build upon an industry-standard/accurate X509 infrastructure, but it is more rigid than the industry-normal, which is (in just my own opinion) why the OPC-UA Reference Implementation extends the feature I used as an example.

Regarding your suggestion, I think that these options paint a user-story of security disablement rather than configuration, which is not well-intentioned; Although there are definitely exceptions, it is unlikely that your users choose to be insecure, but they must choose to be business-functional.
Although few users truly need their own custom validation code, the feature could serve as a powerful trace-point when investigating certificate issues, for users troubleshooting on their own and when working with support. (similar to attaching a `Console.WriteLine` to the `EasyUAClient.LogEntry` event)

Many users seem to approach this forum with certificate issues, after they have tried to resolve the issue for multiple days.
Ostensibly, your users seek self-sufficiency because they do not want to call themselves "security disablers".
Guiding the user story towards features that empower them, rather than taking away something they don't understand (or even know where to begin understanding) might be a long-term design goal you can agree with.
As a literal example, a user might not understand the concepts of X509 standards without examples or hand-holding; They can understand the Certificate Path tab they see when they open a '.cer' on a Windows machine, and building from this visual concept they can associate the concepts of trust-anchors, certificate Trust versus Chain Validity, etc.

Obviously your goal is to hide and expedite what can and should be generalized, so it makes sense to take an opinion to prevent extreme scope-creep, but I think that having this feature could reduce development friction.
If a developer can surface a `CertificationFailure` event using Visual Studio Intellisense, like my developers did with `EasyUAClient.LogEntry`, a developer can further 'echo-locate' themselves educationally or derive a solution that they can ship confidently.
In this sense, they can take use their development experience as an opportunity to educate themselves further, to understand why their certificates are not working.

Sorry for the long read, but if it wasn't obvious I'm definitely in favor of adding the feature :P

Please Log in or Create an account to join the conversation.

More
27 Sep 2024 07:54 #13178 by support
Hello.
No, there is (by design, although we may reconsider it in the future) no such hook.

There are settings in CertificateAcceptancePolicy (which can be set globally or overridden on specific endpoint) that can be used to influence which certificates are accepted. I am listing some of them below. But, if the setting you are looking for is missing, there is currently no way (well, the AcceptAnyCertificate can always do it, but that essentially turns off *any* certificate check).

- AcceptAnyCertificate
- AllowSha1SignedCertificates
- CheckTimeValidAndNested
- MinimumCertificateKeySize
- RequireRevocationStatusKnown

Regards

Please Log in or Create an account to join the conversation.

More
27 Sep 2024 00:03 #13176 by LAS.Carter
Our network security policies require that we use our existing internal certificate infrastructure for certificate-based client-server communications.
This questions is not regarding the generation of OPC-UA compliant certificates, nor the reasoning as to why any specific certificate fails to pass "X" validation.

Does the EasyUAClient provide a "point-of-entry" to insert additional certificate validation procedures, such that an application can decide that an otherwise "invalid" certificate should be treated as valid?
Just to be clear on what I am trying to describe, this is a link to the OPC-UA reference implementation, showing something functionally equivalent to what I am looking for: CertificateValidator.cs at master · OPCFoundation/UA-.NETStandard

Does the EasyUAClient have anything like this?

Please Log in or Create an account to join the conversation.

Moderators: support
Time to create page: 0.058 seconds