【Question title】: OPC-UA certificate issues
【Posted】: 2023-02-01 16:24:37
【Question description】:

I'm using the Qt qtopcuaviewer example to test the connection to a PLC. Usually it works fine and I can retrieve the variables. With this specific PLC I get the following output:

"Creating PKI path '/home/user/bin/pki/trusted/certs': SUCCESS."
"Creating PKI path '/home/user/bin/pki/trusted/crl': SUCCESS."
"Creating PKI path '/home/user/bin/pki/issuers/certs': SUCCESS."
"Creating PKI path '/home/user/bin/pki/issuers/crl': SUCCESS."
Discovering servers on  "opc.tcp://192.168.1.50:4840"
qt.opcua.plugins.open62541.sdk.userland: "AcceptAll Certificate Verification. Any remote certificate will be accepted."
qt.opcua.plugins.open62541.sdk.securechannel: "Connection 11 | SecureChannel 3778283009 | Opened SecureChannel with SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None"
qt.opcua.plugins.open62541.sdk.client: "Client Status: ChannelState: Open, SessionState: Closed, ConnectStatus: Good"
qt.opcua.plugins.open62541.sdk.client: "Client Status: ChannelState: Closed, SessionState: Closed, ConnectStatus: Good"
qt.opcua.plugins.open62541.sdk.userland: "AcceptAll Certificate Verification. Any remote certificate will be accepted."
qt.opcua.plugins.open62541.sdk.securechannel: "Connection 11 | SecureChannel 3778283010 | Opened SecureChannel with SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None"
qt.opcua.plugins.open62541.sdk.client: "Client Status: ChannelState: Open, SessionState: Closed, ConnectStatus: Good"
qt.opcua.plugins.open62541.sdk.client: "Client Status: ChannelState: Closed, SessionState: Closed, ConnectStatus: Good"
qt.opcua.plugins.open62541: Directory is empty
Client state changed QOpcUaClient::Connecting
qt.opcua.plugins.open62541: Directory is empty
qt.opcua.plugins.open62541.sdk.userland: "AcceptAll Certificate Verification. Any remote certificate will be accepted."
qt.opcua.plugins.open62541.sdk.securitypolicy: "The Basic128Rsa15 security policy with openssl is added."
qt.opcua.plugins.open62541.sdk.securitypolicy: "The basic256 security policy with openssl is added."
qt.opcua.plugins.open62541.sdk.securitypolicy: "The basic256sha256 security policy with openssl is added."
qt.opcua.plugins.open62541.sdk.client: "The configured ApplicationURI does not match the URI specified in the certificate for the SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None"
qt.opcua.plugins.open62541.sdk.securechannel: "Connection 11 | SecureChannel 3778283011 | Opened SecureChannel with SecurityPolicy http://opcfoundation.org/UA/SecurityPolicy#None"
qt.opcua.plugins.open62541.sdk.client: "Client Status: ChannelState: Open, SessionState: Closed, ConnectStatus: Good"
qt.opcua.plugins.open62541.sdk.client: "Rejecting UserTokenPolicy 0 (username) in endpoint 0: configuration doesn't match"
qt.opcua.plugins.open62541.sdk.client: "Rejecting endpoint 1: security mode doesn't match"
qt.opcua.plugins.open62541.sdk.client: "Rejecting endpoint 2: security policy doesn't match"
qt.opcua.plugins.open62541.sdk.client: "Rejecting endpoint 3: security mode doesn't match"
qt.opcua.plugins.open62541.sdk.client: "Rejecting endpoint 4: security policy doesn't match"
qt.opcua.plugins.open62541.sdk.client: "Rejecting endpoint 5: security mode doesn't match"
qt.opcua.plugins.open62541.sdk.client: "No suitable UserTokenPolicy found for the possible endpoints"
qt.opcua.plugins.open62541.sdk.client: "Client Status: ChannelState: Closed, SessionState: Closed, ConnectStatus: BadInternalError"
qt.opcua.plugins.open62541: Open62541: Failed to connect
Client error changed QOpcUaClient::UnknownError
Client state changed QOpcUaClient::Disconnected

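The developer of the PLC says no certificate is needed, but I'm still not sure I understand the root cause of the rejected connection.

Is there something I can do to debug this issue? Or is it so clear that my limited knowledge prevents me from fixing it?

EDIT

In the getEndpoints() function I added the following debug calls: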

void MainWindow::getEndpoints()
{
    ui->endpoints->clear();
    updateUiState();

    if (ui->servers->currentIndex() >= 0) {
        const QString serverUrl = ui->servers->currentText();
        createClient();
        mOpcUaClient->requestEndpoints(serverUrl);
        qDebug() << mOpcUaClient->supportedSecurityPolicies();
        qDebug() << mOpcUaClient->supportedUserTokenTypes();
    }
}

Here is the output:

QList("http://opcfoundation.org/UA/SecurityPolicy#None", "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15", "http://opcfoundation.org/UA/SecurityPolicy#Basic256", "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256")

QList(0, 1)

Here is the enum for TokenType:

enum TokenType {
    Anonymous = 0,
    Username = 1,
    Certificate = 2,
    IssuedToken = 3
};
Q_ENUMS(TokenType)

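Does this help?

UPDATE

With the application mentioned above I found these endpoints:

As far as I understand, it seems to be a request for a certificate. Instead, the other machine (the working one) shows this other endpoint:

So, is it true that the first machine does "not need any security certificate", as the vendor claims?

【Question comments】:

  • I guess the PLC doesn't offer any security policy or UserTokenTypes matching your client ... You can use supportedSecurityPolicies() and supportedUserTokenTypes() to check what your client supports. A Wireshark packet capture may also help
  • @CamilleG. Question updated. Please let me know if there is anything else I can do to find out how to solve the problem.
  • @CamilleG. Updated the question with the discovered endpoints

Tags: qt security openssl ssl-certificate opc-ua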


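【Solution 1】:

192.168.1.50 seems to support only secure communication (None is not present). 192.168.1.12 supports only insecure communication. I guess your OPC UA client is not configured to connect to a secure server. Check with another OPC UA client that supports secure communication (i.e. UA Expert)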
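
The rejection sequence in the question's log, reproduced by a simplified model of client-side endpoint matching (an added example, not code from the post, Qt or open62541). The endpoint list and client settings are constructed to yield the same messages, and `selectEndpoint`, `constructedServer` and the structs are hypothetical names.

```cpp
#include <iostream>
#include <string>
#include <vector>

enum class Mode { None = 1, Sign = 2, SignAndEncrypt = 3 };
enum TokenType { Anonymous = 0, Username = 1, Certificate = 2, IssuedToken = 3 };  // as in the question
struct Endpoint { Mode mode; std::string policy; std::vector<TokenType> tokens; };
struct ClientConfig { Mode mode; std::string policy; TokenType identity; };
struct Result { int endpoint = -1; std::vector<std::string> log; };
const std::string kPolicy = "http://opcfoundation.org/UA/SecurityPolicy#";

// Simplified model: channel security (mode, policy) is checked first, the identity token second.
Result selectEndpoint(const ClientConfig &c, const std::vector<Endpoint> &eps) {
    static const char *names[] = {"anonymous", "username", "certificate", "issuedtoken"};
    Result r;
    bool channelMatch = false;
    for (size_t i = 0; i < eps.size(); ++i) {
        const std::string n = std::to_string(i);
        const char *why = eps[i].mode != c.mode ? "security mode"
                        : eps[i].policy != c.policy ? "security policy" : nullptr;
        if (why) { r.log.push_back("Rejecting endpoint " + n + ": " + why + " doesn't match"); continue; }
        channelMatch = true;  // this endpoint is usable if one of its token policies fits
        for (size_t j = 0; j < eps[i].tokens.size(); ++j) {
            if (eps[i].tokens[j] == c.identity) { r.endpoint = static_cast<int>(i); return r; }
            r.log.push_back("Rejecting UserTokenPolicy " + std::to_string(j) + " (" +
                            names[eps[i].tokens[j]] + ") in endpoint " + n +
                            ": configuration doesn't match");
        }
    }
    r.log.push_back(channelMatch ? "No suitable UserTokenPolicy found for the possible endpoints"
                                 : "No suitable endpoint found");  // second text is this model's wording
    return r;
}

// Constructed endpoint list (not taken from the PLC): three policies x two modes, username only.
std::vector<Endpoint> constructedServer() {
    std::vector<Endpoint> eps;
    for (const char *p : {"Basic256Sha256", "Basic256", "Basic128Rsa15"}) {
        eps.push_back({Mode::SignAndEncrypt, kPolicy + p, {Username}});
        eps.push_back({Mode::Sign, kPolicy + p, {Username}});
    }
    return eps;
}

int main() {
    ClientConfig cfg{Mode::SignAndEncrypt, kPolicy + "Basic256Sha256", Anonymous};
    for (const std::string &l : selectEndpoint(cfg, constructedServer()).log) std::cout << l << "\n";
    cfg.identity = Username;  // same channel settings, identity token type now offered by endpoint 0
    std::cout << "selected endpoint: " << selectEndpoint(cfg, constructedServer()).endpoint << "\n";
}
```

In this model the final "No suitable UserTokenPolicy" message means at least one endpoint passed the mode and policy checks and only the identity token type failed to match.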
