Python opc-ua communication using self signed certificate and basic128rsa15 encryption
I want to communicate, via the python opcua library, with an OPC UA server that uses Basic128Rsa15 encryption.
client.set_security_string("Basic128Rsa15,"
"SignAndEncrypt,"
"cert.pem,"
"key.pem")
I did the same communication with a Prosys server using Basic256Sha256 encryption and everything worked. With Basic128Rsa15 (using KEPserver) I get the following error:
In [19]: runfile('opcuaclient.py', wdir='/home/di29394/fue4bfi/python/fuere4bfi')
DEPRECATED! Do not use SecurityPolicyBasic128Rsa15 anymore!
Received an error: MessageAbort(error:StatusCode(BadSecurityChecksFailed), reason:An error occurred verifying security.)
Received an error: MessageAbort(error:StatusCode(BadSecurityChecksFailed), reason:An error occurred verifying security.)
Protocol Error
Traceback (most recent call last):
File "/usr/local/lib/python3.6/dist-packages/opcua/client/ua_client.py", line 101, in _run
self._receive()
File "/usr/local/lib/python3.6/dist-packages/opcua/client/ua_client.py", line 121, in _receive
self._call_callback(0, ua.UaStatusCodeError(msg.Error.value))
File "/usr/local/lib/python3.6/dist-packages/opcua/client/ua_client.py", line 131, in _call_callback
.format(request_id, self._callbackmap.keys())
opcua.ua.uaerrors._base.UaError: No future object found for request: 0, callbacks in list are
Traceback (most recent call last):
File "<ipython-input-18-4187edd51b2b>", line 1, in <module>
runfile('opcuaclient.py', wdir='/home/opcuauser')
File "/usr/lib/python3/dist-packages/spyder/utils/site/sitecustomize.py", line 705, in runfile
execfile(filename, namespace)
File "/usr/lib/python3/dist-packages/spyder/utils/site/sitecustomize.py", line 102, in execfile
exec(compile(f.read(), filename, 'exec'), namespace)
File "opcuaclient.py", line 57, in <module>
connected = client.connect()
File "/usr/local/lib/python3.6/dist-packages/opcua/client/client.py", line 259, in connect
self.open_secure_channel()
File "/usr/local/lib/python3.6/dist-packages/opcua/client/client.py", line 309, in open_secure_channel
result = self.uaclient.open_secure_channel(params)
File "/usr/local/lib/python3.6/dist-packages/opcua/client/ua_client.py", line 265, in open_secure_channel
return self._uasocket.open_secure_channel(params)
File "/usr/local/lib/python3.6/dist-packages/opcua/client/ua_client.py", line 199, in open_secure_channel
response = struct_from_binary(ua.OpenSecureChannelResponse, future.result(self.timeout))
File "/usr/lib/python3.6/concurrent/futures/_base.py", line 430, in result
raise CancelledError()
CancelledError
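The certificate is self-signed using the cryptography library (snippet):
from datetime import timedelta
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes

# name, key, now, basic_contraints and san are defined elsewhere in the script
cert = (
    x509.CertificateBuilder()
    .subject_name(name)
    .issuer_name(name)
    .public_key(key.public_key())
    .serial_number(1000)
    .not_valid_before(now)
    .not_valid_after(now + timedelta(days=10*365))  # possibly make this dynamic as well
    .add_extension(basic_contraints, False)
    .add_extension(san, False)
    .sign(key, hashes.SHA256(), default_backend())
)
Do I have to change the certificate generation for Basic128Rsa15, or is there some other error?
Thanks in advance.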
The error message is actually quite clear!
DEPRECATED! Do not use SecurityPolicyBasic128Rsa15 anymore!
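Basic128Rsa15 is no longer considered secure by the OPC Foundation, and deprecating it is recommended.
It may still be possible to use it with KEPServerEx, but I would not recommend using it for anything other than testing.
Note: Basic256 is also considered obsolete by the OPC Foundation, so the recommended minimum OPC UA security policy is Basic256Sha256.
Some OPC UA clients and servers already support the latest and more secure security policies: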
- Aes128Sha256RsaOaep
- Aes256Sha256RsaPss
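Basic128Rsa15 does not seem very pleasant to use. But evidently that was not the problem. The problem was that I had connected to the KEPServer at least twice with different certificates but the same valid URI. The server had a problem with this and therefore rejected all incoming connections (the error messages did not seem very helpful). After deleting all requests on the server and reconnecting, everything worked (even with Basic128Rsa15).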
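An added example (not part of the original posts) of the condition the answer above describes: different certificates that claim the same URI. It assumes the URI in question is the OPC UA ApplicationUri carried in the certificate's subjectAltName, and it uses the cryptography library to group certificates by that URI; the URIs, common names and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

def make_cert(common_name, app_uri):
    """Constructed sample input: a self-signed cert carrying app_uri in its SAN."""
    key = rsa.generate_private_key(65537, 2048, default_backend())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    san = x509.SubjectAlternativeName([x509.UniformResourceIdentifier(app_uri)])
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(san, critical=False)
        .sign(key, hashes.SHA256(), default_backend())
    )

def application_uris(cert):
    """Return the URI entries of the SAN extension (empty list if there is none)."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return san.value.get_values_for_type(x509.UniformResourceIdentifier)

def uri_conflicts(certs):
    """Map each URI to its cert thumbprints when more than one distinct cert claims it."""
    seen = defaultdict(set)
    for cert in certs:
        thumb = cert.fingerprint(hashes.SHA1()).hex()  # SHA-1 used as an identifier only
        for uri in application_uris(cert):
            seen[uri].add(thumb)
    return {uri: sorted(t) for uri, t in seen.items() if len(t) > 1}

def demo():
    """Two different certs reuse one URI (the reported situation); a third does not."""
    uri = "urn:example:python-opcua-client"  # constructed value
    certs = [make_cert("client-old", uri), make_cert("client-new", uri),
             make_cert("other", "urn:example:other-client")]
    return uri_conflicts(certs)
```

Running the same grouping over the certificates a server has stored for a client shows which stale entries share the URI of the certificate currently in use.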
I usually use the following:
client.set_security_string("Basic256Sha256,SignAndEncrypt,xxxxx.der,xxxxx.pem")
Please try this.