CTT test: OpenSecureChannel.Response is not good; received 'BadSecurityChecksFailed (0x80130000)'. Expected: BadCertificateIssuerRevocationUnknown #2759

Open
5 tasks
codeJJL opened this issue Sep 10, 2024 · 1 comment
Labels
compliance An issue was found which is not compliant with the OPC UA specification. Pending Feedback Pending on further feedbacks or clarification from person who create the issue.

Comments


codeJJL commented Sep 10, 2024

Type of issue

  • Bug
  • Enhancement
  • Compliance
  • Question
  • Help wanted

Current Behavior

Security Certificate Validation
Certificate will be validated as specified in OPC UA Part 4. This includes among others structure and signature examination.
Allowing for some validation errors to be suppressed by administration directive.

Connect using a client certificate signed by a not trusted but known CA where there is no revocation list available.

OpenSecureChannel.Response is not good; received 'BadSecurityChecksFailed (0x80130000)'. Expected: BadCertificateIssuerRevocationUnknown (0x801c0000); Would accept: Good (0x00000000)

Specific error: OpenSecureChannel( MessageSecurityMode: SignAndEncrypt; RequestedSecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss ); Result = BadSecurityChecksFailed (0x80130000) Expected: BadCertificateIssuerRevocationUnknown (0x801c0000); Would accept: Good (0x00000000)

Expected Behavior

No response

Steps To Reproduce

No response

Environment

- OS:
- Environment:
- Runtime:
- Nuget Version:
- Component:
- Server:
- Client:

Anything else?

No response

Contributor

mregen commented Sep 24, 2024

@codeJJL, please provide the CTT version. In general, the security check return values are obfuscated to not provide an attacker insights. So BadSecurityChecksFailed is mostly a valid response, unless it is an older CTT.

@mregen mregen added compliance An issue was found which is not compliant with the OPC UA specification. Pending Feedback Pending on further feedbacks or clarification from person who create the issue. labels Sep 24, 2024
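
The three results named in the CTT message (the generic code, the specific code, and Good once the finding is suppressed by the administrator), side by side in an added Python example that is not part of this thread or of the project's code. The function name, the `suppressed` and `disclose` parameters, the `NEVER_SUPPRESS` policy and the logger name are assumptions of this example; the two status codes not quoted in the issue are standard OPC UA status codes.

```python
import logging

# Status codes quoted in the issue above.
GOOD = 0x00000000
BAD_SECURITY_CHECKS_FAILED = 0x80130000
BAD_CERT_ISSUER_REVOCATION_UNKNOWN = 0x801C0000
# Further OPC UA status codes, not quoted in the issue.
BAD_CERT_UNTRUSTED = 0x801A0000
BAD_CERT_REVOKED = 0x801D0000

# Assumption of this example: these results may never be suppressed.
NEVER_SUPPRESS = frozenset({BAD_CERT_UNTRUSTED, BAD_CERT_REVOKED})

audit_log = logging.getLogger("opcua.audit")  # hypothetical logger name


def open_secure_channel_status(findings, suppressed=frozenset(), disclose=False):
    """Map certificate validation findings to (wire_status, audit_records).

    findings   -- detailed status codes produced by certificate validation
    suppressed -- codes an administrator has chosen to ignore (assumed config)
    disclose   -- True returns the first specific code instead of the generic one
    """
    bad_config = NEVER_SUPPRESS & set(suppressed)
    if bad_config:
        raise ValueError("cannot suppress: " + ", ".join(f"0x{c:08X}" for c in sorted(bad_config)))

    audit, blocking = [], []
    for code in findings:
        action = "suppressed" if code in suppressed else "rejected"
        audit.append((action, code))
        # The specific reason always stays on the server side.
        audit_log.warning("client certificate %s: 0x%08X", action, code)
        if action == "rejected":
            blocking.append(code)

    if not blocking:
        return GOOD, audit
    return (blocking[0] if disclose else BAD_SECURITY_CHECKS_FAILED), audit


if __name__ == "__main__":
    # Constructed input: the CTT scenario, no CRL available for the issuing CA.
    findings = [BAD_CERT_ISSUER_REVOCATION_UNKNOWN]
    for kwargs in ({}, {"disclose": True}, {"suppressed": {BAD_CERT_ISSUER_REVOCATION_UNKNOWN}}):
        status, _ = open_secure_channel_status(findings, **kwargs)
        print(kwargs, "->", f"0x{status:08X}")
```

In the default case the client sees only 0x80130000, while the audit record still carries 0x801C0000 for the operator.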