
OPC UA 1.05 Maintenance Update

@opcfoundation-org released this 04 Dec 12:12
f5d00d9

1.05.374 roll up until Dec 4th.

This release is based on the 1.05.03 NodeSet with generated files from the ModelCompiler.
The focus of this release was on performance improvements and bug fixes.

Breaking change

Based on a recent security review, the HTTPS server endpoints now request TLS mutual authentication (client certificates) and change their behavior when the client presents no certificate.
It is highly recommended to use only mutual TLS authentication. Some clients may not support the new scheme yet, which is why the option below exists.

A new configuration variable

    <HttpsMutualTls>true</HttpsMutualTls>

enables or disables the mutual TLS authentication support (default: true).

The behavior of the HTTPS (TLS) endpoint changes according to this setting:

HttpsMutualTls is true

  • The server checks the trust of the certificate the client uses for TLS authentication. It must be a valid OPC UA application certificate that is in the server's trust list.
  • A client can still connect without providing a client certificate, but it is then only able to call the discovery services.
  • To create a session, the client must use the same application certificate that was used for the TLS channel.

HttpsMutualTls is false

  • There is no application authentication: the server endpoint uses security policy None and the client application is not authenticated.
  • Only user authentication protects the server, so anonymous user authentication is disabled.
  • Discovery service calls are supported.
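To make the precedence of these rules concrete, here is a small Python model of the endpoint policy described above. It is an added example and not code from UA-.NETStandard: the Service and Decision names, the representation of certificates as DER bytes identified by SHA-1 thumbprint, and the trust list as a set of thumbprints are assumptions for illustration. The page does not say how the real server treats an untrusted client certificate in the TLS handshake; the model assumes it is refused for everything except discovery.

```python
"""Model of the HttpsMutualTls endpoint policy (added example, not UA-.NETStandard code).

Certificates are modelled as their DER bytes and identified by SHA-1 thumbprint,
the way an OPC UA trusted-certificate store identifies its entries. Every
certificate value used here is a constructed placeholder, not real X.509 DER.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional, Set


class Service(Enum):
    FIND_SERVERS = auto()      # discovery service
    GET_ENDPOINTS = auto()     # discovery service
    CREATE_SESSION = auto()
    ACTIVATE_SESSION = auto()
    READ = auto()


# Discovery services are reachable in both modes, with or without a client certificate.
DISCOVERY_SERVICES = {Service.FIND_SERVERS, Service.GET_ENDPOINTS}


class Decision(Enum):
    ALLOW = auto()
    DENY_DISCOVERY_ONLY = auto()      # no TLS client certificate: discovery only
    DENY_UNTRUSTED_TLS_CERT = auto()  # TLS client certificate not in the trust list (assumption)
    DENY_CERT_MISMATCH = auto()       # CreateSession certificate differs from the TLS certificate
    DENY_ANONYMOUS = auto()           # HttpsMutualTls=false: anonymous user tokens are refused


@dataclass
class Request:
    service: Service
    tls_client_cert: Optional[bytes]        # certificate presented in the TLS handshake, if any
    session_cert: Optional[bytes] = None    # clientCertificate of the CreateSession request
    user_token: str = "anonymous"           # user identity token type ("anonymous", "username", ...)


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint of a DER certificate, hex upper case as in X.509 stores."""
    return hashlib.sha1(der).hexdigest().upper()


def authorize(req: Request, https_mutual_tls: bool, trusted: Set[str]) -> Decision:
    """Apply the endpoint rules in the order the release notes list them."""
    if req.service in DISCOVERY_SERVICES:
        return Decision.ALLOW

    if https_mutual_tls:
        # Without a client certificate the client is limited to discovery.
        if req.tls_client_cert is None:
            return Decision.DENY_DISCOVERY_ONLY
        # The TLS certificate must be a trusted OPC UA application certificate.
        if thumbprint(req.tls_client_cert) not in trusted:
            return Decision.DENY_UNTRUSTED_TLS_CERT
        # CreateSession must carry the same application certificate as the TLS channel.
        if req.service is Service.CREATE_SESSION:
            if req.session_cert is None or thumbprint(req.session_cert) != thumbprint(req.tls_client_cert):
                return Decision.DENY_CERT_MISMATCH
        return Decision.ALLOW

    # HttpsMutualTls=false: security policy None, no application authentication;
    # only the user identity protects the server and anonymous is disabled.
    # CreateSession carries no user token yet, so the check starts at ActivateSession.
    if req.service is not Service.CREATE_SESSION and req.user_token == "anonymous":
        return Decision.DENY_ANONYMOUS
    return Decision.ALLOW


if __name__ == "__main__":
    app_cert = b"constructed-app-cert-der"        # placeholder, not real DER
    trust_list = {thumbprint(app_cert)}
    for mutual in (True, False):
        for req in (Request(Service.GET_ENDPOINTS, None),
                    Request(Service.CREATE_SESSION, None, app_cert),
                    Request(Service.CREATE_SESSION, app_cert, app_cert),
                    Request(Service.ACTIVATE_SESSION, app_cert, user_token="anonymous")):
            print(f"HttpsMutualTls={mutual!s:5} {req.service.name:16} -> {authorize(req, mutual, trust_list).name}")
```

The order of the checks matters: a client that omits the certificate is not an error at the transport level, it is simply confined to discovery, while a CreateSession whose certificate differs from the TLS peer certificate is rejected even when both certificates are trusted.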

Enhancements

  • Supports native .NET 9 assemblies. A new X509CertificateLoader was introduced for older .NET versions to keep the code readable without #if directives.
  • Server GDS Push CreateSigningRequest supports regeneration of the public/private key pair. by @romanett.
  • Callback to notify about channel token renewal.
  • Server-side detection of clients which try to exploit the known Basic128Rsa15 vulnerability (a minimal rogue client detection mechanism at the transport level).

Bug fixes

  • Client ReadNodes throws a BadInvalidType if the value type returned by an attribute is null.
  • Client reading of large dictionaries is split into chunks. by @ThomasNehring.
  • Mixed opc.https and https endpoints prevented a server from starting up.
  • Server endpoint certificates were not updated after GDS Push UpdateCertificate. by @romanett.
  • Event reports ignored the session context. by @Filippo-Oliva-ABB.
  • Accept namespace URIs which are not well formed. Stricter handling was added in the previous release, but it is relaxed again for interoperability (IOP).
  • Reading complex types from a server could cause a null reference exception in BinaryDecoder. by @marcschier.
  • Reading operation limits could cause an exception, so the operation limits were silently ignored.
  • A CRL with invalid content could cause an exception when a property was read with lazy decoding; the CRL is now always decoded when the constructor is called, so that malformed content is caught early.
  • Channel token HMAC references were not disposed after a channel renew.
  • Allow decoding of extension objects which set the length to -1.
  • Fix for CauseMappings and a bug in ConditionRefresh/ConditionRefresh2. by @Archie-Miller.

What's Changed

  • Bump Serilog and System.Diagnostics.DiagnosticSource by @dependabot in #2780
  • Update CauseMappings to support transitions correctly by @Archie-Miller #2877
  • ConditionRefreshAsync always results in BadNodeIdUnknown by @Archie-Miller #2876
  • [Server] GDS Push: Enable regeneratePrivatekey for CreateSigningRequest method of Server by @romanett in #2778
  • Client ReadNodes, throw BadInvalidType if a value type returned by an attribute is null by @mregen in #2746
  • [Client] Read large dictionaries by @ThomasNehring in #2782
  • Server doesn't start up with mixed https endpoints by @mregen in #2789
  • #2777 Fix for - MonitoredItem2.OnReportEvent Ignores Session in ISystemContext During Notification Process by @Filippo-Oliva-ABB in #2779
  • [Server] update endpoint descriptions after certificate update by @romanett in #2735
  • Moved the modified reference server from the unit test to its own file by @ThomasNehring in #2725
  • #2656 Fix for - Session is not provided by ClearChangeMasks when a change is notified by @Filippo-Oliva-ABB in #2772
  • Revert "#2656 Fix for - Session is not provided by ClearChangeMasks w… by @mregen in #2792
  • Fix ExpandedNodeId.Format output for not well formed uri and JSON Verbose WriteStatusCode by @mregen in #2794
  • Null pointer exception when reading a complex type from umati server.… by @marcschier in #2798
  • Add ReturnDiagnostics to Session Constructor by @romanett in #2810
  • IOP: Fix FetchOperationLimits for some use cases by @mregen in #2807
  • Update version.json to allow preview builds from develop by @mregen in #2813
  • Fix bugs in JSON decoder by @mregen in #2828
  • Update brokerHostName before MqttClientOptionsBuilder uses its value by @mrsuciu in #2830
  • Improve crl handling in certificate stores by @romanett in #2829
  • Using Uri.TryCreate causes regression with namespace uri that use mixed lower/uppercase letters in the Uri. by @KircMax in #2837
  • ChannelToken: Dispose HMAC and improve lifetime calculations. by @mregen in #2846
  • Added a minimal rogue client detection mechanism at the transport level by @mrsuciu in #2850
  • ValidateRolePermissions for MIs monitoring the Value of a Node by @romanett in #2809
  • [Server] ValidateRolePermissions of MonitoredItems based on the saved user identity to allow validation when no session is present by @romanett in #2832
  • Support .NET 9.0 build by @mregen in #2865
  • Client perf and memory improvements for JSON encoding and subscriptions by @mregen in #2864
  • Register callback to notify about new channel token activation (#2872) by @marcschier in #2873
  • [Client] Fix: KeepAliveInterval was not updated on ModifySubscription by @romanett in #2871
  • Merge fixes from master in stable branch by @mregen in #2878
  • Bump BouncyCastle.Cryptography from 2.4.0 to 2.5.0 by @mregen in #2875
  • Allow decoding of extension objects for legacy devices which do not set the length by @mregen in #2869
  • Enable mutual tls on server https endpoints by @mrsuciu in #2849
  • fix serialization of ApplicationConfiguration /CertificateTrustList by @romanett in #2879
  • Merge develop/main374 into release/1.5.374 by @mregen in #2881

Full Changelog: 1.5.374.126...1.5.374.158