Python opc-ua communication using self signed certificate and basic128rsa15 encryption

Question

I want to communicate via python opcua library to an opcua server that uses Basic128Rsa15 encryption.

client.set_security_string("Basic128Rsa15,"
                               "SignAndEncrypt,"
                               "cert.pem,"
                               "key.pem")

I did the same communication to an Prosys server using Basic256Sha256 encryption and all was ok. With Basic128Rsa15 (using KEPserver) I get following error:

In [19]: runfile('opcuaclient.py', wdir='/home/di29394/fue4bfi/python/fuere4bfi')
DEPRECATED! Do not use SecurityPolicyBasic128Rsa15 anymore!
Received an error: MessageAbort(error:StatusCode(BadSecurityChecksFailed), reason:An error occurred verifying security.)
Received an error: MessageAbort(error:StatusCode(BadSecurityChecksFailed), reason:An error occurred verifying security.)
Protocol Error
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/opcua/client/ua_client.py", line 101, in _run
    self._receive()
  File "/usr/local/lib/python3.6/dist-packages/opcua/client/ua_client.py", line 121, in _receive
    self._call_callback(0, ua.UaStatusCodeError(msg.Error.value))
  File "/usr/local/lib/python3.6/dist-packages/opcua/client/ua_client.py", line 131, in _call_callback
    .format(request_id, self._callbackmap.keys())
opcua.ua.uaerrors._base.UaError: No future object found for request: 0, callbacks in list are 
Traceback (most recent call last):

  File "<ipython-input-18-4187edd51b2b>", line 1, in <module>
    runfile('opcuaclient.py', wdir='/home/opcuauser')

  File "/usr/lib/python3/dist-packages/spyder/utils/site/sitecustomize.py", line 705, in runfile
    execfile(filename, namespace)

  File "/usr/lib/python3/dist-packages/spyder/utils/site/sitecustomize.py", line 102, in execfile
    exec(compile(f.read(), filename, 'exec'), namespace)

  File "opcuaclient.py", line 57, in <module>
    connected = client.connect()

  File "/usr/local/lib/python3.6/dist-packages/opcua/client/client.py", line 259, in connect
    self.open_secure_channel()

  File "/usr/local/lib/python3.6/dist-packages/opcua/client/client.py", line 309, in open_secure_channel
    result = self.uaclient.open_secure_channel(params)

  File "/usr/local/lib/python3.6/dist-packages/opcua/client/ua_client.py", line 265, in open_secure_channel
    return self._uasocket.open_secure_channel(params)

  File "/usr/local/lib/python3.6/dist-packages/opcua/client/ua_client.py", line 199, in open_secure_channel
    response = struct_from_binary(ua.OpenSecureChannelResponse, future.result(self.timeout))

  File "/usr/lib/python3.6/concurrent/futures/_base.py", line 430, in result
    raise CancelledError()

CancelledError

The certificate was self signed using cryptography library (snippet):

cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(1000)
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=10*365)) # ggf. auch dynamisch machen
        .add_extension(basic_contraints, False)
        .add_extension(san, False)
        .sign(key, hashes.SHA256(), default_backend())

Do I have to change the certificate generation according to Basic128Rsa15 or is there something different wrong?

Thanks in advance.

Michael Hecht Michael Hecht · Accepted Answer · 2020-03-23T14:08:39

I felt not so good about using Basic128Rsa15. But obviously this was not the problem. The problem was, that I've been connected to the KEPServer at least two times with different certificates but same - valid - URI. The server had problems with this, so rejected all incomming connections (the error message seems to be not very helpful). After deleting all requests on the server and connecting again, all was fine (even with Basic128Rsa15).

Python opc-ua communication using self signed certificate and basic128rsa15 encryption

3 Answers