Change SSL Certificate thumbprint algorithm to SHA256 #211

Open
pradeipk opened this issue Apr 1, 2021 · 4 comments

Comments

@pradeipk
Contributor

pradeipk commented Apr 1, 2021

We wanted to change the SSL certificate thumbprint algorithm from SHA1 to SHA256. For this we made changes in the createThumbprint method of the CertificateUtils class and tried to test it with UA CPP and Softing simulation servers.

For UACpp server, we got following exception:
Exception in thread "main" org.opcfoundation.ua.common.ServiceResultException: Bad_EncodingLimitsExceeded (0x80080000) "The message encoding/decoding limits imposed by the stack have been exceeded."
at org.opcfoundation.ua.transport.tcp.io.TcpConnection$ReadThread.run

For Softing, the exception is:
Exception in thread "main" org.opcfoundation.ua.common.ServiceResultException: Bad_SecurityChecksFailed (code=0x80130000, description="Could not verify security on OpenSecureChannel request.")
at org.opcfoundation.ua.transport.tcp.io.TcpConnection$ReadThread.run

Looks like we will need further changes to fix this.
@jouniaro was this tried before? We are not familiar with the Java stack code to that extent; can you suggest what else we will need to change in order to fix this. This is reported as a security vulnerability in one of our security scans.

@pradeipk
Contributor Author

@jouniaro Do you have any idea about this?

@jouniaro
Contributor

As far as I know the thumbprint is not used for security checks. It's just an identifier for the certificate. So you must have some other issue.

@pradeipk
Contributor Author

Yes. But with SHA1 there are no errors and as soon as we change it to SHA256, we get errors. Is there any way to change the thumbprint algorithm from SHA1 to SHA256?

@pradeipk
Contributor Author

We think that with SHA256 the thumbprint length increases, and when it is transferred over TCP it gives the error 'message encoding/decoding limits have been exceeded'. We just changed the createThumbprint method in CertificateUtils.class to use SHA256.
We don't get any error with SHA1.
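The two observations in this thread (the thumbprint is only an identifier, and switching it to SHA256 makes the peer reject the OpenSecureChannel request) both follow from the wire format. OPC UA Part 6 defines the AsymmetricAlgorithmSecurityHeader at the start of every OpenSecureChannel message as three ByteStrings: SecurityPolicyUri, SenderCertificate and ReceiverCertificateThumbprint, where the thumbprint is the SHA-1 digest of the receiver's DER certificate and is exactly 20 bytes. The receiving side checks that length and compares the value with the SHA-1 of its own certificate, so a 32-byte SHA-256 digest cannot pass no matter what the Java stack's createThumbprint method does. The following is an added example, not code from this repository; it is Python rather than Java so that it runs stand-alone, and the "certificate" bytes, the policy URI constant and the reason strings it returns are constructed for the demonstration (real servers report implementation-specific status codes, as the UACpp and Softing results above show).

```python
"""Why a SHA-256 certificate thumbprint breaks OpenSecureChannel.

Models the OPC UA AsymmetricAlgorithmSecurityHeader (OPC UA Part 6):

    SecurityPolicyUri              String   (Int32 length + UTF-8)
    SenderCertificate              ByteString (DER certificate)
    ReceiverCertificateThumbprint  ByteString: SHA-1 of the receiver's DER
                                   certificate, exactly 20 bytes

The receiver checks the field length and compares it with the SHA-1 of its
own certificate, so a 32-byte SHA-256 digest is always rejected.
"""
import hashlib
import struct

# OPC UA Part 6: the thumbprint field is SHA-1 over the DER certificate, 20 bytes.
THUMBPRINT_LEN = 20

# Constructed stand-ins for DER-encoded certificates (NOT parseable X.509).
# The thumbprint is a hash over the raw DER bytes, so any byte string is
# enough to demonstrate the length problem.
RECEIVER_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SENDER_CERT_DER = b"\x30\x82\x01\x00" + bytes(reversed(range(256)))
POLICY_URI = b"http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"


def thumbprint(der_cert: bytes, algorithm: str = "sha1") -> bytes:
    """Hash the DER bytes; 'sha1' is what the wire format requires."""
    return hashlib.new(algorithm, der_cert).digest()


def encode_bytestring(data):
    """OPC UA ByteString: little-endian Int32 length (-1 for null), then the bytes."""
    if data is None:
        return struct.pack("<i", -1)
    return struct.pack("<i", len(data)) + data


def decode_bytestring(buf: bytes, offset: int):
    """Decode one ByteString at offset; return (value, new_offset)."""
    (length,) = struct.unpack_from("<i", buf, offset)
    offset += 4
    if length == -1:
        return None, offset
    if length < 0 or offset + length > len(buf):
        raise ValueError("ByteString length exceeds message")
    return bytes(buf[offset:offset + length]), offset + length


def encode_asym_header(policy_uri: bytes, sender_cert: bytes,
                       receiver_thumbprint: bytes) -> bytes:
    """Client side: serialise the three header fields."""
    return (encode_bytestring(policy_uri)
            + encode_bytestring(sender_cert)
            + encode_bytestring(receiver_thumbprint))


def check_asym_header(buf: bytes, my_cert_der: bytes):
    """Server side: validate the header as a strict receiver would.

    Returns (ok, reason, fields). The reason strings are this example's own;
    a real server maps the failure to its own status code.
    """
    fields = {}
    offset = 0
    try:
        fields["SecurityPolicyUri"], offset = decode_bytestring(buf, offset)
        fields["SenderCertificate"], offset = decode_bytestring(buf, offset)
        fields["ReceiverCertificateThumbprint"], offset = decode_bytestring(buf, offset)
    except (ValueError, struct.error) as exc:
        return False, f"decoding error: {exc}", fields
    tp = fields["ReceiverCertificateThumbprint"]
    if tp is None or len(tp) != THUMBPRINT_LEN:
        got = 0 if tp is None else len(tp)
        return False, f"thumbprint must be {THUMBPRINT_LEN} bytes, got {got}", fields
    if tp != thumbprint(my_cert_der, "sha1"):
        return False, "thumbprint does not match receiver certificate", fields
    return True, "ok", fields


def build_and_check(algorithm: str):
    """Build the header with the given digest algorithm and check it as the peer."""
    header = encode_asym_header(POLICY_URI, SENDER_CERT_DER,
                                thumbprint(RECEIVER_CERT_DER, algorithm))
    return check_asym_header(header, RECEIVER_CERT_DER)


if __name__ == "__main__":
    for alg in ("sha1", "sha256"):
        ok, reason, _ = build_and_check(alg)
        size = len(thumbprint(RECEIVER_CERT_DER, alg))
        print(f"{alg:>6}: {size}-byte thumbprint -> {'accepted' if ok else 'rejected'} ({reason})")
```

Because the check runs on the peer, editing only the client's createThumbprint cannot make SHA-256 work; the field length is fixed by the protocol, and both ends would have to agree on a different encoding. The thumbprint only tells the receiver which of its certificates to use; the message is still signed and encrypted under the full certificate, which is why the SHA-1 here is an identifier rather than the security boundary a scanner finding on SHA-1 usually refers to.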
