-
Notifications
You must be signed in to change notification settings - Fork 949
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Modbus Identity (TLS) Verification #606
Comments
@starnight Would you mind taking a look in to this please ? |
Thanks @dhoomakethu, while a solution is found, I'm doing a trick that consists of taking the client's cert directly from the CA and extracting from the cert the public key to send to the external identity verification. |
@sfl0r3nz05 Seems you found a solution. However, I have a question for doing Server Identity Verification "again". I believe the TLS handshake provided by Python's ssl library has already done "client verifies server's certificate" action. The 4th step mentioned in Is there any reason leads you verifying the server's certificate on client side again? |
@starnight, I appreciate your comments. Before answering your question, I should mention that the solution found is partial, because I am not receiving the certificate from the client (on the server side) but retrieving it directly from the CA. Actually, I would need to retrieve it in the red square in the figure. So, I would appreciate if you can recommend me how to implement do_handshake() in the server sync. The reason is that external identity verification for me is hyperledger fabric blockchain (hfb). The identity of each Modbus device is based on the public key, so when the Modbus device, e.g. server, receives the certificate from the other party, e.g. client, it retrieves the public key and verifies the identity of this device (client) in hfb. |
Okay! Blockchain is an interesting usage. What you mentioned is more like the 8th step ClientCertificate and 9th step VerifyClientCertSig in
The According to the description of ssl.CERT_NONE:
Here is why you do not see the client's certificate on server side. Goes back to the 8th step ClientCertificate in
Here is what you want, I guess. But, this has not implemented in pymodbus' MBAPS yet, due to the default behavior of Python's ssl library. |
Thanks for the response @starnight, this is exactly what happens and what I need. I will close the issue and come back when I find a solution. |
Verification is okay, but I have not implement this feature yet. Because I have not figured out how to implement the authorization action in pymodbus. Since we know this is due to Python's ssl library, we can simplify this problem into simple TCP server/client socket over TLS. You also have to prepare the server/client's key/cert pair, of course. As you can see,
These are all about the class of SSL Contexts. I think |
If someone figures out how to implement the authorization, pull request is welcomed! :) |
This patch adds server requiring client's certificate feature which is mentioned in the 6th step CertificateRequest to 9th step VerifyClientCertSig in Table 5 TLS Full Handshake Protocol of MODBUS/TCP Security Protocol Specification [1], This feature is implemented with an optional argument "reqclicert" of StartTlsServer() in both sync and async_io. So, users can force server require client's certificate, or according to the SSL Context's original behavior [2]. This fixes part of pymodbus-dev#606 [1]: http://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf [2]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_mode
This patch adds server requiring client's certificate feature which is mentioned in the 6th step CertificateRequest to 9th step VerifyClientCertSig in Table 5 TLS Full Handshake Protocol of MODBUS/TCP Security Protocol Specification [1], This feature is implemented with an optional argument "reqclicert" of StartTlsServer() in both sync and async_io. So, users can force server require client's certificate, or according to the SSL Context's original behavior [2]. This fixes part of pymodbus-dev#606 [1]: http://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf [2]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_mode
This patch adds server requiring client's certificate feature which is mentioned in the 6th step CertificateRequest to 9th step VerifyClientCertSig in Table 5 TLS Full Handshake Protocol of MODBUS/TCP Security Protocol Specification [1], This feature is implemented with an optional argument "reqclicert" of StartTlsServer() in both sync and async_io. So, users can force server require client's certificate, or according to the SSL Context's original behavior [2]. This fixes part of pymodbus-dev#606 [1]: http://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf [2]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_mode
This patch adds server requiring client's certificate feature which is mentioned in the 6th step CertificateRequest to 9th step VerifyClientCertSig in Table 5 TLS Full Handshake Protocol of MODBUS/TCP Security Protocol Specification [1], This feature is implemented with an optional argument "reqclicert" of StartTlsServer() in both sync and async_io. So, users can force server require client's certificate, or according to the SSL Context's original behavior [2]. This fixes part of pymodbus-dev#606 [1]: http://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf [2]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_mode
This patch adds server requiring client's certificate feature which is mentioned in the 6th step CertificateRequest to 9th step VerifyClientCertSig in Table 5 TLS Full Handshake Protocol of MODBUS/TCP Security Protocol Specification [1], This feature is implemented with an optional argument "reqclicert" of StartTlsServer() in both sync and async_io. So, users can force server require client's certificate, or according to the SSL Context's original behavior [2]. This fixes part of pymodbus-dev#606 [1]: http://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf [2]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_mode
This patch adds server requiring client's certificate feature which is mentioned in the 6th step CertificateRequest to 9th step VerifyClientCertSig in Table 5 TLS Full Handshake Protocol of MODBUS/TCP Security Protocol Specification [1]. This patch implements the feature within both sync and async_io version. * Server side: Add an optional argument "reqclicert" of StartTlsServer(). So, users can force server require client's certificate for TLS full handshake, or according to the SSL Context's original behavior [2]. * Client side: Add optional arguments "certfile" and "keyfile" for replying, if the server requires client's certificate for TLS full handshake. Besides, also add an optional argument "password" on both server and client side for decrypting the private keyfile. This fixes part of pymodbus-dev#606 [1]: http://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf [2]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_mode
This patch adds server requiring client's certificate feature which is mentioned in the 6th step CertificateRequest to 9th step VerifyClientCertSig in Table 5 TLS Full Handshake Protocol of MODBUS/TCP Security Protocol Specification [1]. This patch implements the feature within both sync and async_io version. * Server side: Add an optional argument "reqclicert" of StartTlsServer(). So, users can force server require client's certificate for TLS full handshake, or according to the SSL Context's original behavior [2]. * Client side: Add optional arguments "certfile" and "keyfile" for replying, if the server requires client's certificate for TLS full handshake. Besides, also add an optional argument "password" on both server and client side for decrypting the private keyfile. This fixes part of pymodbus-dev#606 [1]: http://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf [2]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_mode
This patch adds server requiring client's certificate feature which is mentioned in the 6th step CertificateRequest to 9th step VerifyClientCertSig in Table 5 TLS Full Handshake Protocol of MODBUS/TCP Security Protocol Specification [1]. This patch implements the feature within both sync and async_io version. * Server side: Add an optional argument "reqclicert" of StartTlsServer(). So, users can force server require client's certificate for TLS full handshake, or according to the SSL Context's original behavior [2]. * Client side: Add optional arguments "certfile" and "keyfile" for replying, if the server requires client's certificate for TLS full handshake. Besides, also add an optional argument "password" on both server and client side for decrypting the private keyfile. This fixes part of pymodbus-dev#606 [1]: http://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf [2]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_mode
This patch adds server requiring client's certificate feature which is mentioned in the 6th step CertificateRequest to 9th step VerifyClientCertSig in Table 5 TLS Full Handshake Protocol of MODBUS/TCP Security Protocol Specification [1]. This patch implements the feature within both sync and async_io version. * Server side: Add an optional argument "reqclicert" of StartTlsServer(). So, users can force server require client's certificate for TLS full handshake, or according to the SSL Context's original behavior [2]. * Client side: Add optional arguments "certfile" and "keyfile" for replying, if the server requires client's certificate for TLS full handshake. Besides, also add an optional argument "password" on both server and client side for decrypting the private keyfile. This fixes part of pymodbus-dev#606 [1]: http://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf [2]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_mode
This patch adds server requiring client's certificate feature which is mentioned in the 6th step CertificateRequest to 9th step VerifyClientCertSig in Table 5 TLS Full Handshake Protocol of MODBUS/TCP Security Protocol Specification [1]. This patch implements the feature within both sync and async_io version. * Server side: Add an optional argument "reqclicert" of StartTlsServer(). So, users can force server require client's certificate for TLS full handshake, or according to the SSL Context's original behavior [2]. * Client side: Add optional arguments "certfile" and "keyfile" for replying, if the server requires client's certificate for TLS full handshake. Besides, also add an optional argument "password" on both server and client side for decrypting the private keyfile. This fixes part of pymodbus-dev#606 [1]: http://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf [2]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_mode
This patch adds server requiring client's certificate feature which is mentioned in the 6th step CertificateRequest to 9th step VerifyClientCertSig in Table 5 TLS Full Handshake Protocol of MODBUS/TCP Security Protocol Specification [1]. This patch implements the feature within both sync and async_io version. * Server side: Add an optional argument "reqclicert" of StartTlsServer(). So, users can force server require client's certificate for TLS full handshake, or according to the SSL Context's original behavior [2]. * Client side: Add optional arguments "certfile" and "keyfile" for replying, if the server requires client's certificate for TLS full handshake. Besides, also add an optional argument "password" on both server and client side for decrypting the private keyfile. This fixes part of pymodbus-dev#606 [1]: http://modbus.org/docs/MB-TCP-Security-v21_2018-07-24.pdf [2]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_mode
Pymodbus Specific
Description
Hello Modbus experts,
I am trying to provide a mechanism for identity verification. For this, I need to retrieve the server and client certificates, as they are exchanged (see figure below). It is not clear to me how to retrieve these certificates from the current TLS implementation of pymodbus.
I would appreciate any hints.
Best,
Santiago.
The text was updated successfully, but these errors were encountered: