We have noticed that a 3rd party application cannot connect to the OPC UA server anymore after updating from WinCC OA 3.17 P011 to P025.
In the trace logs of the OPC stack we have found the following message:
"UaServer::secureChannelCertificateError - rejected certificate because ExtendedKeyUsage does not contain TLS Web Client Authentication"
The OPC Server requires that the EKU in the certificate contains the OID for the client authentication.
This is fine, but is it possible to disable this requirement temporarily?
I cannot get new certificates shortly.
BR/Florian
18:48:55.362|6|1350* [uastack] OpcUa_P_OpenSSL_CertificateStore_IsExplicitlyTrusted: check trust status of cert 00000155CF90AC20 (chain length 1; trusted certificates 0)
18:48:55.362|6|1350* [uastack] OpcUa_P_OpenSSL_CertificateStore_IsExplicitlyTrusted: 0) check cert 00000155CF90AC20
18:48:55.363|6|1350* [uastack] OpcUa_SecureListener_ValidateCertificate: success
18:48:55.363|6|1350* [uastack] ProcessOpenSecureChannelRequest: Client Certificate validated! (0x00000000)
18:48:55.363|6|1350* [uastack] OpcUa_Endpoint_OnSecureChannelEvent: ID 2183750377 open certificate verification request with status 0x00000000!
18:48:55.363|6|1350* --> UaServer::secureChannelCertificateError uStatus=0x0
18:48:55.363|7|1350* [uastack] OpcUa_SecureListener_ChannelManager_GetChannelBySecureChannelID: Searched SecureChannel 00000155D54E3450 with id 2183750377 refs 1->2!
18:48:55.363|7|1350* [uastack] OpcUa_SecureListener_ChannelManager_ReleaseChannel: SecureChannel 00000155D54E3450 with id 2183750377 refs 2->1!
18:48:55.363|3|1350* UaServer::secureChannelCertificateError - rejected certificate because ExtendedKeyUsage does not contain TLS Web Client Authentication
18:48:55.363|6|1350* <-- UaServer::secureChannelCertificateError [ret=0x80180000]
18:48:55.363|4|1350* [uastack] ProcessOpenSecureChannelRequest: Client Certificate could not be validated by callback! (0x80180000)
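
Added example, not part of the original post and not WinCC OA or OPC stack code: a shell check, using the OpenSSL command line, for whether a client certificate's ExtendedKeyUsage lists clientAuth, which OpenSSL prints as "TLS Web Client Authentication", the same name as in the trace message above. The function names, the helper that builds a constructed test certificate, and its subject name are assumptions made for the example.

```shell
#!/bin/sh
# Added example: check a PEM certificate for the clientAuth EKU
# (OID 1.3.6.1.5.5.7.3.2), which OpenSSL prints as
# "TLS Web Client Authentication".

# has_client_auth_eku CERT.pem -> exit 0 if the EKU extension lists clientAuth.
# A certificate with no EKU extension at all also returns non-zero here; how
# the server treats that case is not stated in the post.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' |
        grep -q 'TLS Web Client Authentication'
}

# make_sample_cert OUT.pem EKU_LIST -> constructed, self-signed test cert
# (hypothetical helper; subject name and key size are arbitrary test values).
make_sample_cert() {
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = constructed-opcua-client
[ext]
extendedKeyUsage = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$1.key" -out "$1" 2>/dev/null
    rc=$?
    rm -f "$cfg"
    return $rc
}

# Stand-alone use: pass certificate paths as arguments.
for cert in "$@"; do
    if has_client_auth_eku "$cert"; then
        echo "$cert: clientAuth present"
    else
        echo "$cert: clientAuth missing from ExtendedKeyUsage"
    fi
done
```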