CVE-2018-7559
Description
An issue was discovered in OPC UA .NET Standard Stack and Sample Code before GitHub commit 2018-04-12, and OPC UA .NET Legacy Stack and Sample Code before GitHub commit 2018-03-13. A vulnerability in OPC UA applications can allow a remote attacker to determine a Server's private key by sending carefully constructed bad UserIdentityTokens as part of an oracle attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An oracle attack in OPC UA .NET stacks allows remote attackers to recover a server's private key via crafted UserIdentityTokens.
Vulnerability
The vulnerability exists in OPC UA .NET Standard Stack and Sample Code before GitHub commit 2018-04-12, and OPC UA .NET Legacy Stack and Sample Code before GitHub commit 2018-03-13 [1][2]. By sending carefully constructed malformed UserIdentityTokens, a remote attacker can exploit an oracle attack to determine the server's private key [4]. The affected versions include those using weak security policies such as Basic128Rsa15 and SHA1, which were removed in the fixes [1][2].
Exploitation
An attacker needs network access to the OPC UA server and the ability to send UserIdentityTokens as part of the authentication process. The attacker sends a series of crafted tokens and observes the server's responses (e.g., error messages or timing differences) to infer information about the private key. This is a classic oracle attack where the server's behavior leaks bits of the key [4].
Impact
Successful exploitation allows the attacker to recover the server's private key. With the private key, the attacker can decrypt encrypted communications, impersonate the server, or sign messages as the server, leading to complete compromise of confidentiality, integrity, and authentication in OPC UA sessions [4].
Mitigation
The fix involves removing weak security policies (Basic128Rsa15 and SHA1) from default server configurations and upgrading to stronger policies like Basic256Sha256 [1][2]. Users should update to the latest versions of the OPC UA .NET Standard Stack (after 2018-04-12) and OPC UA .NET Legacy Stack (after 2018-03-13). No workaround is available other than applying the patches. The vulnerability is not listed on CISA's KEV.
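A configuration audit for the mitigation described above, as an added example (not code from the OPC Foundation repositories): it parses a server configuration file and reports every ServerSecurityPolicy or UserTokenPolicy that still names a policy the patches on this page remove or comment out (Basic128Rsa15, Basic256, None). The two embedded configurations are constructed samples that use the element names from the diffs; `audit_config` and the other function names are hypothetical.

```python
import xml.etree.ElementTree as ET

POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"

# Policies the commits on this page remove or comment out, with the reason.
WEAK_POLICIES = {
    "Basic128Rsa15": "RSA PKCS#1 v1.5 encryption, SHA-1 signatures",
    "Basic256": "SHA-1 signatures",
    "None": "no signing or encryption",
}

# Constructed sample: pre-patch layout, element names taken from the diffs.
VULNERABLE_CONFIG = """\
<ApplicationConfiguration xmlns="http://opcfoundation.org/UA/SDK/Configuration.xsd"
                          xmlns:ua="http://opcfoundation.org/UA/2008/02/Types.xsd">
  <ServerConfiguration>
    <SecurityPolicies>
      <ServerSecurityPolicy>
        <SecurityMode>SignAndEncrypt_3</SecurityMode>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri>
      </ServerSecurityPolicy>
      <ServerSecurityPolicy>
        <SecurityMode>Sign_2</SecurityMode>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri>
      </ServerSecurityPolicy>
      <ServerSecurityPolicy>
        <SecurityMode>None_1</SecurityMode>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri>
      </ServerSecurityPolicy>
    </SecurityPolicies>
    <UserTokenPolicies>
      <ua:UserTokenPolicy>
        <ua:TokenType>Anonymous_0</ua:TokenType>
      </ua:UserTokenPolicy>
      <ua:UserTokenPolicy>
        <ua:TokenType>UserName_1</ua:TokenType>
        <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</ua:SecurityPolicyUri>
      </ua:UserTokenPolicy>
    </UserTokenPolicies>
  </ServerConfiguration>
</ApplicationConfiguration>
"""

# Constructed sample: post-patch layout, with the None policy commented out.
PATCHED_CONFIG = """\
<ApplicationConfiguration xmlns="http://opcfoundation.org/UA/SDK/Configuration.xsd"
                          xmlns:ua="http://opcfoundation.org/UA/2008/02/Types.xsd">
  <ServerConfiguration>
    <SecurityPolicies>
      <!--Removing no security option from the configuration as this is a security risk
      <ServerSecurityPolicy>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri>
      </ServerSecurityPolicy>-->
      <ServerSecurityPolicy>
        <SecurityMode>SignAndEncrypt_3</SecurityMode>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri>
      </ServerSecurityPolicy>
    </SecurityPolicies>
    <UserTokenPolicies>
      <ua:UserTokenPolicy>
        <ua:TokenType>UserName_1</ua:TokenType>
        <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</ua:SecurityPolicyUri>
      </ua:UserTokenPolicy>
    </UserTokenPolicies>
  </ServerConfiguration>
</ApplicationConfiguration>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child with this local name, or ''."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def audit_config(xml_text):
    """Return (element, mode_or_token_type, policy, reason) for each weak policy."""
    # The default parser drops XML comments, so a commented-out policy
    # (as in the patched files) is correctly treated as disabled.
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        kind = local(elem.tag)
        if kind not in ("ServerSecurityPolicy", "UserTokenPolicy"):
            continue
        prefix, _, name = child_text(elem, "SecurityPolicyUri").rpartition("#")
        # Exact name match: "Basic256" must not also catch "Basic256Sha256".
        if prefix + "#" == POLICY_PREFIX and name in WEAK_POLICIES:
            detail = child_text(elem, "SecurityMode") or child_text(elem, "TokenType")
            findings.append((kind, detail, name, WEAK_POLICIES[name]))
    return findings

if __name__ == "__main__":
    for finding in audit_config(VULNERABLE_CONFIG):
        print("WEAK: %s [%s] uses %s (%s)" % finding)
    print("patched config findings:", len(audit_config(PATCHED_CONFIG)))
```

A UserTokenPolicy without a SecurityPolicyUri, such as the Anonymous_0 entry, is skipped because it names no policy of its own.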
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| OPCFoundation.NetStandard.Opc.Ua (NuGet) | < 1.3.352.12 | 1.3.352.12 |
Affected products (1)
Patches (2)
ebcf026a54dd Security policy Basic128Rsa15 removed from default server configurations.
8 files changed · +27 −129
ComIOP/Wrapper/ServerWrapper/Opc.Ua.ComServerWrapper.Config.xml+5 −19 modified@@ -59,26 +59,12 @@ <!-- <ua:String>http://localhost:48401/UA/ComServerWrapper</ua:String> --> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - </ServerSecurityPolicy> + <!--Removing no security option from the configuration as this is a security risk <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - </ServerSecurityPolicy> + </ServerSecurityPolicy>--> + <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> 
@@ -104,14 +90,14 @@ <ua:UserTokenPolicy> <ua:TokenType>UserName_1</ua:TokenType> <!-- passwords must be encrypted - this specifies what algorithm to use --> - <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</ua:SecurityPolicyUri> + <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</ua:SecurityPolicyUri> </ua:UserTokenPolicy> <!-- Allows user certificates --> <ua:UserTokenPolicy> <ua:TokenType>Certificate_2</ua:TokenType> <!-- certificate possession must be proven with a digital signature - this specifies what algorithm to use --> - <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</ua:SecurityPolicyUri> + <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</ua:SecurityPolicyUri> </ua:UserTokenPolicy> </UserTokenPolicies>
SampleApplications/Samples/Client.Net4/Opc.Ua.SampleClient.Config.xml+5 −21 modified@@ -137,7 +137,7 @@ Additional URLs are created by appending strings to the base address. For example, a URL used for an endpoint which uses the Basic256 security policy would look like this: - http://localhost:61211/UA/SampleClient/Basic256 --> + http://localhost:61211/UA/SampleClient/Basic256Sha256 --> <BaseAddresses> <ua:String>opc.tcp://localhost:61210/UA/SampleClient</ua:String> <ua:String>https://localhost:61212/UA/SampleClient</ua:String> 
@@ -169,34 +169,18 @@ The first policy in the list is assigned to base address. --> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - </ServerSecurityPolicy> <!--Removing no secuirty option from the configuration as this is a security risk <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> </ServerSecurityPolicy>--> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> </ServerSecurityPolicy> </SecurityPolicies> 
@@ -216,14 +200,14 @@ <ua:UserTokenPolicy> <ua:TokenType>UserName_1</ua:TokenType> <!-- passwords must be encrypted - this specifies what algorithm to use --> - <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</ua:SecurityPolicyUri> + <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</ua:SecurityPolicyUri> </ua:UserTokenPolicy> <!-- Allows user certificates --> <ua:UserTokenPolicy> <ua:TokenType>Certificate_2</ua:TokenType> <!-- certificate possession must be proven with a digital signature - this specifies what algorithm to use --> - <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</ua:SecurityPolicyUri> + <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</ua:SecurityPolicyUri> </ua:UserTokenPolicy> <!-- Issued tokens are any type of WS-Security compliant token @@ -232,7 +216,7 @@ <ua:UserTokenPolicy> <ua:TokenType>IssuedToken_3</ua:TokenType> <ua:IssuedTokenType>urn:oasis:names:tc:SAML:1.0:assertion:Assertion</ua:IssuedTokenType> - <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</ua:SecurityPolicyUri> + <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</ua:SecurityPolicyUri> </ua:UserTokenPolicy> --> </UserTokenPolicies>
SampleApplications/Samples/Client/Opc.Ua.SampleClient.Config.xml+3 −19 modified@@ -165,27 +165,11 @@ The first policy in the list is assigned to base address. --> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - </ServerSecurityPolicy> <!--Removing no secuirty option from the configuration as this is a security risk <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> </ServerSecurityPolicy>--> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> 
@@ -212,14 +196,14 @@ <ua:UserTokenPolicy> <ua:TokenType>UserName_1</ua:TokenType> <!-- passwords must be encrypted - this specifies what algorithm to use --> - <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</ua:SecurityPolicyUri> + <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</ua:SecurityPolicyUri> </ua:UserTokenPolicy> <!-- Allows user certificates --> <ua:UserTokenPolicy> <ua:TokenType>Certificate_2</ua:TokenType> <!-- certificate possession must be proven with a digital signature - this specifies what algorithm to use --> - <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</ua:SecurityPolicyUri> + <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</ua:SecurityPolicyUri> </ua:UserTokenPolicy> <!-- Issued tokens are any type of WS-Security compliant token @@ -228,7 +212,7 @@ <ua:UserTokenPolicy> <ua:TokenType>IssuedToken_3</ua:TokenType> <ua:IssuedTokenType>urn:oasis:names:tc:SAML:1.0:assertion:Assertion</ua:IssuedTokenType> - <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</ua:SecurityPolicyUri> + <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</ua:SecurityPolicyUri> </ua:UserTokenPolicy> --> </UserTokenPolicies>
SampleApplications/Samples/Client/Opc.Ua.SampleClient.Endpoints.xml+7 −7 modified@@ -13,7 +13,7 @@ <ua:Endpoint> <EndpointUrl>opc.tcp://localhost:61210/UA/SampleClient</EndpointUrl> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <UserIdentityTokens> <UserTokenPolicy> <TokenType>Anonymous_0</TokenType> @@ -43,7 +43,7 @@ <ua:Endpoint> <EndpointUrl>opc.tcp://localhost:51210/UA/SampleServer</EndpointUrl> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <UserIdentityTokens> <UserTokenPolicy> <TokenType>Anonymous_0</TokenType> @@ -73,7 +73,7 @@ <ua:Endpoint> <EndpointUrl>opc.tcp://localhost:62541/UA/ReferenceServer</EndpointUrl> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <UserIdentityTokens> <UserTokenPolicy> <TokenType>Anonymous_0</TokenType> @@ -103,7 +103,7 @@ <ua:Endpoint> <EndpointUrl>opc.tcp://localhost:62547/Quickstarts/DataAccessServer</EndpointUrl> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <UserIdentityTokens> <UserTokenPolicy> <TokenType>Anonymous_0</TokenType> 
@@ -133,7 +133,7 @@ <ua:Endpoint> <EndpointUrl>opc.tcp://localhost:62544/Quickstarts/AlarmConditionServer</EndpointUrl> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <UserIdentityTokens> <UserTokenPolicy> <TokenType>Anonymous_0</TokenType> @@ -163,7 +163,7 @@ <ua:Endpoint> <EndpointUrl>opc.tcp://localhost:62550/Quickstarts/HistoricalAccessServer</EndpointUrl> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <UserIdentityTokens> <UserTokenPolicy> <TokenType>Anonymous_0</TokenType> @@ -193,7 +193,7 @@ <ua:Endpoint> <EndpointUrl>opc.tcp://localhost:62553/Quickstarts/HistoricalEventsServer</EndpointUrl> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <UserIdentityTokens> <UserTokenPolicy> <TokenType>Anonymous_0</TokenType>
SampleApplications/Samples/GDS/ClientTest/Opc.Ua.GlobalDiscoveryTestServer.Config.xml+1 −9 modified@@ -59,14 +59,6 @@ <ua:String>opc.tcp://localhost:58810/GlobalDiscoveryTestServer</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> @@ -79,7 +71,7 @@ </ua:UserTokenPolicy> <ua:UserTokenPolicy> <ua:TokenType>UserName_1</ua:TokenType> - <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</ua:SecurityPolicyUri> + <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</ua:SecurityPolicyUri> </ua:UserTokenPolicy> </UserTokenPolicies> <DiagnosticsEnabled>true</DiagnosticsEnabled>
SampleApplications/Samples/NetCoreConsoleServer/Opc.Ua.SampleServer.Config.xml+0 −16 modified@@ -79,27 +79,11 @@ --> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - </ServerSecurityPolicy> <!--Removing no secuirty option from the configuration as this is a security risk <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> </ServerSecurityPolicy>--> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri>
SampleApplications/Samples/Server.Net4/Opc.Ua.SampleServer.Config.xml+3 −19 modified@@ -80,14 +80,6 @@ <SecurityMode>SignAndEncrypt_3</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> @@ -97,14 +89,6 @@ <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> </ServerSecurityPolicy>--> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - </ServerSecurityPolicy> </SecurityPolicies> <MinRequestThreadCount>5</MinRequestThreadCount> 
@@ -123,20 +107,20 @@ <ua:UserTokenPolicy> <ua:TokenType>UserName_1</ua:TokenType> <!-- passwords must be encrypted - this specifies what algorithm to use --> - <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</ua:SecurityPolicyUri> + <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</ua:SecurityPolicyUri> </ua:UserTokenPolicy> <!-- Allows user certificates --> <ua:UserTokenPolicy> <ua:TokenType>Certificate_2</ua:TokenType> <!-- certificate possession must be proven with a digital signature - this specifies what algorithm to use --> - <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</ua:SecurityPolicyUri> + <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</ua:SecurityPolicyUri> </ua:UserTokenPolicy> <!-- <ua:UserTokenPolicy> <ua:TokenType>IssuedToken_3</ua:TokenType> <ua:IssuedTokenType>urn:oasis:names:tc:SAML:1.0:assertion:Assertion</ua:IssuedTokenType> - <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</ua:SecurityPolicyUri> + <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</ua:SecurityPolicyUri> </ua:UserTokenPolicy> --> </UserTokenPolicies>
SampleApplications/Samples/Server/Opc.Ua.SampleServer.Config.xml+3 −19 modified@@ -75,27 +75,11 @@ --> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - </ServerSecurityPolicy> <!--Removing no secuirty option from the configuration as this is a security risk <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> </ServerSecurityPolicy>--> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> 
@@ -122,20 +106,20 @@ <ua:UserTokenPolicy> <ua:TokenType>UserName_1</ua:TokenType> <!-- passwords must be encrypted - this specifies what algorithm to use --> - <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</ua:SecurityPolicyUri> + <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</ua:SecurityPolicyUri> </ua:UserTokenPolicy> <!-- Allows user certificates --> <ua:UserTokenPolicy> <ua:TokenType>Certificate_2</ua:TokenType> <!-- certificate possession must be proven with a digital signature - this specifies what algorithm to use --> - <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</ua:SecurityPolicyUri> + <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</ua:SecurityPolicyUri> </ua:UserTokenPolicy> <!-- <ua:UserTokenPolicy> <ua:TokenType>IssuedToken_3</ua:TokenType> <ua:IssuedTokenType>urn:oasis:names:tc:SAML:1.0:assertion:Assertion</ua:IssuedTokenType> - <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</ua:SecurityPolicyUri> + <ua:SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</ua:SecurityPolicyUri> </ua:UserTokenPolicy> --> </UserTokenPolicies>
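Review bot: in SampleApplications/Samples/Client.Net4/Opc.Ua.SampleClient.Config.xml, hunk @@ -137,7 +137,7 @@, the example URL now ends in /Basic256Sha256 but the sentence just above it in the same comment still reads "uses the Basic256 security policy". Update that sentence to Basic256Sha256 as well so the comment and its example agree.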
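Review bot: in the @@ -169,34 +169,18 @@ hunk of SampleApplications/Samples/Client.Net4/Opc.Ua.SampleClient.Config.xml, deleting the leading SignAndEncrypt_3 / Basic256Sha256 entry leaves Sign_2 / Basic256Sha256 as the first enabled policy, and the comment directly above the list says "The first policy in the list is assigned to base address." The base address therefore moves from SignAndEncrypt to Sign-only. If that is not intended, list the SignAndEncrypt_3 entry first.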
e2a781b38efb Closes #108. SHA1 security policy removed from default configurations.
27 files changed · +108 −327
ComIOP/Wrapper/ServerWrapper/Opc.Ua.ComServerWrapper.Config.xml+16 −11 modified@@ -18,18 +18,18 @@ <SubjectName>UA COM Server Wrapper</SubjectName> </ApplicationCertificate> - <!-- Where the trust list is stored (UA Applications) --> - <TrustedPeerCertificates> - <StoreType>Windows</StoreType> - <StorePath>LocalMachine\UA Applications</StorePath> - </TrustedPeerCertificates> - <!-- Where the issuer certificate are stored (certificate authorities) --> <TrustedIssuerCertificates> <StoreType>Directory</StoreType> <StorePath>%CommonApplicationData%\OPC Foundation\CertificateStores\UA Certificate Authorities</StorePath> </TrustedIssuerCertificates> + <!-- Where the trust list is stored (UA Applications) --> + <TrustedPeerCertificates> + <StoreType>Windows</StoreType> + <StorePath>LocalMachine\UA Applications</StorePath> + </TrustedPeerCertificates> + <!-- The directory used to store invalid certficates for later review by the administrator. --> <RejectedCertificateStore> <StoreType>Directory</StoreType> 
@@ -55,16 +55,21 @@ <ua:String>http://localhost:48401/UA/ComServerWrapper</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> + <ServerSecurityPolicy> + <SecurityMode>Sign_2</SecurityMode> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>1</SecurityLevel> + </ServerSecurityPolicy> + <ServerSecurityPolicy> + <SecurityMode>SignAndEncrypt_3</SecurityMode> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> + </ServerSecurityPolicy> </SecurityPolicies> <MinRequestThreadCount>5</MinRequestThreadCount> <MaxRequestThreadCount>100</MaxRequestThreadCount>
SampleApplications/SampleLibraries/Controls/Endpoints/ConfiguredServerDlg.cs+1 −0 modified@@ -901,6 +901,7 @@ private void InitializeSecurityPolicies(EndpointDescriptionCollection endpoints) SecurityPolicyCB.Items.Add(SecurityPolicies.GetDisplayName(SecurityPolicies.None)); SecurityPolicyCB.Items.Add(SecurityPolicies.GetDisplayName(SecurityPolicies.Basic128Rsa15)); SecurityPolicyCB.Items.Add(SecurityPolicies.GetDisplayName(SecurityPolicies.Basic256)); + SecurityPolicyCB.Items.Add(SecurityPolicies.GetDisplayName(SecurityPolicies.Basic256Sha256)); } // find all unique security policies.
SampleApplications/Samples/Client/Opc.Ua.SampleClient.Config.xml+2 −26 modified@@ -211,45 +211,21 @@ The first policy in the list is assigned to base address. --> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> - <SecurityLevel>5</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - - <!-- <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> ---> - </SecurityPolicies> <MinRequestThreadCount>5</MinRequestThreadCount>
SampleApplications/Samples/Client/Opc.Ua.SampleClient.Endpoints.xml+5 −5 modified@@ -74,7 +74,7 @@ <ua:Endpoint> <EndpointUrl>opc.tcp://localhost:62541/UA/ReferenceServer</EndpointUrl> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <UserIdentityTokens> <UserTokenPolicy> <TokenType>Anonymous_0</TokenType> @@ -105,7 +105,7 @@ <ua:Endpoint> <EndpointUrl>opc.tcp://localhost:62547/Quickstarts/DataAccessServer</EndpointUrl> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <UserIdentityTokens> <UserTokenPolicy> <TokenType>Anonymous_0</TokenType> @@ -136,7 +136,7 @@ <ua:Endpoint> <EndpointUrl>opc.tcp://localhost:62544/Quickstarts/AlarmConditionServer</EndpointUrl> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <UserIdentityTokens> <UserTokenPolicy> <TokenType>Anonymous_0</TokenType> @@ -167,7 +167,7 @@ <ua:Endpoint> <EndpointUrl>opc.tcp://localhost:62550/Quickstarts/HistoricalAccessServer</EndpointUrl> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <UserIdentityTokens> <UserTokenPolicy> <TokenType>Anonymous_0</TokenType> 
@@ -198,7 +198,7 @@ <ua:Endpoint> <EndpointUrl>opc.tcp://localhost:62553/Quickstarts/HistoricalEventsServer</EndpointUrl> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <UserIdentityTokens> <UserTokenPolicy> <TokenType>Anonymous_0</TokenType>
SampleApplications/Samples/HistoryClient/Helpers.cs+3 −3 modified@@ -231,8 +231,8 @@ public static ApplicationConfiguration CreateServerConfiguration() ServerSecurityPolicy policy1 = new ServerSecurityPolicy(); policy1.SecurityMode = MessageSecurityMode.SignAndEncrypt; - policy1.SecurityPolicyUri = SecurityPolicies.Basic128Rsa15; - policy1.SecurityLevel = 1; + policy1.SecurityPolicyUri = SecurityPolicies.Basic256Sha256; + policy1.SecurityLevel = 5; configuration.ServerConfiguration.SecurityPolicies.Add(policy1); @@ -279,7 +279,7 @@ public static EndpointDescription CreateEndpointDescription() // specify the security policy to use. // endpointDescription.SecurityPolicyUri = SecurityPolicies.None; // endpointDescription.SecurityMode = MessageSecurityMode.None;; - endpointDescription.SecurityPolicyUri = SecurityPolicies.Basic128Rsa15; + endpointDescription.SecurityPolicyUri = SecurityPolicies.Basic256Sha256; endpointDescription.SecurityMode = MessageSecurityMode.SignAndEncrypt; // specify the transport profile.
SampleApplications/Samples/Publisher/Opc.Ua.Publisher.Endpoints.xml+4 −4 modified@@ -9,14 +9,14 @@ <ua:Endpoint> <EndpointUrl>opc.tcp://localhost:61210/UA/Publisher</EndpointUrl> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <UserIdentityTokens> <UserTokenPolicy> <TokenType>Anonymous_0</TokenType> </UserTokenPolicy> </UserIdentityTokens> <TransportProfileUri>http://opcfoundation.org/UA/profiles/transport/wsxmlorbinary</TransportProfileUri> - <SecurityLevel>0</SecurityLevel> + <SecurityLevel>5</SecurityLevel> </ua:Endpoint> <ua:UpdateBeforeConnect>true</ua:UpdateBeforeConnect> <ua:SelectedUserTokenPolicy>0</ua:SelectedUserTokenPolicy> @@ -25,14 +25,14 @@ <ua:Endpoint> <EndpointUrl>opc.tcp://192.168.2.101:51210/UA/SampleServer</EndpointUrl> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <UserIdentityTokens> <UserTokenPolicy> <TokenType>Anonymous_0</TokenType> </UserTokenPolicy> </UserIdentityTokens> <TransportProfileUri>http://opcfoundation.org/UA/profiles/transport/wsxmlorbinary</TransportProfileUri> - <SecurityLevel>0</SecurityLevel> + <SecurityLevel>5</SecurityLevel> </ua:Endpoint> <ua:UpdateBeforeConnect>true</ua:UpdateBeforeConnect> <ua:SelectedUserTokenPolicy>0</ua:SelectedUserTokenPolicy>
SampleApplications/Samples/Server/Opc.Ua.SampleServer.Config.xml+2 −21 modified@@ -84,37 +84,18 @@ <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>1</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> + <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> </SecurityPolicies> + <MinRequestThreadCount>5</MinRequestThreadCount> <MaxRequestThreadCount>100</MaxRequestThreadCount> <MaxQueuedRequestCount>2000</MaxQueuedRequestCount>
SampleApplications/Samples/ServerTest/Opc.Ua.ServerTestTool.Endpoints.xml+2 −2 modified@@ -8,7 +8,7 @@ <ua:Endpoint> <EndpointUrl>http://localhost:61211/UA/SampleClient</EndpointUrl> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <UserIdentityTokens> <UserTokenPolicy> <TokenType>Anonymous_0</TokenType> @@ -35,7 +35,7 @@ <ua:Endpoint> <EndpointUrl>http://localhost:51211/UA/SampleServer</EndpointUrl> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <UserIdentityTokens> <UserTokenPolicy> <TokenType>Anonymous_0</TokenType>
SampleApplications/Stack Test/Server/Opc.Ua.StackTestServer.Config.xml+3 −13 modified@@ -53,25 +53,15 @@ <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> </SecurityPolicies> <UserTokenPolicies />
SampleApplications/Workshop/AlarmCondition/Server/Quickstarts.AlarmConditionServer.Config.xml+3 −15 modified@@ -54,33 +54,21 @@ <ua:String>opc.tcp://localhost:62544/Quickstarts/AlarmConditionServer</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - <!-- <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> - --> </SecurityPolicies> <UserTokenPolicies> <ua:UserTokenPolicy>
SampleApplications/Workshop/Boiler/Server/Quickstarts.BoilerServer.Config.xml+3 −15 modified@@ -55,33 +55,21 @@ <ua:String>opc.tcp://localhost:62541/Quickstarts/BoilerServer</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - <!-- <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> - --> </SecurityPolicies> <UserTokenPolicies> <ua:UserTokenPolicy>
SampleApplications/Workshop/ComDa/Server/Quickstarts.ComDaServerWrapper.Config.xml+8 −8 modified@@ -64,19 +64,19 @@ <AlternateBaseAddresses xmlns:d3p1="http://opcfoundation.org/UA/2008/02/Types.xsd" /> <SecurityPolicies> <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> + <SecurityMode>None_1</SecurityMode> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> + <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> - <SecurityMode>None_1</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> - <SecurityLevel>0</SecurityLevel> + <SecurityMode>SignAndEncrypt_3</SecurityMode> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> </SecurityPolicies> <MinRequestThreadCount>10</MinRequestThreadCount>
SampleApplications/Workshop/DataAccess/Server/Quickstarts.DataAccessServer.Config.xml+3 −15 modified@@ -55,33 +55,21 @@ <ua:String>opc.tcp://localhost:62547/Quickstarts/DataAccessServer</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - <!-- <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> - --> </SecurityPolicies> <UserTokenPolicies> <ua:UserTokenPolicy>
SampleApplications/Workshop/DataTypes/Server/Quickstarts.DataTypesServer.Config.xml+3 −15 modified@@ -55,33 +55,21 @@ <ua:String>opc.tcp://localhost:62541/DataTypesServer</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - <!-- <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> - --> </SecurityPolicies> <UserTokenPolicies> <ua:UserTokenPolicy>
SampleApplications/Workshop/DSATS/Server/DsatsDemoServer.Config.xml+7 −2 modified@@ -51,10 +51,15 @@ <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityMode>Sign_2</SecurityMode> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> + <ServerSecurityPolicy> + <SecurityMode>SignAndEncrypt_3</SecurityMode> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> + </ServerSecurityPolicy> </SecurityPolicies> <MinRequestThreadCount>10</MinRequestThreadCount> <MaxRequestThreadCount>100</MaxRequestThreadCount>
SampleApplications/Workshop/Empty/Server/Quickstarts.EmptyServer.Config.xml+3 −15 modified@@ -55,33 +55,21 @@ <ua:String>opc.tcp://localhost:62546/Quickstarts/EmptyServer</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - <!-- <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> - --> </SecurityPolicies> <UserTokenPolicies> <ua:UserTokenPolicy>
SampleApplications/Workshop/HistoricalAccess/Server/Quickstarts.HistoricalAccessServer.Config.xml+3 −15 modified@@ -56,33 +56,21 @@ <ua:String>opc.tcp://localhost:62550/Quickstarts/HistoricalAccessServer</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - <!-- <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> - --> </SecurityPolicies> <UserTokenPolicies> <ua:UserTokenPolicy>
SampleApplications/Workshop/HistoricalEvents/Server/Quickstarts.HistoricalEventsServer.Config.xml+3 −15 modified@@ -56,33 +56,21 @@ <ua:String>opc.tcp://localhost:62553/Quickstarts/HistoricalEventsServer</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - <!-- <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> - --> </SecurityPolicies> <UserTokenPolicies> <ua:UserTokenPolicy>
SampleApplications/Workshop/Methods/Server/Quickstarts.MethodsServer.Config.xml+3 −15 modified@@ -55,33 +55,21 @@ <ua:String>opc.tcp://localhost:62541/Quickstarts/MethodsServer</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - <!-- <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> - --> </SecurityPolicies> <UserTokenPolicies> <ua:UserTokenPolicy>
SampleApplications/Workshop/PerfTest/Server/Quickstarts.PerfTestServer.Config.xml+3 −15 modified@@ -43,33 +43,21 @@ <ua:String>opc.tcp://localhost:62541/Quickstarts/PerfTestServer</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - <!-- <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> - --> </SecurityPolicies> <UserTokenPolicies> <ua:UserTokenPolicy>
SampleApplications/Workshop/Reference/Server/Quickstarts.ReferenceServer.Config.xml+10 −5 modified@@ -54,16 +54,21 @@ <ua:String>opc.tcp://localhost:62541/Quickstarts/ReferenceServer</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> + <ServerSecurityPolicy> + <SecurityMode>Sign_2</SecurityMode> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>1</SecurityLevel> + </ServerSecurityPolicy> + <ServerSecurityPolicy> + <SecurityMode>SignAndEncrypt_3</SecurityMode> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> + </ServerSecurityPolicy> </SecurityPolicies> <UserTokenPolicies> <ua:UserTokenPolicy>
SampleApplications/Workshop/SimpleEvents/Server/Quickstarts.SimpleEventsServer.Config.xml+3 −15 modified@@ -55,33 +55,21 @@ <ua:String>opc.tcp://localhost:62541/Quickstarts/SimpleEventsServer</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - <!-- <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> - --> </SecurityPolicies> <UserTokenPolicies> <ua:UserTokenPolicy>
SampleApplications/Workshop/Tutorial/Server - Final/TutorialServer.Config.xml+3 −15 modified@@ -55,33 +55,21 @@ <ua:String>opc.tcp://localhost:62541/TutorialServer</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - <!-- <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> - --> </SecurityPolicies> <UserTokenPolicies> <ua:UserTokenPolicy>
SampleApplications/Workshop/Tutorial/Server - Initial/TutorialServer.Config.xml+3 −15 modified@@ -55,33 +55,21 @@ <ua:String>opc.tcp://localhost:62541/TutorialServer</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - <!-- <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> - --> </SecurityPolicies> <UserTokenPolicies> <ua:UserTokenPolicy>
SampleApplications/Workshop/Tutorial/Server/TutorialServer.Config.xml+3 −15 modified@@ -55,33 +55,21 @@ <ua:String>opc.tcp://localhost:62541/TutorialServer</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - <!-- <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> - --> </SecurityPolicies> <UserTokenPolicies> <ua:UserTokenPolicy>
SampleApplications/Workshop/UserAuthentication/Server/Quickstarts.UserAuthenticationServer.Config.xml+3 −17 modified@@ -55,35 +55,21 @@ <ua:String>opc.tcp://localhost:62541/Quickstarts/UserAuthenticationServer</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> - <!-- - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> - </ServerSecurityPolicy> - --> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - <!-- <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> - --> </SecurityPolicies> <UserTokenPolicies> <ua:UserTokenPolicy>
SampleApplications/Workshop/Views/Server/Quickstarts.ViewsServer.Config.xml+3 −15 modified@@ -55,33 +55,21 @@ <ua:String>opc.tcp://localhost:62546/Quickstarts/ViewsServer</ua:String> </BaseAddresses> <SecurityPolicies> - <ServerSecurityPolicy> - <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> - <SecurityLevel>3</SecurityLevel> - </ServerSecurityPolicy> - <ServerSecurityPolicy> - <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>2</SecurityLevel> - </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>None_1</SecurityMode> <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri> <SecurityLevel>0</SecurityLevel> </ServerSecurityPolicy> - <!-- <ServerSecurityPolicy> <SecurityMode>Sign_2</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> <SecurityLevel>1</SecurityLevel> </ServerSecurityPolicy> <ServerSecurityPolicy> <SecurityMode>SignAndEncrypt_3</SecurityMode> - <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri> - <SecurityLevel>4</SecurityLevel> + <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri> + <SecurityLevel>5</SecurityLevel> </ServerSecurityPolicy> - --> </SecurityPolicies> <UserTokenPolicies> <ua:UserTokenPolicy>
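Review bot: In the server configs touched above (for example Opc.Ua.StackTestServer.Config.xml, Quickstarts.ReferenceServer.Config.xml and Quickstarts.ComDaServerWrapper.Config.xml), the `None_1` / `SecurityPolicy#None` entry at `SecurityLevel` 0 stays active while the Basic128Rsa15 and Basic256 entries are removed. If the samples are meant to ship with only the stronger policies, consider commenting that entry out, or add an XML comment next to it saying why it is kept, so that anyone copying these files makes that choice deliberately.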
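Review bot: Opc.Ua.ServerTestTool.Endpoints.xml changes only `SecurityPolicyUri` in both of its hunks (+2 −2), whereas Opc.Ua.Publisher.Endpoints.xml makes the same URI change and also raises `SecurityLevel` from 0 to 5. Please check whether the cached endpoints in the ServerTestTool file carry a `SecurityLevel` that needs the same update, so the two endpoint caches stay consistent with the server configs, which now advertise SignAndEncrypt_3 with Basic256Sha256 at level 5.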
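Review bot: Missing documentation: every hunk shown here edits a sample XML file under SampleApplications, and nothing in them touches a configuration that was already copied from the earlier samples. A short note in the README or release notes telling operators to remove any `ServerSecurityPolicy` entries for Basic128Rsa15 and Basic256 from their own config files would make clear that the change is not picked up automatically.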
Vulnerability mechanics
Root cause
"The use of weak cryptographic security policies in OPC UA applications allows for an oracle attack that can reveal the server's private key."
Attack vector
A remote attacker can exploit this vulnerability by sending carefully crafted `UserIdentityTokens` to an OPC UA server. By observing the server's responses, the attacker can perform an oracle attack to determine the server's private key. This attack relies on the server supporting weak or vulnerable cryptographic security policies.
Affected code
The vulnerability affects the configuration files of various OPC UA sample applications, specifically those defining `SecurityPolicies` and `UserTokenPolicies`. The affected files include `Opc.Ua.SampleClient.Config.xml`, `Opc.Ua.SampleServer.Config.xml`, and several others within the `SampleApplications` directory [patch_id=14429, patch_id=14428]. These configurations previously permitted the use of insecure security policies such as `Basic128Rsa15` and `Basic256`.
What the fix does
The patches remove insecure security policies, specifically `Basic128Rsa15` and `Basic256`, from the default server and client configurations [patch_id=14429, patch_id=14428]. These policies are replaced with more secure alternatives like `Basic256Sha256`. By disabling the vulnerable policies, the server is no longer susceptible to the oracle attack that could lead to the exposure of its private key.
Preconditions
- config: The OPC UA application must be configured to use vulnerable security policies such as Basic128Rsa15 or Basic256.
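An added example (not code from the OPC UA stacks or from this page's sources): a Python audit that lists the active entries in an OPC UA configuration file that still name the policies the fix removes. The sample XML is constructed, and `audit_config`, `WEAK_POLICIES` and the sample server URL are names chosen here for illustration.

```python
import xml.etree.ElementTree as ET

# Policies the page names as removed from the sample configurations by the fix.
WEAK_POLICIES = {"Basic128Rsa15", "Basic256"}

# Constructed sample modelled on the pre-fix layout shown in the diffs;
# the server URL is a placeholder, not a real deployment.
SAMPLE_CONFIG = """<ApplicationConfiguration
    xmlns="http://opcfoundation.org/UA/SDK/Configuration.xsd"
    xmlns:ua="http://opcfoundation.org/UA/2008/02/Types.xsd">
  <ServerConfiguration>
    <BaseAddresses>
      <ua:String>opc.tcp://localhost:62541/Example/Server</ua:String>
    </BaseAddresses>
    <SecurityPolicies>
      <ServerSecurityPolicy>
        <SecurityMode>SignAndEncrypt_3</SecurityMode>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri>
        <SecurityLevel>3</SecurityLevel>
      </ServerSecurityPolicy>
      <ServerSecurityPolicy>
        <SecurityMode>Sign_2</SecurityMode>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256</SecurityPolicyUri>
        <SecurityLevel>2</SecurityLevel>
      </ServerSecurityPolicy>
      <ServerSecurityPolicy>
        <SecurityMode>None_1</SecurityMode>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#None</SecurityPolicyUri>
        <SecurityLevel>0</SecurityLevel>
      </ServerSecurityPolicy>
      <ServerSecurityPolicy>
        <SecurityMode>SignAndEncrypt_3</SecurityMode>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256</SecurityPolicyUri>
        <SecurityLevel>5</SecurityLevel>
      </ServerSecurityPolicy>
      <!--
      <ServerSecurityPolicy>
        <SecurityMode>Sign_2</SecurityMode>
        <SecurityPolicyUri>http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15</SecurityPolicyUri>
        <SecurityLevel>1</SecurityLevel>
      </ServerSecurityPolicy>
      -->
    </SecurityPolicies>
  </ServerConfiguration>
</ApplicationConfiguration>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def child_text(element, name):
    """Text of the first direct child with the given local name, or ''."""
    for child in element:
        if local_name(child.tag) == name:
            return (child.text or "").strip()
    return ""


def audit_config(xml_text):
    """Return (container, SecurityMode, policy) for each active weak entry.

    Works on server configs (ServerSecurityPolicy) and on cached endpoint
    files (Endpoint), because it keys on any element that has a
    SecurityPolicyUri child. Commented-out entries are skipped: the default
    ElementTree parser discards XML comments, and a commented policy is not
    offered by the server.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for parent in root.iter():
        uri = child_text(parent, "SecurityPolicyUri")
        if not uri:
            continue
        policy = uri.rsplit("#", 1)[-1]
        if policy in WEAK_POLICIES:
            findings.append(
                (local_name(parent.tag), child_text(parent, "SecurityMode"), policy)
            )
    return findings


if __name__ == "__main__":
    for container, mode, policy in audit_config(SAMPLE_CONFIG):
        print(f"{container}: {policy} is still enabled with mode {mode}")
```

Matching on the exact fragment after `#` keeps `Basic256Sha256` from being flagged as `Basic256`.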
Generated on May 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-gr4c-5rq6-cgh3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-7559 (ghsa, ADVISORY)
- www.securityfocus.com/bid/108688 (ghsa, vdb-entry, x_refsource_BID, WEB)
- github.com/OPCFoundation/UA-.NET-Legacy/commit/e2a781b38efb8686d2bd850c2f2372b5c670bc45 (ghsa, x_refsource_CONFIRM, WEB)
- github.com/OPCFoundation/UA-.NETStandard/commit/ebcf026a54dd0c9052cff009d96d827ac923d150 (ghsa, x_refsource_CONFIRM, WEB)
- opcfoundation-onlineapplications.org/faq/SecurityBulletins/OPC_Foundation_Security_Bulletin_CVE-2018-7559.pdf (ghsa, x_refsource_CONFIRM, WEB)