TLS TCP Communication using 3.5.16 NBS Library

Started by richiemuia on 2020-12-18; last post 2021-05-12
  • richiemuia - 2020-12-18

    I'm trying to develop a TCP Client connection that can utilise TLS. The latest version of the NBS library 3.5.16 seems to have code for this but there are no application examples as per the previous 3.5.15 library.

    I have created the static call for the TLS interface and linked it to the certificate in the Security screen. Handles are generated when I monitor the structures, but I see no initiation of a TLS handshake in Wireshark.

    I have managed to get a normal TCP connection working with the new library, but I'm not sure how to trigger the use of TLS or if I need any other extra FB calls apart from TCP_CLIENT, TCP_READ, TCP_WRITE.

    Has anybody got this working?

  • jjmm - 2021-05-05

    Hi, same here. No client hello started. Already found a solution?

  • i-campbell - 2021-05-10

    Hello Richie, Hello JJ,
    Here is an ST example for TCP_Client with TLS.
    If you are not using Client certificates, do not forget to run cert-gendhparams at least one time at the PLCShell.

  • jjmm - 2021-05-12

    Thanks Ian, got it working now.

    The issue appeared to be the initialisation of both the TLSContext and the TCP_Client.
    It turns out this has to be done either during declaration/instantiation of context and FB or by using the SetInitialValue method.
    This is undocumented as far as I can see.

    Here are some results from a test with test.mosquitto.org on port 8883.

    On declaration/instantiation (just setting what you need):

    VAR
        TLSContext : NBS.TLSContext := (sUseCaseName := 'example', ePurpose := NBS.PURPOSE.CLIENT_SIDE); // other fields keep the library defaults
        TCP_Client : NBS.TCP_Client := (itfTLSContext := TLSContext); // bind the client to the context here, not later in the body
    END_VAR

    Works fine, also when setting for TLS 1.3 protocol.

    Since there can be good reasons for wanting to use the SetInitialValue method, there is an issue: both methods require all parameters to be set, and the required initial values are not clear for all variables from the library documentation. The workaround/solution here is to call the method, resetting the values using their original values, like this:

    VAR
        useCaseName : STRING := 'example';
        TLSContext  : NBS.TLSContext;
        TCP_Client  : NBS.TCP_Client;
    END_VAR

    // All parameters are mandatory; fields that should keep their library
    // defaults are simply passed back from the context itself.
    TLSContext.SetInitialValue(
        psUseCaseName       := ADR(useCaseName),
        ePurpose            := NBS.PURPOSE.CLIENT_SIDE,
        psTLSVersion        := ADR(TLSContext.sTLSVersion),
        psCipherList        := ADR(TLSContext.sCipherList),
        psHostname          := ADR(TLSContext.sHostname),
        udiVerificationMode := TLSContext.udiVerificationMode,
        pciCertInfo         := ADR(TLSContext.ciCertInfo),
        itfCertVerifer      := TLSContext.itfCertVerifer);

    // Same pattern for the client: attach the context, keep the other interfaces as they are.
    TCP_Client.SetInitialValue(
        itfTLSContext    := TLSContext,
        itfAsyncProperty := TCP_Client.itfAsyncProperty,
        itfTSNContext    := TCP_Client.itfTSNContext);

    There appears to be a limitation for using the CipherList. Initial value as stated in the documentation for the CipherList is 'HIGH'. Trying to set another CipherList (such as 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256') generates an error message from inside the NBS library: TlsCreateContext: Invalid Cipher List given. This limitation is undocumented and not according to the documented link to openssl.org. Some work left to be done there I guess.

    Anyway, so far so good.
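The declaration-time initialisation from the post above, carried into a complete client program as an added example (not code from the thread or from the CODESYS library). It additionally sets sHostname, the field the SetInitialValue call above points at, so the library knows which server name the certificate is expected for; the TCP_Client and TCP_Read input/output names (ipAddr.sAddr, uiPort, xEnable, xActive, xError, eError, hConnection, pData, szSize, xReady, szCount) and the server IP are assumptions to check against the library in your own Library Manager.

```iecst
PROGRAM PLC_PRG
VAR
    // Added example (not library code). TLS settings are given at declaration
    // (or via SetInitialValue); sHostname names the server the certificate is
    // expected to belong to (test.mosquitto.org, the host used in the thread).
    TLSContext : NBS.TLSContext := (
        sUseCaseName := 'example',
        ePurpose     := NBS.PURPOSE.CLIENT_SIDE,
        sHostname    := 'test.mosquitto.org');
    TCP_Client : NBS.TCP_Client := (itfTLSContext := TLSContext);
    TCP_Read   : NBS.TCP_Read;
    abyRx      : ARRAY [0..255] OF BYTE;   // receive buffer for decrypted data
    sServerIP  : STRING := '0.0.0.0';      // placeholder: resolved IPv4 address of test.mosquitto.org
    xEnable    : BOOL := TRUE;
    xTlsUp     : BOOL;                     // connection established through the TLS context
    xFailed    : BOOL;                     // latched on a connect/handshake error
END_VAR

// Input and output names (ipAddr.sAddr, uiPort, xEnable, xActive, xError,
// eError, hConnection) are assumed from the NBS TCP_Client interface.
TCP_Client.ipAddr.sAddr := sServerIP;
TCP_Client(xEnable := xEnable, uiPort := 8883);

IF TCP_Client.xError THEN
    // A rejected certificate or a failed handshake ends up here; latch it and
    // stop retrying so the cause can be read from TCP_Client.eError.
    xFailed := TRUE;
    xEnable := FALSE;
END_IF

// With the context attached at declaration, a Client Hello should appear in
// Wireshark as soon as the client is enabled; seeing none at all was the
// symptom described in the thread (context assigned too late).
xTlsUp := TCP_Client.xActive;

IF xTlsUp THEN
    TCP_Read(xEnable := TRUE, hConnection := TCP_Client.hConnection,
             pData := ADR(abyRx), szSize := SIZEOF(abyRx));
    // TCP_Read.xReady and TCP_Read.szCount report received application bytes.
END_IF
```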

