Starting with the Qt 5.13 release, due at the end of May, the Qt OPC UA API in combination with the Unified Automation backend officially supports secure connections to servers (Sign or SignAndEncrypt message security mode). The following article outlines the changes to the Qt OPC UA API and shows how to get secure connections with the open62541 backend as well.
Security related QOpcUaClient API changes
To enable secure connections a number of changes to the API of the QOpcUaClient were necessary – some of them preventing existing code from compiling. In summary:
- The connectToEndpoint() overload taking a QUrl has been removed. The only supported way to specify which server to connect to is now an endpoint description retrieved with requestEndpoints(), which carries the server certificate, the security policy and the message security mode of that endpoint.
- supportedSecurityPolicies() returns a list with the OPC UA security policies supported by the current backend.
- setPkiConfiguration() is used to configure QOpcUaClient with a client certificate, a corresponding private key and the necessary data to verify server certificates.
- setIdentity() configures the identity information QOpcUaClient provides to the server during the connect. This information can also be initialized from the client certificate.
- Up to Qt 5.12, login credentials were supplied to QOpcUaClient by encoding the username and password in the URL, where they easily end up in logs and debug output. setAuthenticationInformation() replaces this with a clean API for selecting anonymous, username/password or X509 certificate based authentication.
- The connectError() signal is emitted when a connection to a server fails. Depending on the error, a slot connected to it can override the failure, for example to accept an untrusted or no longer valid server certificate. Such an override should be a deliberate decision about a specific certificate, not a blanket acceptance: a client that accepts any server certificate is open to an active man-in-the-middle despite the encryption.
- If the private key is protected with a password, the passwordForPrivateKeyRequired() signal is emitted. The user can then supply the password in the connected slot.
State of the open62541 backend
The open62541 backend does not support secure connections in Qt 5.13 because this requires open62541 v0.4, which has not been released yet.
A preview of security support based on the open62541 master branch has already been implemented and is available on gerrit.
The preview implements secure connections with the following security policies:
- http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
- http://opcfoundation.org/UA/SecurityPolicy#Basic256
- http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
and the following user authentication token types:
- Anonymous
- UserName
Password-protected private keys and overriding certificate verification errors are not supported yet. Note that Basic128Rsa15 and Basic256 are based on SHA-1 and were deprecated by the OPC Foundation in OPC UA 1.04; prefer Basic256Sha256 whenever the server offers it.
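Because connectToEndpoint() now only accepts an endpoint description, the application has to choose among the endpoints a server returns from requestEndpoints(), and servers typically list an unencrypted (None) endpoint first. The following is an added example, not code from the article or from Qt OPC UA, of selection logic that ranks the endpoints and refuses to connect unless a signed or encrypted one is available. The Endpoint struct and SecurityMode enum are hypothetical stand-ins for QOpcUaEndpointDescription so the code compiles without Qt; the policy URIs are the OPC UA ones. It goes beyond the article's list by also ranking the newer Aes128_Sha256_RsaOaep and Aes256_Sha256_RsaPss policies and by treating Basic128Rsa15 and Basic256 as deprecated (OPC UA 1.04).

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-ins for QOpcUaEndpointDescription and its
// MessageSecurityMode enum, so this example compiles without Qt.
enum class SecurityMode { Invalid, None, Sign, SignAndEncrypt };

struct Endpoint {
    std::string endpointUrl;
    std::string securityPolicy; // OPC UA SecurityPolicy URI
    SecurityMode securityMode;
};

// Relative strength of the OPC UA security policies, keyed by URI.
// Basic128Rsa15 and Basic256 are SHA-1 based and deprecated since OPC UA 1.04.
struct PolicyInfo {
    const char *uri;
    int rank;        // higher is stronger; 0 means no security at all
    bool deprecated;
};

static const PolicyInfo kPolicies[] = {
    {"http://opcfoundation.org/UA/SecurityPolicy#None", 0, false},
    {"http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15", 1, true},
    {"http://opcfoundation.org/UA/SecurityPolicy#Basic256", 2, true},
    {"http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256", 3, false},
    {"http://opcfoundation.org/UA/SecurityPolicy#Aes128_Sha256_RsaOaep", 4, false},
    {"http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss", 5, false},
};

static const PolicyInfo *lookupPolicy(const std::string &uri) {
    for (const PolicyInfo &p : kPolicies)
        if (uri == p.uri)
            return &p;
    return nullptr; // unknown URI: refuse what we cannot classify
}

static bool clientSupports(const std::vector<std::string> &clientPolicies, const std::string &uri) {
    for (const std::string &p : clientPolicies)
        if (p == uri)
            return true;
    return false;
}

// Score one endpoint; returns -1 if it must not be used.
// Rules: the mode must be Sign or SignAndEncrypt (None and Invalid are rejected),
// the policy must be known, non-None and contained in the list the client
// supports (supportedSecurityPolicies()), and deprecated policies are rejected
// unless explicitly allowed. SignAndEncrypt always outranks Sign; within the
// same mode the stronger policy wins.
int endpointScore(const Endpoint &ep, const std::vector<std::string> &clientPolicies, bool allowDeprecated) {
    const PolicyInfo *policy = lookupPolicy(ep.securityPolicy);
    if (!policy || policy->rank == 0)
        return -1;
    if (ep.securityMode != SecurityMode::Sign && ep.securityMode != SecurityMode::SignAndEncrypt)
        return -1;
    if (!clientSupports(clientPolicies, ep.securityPolicy))
        return -1;
    if (policy->deprecated && !allowDeprecated)
        return -1;
    const int modeScore = ep.securityMode == SecurityMode::SignAndEncrypt ? 100 : 50;
    return modeScore + policy->rank;
}

// Returns the index of the best acceptable endpoint, or -1 if none qualifies.
// Falling back to the None endpoint here would be a silent downgrade, so the
// caller is expected to fail closed instead.
int selectSecureEndpoint(const std::vector<Endpoint> &endpoints, const std::vector<std::string> &clientPolicies, bool allowDeprecated) {
    int best = -1, bestScore = -1;
    for (size_t i = 0; i < endpoints.size(); ++i) {
        const int s = endpointScore(endpoints[i], clientPolicies, allowDeprecated);
        if (s > bestScore) {
            bestScore = s;
            best = static_cast<int>(i);
        }
    }
    return best;
}

int main() {
    // Constructed sample of what a server's GetEndpoints reply often contains.
    const std::vector<Endpoint> endpoints = {
        {"opc.tcp://server:4840", "http://opcfoundation.org/UA/SecurityPolicy#None", SecurityMode::None},
        {"opc.tcp://server:4840", "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15", SecurityMode::SignAndEncrypt},
        {"opc.tcp://server:4840", "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256", SecurityMode::Sign},
        {"opc.tcp://server:4840", "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256", SecurityMode::SignAndEncrypt},
    };
    // The policies the open62541 preview described in the article supports, plus None.
    const std::vector<std::string> clientPolicies = {
        "http://opcfoundation.org/UA/SecurityPolicy#None",
        "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15",
        "http://opcfoundation.org/UA/SecurityPolicy#Basic256",
        "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256",
    };
    const int idx = selectSecureEndpoint(endpoints, clientPolicies, false);
    if (idx < 0) {
        std::cerr << "no acceptable secure endpoint, refusing to connect\n";
        return 1;
    }
    std::cout << "connecting to " << endpoints[idx].endpointUrl << " using "
              << endpoints[idx].securityPolicy << "\n";
    return 0;
}
```

In a real client the same function would be applied to the QList returned by requestEndpoints() before calling connectToEndpoint(), and the allowDeprecated flag should default to false and only be switched on for servers that cannot be upgraded.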
Give it a try
In addition to the usual dependencies of Qt OPC UA, the preview requires mbedTLS, which must be available in the system's library search path.
The source code of the preview is available on gerrit. The easiest way to build it is to follow the instructions in our overall Qt OPC UA tutorial. As an additional step, the latest patch set from gerrit must be downloaded via the Anonymous HTTP checkout command (see the gerrit link above for the details).
Make sure the output of the qmake step contains “mbedtls …. yes”. If it does not, the open62541 backend will be built without security support; in that case, consult the config.log file to find out why detecting the mbedTLS library failed.
Outlook
We are working towards officially enabling secure connections for the open62541 backend in a later release of Qt. Until then we encourage you to try out this preview and to provide feedback on its current state.
19 Responses
Hello,
I wanted to know if it is possible to include this library update in the Qt 5.12.5 version of QtOpcUa. If it is, how would I go about applying the patch, as it didn't seem to work for me.
When running qmake, there's no line available for the mbedTLS library, and according to the log files it doesn't even get searched.
Kind Regards
Well, in the end it was kind of my own stupidity that stopped me from doing this properly. I applied the patch the wrong way, which resulted in all kinds of mistakes. I had to add LIBS+= -lmbedtls -lmbedx509 -lmbedcrypto to the open62541.pri file to make nmake work properly.
In the end I still think something went wrong along the way, as client.supportedSecurityPolicies returns only 1, which is none.
Once again replying to my own comment: it was AdvAPI32.lib that I added to the win32: LIBS += line, instead of the thing I wrote before.
I just keep posting problems and then solving them a day later, but at least I can maybe help if anyone else has this problem.
This time the problem was once again applying the patch incorrectly. With no experience with gerrit, I thought it would be sufficient to install only the linked patch, which was not the case.
In reality, I also need the other one that's linked on the right side of the gerrit page.
Hi, could you please tell, how exactly can one apply the patch? I lack experience with gerrit. The gerrit link contains 2 related chains:
a) Add secure connect to the open62541 plugin (v1.0)
b) Fix build and tests with the current open62541 v1.0
Which chain should I be checking out? Or am I missing something? Please help.
The secure connect feature has been merged into Qt OPC UA for several years now. What branch do you want to apply the patch to?
I would like to install and try out this patch but I’m running into some problems.
After a lot of work to get qmake to finally accept my mbed libs and give me the long-awaited mbedtls…..yes, the nmake step fails.
I get this error:
mbedcrypto.lib(entropy_poll.obj) : error LNK2019: unresolved external symbol __imp__CryptAcquireContextA@20 referenced in function _mbedtls_platform_entropy_poll
I followed your tutorial on building Qt OPC UA, although I used vcvarsamd64_x86 instead of vcvarsx86_amd64, as I am building for a Qt 32-bit version.
After cloning the qtopcua directory, I run
git fetch "https://codereview.qt-project.org/qt/qtopcua" refs/changes/11/226111/33 && git checkout FETCH_HEAD
to apply the Patch
226111: Fix build and tests with the current open62541 v1.0.
Do you know where I could have made a mistake in these steps? Or is it possible that my mbedtls libs are corrupt in some way?
I hope for feedback
Many thanks
Hello,
Did you guys make it through and get this working? I am currently running Qt 5.14.2 (Qtopcua at the same version). I have built the Qtopcua plugin with MBED and SSL installed. I don't know how to check which open62541 version I have running via the Qtopcua API. After compiling all this plus the examples I am able to run the OPC UA viewer example. I can choose the proper backend and certified endpoint. The problem is I cannot connect to the server:
12:37:44: Starting /home/Qt/Examples/Qt-5.14.2/opcua/build-opcuaviewer-Desktop_Qt_5_14_2_GCC_64bit-Debug/opcuaviewer ...
"Creating PKI path '/home/Qt/Examples/Qt-5.14.2/opcua/build-opcuaviewer-Desktop_Qt_5_14_2_GCC_64bit-Debug/pki/trusted/certs': SUCCESS."
"Creating PKI path '/home/Qt/Examples/Qt-5.14.2/opcua/build-opcuaviewer-Desktop_Qt_5_14_2_GCC_64bit-Debug/pki/trusted/crl': SUCCESS."
"Creating PKI path '/home/Qt/Examples/Qt-5.14.2/opcua/build-opcuaviewer-Desktop_Qt_5_14_2_GCC_64bit-Debug/pki/issuers/certs': SUCCESS."
"Creating PKI path '/home/Qt/Examples/Qt-5.14.2/opcua/build-opcuaviewer-Desktop_Qt_5_14_2_GCC_64bit-Debug/pki/issuers/crl': SUCCESS."
qt.opcua.security: No client certificate found at "/home/Qt/Examples/Qt-5.14.2/opcua/build-opcuaviewer-Desktop_Qt_5_14_2_GCC_64bit-Debug/pki/own/certs/opcuaviewer.der" . Application identity will be invalid.
Did any of you guys face this? I would appreciate all help.
Hello,
you have to generate a private key / certificate pair for opcuaviewer according to the instructions in https://doc.qt.io/QtOPCUA/security.html#create-a-new-application-certificate and place the files in the pki directory structure the application has created on the first start.
Edit: I have just updated the client certificate in examples/opcua/opcuaviewer/pki/ on the 5.14 branch. This certificate should work too, you can just copy the entire pki directory.
I'm also using Qt 5.14.2 and qtopcua is the same version, but I have a problem when compiling. It prompts me: fatal error: openssl/asn1.h: No such file or directory #include. I have downloaded openssl-win32. How should I complete the installation of qtopcua 5.14.2?
I look forward to and thank you for your reply, and add my previous question:
I'm also using Qt 5.14.2 and qtopcua is the same version, but I have a problem when compiling. It prompts me: fatal error: openssl/asn1.h: No such file or directory #include. I have downloaded openssl-win32.
Then I tried to add libcrypto.lib and libssl.lib from OpenSSL-Win32 in the file opcua.pro, which is at the path C:\Qt\Qt5.14.2\5.14.2\msvc2017\qtopcua\src\opcua\opcua.pro. Then the compile succeeded, but when I ran the example (opcuaviewer), there was an error:
Project ERROR: You cannot build examples inside the Qt source tree, except as part of a proper Qt build.
The process "C:\QT\qt5.14.2\5.14.2\msvc2017\bin\qmake.exe" exited with exit code 3.
Error while building/deploying project opcuaviewer (kit: Desktop Qt 5.14.2 MSVC2017 32bit)
The kit Desktop Qt 5.14.2 MSVC2017 32bit has configuration issues which might be the root cause for this problem.
When executing step “qmake”
Hi, Please try using a build directory outside the qtopcua directory.
Qt OPC UA Viewer open62541 Backend
The connection is disconnected automatically when an item in the QTreeView is clicked after a certain time (reproducible).
…
Debug: Client error changed QOpcUaClient::ConnectionError
Debug: Client state changed QOpcUaClient::Disconnected
This is because the explorer example does not open a subscription and therefore only exchanges data with the server each time an element is expanded.
The example would need to be extended with a timer that acts as a keepalive mechanism and periodically reads, for example, the node with the current time from the server.
Thank you very much for the hint.
If I understood correctly, there would be two solutions:
1. The client periodically sends several PublishRequests to the server.
2. Periodically read a node with the current time from the server.
I will try it out.
Hi,
I'm trying to connect to the server with a secure connection. My Qt version is Qt 5.14.2. I can work correctly with OPC UA data access over a connection with security mode None. When I try to connect to the server with a secure connection using the opcuaviewer example, it shows that qt.opcua.plugins.open62541: The open62541 plugin has been built without encryption support
And I found out that after "qmake ..", mbedtls……. is No.
So I downloaded the mbedtls lib from (https://github.com/ARMmbed/mbedtls) and included it (INCLUDEPATH += $$PWD/open62541/mbedtls-development/include) in "open62541.pri".
I opened "open62541.h" with Qt Creator, set "#define UA_ENABLE_ENCRYPTION" and built the project. It shows a lot of undefined references to mbedtls_x509 functions. But when I press "F2" on those functions, they are linked to the mbedtls lib. So it seems the lib is linked, but I don't know why there are undefined reference errors.
Can someone tell me where I am going wrong and how to make "mbedtls" be "Yes"?
Best Regard,
Hi. I want to apply the patch to the branch 5.13.2.
As mentioned above in this article “As an additional step, the last patch set from gerrit must be downloaded via the Anonymous HTTP checkout command (See the gerrit-link above for the details).”
I tried checking out the chain "Fix build and tests with the current open62541 v1.0", but during qmake it doesn't even detect mbedtls, as per the configuration summary.
My qmake command, which explicitly includes the mbedtls includes and libraries:
C:\Qt\5.13.2\msvc2017_64\qtopcua\build>C:\Qt\5.13.2\msvc2017_64\bin\qmake.exe "C:\Qt\5.13.2\msvc2017_64\qtopcua\qtopcua.pro" EXTRA_INCLUDEPATH+=" C:\mbedtls-3.2.1\mbedtls-3.2.1\include\mbedtls" EXTRA_LIBDIR+="C:\mbedtls-3.2.1\mbedtls-3.2.1\build_dir\library\Release"
Running configuration tests…
Checking for mbedtls… no
Checking for Open62541… no
Checking for Unified Automation C++ SDK… no
Done running configuration tests.
Configure summary:
Qt Opcua:
Open62541 ………………………… yes
Unified Automation C++ SDK …………. no
Support for namespace 0 NodeId names … yes
Namespace 0 NodeIds generator ………. no
mbedtls ………………………….. no
As per config.log, I am getting these linking errors:
> mbedcrypto.lib(entropy_poll.obj) : error LNK2019: unresolved external symbol __imp_CryptAcquireContextA referenced in function mbedtls_platform_entropy_poll
> mbedcrypto.lib(entropy_poll.obj) : error LNK2019: unresolved external symbol __imp_CryptReleaseContext referenced in function mbedtls_platform_entropy_poll
> mbedcrypto.lib(entropy_poll.obj) : error LNK2019: unresolved external symbol __imp_CryptGenRandom referenced in function mbedtls_platform_entropy_poll
I tried adding LIBS+= -lmbedtls -lmbedx509 -lmbedcrypto and AdvAPI32.lib to win32: LIBS += line in the open62541.pri file as mentioned in above conversation but that didn’t help as well.
What am I missing? Have I applied the patch correctly? I would appreciate any help. Thanks
I think you’ll need to specify these flags separately for the configuration test (if necessary directly in the corresponding project file).
Please also consider updating to a recent version of Qt. 5.15.x might be the most appropriate for you. 5.13.2 is very outdated.