Get rid of insecure Transport Layer Security (TLS) Ciphersuites|OPC UA Standard|Forum|OPC Foundation

Avatar
sp_LogInOut Log In
sp_Search Search
Advanced Search
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
sp_Search Search
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
Get rid of insecure Transport Layer Security (TLS) Ciphersuites
Avatar
Matthias Schulz
New Member
Members
Forum Posts: 2
Member Since:
09/03/2024
sp_UserOfflineSmall Offline
1
09/03/2024 - 02:16
sp_Permalink sp_Print sp_EditHistory

OPCUA 1.04 specifies TLS ciphersuites that are considered weak for various reasons.

For a security point of view such ciphersuites shall be avoided and replaced by one that is recommened for state-of-the art products.

Current mandatory ciphersuits:

https://reference.opcfoundatio…..cs/6.6.160 
TLS_DHE_RSA with AES_nnn_CBC_SHA256
https://ciphersuite.info/cs/TL…..BC_SHA256/ 

https://reference.opcfoundatio…..cs/6.6.159 
TLS_RSA with AES_256_CBC_SHA256
https://ciphersuite.info/cs/TL…..BC_SHA256/ 

 

Here is a list of recommended ciphersuites:

https://ciphersuite.info/cs/?s…..t=sec-desc 

 

Additionally, mbedTLS is dropping support for such weak ciphersuites in future versions:

https://github.com/Mbed-TLS/mb…..ssues/8170

Avatar
Randy Armstrong
Admin
Forum Posts: 1549
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
2
09/03/2024 - 11:41
sp_Permalink sp_Print sp_EditHistory

Please create a mantis issue on Part 7:

https://apps.opcfoundation.org…..default=no

Avatar
Matthias Schulz
New Member
Members
Forum Posts: 2
Member Since:
09/03/2024
sp_UserOfflineSmall Offline
sp_Feed
Go to top
Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 11
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1423
Posts: 4813