View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
000981410000-007: ProfilesSpecpublic2024-09-04 06:472024-09-17 15:25
ReporterMatthias Schulz Assigned ToPaul Hunkar  
PriorityhighSeveritymajorReproducibilityalways
Status assignedResolutionopen 
Product Version1.04 
Summary0009814: Usage of weak TLS ciphersuites
Description

OPCUA 1.04 specifies TLS ciphersuites that are considered weak for various reasons.

For a security point of view such ciphersuites shall be avoided and replaced by one that is recommened for state-of-the art products.

Current mandatory ciphersuits:

https://reference.opcfoundation.org/Core/Part7/v104/docs/6.6.160 
TLS_DHE_RSA with AES_nnn_CBC_SHA256
https://ciphersuite.info/cs/TLS_DHE_RSA_WITH_AES_256_CBC_SHA256/ 

https://reference.opcfoundation.org/Core/Part7/v104/docs/6.6.159 
TLS_RSA with AES_256_CBC_SHA256
https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_CBC_SHA256/ 

Here is a list of recommended ciphersuites:

https://ciphersuite.info/cs/?security=recommended&sort=sec-desc 

Additionally, mbedTLS is dropping support for such weak ciphersuites in future versions:

https://github.com/Mbed-TLS/mbedtls/issues/8170

TagsPart 7
Commit Version1.05.04
Fix Due Date2024-09-22

Activities

Randy Armstrong

2024-09-04 15:17

administrator   ~0021656

Recommendations now:

TLS 1.2
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

TLS 1.3
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256

Matthias Schulz

2024-09-05 06:33

reporter   ~0021657

Sounds good!

Matthias Schulz

2024-09-05 06:37

reporter   ~0021658

What is your plan to deprecate the weak ciphers? Will there be a phase, where TLSRSA... ciphers are deprecated and the new ones already mandatory? In the end, the weak ciphers shall not be allowed anymore, alto to prevent downgrade attacks.

Issue History

Date Modified Username Field Change
2024-09-04 06:47 Matthias Schulz New Issue
2024-09-04 06:47 Matthias Schulz Tag Attached: Part 7
2024-09-04 14:11 Randy Armstrong Project 10000-002: Security => 10000-007: Profiles
2024-09-04 15:17 Randy Armstrong Note Added: 0021656
2024-09-05 06:33 Matthias Schulz Note Added: 0021657
2024-09-05 06:37 Matthias Schulz Note Added: 0021658
2024-09-17 15:22 Jim Luth Assigned To => Paul Hunkar
2024-09-17 15:22 Jim Luth Status new => assigned
2024-09-17 15:25 Jim Luth Commit Version => 1.05.04
2024-09-17 15:25 Jim Luth Fix Due Date => 2024-09-22