From OpenSCADAWiki
Module:      SSL
Name:        SSL
Version:     2.4
License:     GPL2
Source:      tr_SSL.so
Languages:   en,uk,ru,de
Platforms:   x86,x86_64,ARM
Type:        Transport
Author:      Roman Savochenko
             Maxim Lysenko (2009), initial translation of this page
Description: Provides a transport based on the Secure Sockets Layer. OpenSSL is used, and SSLv3, TLSv1, TLSv1.1, TLSv1.2, DTLSv1 and DTLSv1.2 are supported.

The module adds support for transports based on the Secure Sockets Layer (SSL) to the program. It is built on the OpenSSL library. The protocols SSLv3, TLSv1, TLSv1.1, TLSv1.2, DTLSv1 and DTLSv1.2 are supported for both input and output transports; the actual list depends on which of them the installed OpenSSL library provides and, when no version is specified explicitly, the most relevant and safest one is selected. Note that SSLv3, TLSv1 and TLSv1.1 are deprecated protocol versions; selecting one of them explicitly in the mode field should be a conscious decision made only for compatibility with a legacy peer.

New input and output secure sockets can be added through the configuration of the transport subsystem in any OpenSCADA configurator.

1 Input transports

A configured and running input transport opens a server SSL socket and waits for client connections. The server socket is multi-threaded: when a client connects, a client SSL connection is created together with a new thread in which that client is served, and the server socket immediately returns to waiting for the next client. Clients are thus served in parallel.

Each input transport is necessarily associated with one of the available transport protocols, to which the incoming messages are passed. Together with the transport protocol, a mechanism for reassembling the pieces of a request that were split up during transmission is supported.

Configuration dialog of the input SSL-transport is shown in Figure 1.

Fig.1. Configuration dialog of the input SSL-transport.

Using this dialog you can set:

  • State of the transport: "Status", "Running", the name of the database containing the configuration, and a list with information about the active connections.
  • Identifier, name and description of the transport.
  • Address of the transport in the format "{addr}:{port}[:{mode}]", where:
    • addr — the address on which the SSL socket is opened; it must be one of the addresses of the host. An empty address or "*" opens the socket on all interfaces. A symbolic host name as well as an IPv4 address ("127.0.0.1") or an IPv6 address ("[::1]") may be used.
    • port — the network port on which the SSL socket is opened; a symbolic port name according to /etc/services may be given.
    • mode — SSL mode and version (SSLv3, TLSv1, TLSv1_1, TLSv1_2, DTLSv1, DTLSv1_2); by default, and when the value is invalid, the safest and most appropriate one is used.
  • Selection of the transport protocols.
  • The "Running" state into which the transport is to be put at startup.
  • Certificates, the private SSL key and the password of the private SSL key.
  • Maximum number of clients, maximum number of clients per host and size of the input buffer.
  • Keep-alive requests: the connection is closed after the specified number of requests. Zero disables the limit, the connection is then never closed on this basis.
  • Keep-alive timeout, in seconds: the connection is closed when no request arrives within the specified time. Zero disables the timeout, the connection is then never closed on this basis.
Disabling this function is not recommended: the properties of TCP/IP networks do not guarantee that the server is notified when a connection disappears, for example after a power loss on the client. The opened client connections would then remain forever and, once their number reaches the limit, the server drops new connections!
  • Priority of the transport's tasks.
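The warning above is easiest to see on a model. The following is an added example, not OpenSCADA code: it simulates the input transport's connection bookkeeping (maximum clients, maximum clients per host, close after N requests, close after an idle timeout) and shows that with the keep-alive timeout set to zero a handful of clients that simply vanish, for instance after a power loss, wedge the server so that no new client is admitted. The class and function names and the limit values are this example's own assumptions.

```python
"""Model of the input transport's connection limits and keep-alive handling.

Added example, not OpenSCADA code: the bookkeeping below models the
behaviour the page describes (max clients, max clients per host, close
after N requests or after an idle timeout); it is not the module's code.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Conn:
    host: str
    last_request: float
    requests: int = 0


class ConnectionTable:
    def __init__(self, max_clients: int, max_per_host: int,
                 keepalive_reqs: int, keepalive_timeout: float):
        self.max_clients = max_clients
        self.max_per_host = max_per_host
        self.keepalive_reqs = keepalive_reqs        # 0: never close by request count
        self.keepalive_timeout = keepalive_timeout  # 0: never close by idle time
        self.conns: Dict[int, Conn] = {}
        self._next_id = 0

    def per_host(self, host: str) -> int:
        return sum(1 for c in self.conns.values() if c.host == host)

    def accept(self, host: str, now: float) -> Optional[int]:
        """Admit a new client and return its id, or None when a limit is hit."""
        if len(self.conns) >= self.max_clients or self.per_host(host) >= self.max_per_host:
            return None
        self._next_id += 1
        self.conns[self._next_id] = Conn(host, now)
        return self._next_id

    def request(self, cid: int, now: float) -> bool:
        """Serve one request; False means the connection was closed afterwards."""
        c = self.conns[cid]
        c.requests += 1
        c.last_request = now
        if self.keepalive_reqs and c.requests >= self.keepalive_reqs:
            del self.conns[cid]
            return False
        return True

    def reap_idle(self, now: float) -> int:
        """Close connections idle longer than the timeout (no-op when it is 0)."""
        if not self.keepalive_timeout:
            return 0
        dead = [cid for cid, c in self.conns.items()
                if now - c.last_request > self.keepalive_timeout]
        for cid in dead:
            del self.conns[cid]
        return len(dead)


def simulate_dead_clients(keepalive_timeout: float, max_clients: int = 4) -> bool:
    """Clients that lose power never send a FIN. After the idle reaper has run,
    can a fresh client still connect? True: yes. False: the server is wedged."""
    table = ConnectionTable(max_clients, max_per_host=max_clients,
                            keepalive_reqs=0, keepalive_timeout=keepalive_timeout)
    for i in range(max_clients):            # each client connects and then vanishes
        table.accept(f"10.0.0.{i + 1}", now=0.0)  # constructed sample hosts
    table.reap_idle(now=3600.0)             # an hour later
    return table.accept("10.0.0.99", now=3600.0) is not None


if __name__ == "__main__":
    print("timeout 60 s, new client admitted:", simulate_dead_clients(60))
    print("timeout 0 (disabled), new client admitted:", simulate_dead_clients(0))
```

With a non-zero timeout the reaper frees the slots of the silent clients; with the timeout disabled nothing ever frees them, which is exactly the situation the warning describes.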

2 Output transports

A configured and running output transport opens a connection to the specified server. If the connection is lost, the output transport is stopped; to resume the connection the transport must be re-run, which all protocols do automatically.

The transport supports specifying several server addresses directly, and it also tries all IP addresses to which a symbolic address resolves. This allows vertical redundancy to be built directly in the transport: it automatically connects to the first available server.

Main tab of the configuration page of the output SSL-transport is shown in Figure 2.

Fig.2. Main tab of the configuration page of the output SSL-transport.

Using this dialog you can set:

  • State of the transport: "Status", "Running" and the name of the database containing the configuration.
  • Identifier, name and description of the transport.
  • Address of the transport in the format "{addr}[,{addrN}]:{port}[:{mode}]", where:
    • addr — the address to which the connection is made. A symbolic host name as well as an IPv4 address ("127.0.0.1") or an IPv6 address ("[::1]") may be used.
    • port — the network port to which the connection is made; a symbolic port name according to /etc/services may be given.
    • mode — SSL mode and version (SSLv3, TLSv1, TLSv1_1, TLSv1_2, DTLSv1, DTLSv1_2); by default, and when the value is invalid, the safest and most appropriate one is used.
  • The "Running" state into which the transport is to be put at startup.
  • Certificates, the private SSL key and the password of the private SSL key.
  • Connection timings in the format "{conn}:{next}", where:
    • conn — maximum time to wait for the connection, in seconds;
    • next — maximum time to wait for the continuation of the response, in seconds.
These can be given with higher priority in the address field as the second global argument, for example "localhost:123||5:1".
  • Number of attempts of the request, both for this transport and for the protocol, for complete requests.
This can be given with higher priority in the address field as the third global argument, for example "localhost:123||5:1||3".
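To make the address grammar of both the input transport ("{addr}:{port}[:{mode}]") and the output transport (several addresses plus the "||" global arguments) concrete, here is an added example that is not code from the OpenSCADA project: a parser for the address field, followed by the "first available server" selection the page describes for output transports. The function names, the use of None for fields that are absent from the address, and the classification of SSLv3, TLSv1 and TLSv1_1 as deprecated are this example's own assumptions; the module's own parsing is not documented on the page.

```python
"""Parse the address field of an OpenSCADA SSL transport and pick the first
reachable server, as the page describes for output transports.

Added example, not code from the OpenSCADA project. Grammar as documented:
"{addr}[,{addrN}]:{port}[:{mode}][||{conn}:{next}[||{attempts}]]" (output) and
"{addr}:{port}[:{mode}]" (input). The function names, the None defaults for
absent fields and the DEPRECATED_MODES list are this example's assumptions.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

MODES = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "DTLSv1", "DTLSv1_2")
# Versions a practitioner should not pin a transport to (this example's
# classification; the module still accepts them for legacy peers).
DEPRECATED_MODES = ("SSLv3", "TLSv1", "TLSv1_1")


@dataclass
class TransportAddress:
    hosts: List[str]
    port: int
    mode: Optional[str] = None          # None: the module picks the safest version
    conn_timeout: Optional[int] = None  # seconds; None when not in the address
    next_timeout: Optional[int] = None
    attempts: Optional[int] = None
    warnings: List[str] = field(default_factory=list)


def _split_host_port_mode(spec: str) -> Tuple[List[str], str, Optional[str]]:
    """Split "h1,[::1],h3:port[:mode]". IPv6 literals keep their brackets, so
    the port separator is the first ':' after the last ']'."""
    start = spec.rfind("]") + 1                  # 0 without an IPv6 literal
    parts = spec[start:].split(":")
    hosts = (spec[:start] + parts[0]).split(",")
    if len(parts) < 2 or not parts[1]:
        raise ValueError(f"port missing in {spec!r}")
    if len(parts) > 3:
        raise ValueError(f"too many ':' fields in {spec!r}")
    return [h.strip() for h in hosts], parts[1], (parts[2] if len(parts) == 3 else None)


def _resolve_port(port: str) -> int:
    """Numeric port, or a symbolic service name looked up in /etc/services."""
    try:
        value = int(port) if port.isdigit() else socket.getservbyname(port)
    except OSError as exc:
        raise ValueError(f"unknown service name {port!r}") from exc
    if not 0 < value < 65536:
        raise ValueError(f"port {value} out of range")
    return value


def parse_transport_address(text: str) -> TransportAddress:
    """Parse the whole field; an input transport address is the single-host
    form without '||' arguments and parses the same way."""
    args = text.split("||")
    if len(args) > 3:
        raise ValueError("at most two '||' global arguments are allowed")
    hosts, port, mode = _split_host_port_mode(args[0])
    addr = TransportAddress(hosts, _resolve_port(port))
    if mode is not None and mode not in MODES:
        # The page: an invalid mode falls back to the safest version.
        addr.warnings.append(f"unknown mode {mode!r}; the module uses its default")
    elif mode is not None:
        addr.mode = mode
        if mode in DEPRECATED_MODES:
            addr.warnings.append(f"{mode} is deprecated; prefer TLSv1_2 unless a legacy peer needs it")
    if len(args) >= 2:                           # "{conn}:{next}"
        conn, nxt = args[1].split(":")
        addr.conn_timeout, addr.next_timeout = int(conn), int(nxt)
    if len(args) == 3:                           # "{attempts}"
        addr.attempts = int(args[2])
    return addr


def connect_first_available(addr: TransportAddress,
                            connect: Optional[Callable[[str, int], object]] = None):
    """Try every IP each host resolves to, in order, and return (ip, connection)
    for the first one that accepts: the vertical redundancy the page describes.
    'connect' is injectable so the selection logic can run without a network."""
    if connect is None:
        connect = lambda h, p: socket.create_connection((h, p), timeout=addr.conn_timeout or 5)
    candidates: List[str] = []
    for host in addr.hosts:
        bare = host.strip("[]")
        try:
            ips = [i[4][0] for i in socket.getaddrinfo(bare, addr.port, type=socket.SOCK_STREAM)]
        except socket.gaierror:
            ips = [bare]                         # unresolvable: let connect() report it
        candidates += [ip for ip in ips if ip not in candidates]
    errors = []
    for ip in candidates:
        try:
            return ip, connect(ip, addr.port)
        except OSError as exc:
            errors.append(f"{ip}: {exc}")
    raise ConnectionError("no server available: " + "; ".join(errors))


if __name__ == "__main__":
    for spec in ("localhost:123||5:1||3", "10.0.0.1,[::1],srv.example:10045:TLSv1_2", "*:10045:SSLv3"):
        print(spec, "->", parse_transport_address(spec))
```

The parser deliberately treats an explicit SSLv3, TLSv1 or TLSv1_1 as a warning rather than an error, mirroring the module, which accepts them; reviewing the warnings list before deploying an address is the check worth adding to a configuration pipeline.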

3 Certificates and keys

For the full function of the module, certificates and private keys are needed. For an input SSL transport (server) they are mandatory. For an output SSL transport they may be omitted, although their use is desirable.

The simplest configuration is a self-signed certificate with its private key. They can be created with the openssl tool as follows:

# Generation of the private key; -des3 encrypts it with a password, which is then
# entered in the transport's password field (modern OpenSSL seeds its random
# generator from the operating system, so no -rand source is needed)
$ openssl genrsa -out ./key.pem -des3 2048
# Generation of the self-signed certificate; the subject fields are requested
# interactively and the certificate is valid for 365 days
$ openssl req -x509 -new -key ./key.pem -out ./selfcert.pem -days 365

Then the contents of the files "key.pem" and "selfcert.pem" are copied into the text field for the certificate and key, and the password of the private key is entered into the corresponding field.
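Before pasting the PEM text into the certificate and key field it is worth checking that it actually contains a certificate and one private key, and whether that key is encrypted, because only an encrypted key needs the password field. The following is an added example and not OpenSCADA code (how the module itself parses the field is not documented on this page); the sample PEM bodies in it are constructed placeholders with valid base64 but no real cryptographic material, so the structural check runs offline.

```python
"""Inspect a PEM bundle before it is pasted into the transport's
certificate/key field.

Added example, not OpenSCADA code. It recognises both encrypted-key layouts
openssl produces: the traditional "RSA PRIVATE KEY" block with Proc-Type and
DEK-Info headers (OpenSSL 1.x, "genrsa -des3") and the PKCS#8
"ENCRYPTED PRIVATE KEY" block (OpenSSL 3). The sample below is constructed:
its base64 payloads are placeholders, not real keys or certificates.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL)


@dataclass
class PemBlock:
    label: str
    encrypted: bool
    decodes: bool   # payload is well-formed base64


def pem_blocks(text: str) -> List[PemBlock]:
    """Split a PEM bundle into its blocks and classify each one."""
    blocks = []
    for m in _PEM_RE.finditer(text):
        label, body = m.group("label"), m.group("body")
        # Traditional encrypted keys put headers before a blank line; PKCS#8
        # encrypted keys carry the information in the label instead.
        if "Proc-Type:" in body:
            headers, _, payload = body.partition("\n\n")
        else:
            headers, payload = "", body
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in headers
        try:
            base64.b64decode("".join(payload.split()), validate=True)
            decodes = True
        except ValueError:          # binascii.Error is a ValueError subclass
            decodes = False
        blocks.append(PemBlock(label, encrypted, decodes))
    return blocks


def check_bundle(text: str, key_required: bool = True) -> Dict[str, object]:
    """Summarise the bundle; 'problems' is empty when it is usable. A server
    (input transport) bundle needs a key, an output transport's may omit it."""
    blocks = pem_blocks(text)
    certs = [b for b in blocks if b.label == "CERTIFICATE"]
    keys = [b for b in blocks if b.label.endswith("PRIVATE KEY")]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE block")
    if len(keys) > 1 or (key_required and not keys):
        problems.append(f"expected exactly one private key, found {len(keys)}")
    problems += [f"{b.label} payload is not valid base64" for b in blocks if not b.decodes]
    return {"certificates": len(certs), "keys": len(keys),
            "key_encrypted": bool(keys) and keys[0].encrypted,
            "problems": problems}


# Constructed sample: a certificate plus an OpenSSL 1.x style encrypted key.
# The payloads are placeholder base64, not real cryptographic material.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBATANBgkqhkiG9w0BAQEFAA==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

U2FsdGVkX18AAAAAAAAAAA==
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(check_bundle(SAMPLE_BUNDLE))
```

If "key_encrypted" is True the password field must be filled, otherwise the transport cannot load the key; if it is False the password field should stay empty. An unencrypted key in the configuration database is the weaker choice, which is why the openssl commands above create an encrypted one.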