New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Modbus/TCP Security #560
base: master
Are you sure you want to change the base?
Modbus/TCP Security #560
Conversation
Since this adds a new dependency, the options conservatively defaults to "no".
TLS related code is conditionally compiled according to USE_TLS macro defined in config.h by ./configure options, except in modbus-tcp.h where the macro is unavailable. The code added to this header, however, does not depend on OpenSSL definitions.
You can generate the required certificates for client, server, and CA using OpenSSL command line tool: $ openssl genrsa -out ca.key 4096 $ openssl req -new -x509 -days 3650 -key ca.key -out ca.pem $ openssl genrsa -out client.key 4096 $ openssl req -new -key client.key -out client.csr $ openssl x509 -req -days 3650 -in client.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out client.pem $ openssl genrsa -out server.key 4096 $ openssl req -new -key server.key -out server.csr $ openssl x509 -req -days 3650 -in server.csr -CA ca.pem -CAkey ca.key -set_serial 02 -out server.pem
Hello Matheus, First of all, many thanks for you good work on implementing TLS. It has helped me a lot to integrate this security layer in my project. My first remark is about the compatibility with OpenSSL version. Indeed, your code only compiles with a recent release (>= 1.1.1). In my case I am using a version 1.0.2 (soon to be migrated to 1.1.1 but not yet, unfortunately). That's why I have added a preprocessor check around the creation of the SSL context. These macros ( The second is about the unit tests. When I configure the library to build without TLS, the compilation fails. I think the macro
My first adaptation of this pull request has been to add a new Finally, I encountered some issues when I tried to conciliate my project requirements and your TLS integration. Mainly I need to be able to accept a self-signed certificate and the SSL library default certificate validation (which you are using in your implementation) does not allow it. Without any changes, when my client receives a self-signed certificate, the method Below an example of use of this modified interface.
This last modification is very specific and is a big rework of your implementation. Nevertheless in my point of view, the dependency injection can be a good practice to allow users to define and customize the SSL library behaviour without patch. Best regards. |
Hi @calligp. I'm glad it was useful! Do keep in mind the TODOs though, it's something that needs to be fixed before it gets to production. Otherwise, your application may be stuck forever in one of the calls to
The project that I was working on when this patch was developed started with 1.0.x, and we did the upgrade. I preferred to submit this newer version as major distributions with libmodbus packages were already using 1.1.x. Supporting both OpenSSL versions can be tricky because some methods may have functional differences that wouldn't break the compilation but have some problem at runtime.
Yeah, there is something wrong. It's not defined in the generated #define HAVE_INTTYPES_H 1
#define HAVE_STDINT_H 1
#define USE_TLS @USE_TLS@ I don't know much about autotools, but I guess we'll need diff --git a/configure.ac b/configure.ac
index 363b35f..a7ff189 100644
--- a/configure.ac
+++ b/configure.ac
@@ -160,7 +160,8 @@ AM_CONDITIONAL(BUILD_TLS, [test $enable_tls != no])
AS_IF([test $enable_tls != no],
[AC_DEFINE([USE_TLS], [1], [Define if SSL/TLS feature is enabled])]
[AC_CHECK_LIB([ssl], [SSL_new])]
- [AC_CHECK_LIB([crypto], [CRYPTO_new_ex_data])],)
+ [AC_CHECK_LIB([crypto], [CRYPTO_new_ex_data])],
+ [AC_DEFINE([USE_TLS], [0],)])
AC_CONFIG_HEADERS([config.h tests/unit-test.h])
AC_CONFIG_FILES([ And then change all
At the time, we didn't have to handle connection failure reasons, but it sure is a necessary error code.
As I mentioned in the PR, the code originally supported OpenSSL and mbedTLS, so it couldn't have any parameter specific to one or the other. The application code itself wouldn't even include any TLS related header. However, if it's decided to support a single TLS implementation,
Thanks for your feedback and for taking the time to post the patches here. I'm not planning to maintain this code as a fork, so I wouldn't change it without a clear path to upstream it. However, I encourage you to keep this work and have the patchs in a public branch, so people with these use cases can more easily find them. |
This is a first approach to adding TLS support to libmodbus, by creating a new
modbus_backend_t
. Although functional, the Modbus/TCP Security is not fully implemented, notably missing Role-Based Client Authorization.OpenSSL is used as the TLS implementation, currently tested with version 1.1.1. The new "
--enable-tls
" option, witch defaults to "no", is added to control the inclusion of this new dependency. I also developed this backend based on mbedTLS, but omited it here since OpenSSL seems to be a more sensible option for general use cases. If desired, I can send the patches to make "--enable-tls
" select which lib to use.In the second patch, in
modbus-tcp.c
, whensend
-ing (line 182 to 223) orrecv
-ing (line 235 to 276), it may be necessary toselect
for read or write. I'm not sure whitch timeout to use for these calls, so I left it with NULL and marked the code with "TODOs". The code works this way, but its not a desirable solution.This work was funded by the Research and Development project PD 2866-0468/2017, granted by the Brazilian Electricity Regulatory Agency (ANEEL) and Companhia Paranaense de Energia (COPEL). Some results using the mbedTLS backend where presented at INDUSCON 2018 and COBEP 2019.