CODESYS - the IEC 61131-3 automation software

Posted: Wed Aug 06, 2014 9:23 pm
Site Admin

Joined: Mon Sep 05, 2005 9:42 am
Posts: 2419
Hi,

Communication encryption for CODESYS WebVisu

In order to prevent communication from being hacked between a CODESYS compatible controller, which
supports the CODESYS WebVisu, and an internet browser on a PC or mobile device, an HTTPS connection
with encryption is available. It protects the integrity of the displayed data.

What is needed to publish an SSL-encrypted web visualisation with the Raspberry Pi or any CODESYS PLC with version >= 3.5SP5?
For example, you want to have access from the internet to your home, where your Pi WebVisu is running.

Of course, for this you need an official SSL certificate, and if you do not have an official certificate I would prefer a VPN connection; additionally,
password/user management is needed in any case.
For testing purposes you could generate an SSL certificate to see how an SSL WebVisu can be established/activated.

On the pi runtime side you have the setting 'ConnectionType' in /etc/CODESYSControl.cfg

[CmpWebServer]
ConnectionType=3



HTTP_ONLY, /* = 0 */ --> access your visu at http://RaspiIpAdress:8080/webvisu.htm
HTTPS_ONLY, /* = 1 */ --> access your visu at https://RaspiIpAdress:443/webvisu.htm
HTTP_AND_HTTPS, /* = 2 */ --> access your visu at http://RaspiIpAdress:8080/webvisu.htm and https://localhost:443/webvisu.htm
REDIRECT_HTTP_TO_HTTPS /* = 3 */ --> access to your visu at http://RaspiIpAdress:8080/webvisu.htm will be redirected to https://localhost:443/webvisu.htm

For testing purposes you could generate a certificate on the Pi with the following bash script (attached):
copy it to the Pi (this can be done with the CODESYS PLC file browser), then connect to the Pi by SSH (PuTTY)
and execute the script (after making it executable with chmod +x generateKeys.sh).
The generation process takes some time, be patient.
After that long, long key generation process and a restart of the PLC, you can connect to the WebVisu over an SSL-encrypted connection.

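Code:
#!/bin/bash
# Generate a self-signed test certificate and DH parameters for the web server.
# Stop at the first failing step so no partial set of files is moved into place.
set -e
# 2048-bit RSA private key
openssl genrsa -out server.key 2048
# Certificate signing request (prompts for the subject fields)
openssl req -new -key server.key -out server.csr
# Self-sign the request: SHA-256 signature, valid for 365 days
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
rm server.csr
# Show the certificate fingerprint
openssl x509 -noout -in server.crt -fingerprint
# Diffie-Hellman parameters in PEM format
openssl dhparam -outform pem -out dhparams.pem 1024
# Copy the generated files to the runtime location
echo "make dirs"
# -p: do not fail if the directories already exist
mkdir -p /root/PKI/cert /root/PKI/crl /root/PKI/private /root/PKI/trusted
echo "move certificate"
mv server.crt /root/PKI/cert/server.cer
echo "move key"
mv server.key /root/PKI/private/
echo "move dhparams"
mv dhparams.pem /root/PKI/private/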


Check the documentation here for more details:
"c:\Program Files (x86)\3S CODESYS\GatewayPLC\Documentation\WebServerSSL_en.pdf"


Best Regards
Edwin
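
Added example (not part of the original post and not CODESYS tooling): a shell preflight check that reads ConnectionType from the [CmpWebServer] section and, for the HTTPS modes, confirms that the files placed by the script above exist and that the private key is not accessible to group or other. The function names are made up for this example; the file names and paths are the ones used in the post.

```bash
#!/bin/bash
# Added example, not CODESYS tooling; function names are illustrative, paths follow the post.
# Print the ConnectionType value from the [CmpWebServer] section of cfg file $1.
get_connection_type() (
    cr=$(printf '\r'); section=""; value=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                    # tolerate CRLF line endings
        case "$line" in
            \[*\]) section=$line ;;           # remember the current section header
            ConnectionType=*)
                if [ "$section" = "[CmpWebServer]" ]; then value=${line#ConnectionType=}; fi ;;
        esac
    done < "$1"
    printf '%s\n' "$value"
)

# Map the numeric setting to the mode names listed in the post.
connection_mode_name() {
    case "$1" in
        0) echo HTTP_ONLY ;;
        1) echo HTTPS_ONLY ;;
        2) echo HTTP_AND_HTTPS ;;
        3) echo REDIRECT_HTTP_TO_HTTPS ;;
        *) echo UNKNOWN ;;
    esac
}

# Check cfg $1 against PKI directory $2; print findings, return 1 on any FAIL.
webvisu_preflight() (
    ctype=$(get_connection_type "$1"); pki=$2; rc=0
    mode=$(connection_mode_name "$ctype")
    echo "INFO ConnectionType=${ctype:-unset} ($mode)"
    case "$mode" in
        UNKNOWN)   echo "FAIL ConnectionType missing or not 0-3"; exit 1 ;;
        HTTP_ONLY) echo "INFO TLS is off, PKI files not checked"; exit 0 ;;
    esac
    for f in cert/server.cer private/server.key private/dhparams.pem; do
        if [ -s "$pki/$f" ]; then echo "OK   $f present"
        else echo "FAIL $f missing or empty"; rc=1; fi
    done
    key=$pki/private/server.key
    # Characters 5-10 of the ls mode string are the group and other permission bits.
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL server.key is accessible to group/other"; rc=1
    fi
    exit "$rc"
)

if [ "${1:-}" = "check" ]; then webvisu_preflight /etc/CODESYSControl.cfg /root/PKI; fi
```

Run it on the Pi with the single argument `check` to test the paths from the post; only the section-qualified key is read, so a ConnectionType line under another section is ignored.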


Posted: Thu Jan 11, 2018 5:29 pm

Joined: Tue May 19, 2015 6:27 am
Posts: 14
Hi,
I tried this, created certificates, but without success (web page is redirected to https, but nothing is displayed)

---------Unable to connect
Firefox can't establish a connection to the server at "IP_ADDRESS"
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
----------------

I tried setting connection back to 0 (ConnectionType=0), but web server is still redirecting to https!!!

Also PDF is not installed with V3.5 SP12 x64...

BR,
Gregor


Posted: Fri Jan 12, 2018 8:27 am

Joined: Tue May 19, 2015 6:27 am
Posts: 14
Some more problems & diagnosis.

1) I created an OpenSSL certificate and I see it in the /root/KPI directory. This is OK.
When I set ConnectionType=3 in the .cfg file, the web server redirects to the https protocol. This works OK.
But when I reset ConnectionType=0 (set from 3 back to 0), the web server is always (still) redirecting to https. With the setting back at 0, only the http protocol should be used, so resetting this setting doesn't work.
I also did a system restart, without success. The web server still redirects to https.

2) Then I installed the security agent. I managed to create a web server certificate on the RPi. https redirection works, and now I get a connection error: ERR_SSL_VERSION_OR_CIPHER_MISMATCH (both in FF and Chrome). To my knowledge this is a problem with the certificate not being trusted, outdated technology ...
At least now I see that the connection to the https protocol works and the web server on the RPi knows where the certificate is installed.

Once again I set ConnectionType back to 0. There is still the problem that the web server always redirects to https.

Best Regards,
Gregor


Posted: Fri Jan 12, 2018 11:18 am
Site Admin

Joined: Mon Sep 05, 2005 9:42 am
Posts: 2419
Hi,

Yes, this is an open point; you need to execute:

cert-gendhparams 1024

in the PLC shell.
Then it will work at least with IE and Firefox.
It is an open point which needs to be fixed.

BR
Edwin

