Secure Connections with Qt OPC UA

Starting with the Qt 5.13 release, due at the end of May, the Qt OPC UA API in combination with the Unified Automation backend officially supports secure connections to servers (Sign or SignAndEncrypt message security mode). The following article outlines the changes to the Qt OPC UA API and shows how to get secure connections with the open62541 backend as well.

Security related QOpcUaClient API changes

To enable secure connections a number of changes to the API of the QOpcUaClient were necessary – some of them preventing existing code from compiling. In summary:

  • The connectToEndpoint() method which takes a QUrl parameter has been removed. The only supported way to specify which server to connect to is now via an endpoint description retrieved using requestEndpoints().
  • supportedSecurityPolicies() returns a list with the OPC UA security policies supported by the current backend.
  • setPkiConfiguration() is used to configure QOpcUaClient with a client certificate, a corresponding private key and the necessary data to verify server certificates.
  • setIdentity() configures the identity information QOpcUaClient provides to the server during the connect. This information can also be initialized from the client certificate.
  • Up to Qt 5.12, login credentials were supplied to QOpcUaClient by encoding username and password in the URL. setAuthenticationInformation() replaces this with a clean API which can be used to select anonymous, username and password, or X.509 certificate based authentication.
  • The connectError() signal is emitted when a connection to a server fails. Depending on the error, a slot connected to the signal can override it, for example to accept an untrusted or expired server certificate. Treat such an override as an explicit trust decision (for instance, accept only a certificate that has been verified out of band) rather than a blanket acceptance; otherwise the server authentication that Sign and SignAndEncrypt rely on is lost.
  • If the private key is protected with a password, the passwordForPrivateKeyRequired() signal is emitted. The user can then supply the password in the connected slot.

State of the open62541 backend

The open62541 backend does not support secure connections in Qt 5.13 because it requires open62541 v0.4, which has not been released yet.

A preview of security support based on the open62541 master branch has already been implemented and is available on gerrit.
The preview implements secure connections with the following security policies

  • http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15
  • http://opcfoundation.org/UA/SecurityPolicy#Basic256
  • http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256

and the following user authentication token types

  • Anonymous
  • UserName

Using password protected private keys and overriding certificate checking errors is not available yet.
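Because connecting by URL is gone and the only supported way in is an endpoint description obtained via requestEndpoints(), every client now has to pick one of the descriptions the server returns. The following C++ program is an added example, not code from the Qt OPC UA project or this post; it shows that selection step using the three policy URIs listed above and the backend's supportedSecurityPolicies() result. The Endpoint struct and its field names are stand-ins for QOpcUaEndpointDescription (an assumption of this example, not the Qt API), and the endpoint list is constructed.

```cpp
#include <algorithm>
#include <iostream>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// OPC UA message security modes, ordered weakest to strongest.
enum class SecurityMode { None = 0, Sign = 1, SignAndEncrypt = 2 };

// Hypothetical plain stand-in for a QOpcUaEndpointDescription (assumption:
// the struct and field names here are ours, not the Qt OPC UA API).
struct Endpoint {
    std::string endpointUrl;
    std::string securityPolicy;   // OPC UA security policy URI
    SecurityMode securityMode;
};

// Security policy URIs as they appear in OPC UA endpoint descriptions.
const std::string kPolicyNone     = "http://opcfoundation.org/UA/SecurityPolicy#None";
const std::string kBasic128Rsa15  = "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15";
const std::string kBasic256       = "http://opcfoundation.org/UA/SecurityPolicy#Basic256";
const std::string kBasic256Sha256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256";

// Strength ranking for the three policies the preview implements.
// "None" and anything unknown rank 0 and are never selected.
int policyRank(const std::string &uri) {
    if (uri == kBasic256Sha256) return 3;
    if (uri == kBasic256)       return 2;  // SHA-1 based signatures
    if (uri == kBasic128Rsa15)  return 1;  // weakest: AES-128, RSA PKCS#1 v1.5
    return 0;
}

// Choose the strongest endpoint the client may use:
//  - plaintext (mode None / policy None) and unknown policies are skipped,
//  - only policies the backend reported via supportedSecurityPolicies()
//    are considered (passed in here as `supportedPolicies`),
//  - with requireEncryption, Sign-only endpoints are refused as well.
// Ordering is policy strength first, then mode: stacking encryption on a
// weak policy does not make it strong.
std::optional<Endpoint> pickEndpoint(const std::vector<Endpoint> &endpoints,
                                     const std::vector<std::string> &supportedPolicies,
                                     bool requireEncryption) {
    auto key = [](const Endpoint &e) {
        return std::make_pair(policyRank(e.securityPolicy),
                              static_cast<int>(e.securityMode));
    };
    std::optional<Endpoint> best;
    for (const Endpoint &ep : endpoints) {
        if (ep.securityMode == SecurityMode::None || policyRank(ep.securityPolicy) == 0)
            continue;
        if (requireEncryption && ep.securityMode != SecurityMode::SignAndEncrypt)
            continue;
        if (std::find(supportedPolicies.begin(), supportedPolicies.end(),
                      ep.securityPolicy) == supportedPolicies.end())
            continue;
        if (!best || key(ep) > key(*best))
            best = ep;
    }
    return best;
}

// Constructed sample: what a server might return for a GetEndpoints request.
std::vector<Endpoint> sampleEndpoints() {
    return {
        {"opc.tcp://plc.example:4840", kPolicyNone,     SecurityMode::None},
        {"opc.tcp://plc.example:4840", kBasic128Rsa15,  SecurityMode::SignAndEncrypt},
        {"opc.tcp://plc.example:4840", kBasic256Sha256, SecurityMode::Sign},
    };
}

// The three policies the open62541 preview implements.
std::vector<std::string> previewPolicies() {
    return {kBasic128Rsa15, kBasic256, kBasic256Sha256};
}

int main() {
    auto chosen = pickEndpoint(sampleEndpoints(), previewPolicies(), false);
    if (chosen)
        std::cout << "connect via " << chosen->securityPolicy << "\n";
    else
        std::cout << "no acceptable endpoint\n";
    return chosen ? 0 : 1;
}
```

With the sample list and no encryption requirement this picks Basic256Sha256/Sign over Basic128Rsa15/SignAndEncrypt; with requireEncryption set it falls back to the Basic128Rsa15 endpoint, and if the backend only supports Basic256Sha256 it refuses to connect rather than silently degrading to the None endpoint. In real code the chosen description is what you hand to connectToEndpoint() after configuring the PKI and authentication information.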

Give it a try

In addition to the usual dependencies of Qt OPC UA, the preview requires mbedTLS which must be available in the system’s library search path.

The source code of the preview is available on gerrit. The easiest way to build it is to follow the instructions in our overall Qt OPC UA tutorial. As an additional step, the latest patch set from gerrit must be downloaded via the Anonymous HTTP checkout command (see the gerrit link above for details).

Make sure the output of the qmake step contains “mbedtls …. yes”. If this is not the case, the open62541 backend will be built without security support. In this case, the config.log file should be consulted to find out why detecting the mbedTLS library has failed.

Outlook

We are working towards officially enabling secure connections for the open62541 backend in a later release of Qt. Until then, we encourage you to try out this preview and to provide feedback on its current state.

5 thoughts on “Secure Connections with Qt OPC UA”

  1. Hello,

    I wanted to know if it is possible to include this library update in the Qt 5.12.5 version of QtOpcUa. If it is, how would I go about applying the patch, as it didn't seem to work for me.
    When running qmake, there's no line available for the mbedTLS library, and according to the log files it doesn't even get searched for.

    Kind Regards

    1. Well, in the end it was kind of my own stupidity that stopped me from doing this properly. I applied the patch the wrong way, which resulted in all kinds of mistakes. I had to add LIBS+= -lmbedtls -lmbedx509 -lmbedcrypto to the open62541.pri file to make nmake work properly.

      In the end I still think something went wrong along the way, as client.supportedSecurityPolicies returns only 1, which is none.

      1. Once again replying to my own comment: it was AdvAPI32.lib that I added to the win32: LIBS += line, instead of the thing I wrote before.

      2. I just keep posting problems and then solving them a day later, but at least I can maybe help if anyone else has this problem.
        This time the problem was once again applying the patch incorrectly. With no experience with gerrit, I thought it would be sufficient to install only the linked patch, which was not the case.
        In reality, I also need the other one that's linked on the right side of the gerrit page.

  2. I would like to install and try out this patch but I’m running into some problems.
    After a lot of work to get qmake to finally accept my mbed libs and give me the long-awaited mbedtls…..yes, the nmake step fails.

    I get this error:
    mbedcrypto.lib(entropy_poll.obj) : error LNK2019: unresolved external symbol __imp__CryptAcquireContextA@20 referenced in function _mbedtls_platform_entropy_poll

    I followed your tutorial on building Qt OPC UA, although I used vcvarsamd64_x86 instead of vcvarsx86_amd64, as I am building for a Qt 32-bit version.

    After cloning the qtopcua directory, I run
    git fetch “https://codereview.qt-project.org/qt/qtopcua” refs/changes/11/226111/33 && git checkout FETCH_HEAD
    to apply the Patch
    226111: Fix build and tests with the current open62541 v1.0.

    Do you know where I could have made a mistake in these steps? Or is it possible that my mbedTLS libs are corrupt in some way?

    I hope for feedback

    Many thanks
