| Module | Name | Version | License | Source | Languages | Platforms | Type | Author | Description |
|---|---|---|---|---|---|---|---|---|---|
| SSL | SSL | 1.5 | GPL2 | tr_SSL.so | en,uk,ru,de | x86,x86_64,ARM | Transport | Roman Savochenko Maxim Lysenko (2009) — the page translation |
Provides transport based on the secure sockets' layer. OpenSSL is used and SSLv3, TLSv1, TLSv1.1, TLSv1.2, DTLSv1 are supported. |
The module SSL of the transport provides the support of transport based on secure sockets layer (SSL) into the system. In the basis of the module there is the library OpenSSL. Input and output transports of protocols SSLv3 and TLSv1 are supported.
It is possible to add new input and output transports through the transport subsystem configuration in any configurator of OpenSCADA system.
1 Input transports
The configured and running input transport opens server SSL-socket for the expectation of connection of the clients. SSL-socket is a multi-stream, i.e. when the client connects, the client SSL-connection and a new stream in which the client is served are created. Server SSL-socket in this moment switches to the waiting for the request from the new client. Thus the parallel service of the clients is achieved.
Each input transport is necessarily associated with one of the available transport protocols, to which input messages are transmitted. In conjunction with the transport protocol is supported by a mechanism of the combining of pieces of requests, disparate while transferring.
Configuration dialog of the input SSL-transport is depicted in Figure 1.
Using this dialog you can set:
- State of transport, namely: "Status", "Running", name of the database (containing the configuration) and list with information about the active connections.
- Id, name and description of transport.
- Address of the transport in the format: "{address}:{port}[:{mode}]", where:
- address — Address, on which the SSL is opened. It must be one of the addresses of the host. If the "*" is indicated then SSL will be available in all the host's interfaces. There may be as the symbolic representation as well as IP one of the address.
- port — Network port, on which the SSL is opened. Indication of the character name of the port (according to /etc/services) is available.
- mode — SSL-mode and version (SSLv3, SSLv23, TLSv1). By default and in case of error the SSLv23 is used.
- Choice of a transport protocol.
- State, in which the transport must be translated at boot: "To start".
- Certificates, private SSL key and password of private SSL key.
- Maximum number of clients to serve, maximum number of clients to serve per host and size of the input buffer.
- Keep alive requests. Close the connection after specified requests. Zero value for disable (not close ever).
- Keep alive timeout, seconds. Close the connection after no requests at specified timeout. Zero value for disable (not close ever).
We do not recommend disable the function by the TCP/IP network's properties does not guarantee notice the server about the connection disable, for example after power supply lost on the client. As result the opened client connections will left forever and after its number achieve to the limit server will drop new connections!
- Transport's tasks priority.
2 Output transports
Configured and running output transport opens the SSL connection to the specified server. In the case of destroying of the connection, output transport is disconnected. In order to resume the connection transport must be re-run.
Main tab of the configuration page of output SSL-transport is shown in Fig.2.
Using this dialog you can set:
- The state of transport, namely: "Status", "Running" and the name of the database, containing the configuration.
- Id, name and description of transport.
- Address of the transport in the format: "{address}:{port}[:{mode}]", where:
- address — Address with which the connection is made. There may be as the symbolic representation as well as IP one of the address.
- port — Network port with which the connection is made. Indication of the character name of the port (according to /etc/services) is available.
- mode — SSL-mode and version (SSLv3, SSLv23, TLSv1). By default and in case of error the SSLv23 is used.
- The state, in which the transport must be translated at boot: «To start».
- Certificates, private SSL key and password of private SSL key.
- Default timeout for connection and respond wait, separated.
3 Certificates and keys
For a valid module work certificates and private keys are required. In the case of the input SSL-transport (the server) they are compulsory. In the case of output SSL-transport they can not be even installed though their using is desirable.
The simplest configuration of the certificate is self-subscription certificate and private key. The following describes how to create them using the tool openssl:
# Generation the secret key $ openssl genrsa -out ./key.pem -des3 -rand /var/log/messages 2048 # Generation of self-subscription certificate $ openssl req -x509 -new -key ./key.pem -out ./selfcert.pem -days 365
Next, the contents of the files "key.pem" and "selfcert.pem" is copied into the text field of the certificate and key. Password of the private key is installed in the appropriate field.