github node-opcua/node-opcua v2.123.0

latest release: v2.124.0
one month ago

What's Changed

  • In this release, we've resolved a persistent issue in the OPCUA Client interface that led to premature disconnections or problems with security token renewal when there was a significant time discrepancy between the client and server clocks. Now, the OPCUA Client utilizes its own time, captured when the OpenSecurityChannelResponse is received, instead of relying on the server's time to calculate the security token's lifetime expiration. Additionally, it will display a warning in the console [NODE-OPCUA-W33] if there's a notable time difference between the server's time and the local time on the computer where the OPCUA client is running. This enhancement aims to make it easier to identify servers with time synchronization issues (#1349) (#1351).
    🎉 Special kudos to EirikVea for nailing the root cause.

The warning message looks like:

```
[NODE-OPCUA-W33]  client : server token creation date exposes a time discrepancy of 10 minutes 23 seconds
                  the remote server clock doesn't match this computer date !
                  please check both server and client clocks are properly set .
                  server time:  2024-03-17 10:20:30.300Z
                  client time:   2024-03-17 10:30:53.300Z
                  server URL = opc.tcp.//mydevice:4840
```
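The effect of the clock discrepancy on token expiry, as an added example that is not node-opcua source code: it compares an expiry anchored on the server's timestamp with one anchored on the local receive time, using the timestamps from the warning above. The field names `createdAt` and `revisedLifetime` follow the OPC UA channel security token; the 10-minute lifetime and all function names are assumptions.

```javascript
// Added example, not node-opcua source code.
const DRIFT_WARNING_MS = 5000; // threshold from the release notes (warning above 5 seconds)
const RENEW_FRACTION = 0.75;   // OPC UA guidance: renew after 75% of the token lifetime

// Pre-fix behaviour: expiry anchored on the server's createdAt timestamp.
function expiryFromServerClock(token) {
  return token.createdAt.getTime() + token.revisedLifetime;
}

// Post-fix behaviour: expiry anchored on the local time the response was received.
function expiryFromLocalClock(token, receivedAt) {
  return receivedAt.getTime() + token.revisedLifetime;
}

function formatDrift(ms) {
  const totalSeconds = Math.round(Math.abs(ms) / 1000);
  return `${Math.floor(totalSeconds / 60)} minutes ${totalSeconds % 60} seconds`;
}

function assessToken(token, receivedAt) {
  const now = receivedAt.getTime();
  const driftMs = now - token.createdAt.getTime(); // > 0: server clock is behind
  return {
    driftMs,
    drift: formatDrift(driftMs),
    warn: Math.abs(driftMs) > DRIFT_WARNING_MS,
    naiveRemainingMs: expiryFromServerClock(token) - now,
    localRemainingMs: expiryFromLocalClock(token, receivedAt) - now,
    renewInMs: Math.round(token.revisedLifetime * RENEW_FRACTION),
  };
}

// Constructed sample: timestamps from the warning text; 10-minute lifetime is assumed.
const behind = assessToken(
  { createdAt: new Date("2024-03-17T10:20:30.300Z"), revisedLifetime: 600000 },
  new Date("2024-03-17T10:30:53.300Z")
);
// Constructed sample: server clock 10 minutes ahead of the client.
const ahead = assessToken(
  { createdAt: new Date("2024-03-17T10:40:53.300Z"), revisedLifetime: 600000 },
  new Date("2024-03-17T10:30:53.300Z")
);
console.log(behind, ahead);
```

With the server clock behind, the server-anchored calculation treats a fresh token as already expired; with the server clock ahead, it believes the token lives twice as long as the server will honour it.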
  • Furthermore, we've incorporated the Aes256_Sha256_RsaPss security policy in this version, completing our transition to the OPC UA 1.05 security profiles by setting Aes256_Sha256_RsaPss as the default. We have also removed the Basic128Rsa15 and Basic256 security policies from the server's default policies. However, these can be reactivated, if necessary, by specifying the securityPolicies parameter in the OPCUA Server constructor. (#1348)

Default policies used if securityPolicies is not specified:

| before | now in v2.123.0 |
|---|---|
| None | None |
| Basic128Rsa15 | |
| Basic256 | |
| Basic256Sha256 | Basic256Sha256 |
| Aes128_Sha256_RsaOaep | Aes128_Sha256_RsaOaep |
| | Aes256_Sha256_RsaPss |

  • We reintroduced PKCS1 padding (Issue #1347), which had been removed in version 2.122.0 because Node.js discontinued support for PKCS padding with private key encryption. However, this reintroduction comes with a caveat for users of Node.js versions newer than 18.11.1 or newer than 20.11.1: to enable PKCS1 padding, you must pass the argument --security-revert=CVE-2023-46809 to the Node.js executable. This step reverses a security fix in Node.js, allowing PKCS1 padding to function. Without this workaround, connectivity issues may occur between the Client and Server when interacting with devices that still use the now-deprecated 128Rsa15 security policy for channel or user token encryption.

  • We found out that the recent version of Node.js now emits an AggregateError instead of an Error on Windows when multiple network cards are present, causing the connection mechanism to struggle. As far as we are aware, this only affects Node 20.11.1 on Windows [b4ff258].
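A startup probe for the PKCS1 padding caveat described above, as an added example that is not node-opcua code: it tests whether this Node.js runtime still performs RSA PKCS#1 v1.5 private-key decryption and reports whether the security fix was reverted on the command line. The function names and status strings are hypothetical.

```javascript
// Added example, not node-opcua source code.
const nodeCrypto = require("node:crypto");

const REVERT_FLAG = "--security-revert=CVE-2023-46809"; // flag named in the release notes

// True when the Node.js executable was started with the revert flag.
function revertFlagPresent(execArgv = process.execArgv) {
  return execArgv.includes(REVERT_FLAG);
}

// Round-trips a constructed message through RSA PKCS#1 v1.5 encryption.
// Assumption: runtimes carrying the CVE-2023-46809 fix throw on the decrypt call.
function probePkcs1Decrypt() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
  });
  const padding = nodeCrypto.constants.RSA_PKCS1_PADDING;
  const plaintext = Buffer.from("constructed probe message");
  const ciphertext = nodeCrypto.publicEncrypt({ key: publicKey, padding }, plaintext);
  try {
    const out = nodeCrypto.privateDecrypt({ key: privateKey, padding }, ciphertext);
    return { supported: out.equals(plaintext), reason: "ok" };
  } catch (err) {
    return { supported: false, reason: err.message };
  }
}

// Classify the runtime so operators can see when the security fix is switched off.
function legacyRsa15Status(probe, flagPresent) {
  if (!probe.supported) return "unavailable";
  return flagPresent ? "available-fix-reverted" : "available";
}

function checkRuntime() {
  const probe = probePkcs1Decrypt();
  return { probe, status: legacyRsa15Status(probe, revertFlagPresent()) };
}

console.log(checkRuntime());
```

Logging the `available-fix-reverted` status at startup makes it visible in deployment records that the process runs with the Node.js fix disabled for the sake of legacy Basic128Rsa15 devices.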

details

🐛 Bug Fixes

  • [cd9dcb0] Fix crawler has throw error if the object does not contain displayName or description #1343
  • [b4ff258] Fix error message of AggregateError generated by Node.js 20.11.1 on Windows when connection is refused

✨ Enhancements

  • [26359c0] Fix Aes256_Sha256_RsaPss security policy #1259 #1281 (sponsored)
  • [31af8b2] Server: Adjust default security policies - add Aes256_Sha256_RsaPss in default security policies and remove deprecated Basic128Rsa15 and Basic256 from default security policies
  • [a9ec280] Client now displays a warning when the remote server clock is out of sync by more than 5 seconds #1349
  • [28efd1a] Now print time drift statistic to ClientSecureChannelLayer#toString
  • [92dd8db] Display warning when the nodejs --security-revert=CVE-2023-46809 command line option needs to be used to allow legacy Basic192Rsa15 encryption and server (in 20.11.1 and 18.11.1 onward)

🛠 Maintenance

  • [e65ef43] Chore: code cleanup
  • [2f8275f] Chore: remove unused files
  • [fa0b34f] Chore: coerceSecurityPolicies
  • [bec0df2] Chore: improve client connection error feedback
  • [5a10fb1] Chore: fix import issue
  • [ccf10ee] Chore: adjust test assert
  • [8fcfcdc] Chore: exclude tsbuildinfo files from packages
  • [7402e8c] Chore: make build_address_space_for_conformance_testing async
  • [b853ea6] Chore: add missing describe with leak detector in test
  • [28fbdde] Investigate test failure on Windows

👬🏽 contributors

Full Changelog: v2.122.0...v2.123.0

🌟 Join the NodeOPCUA Support Network! 🌟
NodeOPCUA continues to grow and evolve, thanks to the invaluable support from community members like YOU! 🚀

We're dedicated to enhancing and expanding the capabilities of node-opcua, and we invite you to be a part of this exciting journey. Consider contributing through our membership program at Sterfive or by donating on OpenCollective.

🤝 Your support is crucial!

Your contributions foster innovation and strengthen a community founded on cooperation and the exchange of knowledge. 🌱

🌍 Together, we can drive the future of node-opcua forward! 🌍
