Designer startup : Verifying Signature of Designer

I am experiencing the same thing, no internet connection and self-signed certificate. I disabled the "Check for server certificate revocation" in the AD and it still takes a noticeable amount of time to open the designer.

That has no effect on Ignition.

Thanks Michael, this was really helpful for preventing the popup when launching client apps on the gateway machine. I've done the same on some other machines, but this doesn't seem to prevent the popup hanging when launching clients on these devices. I've had a look at the DNS traffic and have only seen ocsp.digicert.com and crl14.digicert.com, so I would think they'd be prevented by those lines in the hosts file, but evidently not. Have you experienced similar?

I haven't, but I did notice in today's nightly release notes for 8.1.40 that they're adding an option for the designer launcher to specify how this should be handled so that air-gapped systems can bypass the CRL check that hangs things up. The only other thing I would suspect is if the port/URL it reaches out to check is listening on your localhost, then it could be waiting on it to timeout/return something.

Edit: I may be misinterpreting your response to Jean's question. I took your reply to mean more ICS have internet access and used the context of this feature needing that access to check for cert revocations to come to that conclusion.

I disagree with this statement. There is a big difference in Industrial Control Systems building in secure access for isolated systems to have specific internet access and industrial network as a whole having access to the internet.

Ignition is built for industrial systems. Please tell me you didn't just build in a requirement for internet that, without it, creates a long delay.

2 Likes

You can disagree all you want. More power to you. It doesn't change what I observe through my work with our support department.

There's a way to opt out of the OCSP verification starting in 8.1.40. It's only necessary if the network is configured such that the outbound traffic is blackholed instead of the connection explicitly failing.

4 Likes
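An added diagnostic, not code from this thread or from Inductive Automation, that makes the distinction in the post above concrete: a revocation endpoint that is refused or unresolvable fails fast, while one whose traffic is silently dropped only gives up at the timeout, which is the case described as hanging the launcher. It also probes loopback ports 80 and 443, since an earlier post suspects that a hosts-file redirect to localhost can hang if something is actually listening there. Assumptions: the two DigiCert hostnames named earlier in the thread are reached over plain HTTP on port 80, and a hosts-file redirect points at 127.0.0.1; the three-second timeout is a constructed value.

```python
import socket
import time

# Constructed list of the revocation endpoints named in the thread. OCSP and CRL
# fetches normally go over plain HTTP, so port 80 is assumed here.
REVOCATION_HOSTS = ["ocsp.digicert.com", "crl14.digicert.com"]
# Loopback ports a hosts-file redirect to 127.0.0.1 would land on; if something
# listens here, the redirected request can wait on it instead of failing fast.
LOCAL_PORTS = [80, 443]


def probe(host, port=80, timeout=3.0):
    """Attempt one TCP connect and classify the outcome.

    Returns (verdict, elapsed_seconds), where verdict is one of:
      'reachable'  - the TCP handshake completed
      'fails-fast' - DNS failure, connection refused or network unreachable,
                     i.e. an explicit error the client can act on immediately
      'blackholed' - no answer before the timeout; the case the thread says
                     stalls the launcher
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            verdict = "reachable"
    except socket.timeout:  # must precede OSError: timeout is a subclass of it
        verdict = "blackholed"
    except OSError:  # gaierror (DNS), ConnectionRefusedError, unreachable, ...
        verdict = "fails-fast"
    return verdict, time.monotonic() - start


def local_listener():
    """Open a listening socket on an ephemeral loopback port. It stands in for a
    local service that would absorb a hosts-file redirect (demo and test use)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def assess(hosts=REVOCATION_HOSTS, local_ports=LOCAL_PORTS, timeout=3.0):
    """Probe each revocation host plus the loopback ports and summarise.

    'needs_opt_out' is True when a revocation host is blackholed or a local
    listener would swallow a redirect: in both cases the connection does not
    fail explicitly, which is the condition the thread ties to the hang.
    """
    results = {}
    for host in hosts:
        results[host] = probe(host, 80, timeout)
    for port in local_ports:
        results[f"127.0.0.1:{port}"] = probe("127.0.0.1", port, timeout)

    blackholed = [h for h in hosts if results[h][0] == "blackholed"]
    local_listeners = [
        p for p in local_ports if results[f"127.0.0.1:{p}"][0] == "reachable"
    ]
    return {
        "results": results,
        "blackholed": blackholed,
        "local_listeners": local_listeners,
        "needs_opt_out": bool(blackholed or local_listeners),
    }


if __name__ == "__main__":
    # Offline demonstration: a loopback listener makes a redirected port read as
    # 'reachable', which is exactly the situation in which a redirect does not
    # produce a fast failure.
    srv = local_listener()
    demo_port = srv.getsockname()[1]
    summary = assess(local_ports=[demo_port] + LOCAL_PORTS)
    srv.close()
    for target, (verdict, elapsed) in summary["results"].items():
        print(f"{target:<24} {verdict:<11} {elapsed:6.2f}s")
    if summary["needs_opt_out"]:
        print("Revocation lookups would stall here; the launcher opt-out applies.")
    else:
        print("Revocation endpoints answer or fail fast; no hang expected.")
```

Run it on the affected workstation: a 'blackholed' verdict for either DigiCert host, or a 'reachable' verdict on a loopback port you redirected to, explains a slow designer start without any guesswork about DNS or firewall rules.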

I'm staring at the delayed signature right now.

Observations aside, can you clarify something for me.

Are you saying that Ignition Designer now has a delay in startup due to the inability to reach the internet?

This is now a possibility depending on your network configuration unless you opt out of the security measures by using the new AIR_GAPPED or LOOSE values for the signature.verification.strength key in the launcher config.

It's not like we intentionally set out and made this decision, but it's a consequence of how modern PKIX and code signing work.

2 Likes

Thanks for quick response and info on 8.1.40.

As to your customer networks with broad internet access. Oof. Not good.

1 Like

At first IA had to cater to dumb controls engineers, and now their product is so good they have to cater to dumb everyone

1 Like

Hmm. I dunno. I feel like you could have rolled this out without users having to make modifications to configuration files or requiring internet access. You could make it a non-persistent setting that's client based, rather than client launcher based, tied to the gateway the user is connecting to, configurable in said gateway.

Launcher queries gateway strength setting and applies setting to client session. Strength setting in the gateway is required and defaults to LENIENT. Each new client session requires a check (as it already does). Now, no matter what versions end users have of the launcher, it doesn't matter. The client launcher will honor the Gateway's signature strength requirement. I might be missing something here, but I don't see how this not only isn't possible, but difficult to implement.

Maybe Doug is getting a little slack here, but they're right. Y'all rolled out a feature that now requires internet access (or modifications to config files) to function as intended, when there were other possible (and better) solutions.

Same answer as I supplied over here:

1 Like