Skip to content

Commit e92615d

Browse files
gijzelaerrclaude
andcommitted
Merge master into fix-tls-layering (SessionKey handshake integration)
Resolves conflicts between the SessionKey handshake branch and recent master changes (#745, #747, #749, #750, #751, #742, #740): - connection.py: Keep branch's TIA-style CreateObject attributes, SessionKey auth, V3 HMAC framing, and PAOM string stripping. Use master's MemoryBIO TLS, 10-byte response headers (except CreateObject which keeps 14-byte), and shared codec functions. - _s7commplus_client.py: Keep branch's V3 EXPLORE path, add master's integrity_tail and reassemble params. - _s7commplus_server.py: Fix duplicate ObjectIds in CreateObject, restore 14-byte header for CreateObject response, use 10-byte _build_response_header for everything else. - Unified _server_session_version as Optional[bytes] (removed _raw). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2 parents 70f668a + 2f878ea commit e92615d

16 files changed

Lines changed: 1630 additions & 843 deletions

doc/connecting.rst

Lines changed: 82 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -99,6 +99,88 @@ when needed. You can also force a specific protocol:
9999
100100
See :doc:`API/client` for details on TLS and password authentication.
101101

102+
S7CommPlus over TLS (V2/V3, TIA Portal V17+)
103+
---------------------------------------------
104+
105+
S7-1500 firmware ≥ V2.9 and S7-1200 firmware ≥ V4.5 negotiate
106+
S7CommPlus V2 or V3, which transports the protocol inside a TLS 1.3
107+
session. Pass ``use_tls=True`` to ``connect`` to activate it:
108+
109+
.. code-block:: python
110+
111+
from s7 import Client, Protocol
112+
113+
client = Client()
114+
client.connect(
115+
"192.168.1.10", rack=0, slot=1,
116+
protocol=Protocol.S7COMMPLUS,
117+
use_tls=True,
118+
)
119+
data = client.db_read(1, 0, 4)
120+
client.disconnect()
121+
122+
The client wraps the ISO-on-TCP socket with TLS 1.3 between the
123+
``InitSSL`` exchange and the ``CreateObject`` request. By default the
124+
PLC's certificate is not verified — fine for development, not fine in
125+
production. To verify the PLC against a CA bundle, pass ``tls_ca``:
126+
127+
.. code-block:: python
128+
129+
client.connect(
130+
"192.168.1.10", rack=0, slot=1,
131+
protocol=Protocol.S7COMMPLUS,
132+
use_tls=True,
133+
tls_ca="/path/to/plc-ca.pem",
134+
)
135+
136+
If the PLC requires mutual TLS (client-side certificate), supply
137+
``tls_cert`` and ``tls_key`` as well.
138+
139+
The ``cryptography`` package is required for TLS support. Install
140+
with the ``s7commplus`` extra:
141+
142+
.. code-block:: bash
143+
144+
pip install 'python-snap7[s7commplus]'
145+
146+
.. note::
147+
148+
Older S7-1200 firmware (FW < 4.5) negotiates V1 of the S7CommPlus
149+
protocol, which predates TLS and uses a different proprietary
150+
handshake. ``Client(...)`` falls back transparently to legacy
151+
PUT/GET on those PLCs (``db_read`` / ``db_write`` work);
152+
``browse()`` and other CommPlus-only operations are not yet
153+
supported on those firmwares — see issue #710.
154+
155+
PLC Password Authentication
156+
----------------------------
157+
158+
If the PLC has a password configured (``Full access (no protection)``
159+
disabled in TIA Portal), call ``authenticate`` after ``connect``:
160+
161+
.. code-block:: python
162+
163+
from s7 import Client, Protocol
164+
165+
client = Client()
166+
client.connect(
167+
"192.168.1.10", rack=0, slot=1,
168+
protocol=Protocol.S7COMMPLUS,
169+
use_tls=True,
170+
)
171+
client.authenticate(password="hunter2")
172+
data = client.db_read(1, 0, 4)
173+
174+
Authentication requires TLS to be active (``use_tls=True``). The
175+
client auto-detects whether the PLC firmware uses the legacy SHA-1
176+
challenge or the newer AES-256-CBC challenge. For accounts with a
177+
username (TIA Portal V17+ user-based access control), pass it
178+
explicitly:
179+
180+
.. code-block:: python
181+
182+
client.authenticate(password="hunter2", username="operator")
183+
102184
S7-200 / Logo (TSAP Connection)
103185
--------------------------------
104186

0 commit comments

Comments
 (0)