4 files changed, 28 insertions, 19 deletions
diff --git a/src/common.c b/src/common.c
index 3e54ca9..2c0cb87 100644
--- a/src/common.c
+++ b/src/common.c
@@ -341,7 +341,7 @@ printEndpoint (const UA_EndpointDescription *endpoint, size_t index)
 UA_Server *
 createServer (UA_UInt16 port, const char *applicationUri, const char *certPath,
               const char *keyPath, char **trustPaths, size_t trustSize,
-              UA_StatusCode *retval)
+              UA_Boolean discoveryOnly, UA_StatusCode *retval)
 {
   UA_Server *server = UA_Server_new ();
   UA_ServerConfig *config = UA_Server_getConfig (server);
@@ -360,18 +360,23 @@ createServer (UA_UInt16 port, const char *applicationUri, const char *certPath,
           config, port, &certificate, &privateKey, trustList, trustSize, NULL,
           0, NULL, 0);
 
-      /* Also offer SecurityPolicy#None, but restricted to discovery
-         services (FindServers, GetEndpoints) so that unencrypted clients
-         can still discover the server without being able to open a
-         full session.  We must add both the security *policy* (so the
-         server accepts None SecureChannels) and the *endpoint* (so the
-         None endpoint appears in GetEndpoints responses — required by
-         the open62541 client's internal endpoint negotiation). */
+      /* Always add SecurityPolicy#None so that clients can open an
+         initial unencrypted SecureChannel for the GetEndpoints
+         handshake, then reconnect with the selected secure policy.
+         Restrict None channels to discovery services only so that
+         nobody can open a full session without encryption.
+
+         When discoveryOnly is true (LDS) we also register a None
+         *endpoint* so that purely unencrypted clients can discover
+         the server — the open62541 client's internal endpoint
+         negotiation requires a matching endpoint in the
+         GetEndpoints response. */
       if (*retval == UA_STATUSCODE_GOOD)
         {
           UA_ServerConfig_addSecurityPolicyNone (config, &certificate);
-          UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI,
-                                       UA_MESSAGESECURITYMODE_NONE);
+          if (discoveryOnly)
+            UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI,
+                                         UA_MESSAGESECURITYMODE_NONE);
           config->securityPolicyNoneDiscoveryOnly = true;
         }
 
diff --git a/src/common.h b/src/common.h
index 6d5294a..8c3c9d6 100644
--- a/src/common.h
+++ b/src/common.h
@@ -52,11 +52,12 @@ void freeTrustStore (char **paths, size_t size);
  * @brief Creates a UA_Server, optionally configured with security policies.
  *
  * When @p certPath is non-NULL the server is initialized with encryption
- * (certificate, private key, trustlist) and also adds SecurityPolicy#None
- * restricted to discovery services (FindServers, GetEndpoints) so that
- * unencrypted clients can still discover the server.  When @p certPath is
- * NULL the server runs with SecurityPolicy#None only (keyPath and trustPaths
- * are ignored).  The applicationUri is set in both cases.
+ * (certificate, private key, trustlist).  When @p discoveryOnly is true
+ * the server additionally offers SecurityPolicy#None restricted to
+ * discovery services (FindServers, GetEndpoints) so that unencrypted
+ * clients can still discover the server.  When @p certPath is NULL the
+ * server runs with SecurityPolicy#None only (keyPath, trustPaths and
+ * discoveryOnly are ignored).  The applicationUri is set in both cases.
  *
  * @param port Server port number.
  * @param applicationUri OPC UA application URI.
@@ -64,13 +65,15 @@ void freeTrustStore (char **paths, size_t size);
  * @param keyPath Path to private key (.der), or NULL when certPath is NULL.
  * @param trustPaths Array of trustlist file paths (may be NULL).
  * @param trustSize Number of entries in trustPaths.
+ * @param discoveryOnly When true and certPath is non-NULL, add a None
+ *                      endpoint restricted to discovery services.
  * @param retval Output parameter set to the status code on failure.
  * @return A configured UA_Server, or NULL on error.
  */
 UA_Server *createServer (UA_UInt16 port, const char *applicationUri,
                          const char *certPath, const char *keyPath,
                          char **trustPaths, size_t trustSize,
-                         UA_StatusCode *retval);
+                         UA_Boolean discoveryOnly, UA_StatusCode *retval);
 
 /**
  * @brief Parses a log-level name into the corresponding UA_LogLevel value.
diff --git a/src/server_lds.c b/src/server_lds.c
index 14c26b7..99c1e8c 100644
--- a/src/server_lds.c
+++ b/src/server_lds.c
@@ -115,8 +115,9 @@ main (int argc, char *argv[])
     }
 
   UA_StatusCode retval;
-  UA_Server *server = createServer ((UA_UInt16)port, applicationUri, certPath,
-                                    keyPath, trustPaths, trustSize, &retval);
+  UA_Server *server
+      = createServer ((UA_UInt16)port, applicationUri, certPath, keyPath,
+                      trustPaths, trustSize, true, &retval);
   if (!server)
     {
       freeTrustStore (trustPaths, trustSize);
diff --git a/src/server_register.c b/src/server_register.c
index 817169f..44a4d49 100644
--- a/src/server_register.c
+++ b/src/server_register.c
@@ -246,7 +246,7 @@ main (int argc, char **argv)
   UA_StatusCode retval;
   server = createServer ((UA_UInt16)port, applicationUri, serverCertPath,
                          serverKeyPath, serverTrustPaths, serverTrustSize,
-                         &retval);
+                         false, &retval);
   if (!server)
     goto cleanup;