From 80aa098905cd7925cf6b665bba9d69621c44cc04 Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien
Date: Wed, 18 Feb 2026 16:56:44 +0100
Subject: Add None endpoint so unsecure clients can discover secure servers

UA_ServerConfig_addSecurityPolicyNone only adds the security policy, not an endpoint entry. Without a None endpoint in the GetEndpoints response, the open62541 client's internal endpoint negotiation fails with BadIdentityTokenRejected before the FindServers request is sent. Adding the endpoint via UA_ServerConfig_addEndpoint makes the None endpoint visible; securityPolicyNoneDiscoveryOnly still restricts it to discovery services only.
---
 src/common.c | 9 +++++++--
 tests/unsecure_anonymous/server_lds.conf | 4 ----
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/common.c b/src/common.c
index f8b08a1..3e54ca9 100644
--- a/src/common.c
+++ b/src/common.c
@@ -328,7 +328,7 @@ printEndpoint (const UA_EndpointDescription *endpoint, size_t index)
 }
 UA_LOG_INFO (UA_Log_Stdout, UA_LOGCATEGORY_APPLICATION,
- " [%4lu] %.*s | Level: %2d | %-14s | %.*s",
+ " [%4lu] %.*s | Level: %3d | %-14s | %.*s",
 (unsigned long)index, (int)endpoint->endpointUrl.length, endpoint->endpointUrl.data, endpoint->securityLevel, mode, (int)policyLen, policy);
@@ -363,10 +363,15 @@ createServer (UA_UInt16 port, const char *applicationUri, const char *certPath,
 /* Also offer SecurityPolicy#None, but restricted to discovery services (FindServers, GetEndpoints) so that unencrypted clients can still discover the server without being able to open a
- full session. */
+ full session. We must add both the security *policy* (so the
+ server accepts None SecureChannels) and the *endpoint* (so the
+ None endpoint appears in GetEndpoints responses — required by
+ the open62541 client's internal endpoint negotiation). */
 if (*retval == UA_STATUSCODE_GOOD)
 {
 UA_ServerConfig_addSecurityPolicyNone (config, &certificate);
+ UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI,
+ UA_MESSAGESECURITYMODE_NONE);
 config->securityPolicyNoneDiscoveryOnly = true;
 }
diff --git a/tests/unsecure_anonymous/server_lds.conf b/tests/unsecure_anonymous/server_lds.conf
index b50d03f..c5808bd 100644
--- a/tests/unsecure_anonymous/server_lds.conf
+++ b/tests/unsecure_anonymous/server_lds.conf
@@ -4,10 +4,6 @@ port = 14840
 applicationUri = urn:localhost:bobink:ServerLDS
-# certificate = certs/ServerLDS_cert.der
-# privateKey = certs/ServerLDS_key.der
-# trustStore = certs/trust/server_lds
-
 authMode = anonymous
 cleanupTimeout = 60
--
cgit v1.2.3
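Review bot: The status codes returned by `UA_ServerConfig_addSecurityPolicyNone` and the new `UA_ServerConfig_addEndpoint` call are discarded inside the `if (*retval == UA_STATUSCODE_GOOD)` block in createServer, so a failure to register the None endpoint goes unnoticed and the server would start in the same undiscoverable state this commit sets out to fix. Both functions return a `UA_StatusCode` in open62541, so they can feed the existing error tracking: `*retval = UA_ServerConfig_addSecurityPolicyNone (config, &certificate);` followed by `if (*retval == UA_STATUSCODE_GOOD) *retval = UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI, UA_MESSAGESECURITYMODE_NONE);`, with `config->securityPolicyNoneDiscoveryOnly = true;` left unconditional so the restriction never depends on either call succeeding. Because the None endpoint is now advertised in GetEndpoints, that flag is the only thing keeping an unencrypted client from opening a session; a case under `tests/` asserting that session creation over a None SecureChannel is rejected would pin the guarantee. createServer begins and ends outside the hunk, so how `*retval` is consumed afterwards is not visible here.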