From 70381b3381d77845dbc04fd521b729b7098134a5 Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien
Date: Wed, 18 Feb 2026 20:30:33 +0100
Subject: Extract createUnsecureClientConfig, fix None endpoint negotiation

UA_ClientConfig_setDefault leaves securityMode at SignAndEncrypt, so unsecure clients failed endpoint negotiation when the LDS only offered None endpoints. Extract the unsecure client setup into createUnsecureClientConfig() which explicitly sets securityMode and securityPolicyUri to None. Also enable discovery-only None endpoint on ServerRegister so unencrypted clients can discover it, and update the unsecure_anonymous test configs to run fully without encryption.
---
 src/common.c | 46 ++++++++++++++++++++++++++++++----------------
 1 file changed, 30 insertions(+), 16 deletions(-)

(limited to 'src/common.c')

diff --git a/src/common.c b/src/common.c
index 2c0cb87..67ea135 100644
--- a/src/common.c
+++ b/src/common.c
@@ -341,7 +341,7 @@ printEndpoint (const UA_EndpointDescription *endpoint, size_t index)
 UA_Server *
 createServer (UA_UInt16 port, const char *applicationUri, const char *certPath,
               const char *keyPath, char **trustPaths, size_t trustSize,
-              UA_Boolean discoveryOnly, UA_StatusCode *retval)
+              UA_Boolean discovery, UA_StatusCode *retval)
 {
   UA_Server *server = UA_Server_new ();
   UA_ServerConfig *config = UA_Server_getConfig (server);
@@ -360,23 +360,19 @@ createServer (UA_UInt16 port, const char *applicationUri, const char *certPath,
     config, port, &certificate, &privateKey, trustList, trustSize, NULL, 0, NULL, 0);
-  /* Always add SecurityPolicy#None so that clients can open an initial unencrypted SecureChannel for the GetEndpoints handshake, then reconnect with the selected secure policy. Restrict None channels to discovery services only so that nobody can open a full session without encryption.
-
-     When discoveryOnly is true (LDS) we also register a None *endpoint* so that purely unencrypted clients can discover the server — the open62541 client's internal endpoint negotiation requires a matching endpoint in the GetEndpoints response. */
-  if (*retval == UA_STATUSCODE_GOOD)
+  /* When discovery is true (LDS) add SecurityPolicy#None restricted to discovery services so that unencrypted clients can still call FindServers / GetEndpoints. A matching None endpoint is required because the open62541 client's internal endpoint negotiation needs it in the GetEndpoints response.
+
+     When discovery is false the server is purely secure — no None security policy, no None endpoint. */
+  if (*retval == UA_STATUSCODE_GOOD && discovery)
     {
       UA_ServerConfig_addSecurityPolicyNone (config, &certificate);
-      if (discoveryOnly)
-        UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI, UA_MESSAGESECURITYMODE_NONE);
+      UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI, UA_MESSAGESECURITYMODE_NONE);
       config->securityPolicyNoneDiscoveryOnly = true;
     }
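Review bot: The return values of `UA_ServerConfig_addSecurityPolicyNone` and `UA_ServerConfig_addEndpoint` inside the new `if (*retval == UA_STATUSCODE_GOOD && discovery)` block are still discarded, so a discovery server whose None endpoint failed to register reports GOOD and the exact symptom this commit fixes (no matching None endpoint in the GetEndpoints response) would come back silently; propagate them with `*retval = UA_ServerConfig_addSecurityPolicyNone (config, &certificate);` followed by `if (*retval == UA_STATUSCODE_GOOD) *retval = UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI, UA_MESSAGESECURITYMODE_NONE);`. Separately, the removed comment documented the None policy as always present so that any client could open the initial unencrypted channel for the GetEndpoints handshake, whereas the new comment drops that rationale without saying why it no longer applies to clients built with createSecureClientConfig — a sentence confirming that those clients negotiate GetEndpoints over the secure policy directly would make the intent auditable. The rest of createServer, including the handling when *retval is not GOOD, lies outside this hunk.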
@@ -403,6 +399,24 @@ createServer (UA_UInt16 port, const char *applicationUri, const char *certPath,
   return server;
 }
+UA_StatusCode
+createUnsecureClientConfig (UA_ClientConfig *cc, const char *applicationUri)
+{
+  UA_StatusCode retval = UA_ClientConfig_setDefault (cc);
+  if (retval != UA_STATUSCODE_GOOD)
+    return retval;
+
+  UA_String_clear (&cc->clientDescription.applicationUri);
+  cc->clientDescription.applicationUri = UA_String_fromChars (applicationUri);
+
+  cc->securityMode = UA_MESSAGESECURITYMODE_NONE;
+  UA_String_clear (&cc->securityPolicyUri);
+  cc->securityPolicyUri = UA_String_fromChars ( "http://opcfoundation.org/UA/SecurityPolicy#None");
+
+  return UA_STATUSCODE_GOOD;
+}
+
 UA_StatusCode
 createSecureClientConfig (UA_ClientConfig *cc, const char *applicationUri, const char *certPath, const char *keyPath,
-- cgit v1.2.3
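Review bot: The policy URI in `createUnsecureClientConfig` is a hard-coded string literal while the server side of this same file (the hunk at -360) uses `UA_SECURITY_POLICY_NONE_URI`, so the two can drift apart; if that constant is addressable in this build, `UA_String_copy (&UA_SECURITY_POLICY_NONE_URI, &cc->securityPolicyUri);` after the `UA_String_clear` replaces the `UA_String_fromChars` call. The two `UA_String_fromChars` results are also unchecked — an allocation failure leaves an empty applicationUri or securityPolicyUri and the function still returns GOOD, which surfaces later as a puzzling negotiation failure rather than here; testing `cc->securityPolicyUri.length == 0` before the final return would make that explicit. The new function has no header comment; I would add one stating that it yields a client with SecurityMode None and SecurityPolicy#None (no certificate, no signing or encryption), that such a client can only negotiate against a server that exposes a None endpoint, which in this file is the discovery server built by createServer with discovery set, and that the caller retains ownership of cc.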