Server certificate handling without Security

Questions regarding the use of the C++ SDK for Server or Client development or integration into customer products ...

Moderator: uasdkcpp

Post Reply
sxdev
Full Member
Full Member
Posts: 7
Joined: 25 Mar 2020, 09:07

Server certificate handling without Security

Post by sxdev »

Hi everyone,

I have tried connecting to a server with Security Mode "None". I followed the examples and the documentation from here:
https://documentation.unified-automation.com/uasdkcpp/1.7.4/html/L2ClientSdkSecurity.html
That means I used the discovery service and then stored the server certificate from the endpoint description to my session security info.

When I try to validate this certificate, I get a BadNotSupported return code. The trace showed, that the splitCertificateChain method fails. So even, if I set the doServerCertificateVerify to false, the connection fails. When I skip setting the server certificate to my security info, the connection succeeds.

A UaExpert instance that connects with the same settings shows the "Trust Certificate?"-Window when connecting and also connects successfully when I choose the "Ignore" option. The trace of the UaExpert also shows no entry of a failed splitCertificateChain method.

Long story short, what is the UaExpert doing differently than me?
Is the server delivering a broken certificate, or shall I not use the server certificate in my security info with Security Mode "None"?

Additional information:
I use the C++ client SDK at version 1.7.4
The UaExpert's version is 1.5.1-331

Thank you!

User avatar
Support Team
Hero Member
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Server certificate handling without Security

Post by Support Team »

Hello sxdev,

BadNotSupported is only returned if the SDK does not support PKI or the PKI provider is not initialized correctly.
Can you please let me know which exact configuration of the SDK you use. Is it a binary version or do you build the SDK from source?
Best regards
Unified Automation Support Team

sxdev
Full Member
Full Member
Posts: 7
Joined: 25 Mar 2020, 09:07

Re: Server certificate handling without Security

Post by sxdev »

Hello Support Team,

Thanks for the response. I use the uasdkcppclient-bin-64-vs2015 at Version 1.7.4.
In fact, the PKI store was not setup because the server vendor suggested to not use a secure endpoint, so we skipped the part of setting up the provider.
Is there actually any use for a certificate using an insecure endpoint? Because if there isn't, we don't need to set up the PKI and then we will not set the server certificate to the security info for simplicity reasons.

Thanks a lot and best regards!

User avatar
Support Team
Hero Member
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Server certificate handling without Security

Post by Support Team »

Hello,

if an UA application from it's horse power is able to support security it SHOULD support the security features including the secured endpoints. Only if the device is very constrained (low CPU power, extreme low menory) you may decide for the NANO-profile. However, if you run on PC (which you do, as you are using Windows 64 Bit edition), you have no choice, you MUST support the security.

On a NONE endpoint you should also have a certificate, because when using "user/pwd" authentication you SHOULD encrypt the PWD in order to transfer over the wire. Therefore you need the certificate, because sending PWD in clear text is not realy an option.
Best regards
Unified Automation Support Team

sxdev
Full Member
Full Member
Posts: 7
Joined: 25 Mar 2020, 09:07

Re: Server certificate handling without Security

Post by sxdev »

Hello again,

our application is still in a beta status. The certificate store is one of the open issues.
Is it possible to use the windows certificate store with our SDK? Because in the header opcua_p_config.h the OPCUA_SUPPORT_PKI_WIN32 define is always defined as OPCUA_CONFIG_OFF!?

Post Reply