Verify server's certificate on OpcUa_SecurityPolicy_None?

huazhang
Hero Member
Posts: 24
Joined: 09 Sep 2016, 04:39

Post by huazhang »

Hi support team,

When the client tries to connect to the server, the client gets an endpoint which has the None security policy.
In this situation,
1. Is it mandatory that this endpoint's ServerCertificate's ByteString be null?
2. Is it forbidden for the client to verify the server's certificate file?
3. Is it mandatory that the client connect to this endpoint with a null ClientCertificate?

Thanks!

Support Team
Hero Member
Posts: 3070
Joined: 18 Mar 2011, 15:09

Re: Verify server's certificate on OpcUa_SecurityPolicy_None

Post by Support Team »

Hello huazhang,

1) If the server has a certificate the server should always send it. It still can be used to encrypt the password for example.
2) I wouldn't say it is forbidden - it just doesn't make any sense to validate the certificate.
3) The specification just states that the server should ignore the client certificate.

Best regards
Unified Automation Support Team

huazhang
Hero Member
Posts: 24
Joined: 09 Sep 2016, 04:39

Re: Verify server's certificate on OpcUa_SecurityPolicy_None

Post by huazhang »

Hi support team,

Thanks for your reply. I have some confusion about 2) and 3).
I have 2 OPC UA servers: one is CODESYS, the other is built with the UA C++ SDK; let's name it "UA App Server".
I used the UaExpert client to connect to these 2 servers with the same configuration; security policy and message security mode are set to None.
The CODESYS Server endpoint's ServerCertificate ByteString is null; the UA App Server's is NOT.
When connecting to the CODESYS Server, UaExpert logs "The server returned no certificate, all certificate checks will be skipped."
When connecting to the UA App Server, UaExpert pops up a Certificate Validation window with the context "BadCertificateUntrusted", and the user selects "Trust Server Certificate" manually.
So,
4) Does it mean that the client always validates the server's certificate if the server endpoint's ServerCertificate is not NULL (ignoring the security policy setting)?
5) What should the client do if the server endpoint's security policy is not None and the ServerCertificate ByteString is NULL?

Thank you!
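
The client behaviour reported in this thread, written out as a decision function. This is an added example, not code from any poster, from UaExpert or from the UA C++ SDK; every type and function name is hypothetical, the trust list is simplified to exact DER matches, and the refusal for a secured policy without a certificate is an assumption (the thread leaves that case open).

```cpp
#include <set>
#include <string>
#include <vector>

// Hypothetical names throughout; this is not the UA C++ SDK API.
using ByteString = std::vector<unsigned char>;

enum class CertAction {
    SkipChecks,       // policy None and no certificate sent: nothing to validate
    Accept,           // certificate is already in the client's trust list
    AskUserUntrusted, // certificate sent but not trusted (BadCertificateUntrusted)
    RefuseConnect     // secured policy without a certificate: cannot proceed
};

struct Endpoint {
    std::string securityPolicyUri;
    ByteString serverCertificate; // empty means a null ByteString
};

static bool isPolicyNone(const std::string& uri) {
    const std::string suffix = "#None";
    return uri.size() >= suffix.size() &&
           uri.compare(uri.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Trust list modelled as a set of exact DER encodings (assumption; a real
// client also checks validity period, chain and revocation).
CertAction decideCertAction(const Endpoint& ep,
                            const std::set<ByteString>& trustList) {
    if (ep.serverCertificate.empty()) {
        // Assumption for the non-None case: signing and encryption need the
        // server's public key, so refuse instead of silently downgrading.
        return isPolicyNone(ep.securityPolicyUri) ? CertAction::SkipChecks
                                                  : CertAction::RefuseConnect;
    }
    // Certificate present: checked regardless of policy, matching the
    // UaExpert behaviour reported above. Even under None it may still be
    // used to encrypt the user password (reply 1).
    return trustList.count(ep.serverCertificate) ? CertAction::Accept
                                                 : CertAction::AskUserUntrusted;
}
```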
