github node-opcua/node-opcua v2.20.0

3 years ago

🐛

  • #881 fix issue preventing a connection when the server exposes alternate endpoints.
  • fix certificate validation issue for CTT, [367d6de]. Issuers must now be explicitly trusted before untrusted certificates that they emit can be automatically trusted => makes the CTT security test pass 🥳

👬 contributors

  • @andi00, for detecting an issue with alternate endpoints

💔 breaking change

You may experience some change in behavior on the server, since it now conforms to stricter server-side endpoint verification in order to be compliant with CTT 1.0.4. This is particularly true if your server uses the 'alternateHostname' option during construction to expose more endpoints.

The OPCUA server may now reject connections from clients that do not provide an endpoint known by the server during the CreateSession/ActivateSession process.

The behavior is:

  • If your server does not specifically provide an alternate hostname, you should be able to access it with any type of endpoint URL that resolves to the server machine, for instance:
    opc.tcp://localhost:1234, opc.tcp://MYSERVER.com:1234, opc.tcp://myserver.mycompany.com:1234, opc.tcp://10.2.3.4:1234.
    In these circumstances, the server will resolve the endpoint to the internal one, and there will be no ambiguity.

  • If your server exposes an alternateHostname, then the client must specifically use one of the endpoints exposed by the server.
    In these circumstances, the server cannot resolve the endpoint to the internal one, and there is an ambiguity regarding which endpoint to use.
    In versions prior to 2.19.0, the node-opcua server used to replace the unknown endpoint with one endpoint chosen at random amongst the possible ones. But later on, this was causing random rejection during the activateSession process as the UserTokenPolicy.

If you are facing this type of issue, you can either:

  • not use the alternateHostname option at all (this option is rarely used, and is only useful when the server has 2 network interfaces and is addressed by two different hostnames)
  • or complete alternateHostname by setting it up as an array containing all the possible endpoints to access the server.

Also, as spotted by #881, make sure that endpoint letter cases are correct in your endpoints.
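A client-side pre-flight check for a server that exposes alternate hostnames, added here as an example (it is not node-opcua code): it compares the URL a client is about to use with the endpoint URLs the server advertises and flags the letter-case and unlisted-hostname situations described above. The function names, status strings and sample URLs are assumptions made for the illustration.

```javascript
// Added example, not part of node-opcua. All names are hypothetical.

// Split "opc.tcp://host:port/path" WITHOUT lower-casing the host, so that
// letter-case differences stay visible to the comparison below.
function parseOpcUrl(url) {
  const m = /^opc\.tcp:\/\/(\[[^\]]+\]|[^\/:]+):(\d+)(\/.*)?$/i.exec(url.trim());
  if (!m) throw new Error(`not an opc.tcp endpoint URL: ${url}`);
  return {
    host: m[1],
    port: Number(m[2]),
    path: (m[3] || "").replace(/\/$/, ""), // ignore a single trailing slash
  };
}

// advertised: endpoint URLs the server exposes (e.g. collected from its
// endpoint list); requested: the URL the client intends to connect with.
function checkEndpointUrl(requested, advertised) {
  const req = parseOpcUrl(requested);
  const list = advertised.map((url) => ({ url, ...parseOpcUrl(url) }));
  const samePortPath = list.filter(
    (e) => e.port === req.port && e.path === req.path
  );

  // 1. Exact match: the client uses an endpoint the server exposes.
  const exact = samePortPath.find((e) => e.host === req.host);
  if (exact) return { status: "exact", use: exact.url };

  // 2. Same endpoint apart from letter case: the release notes ask for
  //    correct letter case, so suggest the advertised spelling.
  const caseOnly = samePortPath.find(
    (e) => e.host.toLowerCase() === req.host.toLowerCase()
  );
  if (caseOnly) return { status: "case-mismatch", use: caseOnly.url };

  // 3. Hostname not exposed by the server: either connect with one of the
  //    advertised URLs or add this hostname to alternateHostname.
  return { status: "not-advertised", use: null, candidates: list.map((e) => e.url) };
}

// Constructed sample: a server exposing two endpoints.
const sampleAdvertised = [
  "opc.tcp://MYSERVER.com:1234",
  "opc.tcp://10.2.3.4:1234",
];
console.log(checkEndpointUrl("opc.tcp://myserver.com:1234", sampleAdvertised));
console.log(checkEndpointUrl("opc.tcp://localhost:1234", sampleAdvertised));
```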
