kevinherron
commented
7 months ago It seems to me that the thumbprint provided by the client should be used as additional criteria in the endpoint matching logic.
Using the thumbprint seems obviously correct to me, whereas something about trying to use the host name doesn't sit right (beyond the obvious many scenarios where a client does not provide a matching host name).
https://github.com/eclipse/milo/blob/cd0f3d97f78de3823541229032642f8af9f00040/opc-ua-stack/stack-server/src/main/java/org/eclipse/milo/opcua/stack/server/transport/uasc/UascServerAsymmetricHandler.java#L382-L385
Matches the first EndpointDescription with requested Security and Path, but ignores the hostname in the URL.
This leads milo to choose a different endpoint than requested and then presenting a different certificate.
This is a problem when I want to keep a certificate the same for previously existing hostnames, but have an additional cert for hostnames/ips not covered by the existing certificate.
Maybe the path logic is necessary, I don't know, but EndpointDescriptions with both matching hostname and path should have precedence.
Is there another way to keep certs stable so that existing clients don't need to update their trust? Could I differentiate Endpoints by certificate - ua clients send their requested server cert fingerprint with the request.
Or is this achieved some other way?
Thanks for the all the work on this nice project.