locka99 / opcua

A client and server implementation of the OPC UA specification written in Rust
Mozilla Public License 2.0

Accept faulty certificate #98

Open pulzzedavid opened 3 years ago

pulzzedavid commented 3 years ago

I thought setting trust_server_certs would allow faulty certificates to be accepted, but it looks like it just disregards keys? Whether it is the IP address that is not matching the cert, or other details of the cert, I am wondering whether there is an option to accept the certificate in ClientBuilder.

locka99 commented 3 years ago

Check these first:

  1. That the cert isn't already in the pki/rejected folder, e.g. maybe you set trust_server_certs to true but the pki had rejected it before that flag was set. If the cert is already there then it will be untrusted even if that flag is later set. You should try deleting the value in the pki/rejected and try again. The second and subsequent times it should go straight into pki/trusted.
  2. That the cert can be loaded. If the cert cannot be parsed as an X509 certificate then it will fail before the point of deciding whether to trust it or not.

If it's not working even after these two things, set your logging to debug level and see if you can capture the code which includes "Validating cert with name on disk" to see what is tripping it up.
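As an added illustration of the two checks above (this is a simplified model written for this note, not the opcua crate's own code): it assumes a pki layout of `pki/trusted` and `pki/rejected` with one DER file per certificate name, and a one-byte DER tag check standing in for real X.509 parsing. It shows why a certificate that was rejected before `trust_server_certs` was turned on stays untrusted until its file is removed.

```rust
use std::fs;
use std::path::Path;

/// Outcome of the trust decision for one server certificate.
#[derive(Debug, PartialEq)]
enum Verdict {
    Trusted,
    Rejected,
    Unparseable,
}

/// Simplified model of how a pki directory with trusted/ and rejected/
/// subfolders interacts with the trust_server_certs flag (assumed layout).
fn validate_server_cert(pki_dir: &Path, name: &str, der: &[u8], trust_server_certs: bool)
    -> std::io::Result<Verdict> {
    let trusted = pki_dir.join("trusted");
    let rejected = pki_dir.join("rejected");
    fs::create_dir_all(&trusted)?;
    fs::create_dir_all(&rejected)?;
    let file = format!("{}.der", name);

    // Check 2: a cert that cannot be parsed fails before any trust decision.
    // Stand-in for real X.509 parsing: a DER certificate starts with a SEQUENCE tag (0x30).
    if der.first() != Some(&0x30) {
        return Ok(Verdict::Unparseable);
    }
    // Check 1: a cert already present in rejected/ stays untrusted, even if the flag is now true.
    if rejected.join(&file).exists() {
        return Ok(Verdict::Rejected);
    }
    // Already trusted on disk, or auto-trusted by the flag: it lands (or stays) in trusted/.
    if trusted.join(&file).exists() || trust_server_certs {
        fs::write(trusted.join(&file), der)?;
        return Ok(Verdict::Trusted);
    }
    // Otherwise it is recorded in rejected/ for an operator to review and move by hand.
    fs::write(rejected.join(&file), der)?;
    Ok(Verdict::Rejected)
}

fn main() -> std::io::Result<()> {
    let pki = std::env::temp_dir().join("opcua_pki_model_demo");
    let _ = fs::remove_dir_all(&pki); // start from an empty pki dir on every run
    let der = [0x30u8, 0x82, 0x01, 0x00]; // constructed stand-in for a DER certificate
    println!("{:?}", validate_server_cert(&pki, "server", &der, false)?); // Rejected
    println!("{:?}", validate_server_cert(&pki, "server", &der, true)?); // still Rejected
    fs::remove_file(pki.join("rejected").join("server.der"))?; // the manual fix from the reply
    println!("{:?}", validate_server_cert(&pki, "server", &der, true)?); // Trusted
    Ok(())
}
```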

pulzzedavid commented 3 years ago

Thanks for the information. I had checked those out but let me look into them again since it sounds like trust_server_certs should be doing the trick.

locka99 commented 2 years ago

Check if you have an update, otherwise I'll close