View Issue Details

ID: 0009795
Project: 10000-004: Services
Category: Spec
View Status: public
Last Update: 2025-03-12 19:50
Reporter: Martin Regen
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: sometimes
Status: closed
Resolution: fixed
Product Version: 1.05.03
Fixed in Version: 1.05.06 RC1
Summary: 0009795: Clarify how the client should validate the application uri
Description

Currently the text in https://reference.opcfoundation.org/Core/Part4/v105/docs/5.4.1 states:
A Client shall be careful when using the information returned from a DiscoveryEndpoint since it has no security. A Client does this by comparing the information returned from the DiscoveryEndpoint to the information returned in the CreateSession response. A Client shall verify that:

The ApplicationUri specified in the Server Certificate is the same as the ApplicationUri provided in the EndpointDescription.

The topic was discussed in the sec group on August 21st 2024:
The text above should mention that the application Uri to compare with the cert should be the one returned in the create session response, and not the one returned from the discovery endpoint.

Is the check still a shall?
Can the check be ignored?
If yes, when can the check be ignored?

Steps To Reproduce

.NET client implemented it in https://github.com/OPCFoundation/UA-.NETStandard/pull/2583
but checked the discovered server description. It caused a lot of IOP issues.

Fix: Moving check after the endpoint check of the create session response.

Tags: No tags attached.
Commit Version: 1.05.06 RC1
Fix Due Date: 2025-04-30

Activities

Jim Luth

2025-02-25 16:49

administrator   ~0022408

AGREED: The text above should mention that the application Uri to compare with the cert should be the one returned in the create session response, and not the one returned from the discovery endpoint.

Is the check still a shall? yes
Can the check be ignored? no

Matthias Damm

2025-03-10 18:35

developer   ~0022497

In 5.5 Discovery Service Set - 5.5.1 Overview
Extended
a) The ApplicationUri specified in the Server Certificate is the same as the ApplicationUri provided in the EndpointDescription.
with
a) The ApplicationUri specified in the Server Certificate is the same as the ApplicationUri provided in the EndpointDescription returned from CreateSession response.

Added to 5.7.2 CreateSession
The Client shall check that the ApplicationUri specified in the Server Certificate matches the ApplicationUri provided in the EndpointDescription returned by the CreateSession response. If it does not match, the Client shall close the Session.
The Server shall check that the ApplicationUri specified in the clientDescription matches the Client Certificate. If it does not match, CreateSession shall return Bad_CertificateUriInvalid.
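
The two checks agreed in this issue, sketched in Python as an added example (not part of the issue, the specification text, or the .NET client). The reduced `EndpointDescription` model, the `Session` stand-in, the exact-string comparison, selecting the endpoint by URL, and all sample URIs are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EndpointDescription:      # reduced model: only the fields this check reads
    endpoint_url: str
    application_uri: str        # ApplicationUri of the described Server

class Session:                  # hypothetical stand-in for a client session object
    def __init__(self):
        self.closed = False
    def close(self):
        self.closed = True

def uri_matches(cert_uri, claimed_uri):
    # Exact string comparison (assumption); a missing URI never matches.
    return bool(cert_uri) and cert_uri == claimed_uri

def client_verify(session, cert_uri, used_url, create_session_endpoints):
    """Client side: compare the Server Certificate's ApplicationUri with the
    EndpointDescription from the CreateSession response; close on mismatch."""
    for ep in create_session_endpoints:
        if ep.endpoint_url == used_url and uri_matches(cert_uri, ep.application_uri):
            return True
    session.close()
    return False

def server_verify(cert_uri, client_description_uri):
    """Server side: status CreateSession returns for the clientDescription check."""
    ok = uri_matches(cert_uri, client_description_uri)
    return "Good" if ok else "Bad_CertificateUriInvalid"

# Constructed sample data: the unsecured discovery answer disagrees with the
# certificate, while the CreateSession response agrees with it.
URL = "opc.tcp://plc1.example:4840"
CERT_URI = "urn:plc1.example:SampleServer"   # value parsed from the certificate
DISCOVERED = EndpointDescription(URL, "urn:gateway.example:SampleServer")
FROM_SESSION = [EndpointDescription(URL, CERT_URI)]
MISMATCHED = [EndpointDescription(URL, "urn:other.example:SampleServer")]

def demo():
    good, bad = Session(), Session()
    accepted = client_verify(good, CERT_URI, URL, FROM_SESSION)
    rejected = client_verify(bad, CERT_URI, URL, MISMATCHED)
    # Comparing against the discovery data instead would reject the good server.
    discovery_would_pass = uri_matches(CERT_URI, DISCOVERED.application_uri)
    return accepted, good.closed, rejected, bad.closed, discovery_would_pass

if __name__ == "__main__":
    print(demo())
    print(server_verify("urn:client.example:App", "urn:other.example:App"))
```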

Jim Luth

2025-03-12 19:50

administrator   ~0022525

Agreed to changes edited in F2F meeting.

Issue History

Date Modified Username Field Change
2024-08-22 09:29 Martin Regen New Issue
2025-02-25 16:49 Jim Luth Note Added: 0022408
2025-02-25 16:49 Jim Luth Assigned To => Matthias Damm
2025-02-25 16:49 Jim Luth Status new => assigned
2025-02-25 16:49 Jim Luth Commit Version => 1.05.06 RC1
2025-02-25 16:49 Jim Luth Fix Due Date => 2025-04-30
2025-03-10 18:35 Matthias Damm Status assigned => resolved
2025-03-10 18:35 Matthias Damm Resolution open => fixed
2025-03-10 18:35 Matthias Damm Fixed in Version => 1.05.06 RC1
2025-03-10 18:35 Matthias Damm Note Added: 0022497
2025-03-12 19:50 Jim Luth Status resolved => closed
2025-03-12 19:50 Jim Luth Note Added: 0022525