Suppressible and non-suppressible certificate validation checks

[oliveirars]

Hi guys.

I've recently had an issue using certificates to authenticate a software (using Eclipse Milo) on an OPC-UA server.

While I was investigating, I noticed two issues related to certificate validations. According to OPC-UA version 1.03 specification:

• The APPLICATION_URI check may not be suppressed. Although this validation is included in the list of NO_OPTIONAL_CHECKS, a client software component could instantiate the DefaultClientCertificateValidator passing a collection without this check, making this check optional.

• The REVOCATION check may not be suppressed, but it seems not to be handled as so - it is not in the non-optional checks collection, for example. In this case, an external component could pass a set of checks without this one.

My understanding can be wrong, but it seems the library should handle these as mandatory. Is there some reason to adopt a different strategy?

[kevinherron]

In practice I've found it best to leave an escape hatch for applications/implementations to choose to deviate from the spec on purpose to get a connection established.

I'm not sure additional effort to make it impossible to configure invalid validation checks is worth it, though certainly some sane defaults and documentation about what is or isn't mandatory according to the spec should exist.

[oliveirars]

Thank you so much for the explanation @kevinherron .

I think this is a nice decision since you let possibilities to configure or even create custom validators. I reported it to hear the aimed purpose, and it is fair enough.