Authenticate client using certificates/login

[Dubehh]

I found similar questions but didn't find a working answer. I'd like to authenticate the client before he's able to read data, is this possible? I tried using certificates but a client is able to use whatever certificate he or she desires (meaning it's not validated). I saw this reference but i'm not sure if it's the same as what I am looking for.

Server.py

server = Server()
await server.init()
await server.load_certificate("cert.der")
await server.load_private_key("key.pem")

server.set_security_IDs(["Basic256Sha256"])
server.set_endpoint('opc.tcp://127.0.0.1:4840/freeopcua/server/')
server.set_security_policy([ua.SecurityPolicyType.Basic256Sha256_SignAndEncrypt])

Client.py

client = Client("opc.tcp://127.0.0.1:4840/freeopcua/server/")
client.set_security_string(
        "Basic256Sha256,"
        "SignAndEncrypt,"
        "different_cert.der,"
        "different_key.pem")

client.connect()

I used a differently generated certificate/key for the client, yet he's still able to fetch data from the server. How do I validate these certificates?

If there's a way to authenticate with just username/password i'd be happy aswell..

(I test locally)

[mihainstr]

We had a similar issue and it was related to the policy incorrect handling, check this issue for a possible solution: #811

[Dubehh]

We had a similar issue and it was related to the policy incorrect handling, check this issue for a possible solution: #811

Unfortunately didn't fix it.

[zerox1212]

Security is waiting for PR from someone who knows certificate handling etc.

Meanwhile you could follow up with this #783 . Some work for user management was also added but you would have to dig into how it works; I'm not sure if much was documented. #691

[brubbel]

I used a differently generated certificate/key for the client, yet he's still able to fetch data from the server.

Possibly because security policy "NoSecurity" is still allowed. (in parallel with the certificate you have set up). You could remove this setting from server.py.

python-opcua/opcua/server/server.py

Lines 117 to 121 in 71ff089

	self._security_policy = [
	ua.SecurityPolicyType.NoSecurity,
	ua.SecurityPolicyType.Basic256Sha256_SignAndEncrypt,
	ua.SecurityPolicyType.Basic256Sha256_Sign
	]

[zerox1212]

@brubbel Shouldn't that policy list get overwritten when server.set_security_policy([ua.SecurityPolicyType.Basic256Sha256_SignAndEncrypt]) is called?

[brubbel]

My mistake, that policy setting is only for secure communications (i.e. trusted source), not for authentication.