Check that the host name in the endpoint URL matches with the domain names in the server certificate.
Syntax
Example
.NET
COM
// This example shows how in a console application, the user is asked to allow a server instance certificate with
// mismatched domain name.
//
// Find all latest examples here: https://opclabs.doc-that.com/files/onlinedocs/OPCLabs-OpcStudio/Latest/examples.html .
using System;
using OpcLabs.EasyOpc.UA;
using OpcLabs.EasyOpc.UA.OperationModel;
namespace UADocExamples.Interaction
{
class AllowEndpointDomain
{
public static void Main1()
{
// Define which server we will work with.
// Note that extra '.' at the end of the domain name. For the purpose of this example, it allows us to address
// the same domain, but cause a mismatch with what the names that are listed in the server instance certificate.
UAEndpointDescriptor endpointDescriptor = "opc.tcp://opcua.demo-this.com.:51210/UA/SampleServer";
// Instantiate the client object.
var client = new EasyUAClient()
{
// Enforce the endpoint domain check.
Isolated = true,
IsolatedParameters = {SessionParameters = {CheckEndpointDomain = true}}
};
UAAttributeData attributeData;
try
{
// Obtain attribute data.
// The component automatically triggers the necessary user interaction during the first operation.
attributeData = client.Read(endpointDescriptor, "nsu=http://test.org/UA/Data/ ;i=10853");
}
catch (UAException uaException)
{
Console.WriteLine("*** Failure: {0}", uaException.GetBaseException().Message);
return;
}
// Display results.
Console.WriteLine("Value: {0}", attributeData.Value);
Console.WriteLine("ServerTimestamp: {0}", attributeData.ServerTimestamp);
Console.WriteLine("SourceTimestamp: {0}", attributeData.SourceTimestamp);
Console.WriteLine("StatusCode: {0}", attributeData.StatusCode);
}
}
}
# This example shows how in a console application, the user is asked to allow a server instance certificate with
# mismatched domain name.
#
# Find all latest examples here: https://opclabs.doc-that.com/files/onlinedocs/OPCLabs-OpcStudio/Latest/examples.html .
# OPC client and subscriber examples in Python on GitHub: https://github.com/OPCLabs/Examples-QuickOPC-Python .
# The QuickOPC package is needed. Install it using "pip install opclabs_quickopc".
import opclabs_quickopc
# Import .NET namespaces.
from OpcLabs.EasyOpc.UA import *
from OpcLabs.EasyOpc.UA.OperationModel import *
# Define which server we will work with.
# Note that extra '.' at the end of the domain name. For the purpose of this example, it allows us to address
# the same domain, but cause a mismatch with what the names that are listed in the server instance certificate.
endpointDescriptor = UAEndpointDescriptor('opc.tcp://opcua.demo-this.com.:51210/UA/SampleServer')
# Instantiate the client object.
client = EasyUAClient()
# Enforce the endpoint domain check.
client.Isolated = True
client.IsolatedParameters.SessionParameters.CheckEndpointDomain = True
try:
# Obtain attribute data.
# The component automatically triggers the necessary user interaction during the first operation.
attributeData = IEasyUAClientExtension.Read(client,
endpointDescriptor,
UANodeDescriptor('nsu=http://test.org/UA/Data/ ;i=10853'))
except UAException as uaException:
print('*** Failure: ' + uaException.GetBaseException().Message)
exit()
# Display results.
print('Value: ', attributeData.Value)
print('ServerTimestamp: ', attributeData.ServerTimestamp)
print('SourceTimestamp: ', attributeData.SourceTimestamp)
print('StatusCode: ', attributeData.StatusCode)
print()
print('Finished.')
' This example shows how in a console application, the user is asked to allow a server instance certificate with
' mismatched domain name.
'
' Find all latest examples here: https://opclabs.doc-that.com/files/onlinedocs/OPCLabs-OpcStudio/Latest/examples.html .
Imports OpcLabs.EasyOpc.UA
Imports OpcLabs.EasyOpc.UA.OperationModel
Imports OpcLabs.EasyOpc.UA.Engine
Namespace Interaction
Friend Class AllowEndpointDomain
Public Shared Sub Main1()
' Define which server we will work with.
' Note that extra '.' at the end of the domain name. For the purpose of this example, it allows us to address
' the same domain, but cause a mismatch with what the names that are listed in the server instance certificate.
Dim endpointDescriptor As UAEndpointDescriptor = "opc.tcp://opcua.demo-this.com.:51210/UA/SampleServer"
' Instantiate the client object.
Dim client = New EasyUAClient() With _
{ _
.Isolated = True, _
.IsolatedParameters = New EasyUAAdaptableParameters() With _
{ _
.SessionParameters = New UASmartSessionParameters() With _
{ _
.CheckEndpointDomain = True _
} _
} _
}
Dim attributeData As UAAttributeData
Try
' Obtain attribute data.
' The component automatically triggers the necessary user interaction during the first operation.
attributeData = client.Read(endpointDescriptor, "nsu=http://test.org/UA/Data/ ;i=10853")
Catch uaException As UAException
Console.WriteLine("*** Failure: {0}", uaException.GetBaseException.Message)
Exit Sub
End Try
' Display results.
Console.WriteLine("Value: {0}", attributeData.Value)
Console.WriteLine("ServerTimestamp: {0}", attributeData.ServerTimestamp)
Console.WriteLine("SourceTimestamp: {0}", attributeData.SourceTimestamp)
Console.WriteLine("StatusCode: {0}", attributeData.StatusCode)
End Sub
End Class
End Namespace
// This example shows how in a console application, the user is asked to allow a server instance certificate with
// mismatched domain name.
//
// Find all latest examples here : https://opclabs.doc-that.com/files/onlinedocs/OPCLabs-OpcStudio/Latest/examples.html .
class procedure AllowEndpointDomain.Main;
var
AttributeData: _UAAttributeData;
Client: _EasyUAClient;
EndpointDescriptor: string;
begin
// Define which server we will work with.
// Note that extra '.' at the end of the domain name. For the purpose of this example, it allows us to address
// the same domain, but cause a mismatch with what the names that are listed in the server instance certificate.
EndpointDescriptor := 'opc.tcp://opcua.demo-this.com.:51210/UA/SampleServer';
// Instantiate the client object.
Client := CoEasyUAClient.Create;
// Enforce the endpoint domain check.
Client.Isolated := true;
Client.IsolatedParameters.SessionParameters.CheckEndpointDomain := true;
try
// Obtain attribute data.
// The component automatically triggers the necessary user interaction during the first operation.
AttributeData := Client.Read(EndpointDescriptor, 'nsu=http://test.org/UA/Data/ ;i=10853');
except
on E: EOleException do
begin
WriteLn(Format('*** Failure: %s', [E.GetBaseException.Message]));
Exit;
end;
end;
// Display results.
WriteLn('Value: ', AttributeData.Value);
WriteLn('ServerTimestamp: ', DateTimeToStr(AttributeData.ServerTimestamp));
WriteLn('SourceTimestamp: ', DateTimeToStr(AttributeData.SourceTimestamp));
WriteLn('StatusCode: ', AttributeData.StatusCode.ToString);
end;
Rem This example shows how in a console application, the user is asked to allow a server instance certificate with
Rem mismatched domain name.
Rem
Rem Find all latest examples here : https://opclabs.doc-that.com/files/onlinedocs/OPCLabs-OpcStudio/Latest/examples.html .
Option Explicit
' Define which server we will work with.
' Note that extra '.' at the end of the domain name. For the purpose of this example, it allows us to address
' the same domain, but cause a mismatch with what the names that are listed in the server instance certificate.
Dim endpointDescriptor: endpointDescriptor = "opc.tcp://opcua.demo-this.com.:51210/UA/SampleServer"
' Instantiate the client object.
Dim Client: Set Client = CreateObject("OpcLabs.EasyOpc.UA.EasyUAClient")
' Enforce the endpoint domain check.
Client.Isolated = True
Client.IsolatedParameters.SessionParameters.CheckEndpointDomain = True
' Obtain attribute data.
' The component automatically triggers the necessary user interaction during the first operation.
On Error Resume Next
Dim AttributeData: Set AttributeData = Client.Read(endpointDescriptor, "nsu=http://test.org/UA/Data/ ;i=10853")
If Err.Number <> 0 Then
WScript.Echo "*** Failure: " & Err.Source & ": " & Err.Description
WScript.Quit
End If
On Error Goto 0
' Display results
WScript.Echo "Value: " & AttributeData.Value
WScript.Echo "ServerTimestamp: " & AttributeData.ServerTimestamp
WScript.Echo "SourceTimestamp: " & AttributeData.SourceTimestamp
WScript.Echo "StatusCode: " & AttributeData.StatusCode
' Example output:
'
'OPC-UA Endpoint Domain Mismatch
'The effective host name in endpoint URL returned by the server does not match any of the domain names in the server certificate.
'Endpoint URL as returned by the server: opc.tcp://opcua.demo-this.com.:51210/UA/SampleServer
'The server certificate is for following domain names or IP addresses: opcua.demo-this.com
'This may be an indication of a spoofing attempt. Do you want to allow the endpoint anyway? [Y/n]: Y
'Value: -1.285897E+14
'ServerTimestamp: 11/28/2019 1:34:23 PM
'SourceTimestamp: 11/28/2019 1:34:23 PM
'StatusCode: Good
Requirements
Target Platforms: .NET Framework: Windows 10 (selected versions), Windows 11 (selected versions), Windows Server 2016, Windows Server 2022; .NET: Linux, macOS, Microsoft Windows
See Also