Skip to content

Remove localhost restriction from LDS registration certificate validation #3352

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
marcschier merged 4 commits into from
Dec 1, 2025
Merged

Remove localhost restriction from LDS registration certificate validation #3352

marcschier merged 4 commits into from
Dec 1, 2025

Conversation

Copy link
Contributor

Copilot AI commented Nov 22, 2025
edited
Loading

Proposed changes

The RegistrationValidator_CertificateValidation method prevented servers from registering with remote LDS/LDS-ME servers by requiring the LDS certificate domain to resolve to the local hostname's IP address.

Changes:

  • Removed RegistrationValidator_CertificateValidation method and its event handler registration
  • LDS registration now uses the standard CertificateValidator which validates certificate chain, expiration, trust stores, and revocation lists
  • Pass configuration.ApplicationUri to UpdateAsync instead of null to ensure application certificates are loaded correctly even if the subject name is changed

This maintains security through proper certificate validation while enabling remote LDS registration.

Related Issues

Types of changes

  • Bugfix (non-breaking change which fixes an issue)
  • Enhancement (non-breaking change which adds functionality)
  • Test enhancement (non-breaking change to increase test coverage)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected, requires version increase of Nuget packages)
  • Documentation Update (if none of the other choices apply)

Checklist

  • I have read the CONTRIBUTING doc.
  • I have signed the CLA.
  • I ran tests locally with my changes, all passed.
  • I fixed all failing tests in the CI pipelines.
  • I fixed all introduced issues with CodeQL and LGTM.
  • I have added tests that prove my fix is effective or that my feature works and increased code coverage.
  • I have added necessary documentation (if appropriate).
  • Any dependent changes have been merged and published in downstream modules.

Further comments

Testing: 156/156 server tests and 7836/7836 core tests passed. No new security issues detected.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@CLAassistant
Copy link

CLAassistant commented Nov 22, 2025

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Copilot AI and others added 2 commits November 22, 2025 06:02
@marcschier
Remove localhost restriction from LDS registration certificate valida…
9025852 
…tion

The RegistrationValidator_CertificateValidation method prevented remote LDS registration
by requiring the LDS certificate domain to match the local hostname. This change removes
that restrictive validation and relies on the standard certificate validator which properly
checks certificate chain, expiration, trusted certificates, and revocation lists.

Co-authored-by: marcschier <11168470+marcschier@users.noreply.github.com>
@marcschier
Fix code indentation after removing try block
ba3edfe 
Co-authored-by: marcschier <11168470+marcschier@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix registration issue with remote LDS server Remove localhost restriction from LDS registration certificate validation Nov 22, 2025
Copilot AI requested a review from marcschier November 22, 2025 06:16
romanett
romanett reviewed Nov 27, 2025
View reviewed changes
Libraries/Opc.Ua.Server/Server/StandardServer.cs Outdated
await configuration
.CertificateValidator.UpdateAsync(
configuration.SecurityConfiguration,
applicationUri: null,
Copy link
Contributor

@romanett romanett Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot please take applicationUri from configuration instead of passing null, to ensure appliction certificates are loaded also if the subject name is changed

Copy link
Contributor Author

Copilot AI Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in 54e3217. Changed from applicationUri: null to configuration.ApplicationUri to ensure application certificates are loaded correctly even if the subject name is changed.

@romanett
Use configuration.ApplicationUri instead of null in UpdateAsync
54e3217 
This ensures application certificates are loaded correctly even if the
subject name is changed.

Co-authored-by: romanett <7413710+romanett@users.noreply.github.com>
Copilot AI requested a review from romanett November 27, 2025 14:04
@romanett romanett marked this pull request as ready for review November 27, 2025 14:05
@marcschier marcschier merged commit 14f03c6 into master Dec 1, 2025
130 of 160 checks passed
@romanett romanett deleted the copilot/fix-remote-lds-registration branch December 1, 2025 08:08
This was referenced Dec 19, 2025
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@romanett romanett romanett approved these changes

+1 more reviewer

@marcschier marcschier marcschier approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@marcschier marcschier

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Registering to the Remote LDS Server is not possible

4 participants

@CLAassistant @romanett @marcschier