fix: Fix OPC UA server security configuration

Only configure secure security policies when certificates are available. When certificates are not available, only offer the None security policy and skip certificate validation configuration.
2025-11-01 20:12:50 +00:00 · 2025-11-01 20:12:50 +00:00 · 7917fb0968
parent 9c92c5c47f
commit 7917fb0968
1 changed files with 23 additions and 11 deletions
--- a/src/protocols/opcua_server.py
+++ b/src/protocols/opcua_server.py
@ -172,17 +172,22 @@ class OPCUAServer:
    async def _configure_security(self):
        """Configure OPC UA security with certificates."""
        try:
-            # Set security policies
-            self.server.set_security_policy([
-                SecurityPolicyBasic256Sha256,
-                "http://opcfoundation.org/UA/SecurityPolicy#None"
-            ])
-            
            # Load or generate certificates
            if self.certificate_path and self.private_key_path:
                # Load existing certificates
                await self.server.load_certificate(self.certificate_path)
                await self.server.load_private_key(self.private_key_path)
+                
+                # Set security policies for secure connections
+                self.server.set_security_policy([
+                    SecurityPolicyBasic256Sha256,
+                    "http://opcfoundation.org/UA/SecurityPolicy#None"
+                ])
+                
+                # Configure certificate validation
+                validator = CertificateValidator(CertificateValidatorOptions())
+                self.server.set_certificate_validator(validator)
+                
            elif HAS_CERT_GEN and setup_self_signed_cert:
                # Generate self-signed certificate for development
                await setup_self_signed_cert(
@ -194,18 +199,25 @@ class OPCUAServer:
                    "Lazio",
                    "calejo-control.com"
                )
+                
+                # Set security policies for secure connections
+                self.server.set_security_policy([
+                    SecurityPolicyBasic256Sha256,
+                    "http://opcfoundation.org/UA/SecurityPolicy#None"
+                ])
+                
+                # Configure certificate validation
+                validator = CertificateValidator(CertificateValidatorOptions())
+                self.server.set_certificate_validator(validator)
+                
            else:
-                # Certificate generation not available, use basic security
+                # Certificate generation not available, use only None security policy
                logger.warning("certificate_generation_not_available")
                self.server.set_security_policy([
                    "http://opcfoundation.org/UA/SecurityPolicy#None"
                ])
                return
            
-            # Configure certificate validation
-            validator = CertificateValidator(CertificateValidatorOptions())
-            self.server.set_certificate_validator(validator)
-            
            logger.info("opcua_security_configured")
            
        except Exception as e: