How to accept server certificate?

[aljoshakoecher]

Hey everyone,

thank you for providing so many examples! Thanks to them, I was able to quickly setup a client connecting to a server with a username and password (security mode sign & encrypt) in order to browse the server's nodeset.
I only struggle with one thing at the moment: I have to manually move the server's certificate into the trusted folder of my keystore. How can I do this automatically?

In the ClientRunnerExample , I can see that the server's certificate is added to the client's keystore. But in this example, the server is also created, so a reference to the server object exists.

How can I get the server's certificate while connecting with my client? I saw that there is a way to get the certificate from the session, but I don't really have a session because my connection fails due to the certificate not being trusted, right?

[kevinherron]

The server certificate is available in the EndpointDescriptions you get back from the GetEndpoints service.

If you are building a GUI client, you might take this opportunity to show the certificate to the user and ask if they want to trust it. If you wish to trust the certificate, then you can call DefaultTrustListManager::addTrustedCertificate.

[aljoshakoecher]

That was quick - thank you very much, Kevin! Works like a charm.
Right after I sent my question I saw that there also is an InsecureValidator. I don't build a GUI client, so in my case I'm trusting the server that a user chose to connect to and provided the endpoint URL of.
For this use case, is there a difference between your solution and using the InsecureValidator?

[kevinherron]

Well, GUI or not, it's not technically safe or secure to use the InsecureValidator (hence the name). It could allow, for example, an attacker to impersonate the server you are connected to without you knowing.

[aljoshakoecher]

Sure, that makes sense but that wasn't quite what I was thinking about.
I thought that blindly trusting the server without any additional logic on my side (the way I do it now) could result in the same security problems. But from your comment I get that this is not the case because certificates are automatically checked when adding them to the TrustListManager - which does also make a lot of sense ^^.
Anyways - I'm working on a proof of concept, so security is not super important right now...