TLS and certificate trust
Verify the server certificate, pin a CA bundle, enable mutual TLS, or disable verification (only in test).
TLS verification lives entirely on the HTTP client. The OPC UA
application certificate set via ClientBuilder::setClientCertificate()
is a separate concept and is not used by CurlHttpClient.
Verify against the system CA store

```php
new CurlHttpClient(verifyTls: true);
```
Pin a CA bundle

```php
new CurlHttpClient(
    verifyTls: true,
    caBundle: '/etc/ssl/certs/internal-ca-bundle.crt',
);
```
Useful when the server presents a certificate signed by an internal CA not in the system store.
Mutual TLS

```php
new CurlHttpClient(
    verifyTls: true,
    caBundle: '/etc/ssl/certs/server-ca-bundle.crt',
    clientCertPath: '/var/lib/myapp/client.pem',
    clientKeyPath: '/var/lib/myapp/client.key',
    clientKeyPassword: getenv('CLIENT_KEY_PASS') ?: null,
);
```
The certificate and key must be PEM-encoded. The mTLS check happens during the TLS handshake, before any OPC UA frame leaves the client.
Disable verification (test environments only)

```php
new CurlHttpClient(verifyTls: false);
```
Never use in production: this disables both peer certificate chain validation and hostname matching, so an on-path attacker can interpose silently.
Pin a TLS version

cURL negotiates TLS 1.2+ by default. To pin TLS 1.3 only:

```php
new CurlHttpClient(
    verifyTls: true,
    extraCurlOptions: [CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1_3],
);
```
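The settings from the sections above (system CA store, pinned CA bundle, mutual TLS, verification disabled in test only, pinned TLS version) combined into one configuration-driven factory. This is an added example, not code from the library or its docs; it assumes PHP 8.1+ (named-argument unpacking), that `CurlHttpClient` is already imported, and that the constructor arguments are exactly those documented on this page. The `$cfg` keys and the `HttpClientFactory` class are hypothetical names.

```php
<?php
// Added example: builds a CurlHttpClient from a config array and refuses
// verifyTls=false anywhere except env=test. Assumes PHP 8.1+ and that
// CurlHttpClient accepts the named arguments shown on this page.
final class HttpClientFactory
{
    /** @param array<string, mixed> $cfg hypothetical keys: env, verify_tls,
     *  ca_bundle, client_cert, client_key, client_key_pass */
    public static function build(array $cfg): CurlHttpClient
    {
        $isTest = ($cfg['env'] ?? 'production') === 'test';
        $verify = (bool) ($cfg['verify_tls'] ?? true);

        // Guard rail: skipping verification is only permitted in test.
        if (!$verify && !$isTest) {
            throw new \RuntimeException('verify_tls=false is only allowed when env=test');
        }
        if (!$verify) {
            return new CurlHttpClient(verifyTls: false); // test only
        }

        // Start from verification against the system CA store with TLS 1.3 pinned.
        $args = [
            'verifyTls'        => true,
            'extraCurlOptions' => [CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1_3],
        ];

        // Fail early on a missing or unreadable CA bundle rather than at the first request.
        $caBundle = $cfg['ca_bundle'] ?? null;
        if ($caBundle !== null) {
            if (!is_readable($caBundle)) {
                throw new \RuntimeException("CA bundle not readable: $caBundle");
            }
            $args['caBundle'] = $caBundle;
        }

        // mTLS: certificate and key must be configured together (both PEM).
        $cert = $cfg['client_cert'] ?? null;
        $key  = $cfg['client_key'] ?? null;
        if (($cert === null) !== ($key === null)) {
            throw new \InvalidArgumentException('client_cert and client_key must be set together');
        }
        if ($cert !== null) {
            $args['clientCertPath']    = $cert;
            $args['clientKeyPath']     = $key;
            $args['clientKeyPassword'] = $cfg['client_key_pass'] ?? null;
        }

        return new CurlHttpClient(...$args); // named-argument unpacking, PHP 8.1+
    }
}
```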
Working with the test server

uanetstandard-test-suite v1.5.0+ ships an opcua-https-binary service
with a pre-generated RSA 2048 certificate (CN HttpsBinaryServer, SAN
includes localhost + 127.0.0.1). For local tests:

```php
new CurlHttpClient(verifyTls: false); // dev only
```

or, with verification:

```php
new CurlHttpClient(
    verifyTls: true,
    caBundle: __DIR__ . '/../uanetstandard-test-suite/certs/ca/ca-cert.pem',
);
```