Merge pull request #435 from Telecominfraproject/PKI2-208-Relaxed-security-settings-allow-rtty

carsten989 · web-flow · commit 36a19bcd8095 · 2026-03-31T14:19:30.000-04:00
Pki2 208 relaxed security settings allow rtty
diff --git a/src/rttys/RTTYS_server.cpp b/src/rttys/RTTYS_server.cpp
@@ -15,6 +15,7 @@
 
 #include "Poco/NObserver.h"
 #include <Poco/Net/Context.h>
+#include <Poco/Net/AcceptCertificateHandler.h>
 #include "Poco/Net/SocketNotification.h"
 #include "Poco/Net/NetException.h"
 #include "Poco/Net/WebSocketImpl.h"
@@ -74,9 +75,32 @@ namespace OpenWifi {
 				const auto &Cas = MicroServiceConfigPath("ucentral.websocket.host.0.cas", "");
 				const auto &ClientCasFile = MicroServiceConfigPath("ucentral.websocket.host.0.clientcas", "");
 
+				// Read the security mode from websocket configuration
+				const auto &SecurityMode =
+					MicroServiceConfigGetString("ucentral.websocket.host.0.security", "relaxed");
+
+				// Parse security mode string to verification mode
+				Poco::Net::Context::VerificationMode VerificationLevel = Poco::Net::Context::VERIFY_RELAXED;
+				if (SecurityMode == "strict") {
+					VerificationLevel = Poco::Net::Context::VERIFY_STRICT;
+				} else if (SecurityMode == "none") {
+					VerificationLevel = Poco::Net::Context::VERIFY_NONE;
+				} else if (SecurityMode == "relaxed") {
+					VerificationLevel = Poco::Net::Context::VERIFY_RELAXED;
+				} else if (SecurityMode == "once") {
+					VerificationLevel = Poco::Net::Context::VERIFY_ONCE;
+				}
+
+				// Determine if we should accept all certificates (when security is "none")
+				bool acceptAllCerts = (VerificationLevel == Poco::Net::Context::VERIFY_NONE);
+
+				poco_information(Logger(),
+					fmt::format("RTTY device socket security mode: {} (acceptAllCerts: {})",
+								SecurityMode, acceptAllCerts));
+
 				Poco::Net::Context::Params P;
 
-				P.verificationMode = Poco::Net::Context::VERIFY_ONCE;
+				P.verificationMode = acceptAllCerts ? Poco::Net::Context::VERIFY_RELAXED : VerificationLevel;
 				P.verificationDepth = 9;
 				P.loadDefaultCAs = RootCas.empty();
 				P.cipherList = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";
@@ -109,6 +133,13 @@ namespace OpenWifi {
 				DeviceSecureContext->disableProtocols(Poco::Net::Context::PROTO_TLSV1 |
 													  Poco::Net::Context::PROTO_TLSV1_1);
 
+				// Accept all certificates when security mode is "none"
+				if (acceptAllCerts) {
+					DeviceSecureContext->setInvalidCertificateHandler(
+						Poco::SharedPtr<Poco::Net::InvalidCertificateHandler>(
+							new Poco::Net::AcceptCertificateHandler(true)));
+				}
+
 				SSL_CTX *SSLCtxDevice = DeviceSecureContext->sslContext();
 				SSL_CTX_dane_enable(SSLCtxDevice);
 				Poco::Net::IPAddress Addr(Poco::Net::IPAddress::wildcard(
