From ecc265861ec4e4f88a1fbd99d4c13bf593e799f8 Mon Sep 17 00:00:00 2001
From: Carsten Schafer
Date: Mon, 23 Mar 2026 13:27:07 -0400
Subject: [PATCH 1/3] Actually use the set security mode
Signed-off-by: Carsten Schafer
---
 src/AP_WS_Server.cpp | 2 +-
 src/framework/SubSystemServer.h | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/AP_WS_Server.cpp b/src/AP_WS_Server.cpp
index 52dae456..e11dcacc 100644
--- a/src/AP_WS_Server.cpp
+++ b/src/AP_WS_Server.cpp
@@ -116,7 +116,7 @@ namespace OpenWifi {
 Poco::Net::Context::Params P;
- P.verificationMode = Poco::Net::Context::VERIFY_ONCE;
+ P.verificationMode = Svr.Level();
 P.verificationDepth = 9;
 P.loadDefaultCAs = Svr.RootCA().empty();
 P.cipherList = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";
diff --git a/src/framework/SubSystemServer.h b/src/framework/SubSystemServer.h
index 4f808ac6..2e7f967b 100644
--- a/src/framework/SubSystemServer.h
+++ b/src/framework/SubSystemServer.h
@@ -51,6 +51,7 @@ namespace OpenWifi {
 [[nodiscard]] inline auto Name() const { return name_; };
 [[nodiscard]] inline int Backlog() const { return backlog_; }
 [[nodiscard]] inline auto Cas() const { return cas_; }
+ [[nodiscard]] inline auto Level() const { return level_; }
 [[nodiscard]] Poco::Net::SecureServerSocket CreateSecureSocket(Poco::Logger &L) const;
 [[nodiscard]] Poco::Net::ServerSocket CreateSocket([[maybe_unused]] Poco::Logger &L) const;
From 2e023c0f0fab3d65be020da066eb1028842eaec5 Mon Sep 17 00:00:00 2001
From: Carsten Schafer
Date: Mon, 23 Mar 2026 13:56:09 -0400
Subject: [PATCH 2/3] Need to use relaxed mode to get access to a certificate (so device can be identified)
Signed-off-by: Carsten Schafer
---
 src/AP_WS_Server.cpp | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/AP_WS_Server.cpp b/src/AP_WS_Server.cpp
index e11dcacc..f1cf7605 100644
--- a/src/AP_WS_Server.cpp
+++ b/src/AP_WS_Server.cpp
@@ -6,6 +6,7 @@
 // Arilia Wireless Inc.
 //
+#include
 #include
 #include
 #include
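Review bot: `P.verificationMode = Svr.Level();` relies on `level_` already being a `Poco::Net::Context::VerificationMode`, which the `auto` accessor added in the SubSystemServer.h hunk of this patch does not make visible; if `level_` is parsed from configuration as an integer the assignment needs an explicit conversion, `P.verificationMode = static_cast<Poco::Net::Context::VerificationMode>(Svr.Level());`, and a value outside the enum should be rejected where the configuration is loaded rather than reach the TLS context. The previously hard-coded `VERIFY_ONCE` becomes one of several deployable values, and `VERIFY_NONE` in a server context means no client certificate is requested at all (patch 2/3 of this series works around exactly that), so the accepted values and their effect deserve a comment where `level_` is defined. The enclosing function starts and ends outside the hunk.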
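Review bot: The new `Level()` accessor returns `level_` through `auto` with no comment, so the header gives no hint of what the value represents or which values are legal, while the AP_WS_Server.cpp hunk of this patch assigns it straight to `Poco::Net::Context::Params::verificationMode`. If `level_` does hold a verification mode (confirm against where it is set), a one-line comment above the accessor would spare the reader the cross-file lookup: `/// Peer-certificate verification mode applied to the TLS server context (Poco::Net::Context::VerificationMode).` The class definition starts and ends outside the hunk.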
@@ -116,7 +117,11 @@ namespace OpenWifi {
 Poco::Net::Context::Params P;
- P.verificationMode = Svr.Level();
+ // If VERIFY_NONE is configured, use VERIFY_RELAXED instead so we still
+ // request client certificates (needed to extract device serial from CN),
+ // but add AcceptCertificateHandler to ignore validation errors like expiration
+ bool acceptAllCerts = (Svr.Level() == Poco::Net::Context::VERIFY_NONE);
+ P.verificationMode = acceptAllCerts ? Poco::Net::Context::VERIFY_RELAXED : Svr.Level();
 P.verificationDepth = 9;
 P.loadDefaultCAs = Svr.RootCA().empty();
 P.cipherList = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";
@@ -125,6 +130,12 @@ namespace OpenWifi {
 auto Context = Poco::AutoPtr( new Poco::Net::Context(Poco::Net::Context::TLS_SERVER_USE, P));
+ if (acceptAllCerts) {
+ Context->setInvalidCertificateHandler(
+ Poco::SharedPtr(
+ new Poco::Net::AcceptCertificateHandler(true)));
+ }
+
 Poco::Crypto::X509Certificate Cert(Svr.CertFile());
 Poco::Crypto::X509Certificate Root(Svr.RootCA());
From 370f48b44090df504eaf145760278d46fbac69f5 Mon Sep 17 00:00:00 2001
From: Carsten Schafer
Date: Mon, 23 Mar 2026 15:10:50 -0400
Subject: [PATCH 3/3] Add some logging for certificate dates
Signed-off-by: Carsten Schafer
---
 src/AP_WS_Connection.cpp | 4 ++++
 src/AP_WS_Connection.h | 2 ++
 src/AP_WS_Process_connect.cpp | 7 +++++++
 3 files changed, 13 insertions(+)
diff --git a/src/AP_WS_Connection.cpp b/src/AP_WS_Connection.cpp
index 32f63c5f..b6330817 100644
--- a/src/AP_WS_Connection.cpp
+++ b/src/AP_WS_Connection.cpp
@@ -4,6 +4,8 @@
 #include
+#include
+#include
 #include
 #include
 #include
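Review bot: When `acceptAllCerts` is set, `VERIFY_RELAXED` makes the server request a client certificate, but together with the `AcceptCertificateHandler` installed in the next hunk every verification failure (untrusted issuer, expired, wrong purpose) is ignored, so the CN that later yields the device serial comes from a certificate that was never authenticated. Nothing in the hunk records that downgrade: it should be logged at warning level once when the context is created, and the added comment should say it plainly instead of naming only expiration, e.g. `// VERIFY_NONE: still request the client certificate so the CN can be read, but ignore ALL verification errors (the certificate is then NOT authenticated).` `Svr.Level()` is also evaluated twice and `acceptAllCerts` never changes; `const auto Level = Svr.Level(); const bool acceptAllCerts = (Level == Poco::Net::Context::VERIFY_NONE);` reads more clearly. The enclosing function starts and ends outside the hunk.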
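Review bot: `Poco::Net::AcceptCertificateHandler(true)` approves every invalid peer certificate without leaving a trace, so an expired or untrusted device certificate is accepted with nothing in the server log, even though this mode exists precisely to still look at such certificates. A small `Poco::Net::InvalidCertificateHandler` subclass that logs the verification error and then calls `setIgnoreError(true)` keeps the accept-all behaviour while making each acceptance observable; constructing it with `true` (handle errors on the server side) matches the `TLS_SERVER_USE` context created in the line above. Which `Poco::Logger` is available at this point is not visible in the hunk, hence the placeholder below. The enclosing function starts and ends outside the hunk.
```cpp
// Accepts peer certificates that failed verification (VERIFY_NONE configured),
// but logs why so that unauthenticated connections remain visible in the log.
class LoggingAcceptCertificateHandler : public Poco::Net::InvalidCertificateHandler {
public:
	explicit LoggingAcceptCertificateHandler(Poco::Logger &L)
		: Poco::Net::InvalidCertificateHandler(true), Logger_(L) {}

	void onInvalidCertificate(const void *, Poco::Net::VerificationErrorArgs &Err) override {
		poco_warning(Logger_, fmt::format("TLS: accepting peer certificate despite verification error '{}' (depth {})",
										  Err.errorMessage(), Err.errorDepth()));
		Err.setIgnoreError(true);
	}

private:
	Poco::Logger &Logger_;
};

// … unchanged: Params setup and Context creation …
if (acceptAllCerts) {
	Context->setInvalidCertificateHandler(
		Poco::SharedPtr<Poco::Net::InvalidCertificateHandler>(
			new LoggingAcceptCertificateHandler(LOGGER_IN_SCOPE /* placeholder: the Poco::Logger available here */)));
}
```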
@@ -216,6 +218,8 @@ namespace OpenWifi {
 State_.certificateExpiryDate = PeerCert.expiresOn().timestamp().epochTime();
 State_.certificateIssuerName = PeerCert.issuerName();
+ CertificateValidFrom_ = Poco::DateTimeFormatter::format(PeerCert.validFrom(), Poco::DateTimeFormat::HTTP_FORMAT);
+ CertificateValidTo_ = Poco::DateTimeFormatter::format(PeerCert.expiresOn(), Poco::DateTimeFormat::HTTP_FORMAT);
 poco_trace(Logger_, fmt::format("TLS-CONNECTION({}): Session={} CN={} Completed. (t={})", CId_,
diff --git a/src/AP_WS_Connection.h b/src/AP_WS_Connection.h
index f509072f..5d9c6fda 100644
--- a/src/AP_WS_Connection.h
+++ b/src/AP_WS_Connection.h
@@ -145,6 +145,8 @@ namespace OpenWifi {
 std::double_t memory_used_=0.0, cpu_load_ = 0.0, temperature_ = 0.0;
 std::uint64_t uuid_=0;
 bool Simulated_=false;
+ std::string CertificateValidFrom_;
+ std::string CertificateValidTo_;
 std::atomic_uint64_t LastContact_=0;
 Poco::Buffer IncomingFrame_;
diff --git a/src/AP_WS_Process_connect.cpp b/src/AP_WS_Process_connect.cpp
index 9ba0955e..c4a0a3fc 100644
--- a/src/AP_WS_Process_connect.cpp
+++ b/src/AP_WS_Process_connect.cpp
@@ -259,6 +259,9 @@ namespace OpenWifi {
 "device. Session={} ConnectionCompletion Time={}", CId_, State_.sessionId, State_.connectionCompletionTime));
+ poco_information(Logger_,
+ fmt::format("CONNECT({}): Certificate validity: NotBefore={} NotAfter={}",
+ CId_, CertificateValidFrom_, CertificateValidTo_));
 } else {
 State_.VerifiedCertificate = GWObjects::MISMATCH_SERIAL;
 if (AP_WS_Server()->AllowSerialNumberMismatch()) {
@@ -268,6 +271,10 @@ namespace OpenWifi {
 "Serial={} Session={} ConnectionCompletion Time={}", CId_, CN_, SerialNumber_, State_.sessionId, State_.connectionCompletionTime));
+ poco_information(
+ Logger_,
+ fmt::format("CONNECT({}): Certificate validity: NotBefore={} NotAfter={}",
+ CId_, CertificateValidFrom_, CertificateValidTo_));
 } else {
 poco_information( Logger_, fmt::format("CONNECT({}): Serial number mismatch disallowed. "
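Review bot: The two new assignments only format `validFrom()` and `expiresOn()` for later logging; neither date is compared with the current time, and since patch 2/3 of this series lets an expired or not-yet-valid certificate through, this is the natural place to notice it. Compute the status next to the formatting, e.g. `const Poco::Timestamp Now; const bool OutsideValidity = Now < PeerCert.validFrom().timestamp() || Now > PeerCert.expiresOn().timestamp();`, keep it with the rest of the certificate state and log it at warning level where the validity line is emitted. The two added lines are also much wider than the surrounding code; breaking after the first `format(` argument would match it. The enclosing function starts and ends outside the hunk.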
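Review bot: The two new members carry no comment, so the header does not say what they hold or where they come from; in this patch they are assigned in the AP_WS_Connection.cpp hunk next to `State_.certificateExpiryDate` and read only by the connect-time log lines in AP_WS_Process_connect.cpp. A one-line comment makes that visible without the cross-file lookup: `// Peer-certificate validity window (HTTP date format), kept only for connect-time logging.` The class definition starts and ends outside the hunk.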
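Review bot: The `poco_information` block added here is repeated verbatim in the second hunk of this file (`@@ -268,6 +271,10 @@`), in two branches that differ only in whether the serial matched the certificate CN, so the two copies can drift apart. Emit it once after the `if`/`else` instead, or move it into a small private helper such as `LogCertificateValidity()` called from both branches. Whether `CertificateValidFrom_` and `CertificateValidTo_` are always populated when this path runs cannot be seen from the hunk; if a connection can reach it without a peer certificate the line prints empty values, which is worth a guard or an explicit `n/a`. The enclosing function starts and ends outside the hunk.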