Configurable HTTPS/TLS Support #90

@bburda

Summary

Add configurable HTTPS support to the ros2_medkit gateway REST server to enable encrypted communication and prevent eavesdropping on sensitive diagnostic data.


Background

The current gateway uses HTTP, transmitting all data (including configurations, commands, and diagnostic information) in plaintext. For production deployments, especially in:

  • Networked vehicle diagnostics
  • Multi-robot fleets
  • Cloud-connected systems

TLS encryption is essential to protect data in transit and prevent man-in-the-middle attacks.


Proposed Solution

1. TLS Configuration Parameters

ros2_medkit_gateway:
  ros__parameters:
    server:
      host: "0.0.0.0"
      port: 8080

      # TLS/HTTPS Configuration
      tls:
        enabled: false  # Default disabled for backward compatibility
        cert_file: ""   # Path to PEM certificate file
        key_file: ""    # Path to PEM private key file
        ca_file: ""     # Optional: CA certificate for client verification

        # Minimum TLS version (1.2 or 1.3)
        min_version: "1.2"

        # Enable mutual TLS (client certificate verification)
        mutual_tls: false

2. Implementation Details

cpp-httplib supports SSL via the SSLServer class:

// In rest_server.cpp
#ifdef CPPHTTPLIB_OPENSSL_SUPPORT
if (tls_config.enabled) {
    ssl_server_ = std::make_unique<httplib::SSLServer>(
        tls_config.cert_file.c_str(),
        tls_config.key_file.c_str()
    );
}
#endif

3. Certificate Generation Helper

Add a helper script for development certificates:

# scripts/generate_dev_certs.sh
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
    -days 365 -nodes -subj "/CN=localhost"

Implementation Tasks

  • Add OpenSSL dependency to CMakeLists.txt
  • Create TlsConfig struct in config.hpp
  • Modify RESTServer to support SSLServer when TLS enabled
  • Add TLS configuration parameters to gateway_params.yaml
  • Add certificate validation and error handling
  • Add development certificate generation script
  • Unit tests for TLS configuration parsing
  • Integration tests with HTTPS endpoints
  • Update Docker images with OpenSSL support
  • Update documentation with TLS setup guide

Acceptance Criteria

  • Gateway starts with HTTPS when TLS enabled and valid certificates provided
  • Invalid/missing certificates produce clear error messages
  • HTTP connections rejected when TLS is enabled
  • Backward compatible: defaults to HTTP when TLS disabled
  • Works with self-signed and CA-signed certificates
  • sovd_web_ui can connect over HTTPS

Security Considerations

  • Private keys should have restricted file permissions (600)
  • Support secure cipher suites only (disable weak ciphers)
  • Log TLS handshake failures for debugging
  • Consider HSTS header support for browser clients

Additional Context

  • cpp-httplib requires CPPHTTPLIB_OPENSSL_SUPPORT define
  • OpenSSL is typically available in ROS 2 environments
  • Docker images may need libssl-dev package
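
One way to implement the "certificate validation and error handling" task and the key-permission check from Security Considerations, as an added example that is not part of the original issue or the ros2_medkit code base. The `TlsConfig` fields mirror the YAML keys proposed above; `validate_tls_config` and `readable_file` are hypothetical names, and a POSIX `stat` is assumed.

```cpp
// Added example, not project code: pre-flight validation of the proposed tls.* parameters.
// TlsConfig mirrors the YAML keys in the issue; the function names are hypothetical.
#include <fstream>
#include <iostream>
#include <string>
#include <vector>
#include <sys/stat.h>

struct TlsConfig {
    bool enabled = false;
    std::string cert_file, key_file, ca_file;
    std::string min_version = "1.2";
    bool mutual_tls = false;
};

// True if path is a regular file this process can open; fills st for later checks.
static bool readable_file(const std::string& path, struct stat& st) {
    return !path.empty() && ::stat(path.c_str(), &st) == 0 &&
           S_ISREG(st.st_mode) && std::ifstream(path).is_open();
}

// Returns one clear message per problem; an empty result means the server may start.
std::vector<std::string> validate_tls_config(const TlsConfig& c) {
    std::vector<std::string> errors;
    if (!c.enabled) return errors;  // plain HTTP (the backward-compatible default)
    struct stat st{};
    if (!readable_file(c.cert_file, st))
        errors.push_back("tls.cert_file missing or unreadable: '" + c.cert_file + "'");
    if (!readable_file(c.key_file, st))
        errors.push_back("tls.key_file missing or unreadable: '" + c.key_file + "'");
    else if (st.st_mode & (S_IRWXG | S_IRWXO))  // any group/other bit set
        errors.push_back("tls.key_file is accessible to group/other, expected mode 600: '" + c.key_file + "'");
    if (c.min_version != "1.2" && c.min_version != "1.3")
        errors.push_back("tls.min_version must be \"1.2\" or \"1.3\", got '" + c.min_version + "'");
    if (c.mutual_tls && !readable_file(c.ca_file, st))
        errors.push_back("tls.mutual_tls requires a readable tls.ca_file: '" + c.ca_file + "'");
    return errors;
}

int main() {
    TlsConfig cfg;              // constructed sample: TLS enabled but no paths set
    cfg.enabled = true;
    cfg.min_version = "1.1";    // below the proposed minimum
    for (const auto& e : validate_tls_config(cfg))
        std::cerr << "TLS config error: " << e << "\n";
    return 0;
}
```

Running this check before constructing `httplib::SSLServer` lets the gateway refuse to start with a specific message instead of failing later during the handshake.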

    Labels

    enhancement (New feature or request), security (Security feature)
