Split websocket ssl settings for public and private.

rippled-example.cfg

@@ -157,6 +157,16 @@
 #   this option will go away and the peer_ip will accept websocket client
 #   connections.
 #
+# [websocket_public_secure]
+#   0 or 1.
+#   0: Provide ws service for websocket_public_ip/websocket_public_port.
+#   1: Provide wss service for websocket_public_ip/websocket_public_port. [default]
+#
+#   Browser pages like the Ripple client will not be able to connect to a secure
+#   websocket connection if a self-signed certificate is used.  As the Ripple
+#   reference client currently shares secrets with its server, this should be
+#   enabled.
+#
 # [websocket_ip]:
 #   IP address or domain to bind to allow trusted ADMIN connections from backend
 #   applications.
@@ -167,6 +177,11 @@
 # [websocket_port]:
 #   Port to bind to allow trusted ADMIN connections from backend applications.
 #
+# [websocket_secure]
+#   0 or 1.
+#   0: Provide ws service for websocket_ip/websocket_port. [default]
+#   1: Provide wss service for websocket_ip/websocket_port.
+#
 # [websocket_ssl_key]:
 #   Specify the filename holding the SSL key in PEM format.
 #

src/cpp/ripple/Config.cpp

@@ -49,6 +49,7 @@
 #define SECTION_VALIDATION_SEED			"validation_seed"
 #define SECTION_WEBSOCKET_PUBLIC_IP		"websocket_public_ip"
 #define SECTION_WEBSOCKET_PUBLIC_PORT	"websocket_public_port"
+#define SECTION_WEBSOCKET_PUBLIC_SECURE	"websocket_public_secure"
 #define SECTION_WEBSOCKET_IP			"websocket_ip"
 #define SECTION_WEBSOCKET_PORT			"websocket_port"
 #define SECTION_WEBSOCKET_SECURE		"websocket_secure"
@@ -177,6 +178,7 @@ Config::Config()
 	RPC_PORT				= 5001;
 	WEBSOCKET_PORT			= SYSTEM_WEBSOCKET_PORT;
 	WEBSOCKET_PUBLIC_PORT	= SYSTEM_WEBSOCKET_PUBLIC_PORT;
+	WEBSOCKET_PUBLIC_SECURE	= true;
 	WEBSOCKET_SECURE		= false;
 	NUMBER_CONNECTIONS		= 30;
 
@@ -334,6 +336,9 @@ void Config::load()
 			if (sectionSingleB(secConfig, SECTION_WEBSOCKET_SECURE, strTemp))
 				WEBSOCKET_SECURE	= boost::lexical_cast<bool>(strTemp);
 
+			if (sectionSingleB(secConfig, SECTION_WEBSOCKET_PUBLIC_SECURE, strTemp))
+				WEBSOCKET_PUBLIC_SECURE	= boost::lexical_cast<bool>(strTemp);
+
 			sectionSingleB(secConfig, SECTION_WEBSOCKET_SSL_CERT, WEBSOCKET_SSL_CERT);
 			sectionSingleB(secConfig, SECTION_WEBSOCKET_SSL_CHAIN, WEBSOCKET_SSL_CHAIN);
 			sectionSingleB(secConfig, SECTION_WEBSOCKET_SSL_KEY, WEBSOCKET_SSL_KEY);

src/cpp/ripple/Config.h

@@ -101,6 +101,7 @@ public:
 	// Websocket networking parameters
 	std::string					WEBSOCKET_PUBLIC_IP;		// XXX Going away. Merge with the inbound peer connction.
 	int							WEBSOCKET_PUBLIC_PORT;
+	bool						WEBSOCKET_PUBLIC_SECURE;
 
 	std::string					WEBSOCKET_IP;
 	int							WEBSOCKET_PORT;

src/cpp/ripple/WSDoor.cpp

@@ -59,7 +59,7 @@ void WSDoor::startListening()
 
 	SSL_CTX_set_tmp_dh_callback(mCtx->native_handle(), handleTmpDh);
 
-	if (theConfig.WEBSOCKET_SECURE)
+	if (mPublic ? theConfig.WEBSOCKET_PUBLIC_SECURE : theConfig.WEBSOCKET_SECURE)
 	{
 		// Construct a single handler for all requests.
 		websocketpp::server_tls::handler::ptr	handler(new WSServerHandler<websocketpp::server_tls>(mCtx, mPublic));