From 8ffe4e284a9de9caacdbd3d4b7d859b63040f38d Mon Sep 17 00:00:00 2001
From: Devon Steenberg
Date: Fri, 4 Jul 2025 10:48:54 +1200
Subject: [PATCH] fix(tls): set insecureSkipVerify to false in FIPS mode [BE-11932] (#849)
---
 api/cmd/portainer/main.go | 3 ++-
 api/hostmanagement/openamt/openamt.go | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/api/cmd/portainer/main.go b/api/cmd/portainer/main.go
index 90fd34fd2..23bd540a5 100644
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -383,7 +383,8 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 gitService := git.NewService(shutdownCtx)
- openAMTService := openamt.NewService()
+ // Setting insecureSkipVerify to true to preserve the old behaviour.
+ openAMTService := openamt.NewService(true)
 cryptoService := &crypto.Service{}
diff --git a/api/hostmanagement/openamt/openamt.go b/api/hostmanagement/openamt/openamt.go
index b27b78878..5843c1bdb 100644
--- a/api/hostmanagement/openamt/openamt.go
+++ b/api/hostmanagement/openamt/openamt.go
@@ -32,9 +32,9 @@ type Service struct {
 }
 // NewService initializes a new service.
-func NewService() *Service {
+func NewService(insecureSkipVerify bool) *Service {
 tlsConfig := crypto.CreateTLSConfiguration()
- tlsConfig.InsecureSkipVerify = true
+ tlsConfig.InsecureSkipVerify = insecureSkipVerify
 return &Service{
 httpsClient: &http.Client{
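Review bot: The call `openamt.NewService(true)` in the main.go hunk passes a literal, so as far as this file shows, certificate verification for the OpenAMT client stays disabled in every mode. Nothing visible here switches it to `false` under FIPS, which is what the commit title describes. If a FIPS check is reachable at this point in buildServer, the argument should be derived from it rather than hard-coded, e.g. `openamt.NewService(!fipsEnabled)`, where `fipsEnabled` is a placeholder for whatever the project exposes. At minimum the comment should state the consequence and the condition, e.g. `// insecureSkipVerify=true keeps the previous behaviour (server certificate not verified); must be false in FIPS mode.` buildServer's body starts and ends outside the hunk.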
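Review bot: The doc comment on NewService in the openamt.go hunk was not updated for the new `insecureSkipVerify` parameter, and a bare positional bool that turns off certificate verification is easy to pass wrongly at a call site. Document it, e.g. `// NewService initializes a new service. When insecureSkipVerify is true, the TLS configuration skips verification of the server's certificate chain and host name.` Logging a warning when the value is true would also make deployments running without verification visible to operators. The function body continues past the end of the hunk, so how tlsConfig reaches the HTTP client cannot be confirmed from here.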