
HPCC-17247 Dafilesrv SSL and non-SSL together

Signed-off-by: Mark Kelly <mark.kelly@lexisnexisrisk.com>
Mark Kelly 8 years ago
parent
commit
5be7f152ec

+ 6 - 6
common/remote/rmtfile.cpp

@@ -39,7 +39,7 @@ static class CSecuritySettings
 public:
     CSecuritySettings()
     {
-        querySecuritySettings(NULL, &daliServixPort, NULL, NULL);
+        querySecuritySettings(nullptr, &daliServixPort, nullptr, nullptr, nullptr);
     }
 
     unsigned short queryDaliServixPort() { return daliServixPort; }
@@ -315,7 +315,7 @@ bool testDaliServixPresent(const SocketEndpoint &_ep)
     if (ep.isNull())
         return false;
     try {
-        Owned<ISocket> socket = ISocket::connect_timeout(ep,10000);
+        Owned<ISocket> socket = connectDafs(ep, 10000);
         return true;
     }
     catch (IException *e)
@@ -339,7 +339,7 @@ unsigned getDaliServixVersion(const SocketEndpoint &_ep,StringBuffer &ver)
         return 0;
     try
     {
-        Owned<ISocket> socket = ISocket::connect_timeout(ep,10000);
+        Owned<ISocket> socket = connectDafs(ep, 10000);
         return getRemoteVersion(socket,ver);
     }
     catch (IException *e)
@@ -475,7 +475,7 @@ extern REMOTE_API int setDafileSvrTraceFlags(const SocketEndpoint &_ep,byte flag
     if (ep.isNull())
         return -3;
     try {
-        Owned<ISocket> socket = ISocket::connect_wait(ep,5000);
+        Owned<ISocket> socket = connectDafs(ep, 5000);
         return setDafsTrace(socket, flags);
     }
     catch (IException *e)
@@ -493,7 +493,7 @@ extern REMOTE_API int setDafileSvrThrottleLimit(const SocketEndpoint &_ep, Throt
     if (ep.isNull())
         return -3;
     try {
-        Owned<ISocket> socket = ISocket::connect_wait(ep,5000);
+        Owned<ISocket> socket = connectDafs(ep, 5000);
         return setDafsThrottleLimit(socket, throttleClass, throttleLimit, throttleDelayMs, throttleCPULimit, queueLimit, errMsg);
     }
     catch (IException *e)
@@ -511,7 +511,7 @@ extern REMOTE_API int getDafileSvrInfo(const SocketEndpoint &_ep, unsigned level
     if (ep.isNull())
         return false;
     try {
-        Owned<ISocket> socket = ISocket::connect_wait(ep,5000);
+        Owned<ISocket> socket = connectDafs(ep, 5000);
         return getDafsInfo(socket, level, retstr);
     }
     catch (IException *e)
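Review bot: `connectDafs` takes `SocketEndpoint &ep` and, in the SSLFirst/UnsecureFirst fallback path, overwrites `ep.port` with the other dafilesrv port before reconnecting, so after each `connectDafs(ep, …)` call in these hunks the local `ep` no longer necessarily holds the port the caller resolved. That is harmless for the connection itself, but any message or retry built from `ep` after the call (the `catch` blocks begin in these hunks and continue outside them) would report the swapped port. A one-line comment at each call site, `// connectDafs may rewrite ep.port when it falls back to the other dafilesrv port`, would save the next reader a trip into sockfile.cpp; passing a copy is the alternative if the original port must survive.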

+ 301 - 144
common/remote/sockfile.cpp

@@ -162,7 +162,7 @@ struct dummyReadWrite
 // backward compatible modes
 typedef enum { compatIFSHnone, compatIFSHread, compatIFSHwrite, compatIFSHexec, compatIFSHall} compatIFSHmode;
 
-static const char *VERSTRING= "DS V2.0"       // dont forget FILESRV_VERSION in header
+static const char *VERSTRING= "DS V2.1"       // dont forget FILESRV_VERSION in header
 #ifdef _WIN32
 "Windows ";
 #else
@@ -179,14 +179,16 @@ static unsigned maxReceiveTime = 0;
 static class _securitySettings
 {
 public:
-    bool            useSSL;
+    SSLCfg          useSSL;
     unsigned short  daFileSrvPort;
+    unsigned short  daFileSrvSSLPort;
     const char *    certificate;
     const char *    privateKey;
+    const char *    passPhrase;
 
     _securitySettings()
     {
-        querySecuritySettings(&useSSL, &daFileSrvPort, &certificate, &privateKey);
+        queryDafsSecSettings(&useSSL, &daFileSrvPort, &daFileSrvSSLPort, &certificate, &privateKey, &passPhrase);
     }
 } securitySettings;
 
@@ -202,7 +204,7 @@ static ISecureSocket *createSecureSocket(ISocket *sock,SecureSocketType type)
         if (!secureContext)
         {
             if (securitySettings.certificate)
-                secureContext.setown(createSecureSocketContextEx(securitySettings.certificate,securitySettings.privateKey, NULL, type));
+                secureContext.setown(createSecureSocketContextEx(securitySettings.certificate, securitySettings.privateKey, securitySettings.passPhrase, type));
             else
                 secureContext.setown(createSecureSocketContext(type));
         }
@@ -547,7 +549,10 @@ void setDafsEndpointPort(SocketEndpoint &ep)
     }
     if (ep.port==0)
     {
-        ep.port = securitySettings.daFileSrvPort;
+        if ( (securitySettings.useSSL == SSLNone) || (securitySettings.useSSL == UnsecureFirst) )
+            ep.port = securitySettings.daFileSrvPort;
+        else
+            ep.port = securitySettings.daFileSrvSSLPort;
     }
 }
 
@@ -950,19 +955,32 @@ static Semaphore                 treeCopySem;
 
 class CRemoteBase: public CInterface
 {
-
     Owned<ISocket>          socket;
     static  SocketEndpoint  lastfailep;
     static unsigned         lastfailtime;
-    bool                    useSSL;
-    void connectSocket(SocketEndpoint &ep)
+    SSLCfg                  useSSL;
+
+    void connectSocket(SocketEndpoint &ep, unsigned localConnectTime=0, unsigned localRetries=0)
     {
-        sRFTM tm(maxConnectTime);
-        // called in CConnectionTable::crit
         unsigned retries = 3;
+
+        if (localConnectTime)
+        {
+            if (localRetries)
+                retries = localRetries;
+            if (localConnectTime > maxConnectTime)
+                localConnectTime = maxConnectTime;
+        }
+        else
+            localConnectTime = maxConnectTime;
+
+        sRFTM tm(localConnectTime);
+
+        // called in CConnectionTable::crit
+
         if (ep.equals(lastfailep)) {
             if (msTick()-lastfailtime<DAFS_CONNECT_FAIL_RETRY_TIME) {
-                StringBuffer msg("Failed to connect to dafilesrv/daliservix on ");
+                StringBuffer msg("Failed to connect (host marked down) to dafilesrv/daliservix on ");
                 ep.getUrlStr(msg);
                 throw createDafsException(DAFSERR_connection_failed,msg.str());
             }
@@ -974,7 +992,10 @@ class CRemoteBase: public CInterface
             StringBuffer eps;
             if (TF_TRACE_CLIENT_CONN) {
                 ep.getUrlStr(eps);
-                PROGLOG("Connecting %sto %s",useSSL?"SECURE ":"",eps.str());
+                if (ep.port == securitySettings.daFileSrvSSLPort)
+                    PROGLOG("Connecting SECURE to %s", eps.str());
+                else
+                    PROGLOG("Connecting to %s", eps.str());
                 //PrintStackReport();
             }
             bool ok = true;
@@ -986,7 +1007,7 @@ class CRemoteBase: public CInterface
                 }
                 else
                     socket.setown(ISocket::connect(ep));
-                if (useSSL)
+                if (ep.port == securitySettings.daFileSrvSSLPort)
                 {
 #ifdef _USE_OPENSSL
                     Owned<ISecureSocket> ssock = createSecureSocket(socket.getClear(), ClientSocket);
@@ -1006,7 +1027,7 @@ class CRemoteBase: public CInterface
                         lastfailep.set(ep);
                         lastfailtime = msTick();
                         e->Release();
-                        StringBuffer msg("Failed to connect to dafilesrv/daliservix on ");
+                        StringBuffer msg("Failed to connect (setting host down) to dafilesrv/daliservix on ");
                         ep.getUrlStr(msg);
                         throw createDafsException(DAFSERR_connection_failed,msg.str());
                     }
@@ -1044,7 +1065,10 @@ class CRemoteBase: public CInterface
                     sleeptime = remaining/2;
             }
             Sleep(sleeptime);       // prevent multiple retries beating
-            PROGLOG("Retrying %sconnect",useSSL?"SECURE ":"");
+            if (ep.port == securitySettings.daFileSrvSSLPort)
+                PROGLOG("Retrying SECURE connect");
+            else
+                PROGLOG("Retrying connect");
         }
         if (ConnectionTable)
             ConnectionTable->addLink(ep,socket);
@@ -1131,27 +1155,37 @@ protected: friend class CRemoteFileIO;
                         killSocket(tep);
                 }
             }
-            if (!socket) {
-                bool tryNonSecure = true;
-                if (useSSL) {
-                    try {
-                        connectSocket(tep);//first try secure connect
-                        tryNonSecure = false;
-                    }
-                    catch (IException *e) {
-
-                        StringBuffer s;
-                        e->errorMessage(s);
-                        e->Release();
-                        WARNLOG("Secure connect failed, retrying on legacy port (%s)",s.str());
 
-                        useSSL = false;
-                        tep.port = DAFILESRV_PORT;//retry on nonsecure port
-                        tryNonSecure = true;
+            if (!socket)
+            {
+                bool doConnect = true;
+                if (useSSL == SSLFirst || useSSL == UnsecureFirst)
+                {
+                    // MCK - could maintain a list of 100 or so previous endpoints and if connection failed
+                    // then mark port down for a delay (like 15 min above) to avoid having to try every time ...
+                    try
+                    {
+                        connectSocket(tep, 5000, 1);
+                        doConnect = false;
+                    }
+                    catch (IDAFS_Exception *e)
+                    {
+                        if (e->errorCode() == DAFSERR_connection_failed)
+                        {
+                            unsigned prevPort = tep.port;
+                            if (prevPort == securitySettings.daFileSrvSSLPort)
+                                tep.port = securitySettings.daFileSrvPort;
+                            else
+                                tep.port = securitySettings.daFileSrvSSLPort;
+                            WARNLOG("Connect failed on port %d, retrying on port %d", prevPort, tep.port);
+                            doConnect = true;
+                            e->Release();
+                        }
+                        else
+                            throw e;
                     }
                 }
-
-                if (tryNonSecure)
+                if (doConnect)
                     connectSocket(tep);
             }
         }
@@ -2602,6 +2636,77 @@ void CRemoteFile::copyTo(IFile *dest, size32_t buffersize, ICopyFileProgress *pr
 
 /////////////////////////
 
+void checkSocketSecure(ISocket *socket)
+{
+    if (!socket)
+        return;
+
+    if (securitySettings.useSSL == SSLNone)
+        return;
+
+    Owned<ISecureSocket> ssock;
+
+    char pname[256];
+    pname[0] = 0;
+    int pport = socket->peer_name(pname, sizeof(pname)-1);
+
+    if ( (pport == securitySettings.daFileSrvSSLPort) && (!socket->isSecure()) )
+    {
+#ifdef _USE_OPENSSL
+        ssock.setown(createSecureSocket(LINK(socket), ClientSocket));
+        int status = ssock->secure_connect();
+        if (status < 0)
+            throw createDafsException(DAFSERR_connection_failed,"Failure to establish secure connection");
+        socket = ssock;
+#else
+        throw createDafsException(DAFSERR_connection_failed,"Failure to establish secure connection: OpenSSL disabled in build");
+#endif
+    }
+}
+
+ISocket *connectDafs(SocketEndpoint &ep, unsigned timeoutms)
+{
+    Owned<ISocket> socket;
+
+    if ( (securitySettings.useSSL == SSLNone) || (securitySettings.useSSL == SSLOnly) )
+    {
+        socket.setown(ISocket::connect_timeout(ep, timeoutms));
+        return socket.getClear();
+    }
+
+    unsigned newtimeout = timeoutms;
+    if (newtimeout > 5000)
+        newtimeout = 5000;
+
+    bool tryAgain = false;
+    try
+    {
+        socket.setown(ISocket::connect_timeout(ep, newtimeout));
+    }
+    catch (IJSOCK_Exception *e)
+    {
+        if (e->errorCode() == JSOCKERR_connection_failed)
+        {
+            unsigned prevPort = ep.port;
+            if (prevPort == securitySettings.daFileSrvSSLPort)
+                ep.port = securitySettings.daFileSrvPort;
+            else
+                ep.port = securitySettings.daFileSrvSSLPort;
+            WARNLOG("Connect failed on port %d, retrying on port %d", prevPort, ep.port);
+            tryAgain = true;
+        }
+        else
+            throw e;
+    }
+
+    if (tryAgain)
+        socket.setown(ISocket::connect_timeout(ep, timeoutms));
+
+    checkSocketSecure(socket);
+
+    return socket.getClear();
+}
+
 unsigned getRemoteVersion(CRemoteFileIO &remoteFileIO, StringBuffer &ver)
 {
     unsigned ret;
@@ -2648,17 +2753,24 @@ unsigned getRemoteVersion(ISocket * socket, StringBuffer &ver)
 
     Owned<ISecureSocket> ssock;
 
-    if (securitySettings.useSSL && !socket->isSecure())
+    if ( (securitySettings.useSSL == SSLOnly) || (securitySettings.useSSL == SSLFirst) )
     {
+        char pname[256];
+        pname[0] = 0;
+        int pport = socket->peer_name(pname, sizeof(pname)-1);
+
+        if ( (pport == securitySettings.daFileSrvSSLPort) && (!socket->isSecure()) )
+        {
 #ifdef _USE_OPENSSL
-        ssock.setown(createSecureSocket(LINK(socket), ClientSocket));
-        int status = ssock->secure_connect();
-        if (status < 0)
-            throw createDafsException(DAFSERR_connection_failed,"Failure to establish secure connection");
-        socket = ssock;
+            ssock.setown(createSecureSocket(LINK(socket), ClientSocket));
+            int status = ssock->secure_connect();
+            if (status < 0)
+                throw createDafsException(DAFSERR_connection_failed,"Failure to establish secure connection");
+            socket = ssock;
 #else
-        throw createDafsException(DAFSERR_connection_failed,"Failure to establish secure connection: OpenSSL disabled in build");
+            throw createDafsException(DAFSERR_connection_failed,"Failure to establish secure connection: OpenSSL disabled in build");
 #endif
+        }
     }
 
     unsigned ret;
@@ -4261,7 +4373,7 @@ class CRemoteFileServer : implements IRemoteFileServer, public CInterface
     int                 lasthandle;
     CriticalSection     sect;
     Owned<ISocket>      acceptsock;
-    Owned<ISocket>      rejectsock;//used to immediately reject nonsecure connection requests when in secure mode
+    Owned<ISocket>      securesock;
     Owned<ISocketSelectHandler> selecthandler;
     Owned<IThreadPool>  threads;    // for commands
     bool stopping;
@@ -5354,8 +5466,8 @@ public:
         stopping = true;
         if (acceptsock) 
             acceptsock->cancel_accept();
-        if (rejectsock)
-            rejectsock->cancel_accept();
+        if (securesock)
+            securesock->cancel_accept();
         reply.append((unsigned)RFEnoerror);
         return false;
     }
@@ -5629,143 +5741,187 @@ public:
         return new cCommandProcessor();
     }
 
-    void run(SocketEndpoint &listenep, bool useSSL)
+    void run(SSLCfg _useSSL, SocketEndpoint &listenep, unsigned sslPort)
     {
-        Owned<ISocket> acceptSocket, secureRejectSocket;
-        if (listenep.isNull())
-            acceptSocket.setown(ISocket::create(listenep.port));
+        SocketEndpoint sslep(listenep);
+        if (sslPort)
+            sslep.port = sslPort;
         else
+            sslep.port = securitySettings.daFileSrvSSLPort;
+        Owned<ISocket> acceptSocket, acceptSSLSocket;
+
+        if (_useSSL != SSLOnly)
         {
-            StringBuffer ips;
-            listenep.getIpText(ips);
-            acceptSocket.setown(ISocket::create_ip(listenep.port,ips.str()));
-        }
-        if (useSSL)
-        {
-            if (!securitySettings.certificate)
-                throw createDafsException(DAFSERR_connection_failed,"SSL Certificate information not found in environment.conf");
-            if (listenep.port <= 0)
-            {
-                assertex(FALSE);//should never get here
-                listenep.port = securitySettings.daFileSrvPort;
-            }
-            //Create unsecure socket to reject non-ssl client requests
+            if (listenep.port == 0)
+                throw createDafsException(DAFSERR_connection_failed, "dafilesrv port not specified");
+
             if (listenep.isNull())
-                secureRejectSocket.setown(ISocket::create(DAFILESRV_PORT));
+                acceptSocket.setown(ISocket::create(listenep.port));
             else
             {
                 StringBuffer ips;
                 listenep.getIpText(ips);
-                secureRejectSocket.setown(ISocket::create_ip(DAFILESRV_PORT,ips.str()));
+                acceptSocket.setown(ISocket::create_ip(listenep.port,ips.str()));
             }
         }
-        run(acceptSocket.getClear(), secureRejectSocket.getClear());
+
+        if (_useSSL)
+        {
+            if (sslep.port == 0)
+                throw createDafsException(DAFSERR_connection_failed, "Secure dafilesrv port not specified");
+
+            if ( (_useSSL != UnsecureFirst) && (!securitySettings.certificate || !securitySettings.privateKey) )
+                throw createDafsException(DAFSERR_connection_failed, "SSL Certificate and/or Key file information not found in environment.conf");
+
+            if (sslep.isNull())
+                acceptSSLSocket.setown(ISocket::create(sslep.port));
+            else
+            {
+                StringBuffer ips;
+                sslep.getIpText(ips);
+                acceptSSLSocket.setown(ISocket::create_ip(sslep.port,ips.str()));
+            }
+        }
+
+        run(_useSSL, acceptSocket.getClear(), acceptSSLSocket.getClear());
     }
-    void run(ISocket *socket, ISocket *secureRejectSocket)
+
+    void run(SSLCfg _useSSL, ISocket *regSocket, ISocket *secureSocket)
     {
-        acceptsock.setown(socket);
-        rejectsock.setown(secureRejectSocket);
-        bool useSSL = secureRejectSocket ? true : false;
-#ifdef _DEBUG
-        SocketEndpoint listenep;
-        socket->getPeerEndpoint(listenep);
-        StringBuffer sb;
-        listenep.getUrlStr(sb);
-        DBGLOG("Server accepting %sfrom %s", useSSL?"SECURE ":"", sb.str());
-#endif
-        selecthandler->start();
+        if (_useSSL != SSLOnly)
+        {
+            if (regSocket)
+                acceptsock.setown(regSocket);
+            else
+                throw createDafsException(DAFSERR_connection_failed, "Invalid non-secure socket");
+        }
 
-        UnsignedArray readSocks;
-        if (useSSL)
+        if (_useSSL)
         {
-            readSocks.append(acceptsock->OShandle());
-            readSocks.append(rejectsock->OShandle());
+            if (secureSocket)
+                securesock.setown(secureSocket);
+            else
+                throw createDafsException(DAFSERR_connection_failed, "Invalid secure socket");
         }
 
+        selecthandler->start();
+
         for (;;)
         {
             Owned<ISocket> sock;
+            Owned<ISocket> sockSSL;
             bool sockavail = false;
-            try
+            bool securesockavail = false;
+            if (_useSSL == SSLNone)
+                sockavail = acceptsock->wait_read(1000*60*1)!=0;
+            else if (_useSSL == SSLOnly)
+                securesockavail = securesock->wait_read(1000*60*1)!=0;
+            else
             {
-                if (!useSSL)
-                    sockavail = acceptsock->wait_read(1000*60*1)!=0;
-                else
+                UnsignedArray readSocks;
+                UnsignedArray waitingSocks;
+                readSocks.append(acceptsock->OShandle());
+                readSocks.append(securesock->OShandle());
+                int numReady = wait_read_multiple(readSocks, 1000*60*1, waitingSocks);
+                if (numReady > 0)
                 {
-                    UnsignedArray waitingSocks;
-                    //SSL Enabled. Listen for non SSL connection on DAFILESRV_PORT and reject them
-                    int numReady = wait_read_multiple(readSocks, 1000*60*1, waitingSocks);
-                    if (numReady)
+                    for (int idx = 0; idx < numReady; idx++)
                     {
-                        for (int idx = 0; idx < numReady; idx++)
-                        {
-                            if (waitingSocks.item(idx) == rejectsock->OShandle())
-                            {
-                                //Unsecure connection attemped, reject !
-                                Owned<ISocket> s;
-                                s.setown(rejectsock->accept(true));
-                                IpAddress ip;
-                                StringBuffer sb;
-                                s->getPeerAddress(ip);
-                                ip.getIpText(sb);
-                                DBGLOG("Rejecting nonsecure connect from %s",sb.str());
-                                s->close();
-                            }
-                            else
-                            {
-                                sockavail = true;
-                            }
-                        }
+                        if (waitingSocks.item(idx) == acceptsock->OShandle())
+                            sockavail = true;
+                        else if (waitingSocks.item(idx) == securesock->OShandle())
+                            securesockavail = true;
                     }
                 }
-#if 0
-                if (!sockavail)
-                {
-                    JSocketStatistics stats;
-                    getSocketStatistics(stats);
-                    StringBuffer s;
-                    getSocketStatisticsString(stats,s);
-                    PROGLOG( "Socket statistics : \n%s\n",s.str());
-                }
-#endif
             }
-            catch (IException *e)
+#if 0
+            if (!sockavail && !securesockavail)
             {
-                EXCLOG(e,"CRemoteFileServer(1)");
-                e->Release();
-                // not sure what to do so just accept
-                sockavail = true;
+                JSocketStatistics stats;
+                getSocketStatistics(stats);
+                StringBuffer s;
+                getSocketStatisticsString(stats,s);
+                PROGLOG( "Socket statistics : \n%s\n",s.str());
             }
+#endif
+
             if (stopping)
                 break;
-            if (sockavail)
+
+            if (sockavail || securesockavail)
             {
-                try
+                if (sockavail)
                 {
-                    sock.setown(acceptsock->accept(true));
-                    if (useSSL)
+                    try
                     {
-#ifdef _USE_OPENSSL
-                        Owned<ISecureSocket> ssock = createSecureSocket(sock.getClear(), ServerSocket);
-                        int status = ssock->secure_accept();
-                        if (status < 0)
-                            throw createDafsException(DAFSERR_connection_failed,"Failure to establish secure connection");
-                        sock.setown(ssock.getLink());
-#else
-                        throw createDafsException(DAFSERR_connection_failed,"Failure to establish secure connection: OpenSSL disabled in build");
+                        sock.setown(acceptsock->accept(true));
+                        if (!sock||stopping)
+                            break;
+#ifdef _DEBUG
+                        SocketEndpoint eps;
+                        sock->getPeerEndpoint(eps);
+                        StringBuffer sb;
+                        eps.getUrlStr(sb);
+                        PROGLOG("Server accepting from %s", sb.str());
 #endif
                     }
-                    if (!sock||stopping)
+                    catch (IException *e)
+                    {
+                        EXCLOG(e,"CRemoteFileServer");
+                        e->Release();
                         break;
-                    runClient(sock.getClear());
+                    }
                 }
-                catch (IException *e)
+
+                if (securesockavail)
                 {
-                    EXCLOG(e,"CRemoteFileServer");
-                    e->Release();
-                    sock.clear();
-                    if (!QUERYINTERFACE(e, IJSOCK_Exception))
+                    try
+                    {
+                        sockSSL.setown(securesock->accept(true));
+                        if (!sockSSL||stopping)
+                            break;
+
+                        if ( (_useSSL == UnsecureFirst) && (!securitySettings.certificate || !securitySettings.privateKey) )
+                        {
+                            // for client secure_connect() to fail quickly ...
+                            sockSSL->shutdown();
+                            sockSSL->close();
+                            sockSSL.clear();
+                            securesockavail = false;
+                        }
+                        else
+                        {
+#ifdef _USE_OPENSSL
+                            Owned<ISecureSocket> ssock = createSecureSocket(sockSSL.getClear(), ServerSocket);
+                            int status = ssock->secure_accept();
+                            if (status < 0)
+                                throw createDafsException(DAFSERR_connection_failed,"Failure to establish secure connection");
+                            sockSSL.setown(ssock.getLink());
+#else
+                            throw createDafsException(DAFSERR_connection_failed,"Failure to establish secure connection: OpenSSL disabled in build");
+#endif
+#ifdef _DEBUG
+                            SocketEndpoint eps;
+                            sockSSL->getPeerEndpoint(eps);
+                            StringBuffer sb;
+                            eps.getUrlStr(sb);
+                            PROGLOG("Server accepting SECURE from %s", sb.str());
+#endif
+                        }
+                    }
+                    catch (IException *e)
+                    {
+                        EXCLOG(e,"CRemoteFileServer (secure)");
+                        e->Release();
                         break;
+                    }
+
+                    if (sockavail)
+                        runClient(sock.getClear());
+
+                    if (securesockavail)
+                        runClient(sockSSL.getClear());
+
                 }
             }
             else
@@ -5890,8 +6046,8 @@ public:
             PROGLOG("CRemoteFileServer::stop");
         if (acceptsock)
             acceptsock->cancel_accept();
-        if (rejectsock)
-            rejectsock->cancel_accept();
+        if (securesock)
+            securesock->cancel_accept();
         threads->stopAll();
         threads->joinAll(true,60*1000);
     }
@@ -6135,7 +6291,8 @@ protected:
         // IThreaded
             virtual void main()
             {
-                server->run(socket, nullptr);
+                SSLCfg sslCfg = SSLNone;
+                server->run(sslCfg, socket, nullptr);
             }
         };
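Review bot: In the rewritten accept loop of `run(SSLCfg, ISocket*, ISocket*)` the two `runClient` calls (`if (sockavail) runClient(sock.getClear());` and the secure counterpart) sit inside the `if (securesockavail) { … }` block — the brace opened right after `if (securesockavail)` is the one closed two lines below the secure `runClient` — so a connection accepted on the plain port is only handed to `runClient` when a secure connection is ready in the same wait, and in SSLNone mode, where `securesockavail` is never set, the accepted `sock` is released by its `Owned` destructor at the end of the iteration without being served. Both calls belong at the level of `if (sockavail || securesockavail)`. Separately, a failed TLS handshake on the secure listener (`secure_accept()` returning <0 throws `DAFSERR_connection_failed`, which lands in the `catch` that does `break`) terminates the whole accept loop, so one peer that cannot complete the handshake stops service for every other client; a per-connection failure should clear `sockSSL`, reset `securesockavail` and keep looping, leaving `break` for the `stopping` case. The plain-socket `catch` just above has the same shape and the same fix applies. The loop tail would then read as below.
```cpp
                    catch (IException *e)
                    {
                        EXCLOG(e,"CRemoteFileServer (secure)");
                        e->Release();
                        sockSSL.clear();
                        securesockavail = false;   // per-connection failure: keep accepting
                    }
                }   // end of the securesockavail block

                if (sockavail)
                    runClient(sock.getClear());

                if (securesockavail)
                    runClient(sockSSL.getClear());
```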
         enableDafsAuthentication(false);

+ 4 - 2
common/remote/sockfile.hpp

@@ -53,14 +53,14 @@ enum ThrottleClass
 
 interface IRemoteFileServer : extends IInterface
 {
-    virtual void run(SocketEndpoint &listenep, bool useSSL = false) = 0;
+    virtual void run(SSLCfg useSSL, SocketEndpoint &listenep, unsigned sslPort=0) = 0;
     virtual void stop() = 0;
     virtual unsigned idleTime() = 0; // in ms
     virtual void setThrottle(ThrottleClass throttleClass, unsigned limit, unsigned delayMs=DEFAULT_STDCMD_THROTTLEDELAYMS, unsigned cpuThreshold=DEFAULT_STDCMD_THROTTLECPULIMIT, unsigned queueLimit=DEFAULT_STDCMD_THROTTLEQUEUELIMIT) = 0;
     virtual StringBuffer &getStats(StringBuffer &stats, bool reset) = 0;
 };
 
-#define FILESRV_VERSION 20 // don't forget VERSTRING in sockfile.cpp
+#define FILESRV_VERSION 21 // don't forget VERSTRING in sockfile.cpp
 
 interface IKeyManager;
 interface IDelayedFile;
@@ -78,6 +78,8 @@ extern void remoteExtractBlobElements(const SocketEndpoint &ep, const char * pre
 extern int getDafsInfo(ISocket * socket, unsigned level, StringBuffer &retstr);
 extern void setDafsEndpointPort(SocketEndpoint &ep);
 extern void setDafsLocalMountRedirect(const IpAddress &ip,const char *dir,const char *mountdir);
+extern REMOTE_API ISocket *connectDafs(SocketEndpoint &ep, unsigned timeoutms);
+extern REMOTE_API void checkSocketSecure(ISocket *socket);
 
 // client only
 extern void clientSetDaliServixSocketCaching(bool set);
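Review bot: `checkSocketSecure(ISocket *socket)` takes the pointer by value, so the definition in sockfile.cpp (`socket = ssock;` after `secure_connect()`) only rebinds its local parameter and the `Owned<ISecureSocket>` wrapper is released when it returns; `connectDafs`, which calls it just before `return socket.getClear();`, therefore hands back the original plaintext socket even when the peer port is the SSL port. `getRemoteVersion` in sockfile.cpp re-wraps the socket itself, but the new rmtfile.cpp callers (`setDafileSvrTraceFlags`, `setDafileSvrThrottleLimit`, `getDafileSvrInfo`) rely on `connectDafs` alone, so in SSLFirst/UnsecureFirst mode they would send plaintext to a listener that performs `secure_accept()` on that port. Declaring it as `extern REMOTE_API ISocket *checkSocketSecure(ISocket *socket); // returns the (possibly TLS-wrapped) socket; caller owns the result` and having `connectDafs` store the returned socket would let the upgrade reach the caller, with the reference taken by `LINK(socket)` released accordingly.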

+ 136 - 36
dali/dafilesrv/dafilesrv.cpp

@@ -37,19 +37,21 @@
 void usage()
 {
     printf("dafilesrv usage:\n");
-    printf("    dafilesrv -T<n> <port> <-NOSSL> [<send-buff-size-kb> <recv-buff-size-kb>]\n");
+    printf("    dafilesrv [-T<n>] [...] [<port>] [<send-buff-size-kb> <recv-buff-size-kb>]\n");
     printf("                                                  -- run test local\n");
     printf("    dafilesrv -D [ -L <log-dir> ] [ -LOCAL ]      -- run as linux daemon\n");
     printf("    dafilesrv -R                                  -- run remote (linux daemon, windows standalone)\n");
     printf("    dafilesrv -install                            -- install windows service\n");
     printf("    dafilesrv -remove                             -- remove windows service\n\n");
-    
-    printf("add -A to enable authentication to the above \n\n");
-    printf("add -I <instance name>  to specify an instance name\n\n");
-    printf("add -NOSSL to disable SSL sockets, even when specified in configuration\n\n");
-    printf("Standard port is %d\n",DAFILESRV_PORT);
-    printf("Standard SSL port is %d (certificate specs required in environment.conf)\n",SECURE_DAFILESRV_PORT);
-    printf("Version:  %s\n\n",remoteServerVersionString());
+    printf("    add -A to enable authentication to the above\n");
+    printf("    add -I <instance name> to specify an instance name\n");
+    printf("    add -NOSSL to disable SSL sockets, even when specified in configuration\n\n");
+    printf("    additional optional args:\n");
+    printf("        [-p <port>] [-sslp <ssl-port>] [-sbsize <send-buff-size-kb>] [-rbsize <recv-buff-size-kb>]\n");
+    printf("        [-addr <ip>:<port>]\n\n");
+    printf("    Standard port is %d\n",DAFILESRV_PORT);
+    printf("    Standard SSL port is %d (certificate and key required in environment.conf)\n",SECURE_DAFILESRV_PORT);
+    printf("    Version:  %s\n\n",remoteServerVersionString());
 }
 
 static Owned<IRemoteFileServer> server;
@@ -349,11 +351,13 @@ int main(int argc,char **argv)
     StringBuffer logDir;
     StringBuffer instanceName;
 
-   //Get SSL Settings
+    // Get SSL Settings
+    SSLCfg          useSSL;
+    unsigned short  port;
+    unsigned short  sslport;
     const char *    sslCertFile;
-    bool            useSSL;
-    unsigned short  dafsPort;//DAFILESRV_PORT or SECURE_DAFILESRV_PORT
-    querySecuritySettings(&useSSL, &dafsPort, &sslCertFile, NULL);
+    const char *    sslKeyFile;
+    queryDafsSecSettings(&useSSL, &port, &sslport, &sslCertFile, &sslKeyFile, nullptr);
 
     unsigned maxThreads = DEFAULT_THREADLIMIT;
     unsigned maxThreadsDelayMs = DEFAULT_THREADLIMITDELAYMS;
@@ -417,6 +421,9 @@ int main(int argc,char **argv)
         }
     }
 
+    // these should really be in env, but currently they are not ...
+    listenep.port = port;
+
     while (argc>i) {
         if (stricmp(argv[i],"-D")==0) {
             i++;
@@ -448,26 +455,53 @@ int main(int argc,char **argv)
             i++;
             instanceName.clear().append(argv[i++]);
         }
+        else if ((argc>i+1)&&(stricmp(argv[i],"-p")==0)) {
+            i++;
+            listenep.port = atoi(argv[i++]);
+        }
+        else if ((argc>i+1)&&(stricmp(argv[i],"-addr")==0)) {
+            i++;
+            if (strchr(argv[i],'.')||!isdigit(argv[i][0]))
+                listenep.set(argv[i], listenep.port);
+            else
+                listenep.port = atoi(argv[i]);
+            i++;
+        }
+        else if ((argc>i+1)&&(stricmp(argv[i],"-sslp")==0)) {
+            i++;
+            sslport = atoi(argv[i++]);
+        }
+        else if ((argc>i+1)&&(stricmp(argv[i],"-sbsize")==0)) {
+            i++;
+            sendbufsize = atoi(argv[i++]);
+        }
+        else if ((argc>i+1)&&(stricmp(argv[i],"-rbsize")==0)) {
+            i++;
+            recvbufsize = atoi(argv[i++]);
+        }
+        else if (stricmp(argv[i],"-h")==0) {
+            usage();
+            exit(0);
+        }
         else if (stricmp(argv[i],"-LOCAL")==0) { 
             i++;
             locallisten = true;
         }
-        else if (stricmp(argv[i],"-NOSSL")==0) {//overrides config setting
+        else if (stricmp(argv[i],"-NOSSL")==0) { // overrides config setting
             i++;
             if (useSSL)
             {
                 PROGLOG("DaFileSrv SSL specified in config but overridden by -NOSSL in command line");
-                useSSL = false;
-                dafsPort = DAFILESRV_PORT;
+                useSSL = SSLNone;
             }
         }
         else
             break;
     }
 
-    if (useSSL && !sslCertFile)
+    if ( ((useSSL == SSLOnly) || (useSSL == SSLFirst)) && (!sslCertFile || !sslKeyFile) )
     {
-        ERRLOG("DaFileSrv SSL specified but certificate file information missing from environment.conf");
+        ERRLOG("DaFileSrv SSL specified but certificate and/or key file information missing from environment.conf");
         exit(-1);
     }
 
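Review bot: The certificate/key check at `if ( ((useSSL == SSLOnly) || (useSSL == SSLFirst)) && ...` leaves out `UnsecureFirst`, yet every other site treats that mode as SSL-enabled (the port validation requires `sslport`, the start-up log announces a SECURE endpoint, and `server->run` receives `sslport`), so a misconfigured UnsecureFirst server reaches the listener without a cert or key and the failure, if any, surfaces later and less clearly. The condition should be `if ( (useSSL != SSLNone) && (!sslCertFile || !sslKeyFile) )`. Separately, the new `-sbsize`/`-rbsize` options store `atoi(argv[i++])` directly although the usage text says the values are in KB and the positional path multiplies by 1024; `sendbufsize = atoi(argv[i++])*1024;` (and the same for `recvbufsize`) keeps the two consistent. The port options also accept any `atoi` result into an `unsigned short` without a range check, so values above 65535 silently wrap. main() continues outside this hunk.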
@@ -499,28 +533,42 @@ int main(int argc,char **argv)
         return 1;
     }
 #endif
-    if (argc == i)
-        listenep.port = dafsPort;
-    else {
+    if (argc > i) {
         if (strchr(argv[i],'.')||!isdigit(argv[i][0]))
-            listenep.set(argv[i], dafsPort);
+            listenep.set(argv[i], listenep.port);
         else
             listenep.port = atoi(argv[i]);
-        if (listenep.port==0) {
-            usage();
-            exit(-1);
-        }
         sendbufsize = (argc>i+1)?(atoi(argv[i+1])*1024):0;
         recvbufsize = (argc>i+2)?(atoi(argv[i+2])*1024):0;
     }
+
+    if ( (useSSL == SSLNone) && (listenep.port == 0) )
+    {
+        printf("\nError, port must not be 0\n");
+        usage();
+        exit(-1);
+    }
+    else if ( (useSSL == SSLOnly) && (sslport == 0) )
+    {
+        printf("\nError, secure port must not be 0\n");
+        usage();
+        exit(-1);
+    }
+    else if ( ((useSSL == SSLFirst) || (useSSL == UnsecureFirst)) && ((listenep.port == 0) || (sslport == 0)) )
+    {
+        printf("\nError, both port and secure port must not be 0\n");
+        usage();
+        exit(-1);
+    }
+
     if (isdaemon) {
 #ifdef _WIN32
         class cserv: public CService
         {
             bool stopped;
             bool started;
+            SSLCfg useSSL;
             SocketEndpoint listenep;
-            bool useSSL;
             bool requireauthenticate;
             unsigned maxThreads;
             unsigned maxThreadsDelayMs;
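Review bot: In the positional-argument branch `sendbufsize = (argc>i+1)?(atoi(argv[i+1])*1024):0;` and the `recvbufsize` line unconditionally overwrite whatever `-sbsize`/`-rbsize` set earlier in the option loop, resetting them to 0 whenever an address is given without the trailing size arguments. Make the assignments conditional, `if (argc>i+1) sendbufsize = atoi(argv[i+1])*1024;` and `if (argc>i+2) recvbufsize = atoi(argv[i+2])*1024;`, so the named options survive. The new port validation rejects only 0; a non-numeric argument also yields 0 from `atoi` and is reported as "port must not be 0", which is a confusing message for that case, so consider checking the parse separately. main() continues outside this hunk.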
@@ -534,7 +582,6 @@ int main(int argc,char **argv)
 
             
             class cpollthread: public Thread
-                
             {
                 cserv *parent;
             public:
@@ -553,11 +600,11 @@ int main(int argc,char **argv)
 
         public:
 
-            cserv(SocketEndpoint _listenep, bool _useSSL,
+            cserv(SSLCfg _useSSL, SocketEndpoint _listenep,
                         unsigned _maxThreads, unsigned _maxThreadsDelayMs, unsigned _maxAsyncCopy,
                         unsigned _parallelRequestLimit, unsigned _throttleDelayMs, unsigned _throttleCPULimit,
                         unsigned _parallelSlowRequestLimit, unsigned _throttleSlowDelayMs, unsigned _throttleSlowCPULimit)
-            : listenep(_listenep),useSSL(_useSSL),pollthread(this),
+            : useSSL(_useSSL), listenep(_listenep), pollthread(this),
                   maxThreads(_maxThreads), maxThreadsDelayMs(_maxThreadsDelayMs), maxAsyncCopy(_maxAsyncCopy),
                   parallelRequestLimit(_parallelRequestLimit), throttleDelayMs(_throttleDelayMs), throttleCPULimit(_throttleCPULimit),
                   parallelSlowRequestLimit(_parallelSlowRequestLimit), throttleSlowDelayMs(_throttleSlowDelayMs), throttleSlowCPULimit(_throttleSlowCPULimit)
@@ -615,13 +662,40 @@ int main(int argc,char **argv)
                                     &dwSize);
                     RegCloseKey(hkey);
                 }
+
+                enableDafsAuthentication(requireauthenticate!=0);
+
                 StringBuffer eps;
                 if (listenep.isNull())
                     eps.append(listenep.port);
                 else
                     listenep.getUrlStr(eps);
-                enableDafsAuthentication(requireauthenticate!=0);
-                PROGLOG("Opening " DAFS_SERVICE_DISPLAY_NAME " on %s%s", useSSL?"SECURE ":"",eps.str());
+
+                if (useSSL != SSLOnly)
+                    PROGLOG("Opening " DAFS_SERVICE_DISPLAY_NAME " on %s", eps.str());
+                if (useSSL)
+                {
+                    SocketEndpoint sslep(listenep);
+                    sslep.port = sslport;
+                    eps.kill();
+                    if (sslep.isNull())
+                        eps.append(sslep.port);
+                    else
+                        sslep.getUrlStr(eps);
+                    PROGLOG("Opening " DAFS_SERVICE_DISPLAY_NAME " on SECURE %s", eps.str());
+                }
+
+                StringBuffer secMethod;
+                if (useSSL == SSLNone)
+                    secMethod.append("SSLNone");
+                else if (useSSL == SSLOnly)
+                    secMethod.append("SSLOnly");
+                else if (useSSL == SSLFirst)
+                    secMethod.append("SSLFirst");
+                else if (useSSL == UnsecureFirst)
+                    secMethod.append("UnsecureFirst");
+                PROGLOG("Dali File Server socket security model: %s", secMethod.str());
+
                 const char * verstring = remoteServerVersionString();
                 PROGLOG("Version: %s", verstring);
                 PROGLOG("Authentication:%s required",requireauthenticate?"":" not");
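Review bot: The `SSLCfg`-to-name chain and the SECURE-endpoint logging added here are duplicated verbatim in the non-Windows path of main() (the hunk at `@@ -662,13 +736,39 @@`), and an unexpected enum value logs an empty model name. A small file-scope helper removes the duplication and keeps the two log formats from drifting; `if (useSSL)` also silently depends on `SSLNone` being 0, which is worth a comment at the enum. The enclosing service class and main() continue outside this hunk.
```cpp
// Name of the configured socket security model, for the start-up log lines.
static const char *sslCfgName(SSLCfg cfg)
{
    switch (cfg)
    {
    case SSLNone:       return "SSLNone";
    case SSLOnly:       return "SSLOnly";
    case SSLFirst:      return "SSLFirst";
    case UnsecureFirst: return "UnsecureFirst";
    }
    return "unknown";
}
// … unchanged: service start, registry read, endpoint logging …
PROGLOG("Dali File Server socket security model: %s", sslCfgName(useSSL));
```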
@@ -630,7 +704,7 @@ int main(int argc,char **argv)
                 server->setThrottle(ThrottleStd, parallelRequestLimit, throttleDelayMs, throttleCPULimit);
                 server->setThrottle(ThrottleSlow, parallelSlowRequestLimit, throttleSlowDelayMs, throttleSlowCPULimit);
                 try {
-                    server->run(listenep, useSSL);
+                    server->run(useSSL, listenep, sslport);
                 }
                 catch (IException *e) {
                     EXCLOG(e,DAFS_SERVICE_NAME);
@@ -639,7 +713,7 @@ int main(int argc,char **argv)
                 PROGLOG(DAFS_SERVICE_DISPLAY_NAME " Stopped");
                 stopped = true;
             }
-        } service(listenep, useSSL,
+        } service(useSSL, listenep,
                 maxThreads, maxThreadsDelayMs, maxAsyncCopy,
                 parallelRequestLimit, throttleDelayMs, throttleCPULimit,
                 parallelSlowRequestLimit, throttleSlowDelayMs, throttleSlowCPULimit);
@@ -662,13 +736,39 @@ int main(int argc,char **argv)
     PROGLOG("Parallel request limit = %d, throttleDelayMs = %d, throttleCPULimit = %d", parallelRequestLimit, throttleDelayMs, throttleCPULimit);
 
     const char * verstring = remoteServerVersionString();
+
+    enableDafsAuthentication(requireauthenticate);
+
     StringBuffer eps;
     if (listenep.isNull())
         eps.append(listenep.port);
     else
         listenep.getUrlStr(eps);
-    enableDafsAuthentication(requireauthenticate);
-    PROGLOG("Opening Dali File Server on %s%s", useSSL?"SECURE ":"",eps.str());
+    if (useSSL != SSLOnly)
+        PROGLOG("Opening Dali File Server on %s", eps.str());
+    if (useSSL)
+    {
+        SocketEndpoint sslep(listenep);
+        sslep.port = sslport;
+        eps.kill();
+        if (sslep.isNull())
+            eps.append(sslep.port);
+        else
+            sslep.getUrlStr(eps);
+        PROGLOG("Opening Dali File Server on SECURE %s", eps.str());
+    }
+
+    StringBuffer secMethod;
+    if (useSSL == SSLNone)
+        secMethod.append("SSLNone");
+    else if (useSSL == SSLOnly)
+        secMethod.append("SSLOnly");
+    else if (useSSL == SSLFirst)
+        secMethod.append("SSLFirst");
+    else if (useSSL == UnsecureFirst)
+        secMethod.append("UnsecureFirst");
+    PROGLOG("Dali File Server socket security model: %s", secMethod.str());
+
     PROGLOG("Version: %s", verstring);
     PROGLOG("Authentication:%s required",requireauthenticate?"":" not");
     server.setown(createRemoteFileServer(maxThreads, maxThreadsDelayMs, maxAsyncCopy));
@@ -693,7 +793,7 @@ int main(int argc,char **argv)
     writeSentinelFile(sentinelFile);
     try
     {
-        server->run(listenep, useSSL);
+        server->run(useSSL, listenep, sslport);
     }
     catch (IException *e)
     {

+ 52 - 8
dali/dfuplus/dfuplus.cpp

@@ -36,15 +36,18 @@
 
 static class CSecuritySettings
 {
-    bool useSSL;
+    SSLCfg useSSL;
     unsigned short daliServixPort;
+    unsigned short daliServixSSLPort;
 public:
     CSecuritySettings()
     {
-        querySecuritySettings(&useSSL, &daliServixPort, nullptr, nullptr);
+        queryDafsSecSettings(&useSSL, &daliServixPort, &daliServixSSLPort, nullptr, nullptr, nullptr);
     }
 
+    SSLCfg querySSLCfg() { return useSSL; }
     unsigned short queryDaliServixPort() { return daliServixPort; }
+    unsigned short queryDaliServixSSLPort() { return daliServixSSLPort; }
 } securitySettings;
 
 class CDafsThread: public Thread
@@ -59,11 +62,13 @@ public:
     {
         if (listenep.port==0)
             listenep.port = securitySettings.queryDaliServixPort();
+#if 0
         StringBuffer eps;
         if (listenep.isNull())
             eps.append(listenep.port);
         else
             listenep.getUrlStr(eps);
+#endif
         enableDafsAuthentication(requireauthenticate);
         server.setown(createRemoteFileServer());
         server->setThrottle(ThrottleStd, 0); // disable throttling
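Review bot: The `#if 0` block keeps dead code in the constructor: `eps` is never used after this change, so the five lines between `#if 0` and `#endif` should simply be deleted rather than compiled out. Version control already preserves the old text, and a disabled block tends to rot and confuse the next reader. The CDafsThread constructor starts outside this hunk.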
@@ -73,7 +78,7 @@ public:
     int run()
     {
         try {
-            server->run(listenep);
+            server->run(securitySettings.querySSLCfg(), listenep);
         }
         catch (IException *e) {
             EXCLOG(e,"dfuplus(dafilesrv)");
@@ -110,12 +115,51 @@ bool CDfuPlusHelper::runLocalDaFileSvr(SocketEndpoint &listenep,bool requireauth
     Owned<CDafsThread> thr = new CDafsThread(listenep,requireauthenticate);
     if (!thr->ok())
         return false;
-    thr->start();
-    StringBuffer eps;
-    if (listenep.isNull())
-        progress("Started local Dali file server on port %d\n", listenep.port?listenep.port:securitySettings.queryDaliServixPort());
+
+    unsigned port = listenep.port;
+    if (!port)
+        port = securitySettings.queryDaliServixPort();
+
+    unsigned sslport = securitySettings.queryDaliServixSSLPort();
+
+    SSLCfg useSSL = securitySettings.querySSLCfg();
+
+    StringBuffer addlPort;
+    SocketEndpoint printep(listenep);
+    if (printep.isNull())
+    {
+        if (useSSL == SSLNone)
+            addlPort.appendf("%u", port);
+        else if (useSSL == SSLOnly)
+            addlPort.appendf("%u", sslport);
+        else if (useSSL == SSLFirst)
+            addlPort.appendf("%u:%u", sslport, port);
+        else
+            addlPort.appendf("%u:%u", port, sslport);
+        progress("Started local Dali file server on port %s\n", addlPort.str());
+    }
     else
-        progress("Started local Dali file server on %s\n", listenep.getUrlStr(eps).str());
+    {
+        if (useSSL == SSLNone)
+            printep.port = port;
+        else if (useSSL == SSLOnly)
+            printep.port = sslport;
+        else if (useSSL == SSLFirst)
+        {
+            printep.port = sslport;
+            addlPort.appendf(":%u", port);
+        }
+        else
+        {
+            printep.port = port;
+            addlPort.appendf(":%u", sslport);
+        }
+        StringBuffer eps;
+        progress("Started local Dali file server on %s%s\n", printep.getUrlStr(eps).str(), addlPort.str());
+    }
+
+    thr->start();
+
     if (timeout==0) {
         setDafsTrace(nullptr,0); // disable client tracing
         dafsthread.setown(thr.getClear());
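Review bot: The "Started local Dali file server" message is now printed before `thr->start()` and reports `sslport` taken from `securitySettings`, while the thread's `server->run(securitySettings.querySSLCfg(), listenep)` (earlier hunk) is not given that port; the two agree only if `run()`'s default secure port matches `queryDaliServixSSLPort()`, which I cannot confirm from here. Passing the port explicitly, `server->run(securitySettings.querySSLCfg(), listenep, securitySettings.queryDaliServixSSLPort());`, removes the dependency. The trailing `else` branches at the two `UnsecureFirst` cases would read more safely as `else if (useSSL == UnsecureFirst)` so a future enum value does not silently pick the unsecure-first layout. runLocalDaFileSvr continues outside this hunk.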

+ 4 - 2
initfiles/etc/DIR_NAME/environment.conf.in

@@ -28,8 +28,10 @@ mpStart=7101
 mpEnd=7500
 mpSoMaxConn=128
 mpTraceLevel=0
-#enable SSL for dafilesrv remote file access
-#dfsUseSSL=false
+# enable SSL for dafilesrv remote file access (SSLNone/false | SSLOnly/true | SSLFirst | UnsecureFirst)
+#dfsUseSSL=SSLNone
+# note: if passphrase specified it must be encrypted
+#dfsSSLPassPhrase=
 #dfsSSLCertFile=/certfilepath/certfile
 #dfsSSLPrivateKeyFile=/keyfilepath/keyfile
 
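Review bot: The note `# note: if passphrase specified it must be encrypted` does not say how to produce the encrypted value, which is the one thing an operator filling in this file needs; name the tool or command that generates it. If the `decrypt()` used in jutil.cpp relies on a key built into the binaries, the stored value is obfuscated rather than protected, and the comment should say that file permissions on environment.conf remain the real control for `dfsSSLPassPhrase` and `dfsSSLPrivateKeyFile`. The `dfsUseSSL` comment could also state that unrecognised values are currently treated as SSLNone, since that is the behaviour the parser implements.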

+ 1 - 0
initfiles/etc/DIR_NAME/environment.xml.in

@@ -777,6 +777,7 @@
   <logfields>TIM+DAT+MLT+MID+PID+TID+COD+QUO+PFX</logfields>
   <use_epoll>true</use_epoll>
   <udp_stats>true</udp_stats>
+  <dfsUseSSL>SSLNone</dfsUseSSL>
   <runtime>${RUNTIME_PATH}</runtime>
   <lock>${LOCK_PATH}</lock>
   <configs>${CONFIG_DIR}</configs>

+ 2 - 0
system/jlib/jlib.hpp

@@ -204,6 +204,8 @@ public:
     inline bool zap(TYPE * x)                   { return PointerArray::zap(x); }
 };
 
+enum SSLCfg { SSLNone = 0, SSLOnly, SSLFirst, UnsecureFirst };
+
 #include "jstring.hpp"
 #include "jarray.hpp"
 #include "jhash.hpp"
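Review bot: `enum SSLCfg` is added with no comment, yet callers rely on an invariant the declaration does not state: `SSLNone` must stay 0 because the server and client code test the value as a boolean (`if (useSSL)`) to mean "SSL enabled in any form". Add `// SSLNone must remain 0: callers test a SSLCfg as a bool to mean "any SSL enabled"` above the enum, and a one-line meaning for each of SSLOnly, SSLFirst and UnsecureFirst (which port is tried first). This is an unscoped enum in a header included everywhere, so the four names are global; that is acceptable given the truthiness tests, but worth noting as deliberate.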

+ 53 - 6
system/jlib/jutil.cpp

@@ -28,6 +28,7 @@
 #include "jfile.hpp"
 #include "jprop.hpp"
 #include "jerror.hpp"
+#include "jencrypt.hpp"
 #ifdef _WIN32
 #include <mmsystem.h> // for timeGetTime 
 #include <float.h> //for _isnan and _fpclass
@@ -2396,14 +2397,16 @@ jlib_decl const IProperties &queryEnvironmentConf()
 }
 
 static CriticalSection securitySettingsCrit;
-static bool useSSL = false;
+static SSLCfg useSSL = SSLNone;
 static StringAttr certificate;
 static StringAttr privateKey;
+static StringAttr passPhrase;
 static bool retrieved = false;
-jlib_decl bool querySecuritySettings(bool *          _useSSL,
+jlib_decl bool querySecuritySettings(SSLCfg *        _useSSL,
                                      unsigned short *_port,
                                      const char * *  _certificate,
-                                     const char * *  _privateKey)
+                                     const char * *  _privateKey,
+                                     const char * *  _passPhrase)
 {
     if (!retrieved)
     {
@@ -2417,11 +2420,31 @@ jlib_decl bool querySecuritySettings(bool *          _useSSL,
                 configFileSpec.set(CONFIG_DIR).append(PATHSEPSTR).append("environment.conf");
 #endif
                 Owned<IProperties> conf = createProperties(configFileSpec.str(), true);
-                useSSL = conf->getPropBool("dfsUseSSL", false);
+                StringAttr sslMethod;
+                sslMethod.set(conf->queryProp("dfsUseSSL"));
+                if (sslMethod)
+                {
+                    // checking for true | false for backward compatibility
+                    if ( strieq(sslMethod.str(), "SSLOnly") || strieq(sslMethod.str(), "true") )
+                        useSSL = SSLOnly;
+                    else if ( strieq(sslMethod.str(), "SSLFirst") )
+                        useSSL = SSLFirst;
+                    else if ( strieq(sslMethod.str(), "UnsecureFirst") )
+                        useSSL = UnsecureFirst;
+                    else // SSLNone or false or ...
+                        useSSL = SSLNone;
+                }
                 if (useSSL)
                 {
                     certificate.set(conf->queryProp("dfsSSLCertFile"));
                     privateKey.set(conf->queryProp("dfsSSLPrivateKeyFile"));
+                    const char *passPhrasePtr = conf->queryProp("dfsSSLPassPhrase");
+                    if (!isEmptyString(passPhrasePtr))
+                    {
+                        StringBuffer passPhraseStr;
+                        decrypt(passPhraseStr, passPhrasePtr);
+                        passPhrase.set(passPhraseStr.str());
+                    }
                 }
                 retrieved = true;
             }
@@ -2437,22 +2460,46 @@ jlib_decl bool querySecuritySettings(bool *          _useSSL,
         if (_useSSL)
             *_useSSL = useSSL;
         if (_port)
-            *_port = useSSL ? SECURE_DAFILESRV_PORT : DAFILESRV_PORT;
+        {
+            // port to try first (or only) ...
+            if ( (useSSL == SSLNone) || (useSSL == UnsecureFirst) )
+                *_port = DAFILESRV_PORT;
+            else
+                *_port = SECURE_DAFILESRV_PORT;
+        }
         if (_certificate)
             *_certificate = certificate.get();
         if (_privateKey)
             *_privateKey = privateKey.get();
+        if (_passPhrase)
+            *_passPhrase = passPhrase.get();
     }
     else
     {
         if (_useSSL)
-            *_useSSL = false;
+            *_useSSL = SSLNone;
         if (_port)
             *_port = DAFILESRV_PORT;
     }
     return retrieved;
 }
 
+jlib_decl bool queryDafsSecSettings(SSLCfg *        _useSSL,
+                                    unsigned short *_port,
+                                    unsigned short *_sslport,
+                                    const char * *  _certificate,
+                                    const char * *  _privateKey,
+                                    const char * *  _passPhrase)
+{
+    bool ret = querySecuritySettings(_useSSL, nullptr, _certificate, _privateKey, _passPhrase);
+    // these should really be in env, but currently they are not ...
+    if (_port)
+        *_port = DAFILESRV_PORT;
+    if (_sslport)
+        *_sslport = SECURE_DAFILESRV_PORT;
+    return ret;
+}
+
 static IPropertyTree *getOSSdirTree()
 {
     Owned<IPropertyTree> envtree = getHPCCEnvironment();
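Review bot: `queryDafsSecSettings` and `querySecuritySettings` use the same parameter name `_port` for two different things: in the older function it is the port to try first (SECURE_DAFILESRV_PORT for SSLOnly/SSLFirst), in the new one it is always the non-SSL port with `_sslport` alongside. Document that at each definition, e.g. `// _port: the non-SSL listen port; _sslport: the SSL listen port (both fixed until env carries them)` above `queryDafsSecSettings`, and `// _port: the port a client should try first for the configured SSLCfg` at the older one. The `else` branch for the not-retrieved case still does not write `_certificate`, `_privateKey` or `_passPhrase`; setting them to `nullptr` there would make the out-params reliable for every caller.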

+ 10 - 2
system/jlib/jutil.hpp

@@ -360,10 +360,18 @@ extern jlib_decl bool getConfigurationDirectory(const IPropertyTree *dirtree, //
                                                 const char *instance, 
                                                 StringBuffer &dirout);
 
-extern jlib_decl bool querySecuritySettings(bool *          _useSSL,
+extern jlib_decl bool querySecuritySettings(SSLCfg *        _useSSL,
                                             unsigned short *_port,
                                             const char * *  _certificate,
-                                            const char * *  _privateKey);
+                                            const char * *  _privateKey,
+                                            const char * *  _passPhrase);
+
+extern jlib_decl bool queryDafsSecSettings(SSLCfg *        _useSSL,
+                                           unsigned short *_port,
+                                           unsigned short *_sslport,
+                                           const char * *  _certificate,
+                                           const char * *  _privateKey,
+                                           const char * *  _passPhrase);
 
 extern jlib_decl const char * matchConfigurationDirectoryEntry(const char *path,const char *mask,StringBuffer &name, StringBuffer &component, StringBuffer &instance);
 extern jlib_decl bool replaceConfigurationDirectoryEntry(const char *path,const char *frommask,const char *tomask,StringBuffer &out);
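Review bot: Neither declaration documents ownership or lifetime of the `const char *` values returned through `_certificate`, `_privateKey` and `_passPhrase`; from jutil.cpp they point into function-static `StringAttr` storage, so callers must not free them and the pointers stay valid for the process lifetime. Add a comment such as `// String out-params point at static storage owned by jlib; do not free. _passPhrase is the decrypted private-key passphrase.` above `querySecuritySettings`, and note on both that the `bool` return reports whether environment.conf was read, in which case only `_useSSL` and the port out-params are written.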

+ 1 - 0
testing/regress/environment.xml.in

@@ -764,6 +764,7 @@
   <logfields>TIM+DAT+MLT+MID+PID+TID+COD+QUO+PFX</logfields>
   <use_epoll>true</use_epoll>
   <udp_stats>true</udp_stats>
+  <dfsUseSSL>SSLNone</dfsUseSSL>
   <runtime>${RUNTIME_PATH}</runtime>
   <lock>${LOCK_PATH}</lock>
   <configs>${CONFIG_DIR}</configs>