Merge pull request #10121 from mckellyln/dafilesrv_ssl_refinements1

HPCC-17815 Dafilesrv ssl refinements1

Reviewed-By: Russ Whitehead <william.whitehead@lexisnexis.com>
Reviewed-By: Jake Smith <jake.smith@lexisnexis.com>
Reviewed-By: Richard Chapman <rchapman@hpccsystems.com>

common/remote/remoteerr.hpp

@@ -94,7 +94,9 @@ interface REMOTE_API IDAFS_Exception: extends IException
 enum DAFS_ERROR_CODES {
     DAFSERR_connection_failed               = -1,   
     DAFSERR_authenticate_failed             = -2,
-    DAFSERR_protocol_failure                = -3
+    DAFSERR_protocol_failure                = -3,
+    DAFSERR_serveraccept_failed             = -4,
+    DAFSERR_serverinit_failed               = -5
 };
 
 

common/remote/sockfile.cpp

@@ -179,7 +179,7 @@ static unsigned maxReceiveTime = 0;
 static class _securitySettings
 {
 public:
-    SSLCfg          useSSL;
+    DAFSConnectCfg  connectMethod;
     unsigned short  daFileSrvPort;
     unsigned short  daFileSrvSSLPort;
     const char *    certificate;
@@ -188,7 +188,7 @@ public:
 
     _securitySettings()
     {
-        queryDafsSecSettings(&useSSL, &daFileSrvPort, &daFileSrvSSLPort, &certificate, &privateKey, &passPhrase);
+        queryDafsSecSettings(&connectMethod, &daFileSrvPort, &daFileSrvSSLPort, &certificate, &privateKey, &passPhrase);
     }
 } securitySettings;
 
@@ -549,7 +549,7 @@ void setDafsEndpointPort(SocketEndpoint &ep)
     }
     if (ep.port==0)
     {
-        if ( (securitySettings.useSSL == SSLNone) || (securitySettings.useSSL == UnsecureFirst) )
+        if ( (securitySettings.connectMethod == SSLNone) || (securitySettings.connectMethod == UnsecureFirst) )
             ep.port = securitySettings.daFileSrvPort;
         else
             ep.port = securitySettings.daFileSrvSSLPort;
@@ -958,7 +958,7 @@ class CRemoteBase: public CInterface
     Owned<ISocket>          socket;
     static  SocketEndpoint  lastfailep;
     static unsigned         lastfailtime;
-    SSLCfg                  useSSL;
+    DAFSConnectCfg          connectMethod;
 
     void connectSocket(SocketEndpoint &ep, unsigned localConnectTime=0, unsigned localRetries=0)
     {
@@ -1159,7 +1159,7 @@ protected: friend class CRemoteFileIO;
             if (!socket)
             {
                 bool doConnect = true;
-                if (useSSL == SSLFirst || useSSL == UnsecureFirst)
+                if (connectMethod == SSLFirst || connectMethod == UnsecureFirst)
                 {
                     // MCK - could maintain a list of 100 or so previous endpoints and if connection failed
                     // then mark port down for a delay (like 15 min above) to avoid having to try every time ...
@@ -1329,7 +1329,7 @@ public:
         : filename(_filename)
     {
         ep = _ep;
-        useSSL = securitySettings.useSSL;
+        connectMethod = securitySettings.connectMethod;
     }
 
     void connect()
@@ -2638,7 +2638,7 @@ void CRemoteFile::copyTo(IFile *dest, size32_t buffersize, ICopyFileProgress *pr
 
 ISocket *checkSocketSecure(ISocket *socket)
 {
-    if (securitySettings.useSSL == SSLNone)
+    if (securitySettings.connectMethod == SSLNone)
         return LINK(socket);
 
     char pname[256];
@@ -2666,7 +2666,7 @@ ISocket *connectDafs(SocketEndpoint &ep, unsigned timeoutms)
 {
     Owned<ISocket> socket;
 
-    if ( (securitySettings.useSSL == SSLNone) || (securitySettings.useSSL == SSLOnly) )
+    if ( (securitySettings.connectMethod == SSLNone) || (securitySettings.connectMethod == SSLOnly) )
     {
         socket.setown(ISocket::connect_timeout(ep, timeoutms));
         return socket.getClear();
@@ -5721,7 +5721,29 @@ public:
         return new cCommandProcessor();
     }
 
-    void run(SSLCfg _useSSL, SocketEndpoint &listenep, unsigned sslPort)
+    void cleanupSocket(ISocket *sock)
+    {
+        if (!sock)
+            return;
+        try
+        {
+            sock->shutdown();
+        }
+        catch (IException *e)
+        {
+            e->Release();
+        }
+        try
+        {
+            sock->close();
+        }
+        catch (IException *e)
+        {
+            e->Release();
+        }
+    }
+
+    void run(DAFSConnectCfg _connectMethod, SocketEndpoint &listenep, unsigned sslPort)
     {
         SocketEndpoint sslep(listenep);
         if (sslPort)
@@ -5730,10 +5752,10 @@ public:
             sslep.port = securitySettings.daFileSrvSSLPort;
         Owned<ISocket> acceptSocket, acceptSSLSocket;
 
-        if (_useSSL != SSLOnly)
+        if (_connectMethod != SSLOnly)
         {
             if (listenep.port == 0)
-                throw createDafsException(DAFSERR_connection_failed, "dafilesrv port not specified");
+                throw createDafsException(DAFSERR_serverinit_failed, "dafilesrv port not specified");
 
             if (listenep.isNull())
                 acceptSocket.setown(ISocket::create(listenep.port));
@@ -5745,13 +5767,40 @@ public:
             }
         }
 
-        if (_useSSL)
+        if (_connectMethod == SSLOnly || _connectMethod == SSLFirst || _connectMethod == UnsecureFirst)
         {
             if (sslep.port == 0)
-                throw createDafsException(DAFSERR_connection_failed, "Secure dafilesrv port not specified");
+                throw createDafsException(DAFSERR_serverinit_failed, "Secure dafilesrv port not specified");
 
-            if ( (_useSSL != UnsecureFirst) && (!securitySettings.certificate || !securitySettings.privateKey) )
-                throw createDafsException(DAFSERR_connection_failed, "SSL Certificate and/or Key file information not found in environment.conf");
+            if (_connectMethod == UnsecureFirst)
+            {
+                // don't fail, but warn - this allows for fast SSL client rejections
+                if (!securitySettings.certificate)
+                    WARNLOG("SSL Certificate information not found in environment.conf, cannot accept SSL connections");
+                else if ( !checkFileExists(securitySettings.certificate) )
+                {
+                    WARNLOG("SSL Certificate File not found in environment.conf, cannot accept SSL connections");
+                    securitySettings.certificate = nullptr;
+                }
+                if (!securitySettings.privateKey)
+                    WARNLOG("SSL Key information not found in environment.conf, cannot accept SSL connections");
+                else if ( !checkFileExists(securitySettings.privateKey) )
+                {
+                    WARNLOG("SSL Key File not found in environment.conf, cannot accept SSL connections");
+                    securitySettings.privateKey = nullptr;
+                }
+            }
+            else
+            {
+                if (!securitySettings.certificate)
+                    throw createDafsException(DAFSERR_serverinit_failed, "SSL Certificate information not found in environment.conf");
+                if (!checkFileExists(securitySettings.certificate))
+                    throw createDafsException(DAFSERR_serverinit_failed, "SSL Certificate File not found in environment.conf");
+                if (!securitySettings.privateKey)
+                    throw createDafsException(DAFSERR_serverinit_failed, "SSL Key information not found in environment.conf");
+                if (!checkFileExists(securitySettings.privateKey))
+                    throw createDafsException(DAFSERR_serverinit_failed, "SSL Key File not found in environment.conf");
+            }
 
             if (sslep.isNull())
                 acceptSSLSocket.setown(ISocket::create(sslep.port));
@@ -5763,25 +5812,25 @@ public:
             }
         }
 
-        run(_useSSL, acceptSocket.getClear(), acceptSSLSocket.getClear());
+        run(_connectMethod, acceptSocket.getClear(), acceptSSLSocket.getClear());
     }
 
-    void run(SSLCfg _useSSL, ISocket *regSocket, ISocket *secureSocket)
+    void run(DAFSConnectCfg _connectMethod, ISocket *regSocket, ISocket *secureSocket)
     {
-        if (_useSSL != SSLOnly)
+        if (_connectMethod != SSLOnly)
         {
             if (regSocket)
                 acceptsock.setown(regSocket);
             else
-                throw createDafsException(DAFSERR_connection_failed, "Invalid non-secure socket");
+                throw createDafsException(DAFSERR_serverinit_failed, "Invalid non-secure socket");
         }
 
-        if (_useSSL)
+        if (_connectMethod == SSLOnly || _connectMethod == SSLFirst || _connectMethod == UnsecureFirst)
         {
             if (secureSocket)
                 securesock.setown(secureSocket);
             else
-                throw createDafsException(DAFSERR_connection_failed, "Invalid secure socket");
+                throw createDafsException(DAFSERR_serverinit_failed, "Invalid secure socket");
         }
 
         selecthandler->start();
@@ -5792,9 +5841,9 @@ public:
             Owned<ISocket> sockSSL;
             bool sockavail = false;
             bool securesockavail = false;
-            if (_useSSL == SSLNone)
+            if (_connectMethod == SSLNone)
                 sockavail = acceptsock->wait_read(1000*60*1)!=0;
-            else if (_useSSL == SSLOnly)
+            else if (_connectMethod == SSLOnly)
                 securesockavail = securesock->wait_read(1000*60*1)!=0;
             else
             {
@@ -5855,30 +5904,30 @@ public:
 
                 if (securesockavail)
                 {
+                    Owned<ISecureSocket> ssock;
                     try
                     {
                         sockSSL.setown(securesock->accept(true));
                         if (!sockSSL||stopping)
                             break;
 
-                        if ( (_useSSL == UnsecureFirst) && (!securitySettings.certificate || !securitySettings.privateKey) )
+                        if ( (_connectMethod == UnsecureFirst) && (!securitySettings.certificate || !securitySettings.privateKey) )
                         {
                             // for client secure_connect() to fail quickly ...
-                            sockSSL->shutdown();
-                            sockSSL->close();
+                            cleanupSocket(sockSSL);
                             sockSSL.clear();
                             securesockavail = false;
                         }
                         else
                         {
 #ifdef _USE_OPENSSL
-                            Owned<ISecureSocket> ssock = createSecureSocket(sockSSL.getClear(), ServerSocket);
+                            ssock.setown(createSecureSocket(sockSSL.getClear(), ServerSocket));
                             int status = ssock->secure_accept();
                             if (status < 0)
-                                throw createDafsException(DAFSERR_connection_failed,"Failure to establish secure connection");
+                                throw createDafsException(DAFSERR_serveraccept_failed,"Failure to establish secure connection");
                             sockSSL.setown(ssock.getLink());
 #else
-                            throw createDafsException(DAFSERR_connection_failed,"Failure to establish secure connection: OpenSSL disabled in build");
+                            throw createDafsException(DAFSERR_serveraccept_failed,"Failure to establish secure connection: OpenSSL disabled in build");
 #endif
 #ifdef _DEBUG
                             SocketEndpoint eps;
@@ -5889,12 +5938,23 @@ public:
 #endif
                         }
                     }
-                    catch (IException *e)
+                    catch (IJSOCK_Exception *e)
                     {
+                        // accept failed ...
                         EXCLOG(e,"CRemoteFileServer (secure)");
                         e->Release();
                         break;
                     }
+                    catch (IException *e) // IDAFS_Exception also ...
+                    {
+                        EXCLOG(e,"CRemoteFileServer1 (secure)");
+                        e->Release();
+                        cleanupSocket(sockSSL);
+                        sockSSL.clear();
+                        cleanupSocket(ssock);
+                        ssock.clear();
+                        securesockavail = false;
+                    }
                 }
 
                 if (sockavail)
@@ -6270,7 +6330,7 @@ protected:
         // IThreaded
             virtual void main()
             {
-                SSLCfg sslCfg = SSLNone;
+                DAFSConnectCfg sslCfg = SSLNone;
                 server->run(sslCfg, socket, nullptr);
             }
         };

common/remote/sockfile.hpp

@@ -53,7 +53,7 @@ enum ThrottleClass
 
 interface IRemoteFileServer : extends IInterface
 {
-    virtual void run(SSLCfg useSSL, SocketEndpoint &listenep, unsigned sslPort=0) = 0;
+    virtual void run(DAFSConnectCfg connectMethod, SocketEndpoint &listenep, unsigned sslPort=0) = 0;
     virtual void stop() = 0;
     virtual unsigned idleTime() = 0; // in ms
     virtual void setThrottle(ThrottleClass throttleClass, unsigned limit, unsigned delayMs=DEFAULT_STDCMD_THROTTLEDELAYMS, unsigned cpuThreshold=DEFAULT_STDCMD_THROTTLECPULIMIT, unsigned queueLimit=DEFAULT_STDCMD_THROTTLEQUEUELIMIT) = 0;

dali/dafilesrv/dafilesrv.cpp

@@ -32,6 +32,7 @@
 #endif
 
 
+#include "remoteerr.hpp"
 #include "sockfile.hpp"
 
 void usage()
@@ -352,12 +353,12 @@ int main(int argc,char **argv)
     StringBuffer instanceName;
 
     // Get SSL Settings
-    SSLCfg          useSSL;
+    DAFSConnectCfg  connectMethod;
     unsigned short  port;
     unsigned short  sslport;
     const char *    sslCertFile;
     const char *    sslKeyFile;
-    queryDafsSecSettings(&useSSL, &port, &sslport, &sslCertFile, &sslKeyFile, nullptr);
+    queryDafsSecSettings(&connectMethod, &port, &sslport, &sslCertFile, &sslKeyFile, nullptr);
 
     unsigned maxThreads = DEFAULT_THREADLIMIT;
     unsigned maxThreadsDelayMs = DEFAULT_THREADLIMITDELAYMS;
@@ -489,35 +490,16 @@ int main(int argc,char **argv)
         }
         else if (stricmp(argv[i],"-NOSSL")==0) { // overrides config setting
             i++;
-            if (useSSL)
+            if (connectMethod == SSLOnly || connectMethod == SSLFirst || connectMethod == UnsecureFirst)
             {
                 PROGLOG("DaFileSrv SSL specified in config but overridden by -NOSSL in command line");
-                useSSL = SSLNone;
+                connectMethod = SSLNone;
             }
         }
         else
             break;
     }
 
-    if ( (useSSL == SSLOnly) || (useSSL == SSLFirst) )
-    {
-        if ( !sslCertFile || !sslKeyFile )
-        {
-            ERRLOG("DaFileSrv SSL specified but certificate and/or key file information missing from environment.conf");
-            exit(-1);
-        }
-        if ( !checkFileExists(sslCertFile) )
-        {
-            ERRLOG("DaFileSrv SSL specified but certificate file (%s) not found", sslCertFile);
-            exit(-1);
-        }
-        if ( !checkFileExists(sslKeyFile) )
-        {
-            ERRLOG("DaFileSrv SSL specified but key file (%s) not found", sslKeyFile);
-            exit(-1);
-        }
-    }
-
     if (0 == logDir.length())
     {
         getConfigurationDirectory(NULL,"log","dafilesrv",instanceName.str(),logDir);
@@ -555,32 +537,42 @@ int main(int argc,char **argv)
         recvbufsize = (argc>i+2)?(atoi(argv[i+2])*1024):0;
     }
 
-    if ( (useSSL == SSLNone) && (listenep.port == 0) )
+    if ( (connectMethod == SSLNone) && (listenep.port == 0) )
     {
         printf("\nError, port must not be 0\n");
         usage();
         exit(-1);
     }
-    else if ( (useSSL == SSLOnly) && (sslport == 0) )
+    else if ( (connectMethod == SSLOnly) && (sslport == 0) )
     {
         printf("\nError, secure port must not be 0\n");
         usage();
         exit(-1);
     }
-    else if ( ((useSSL == SSLFirst) || (useSSL == UnsecureFirst)) && ((listenep.port == 0) || (sslport == 0)) )
+    else if ( ((connectMethod == SSLFirst) || (connectMethod == UnsecureFirst)) && ((listenep.port == 0) || (sslport == 0)) )
     {
         printf("\nError, both port and secure port must not be 0\n");
         usage();
         exit(-1);
     }
 
+    StringBuffer secMethod;
+    if (connectMethod == SSLNone)
+        secMethod.append("SSLNone");
+    else if (connectMethod == SSLOnly)
+        secMethod.append("SSLOnly");
+    else if (connectMethod == SSLFirst)
+        secMethod.append("SSLFirst");
+    else if (connectMethod == UnsecureFirst)
+        secMethod.append("UnsecureFirst");
+
     if (isdaemon) {
 #ifdef _WIN32
         class cserv: public CService
         {
             bool stopped;
             bool started;
-            SSLCfg useSSL;
+            DAFSConnectCfg connectMethod;
             SocketEndpoint listenep;
             bool requireauthenticate;
             unsigned maxThreads;
@@ -613,12 +605,12 @@ int main(int argc,char **argv)
 
         public:
 
-            cserv(SSLCfg _useSSL, SocketEndpoint _listenep,
+            cserv(DAFSConnectCfg _connectMethod, SocketEndpoint _listenep,
                         unsigned _maxThreads, unsigned _maxThreadsDelayMs, unsigned _maxAsyncCopy,
                         unsigned _parallelRequestLimit, unsigned _throttleDelayMs, unsigned _throttleCPULimit,
                         unsigned _parallelSlowRequestLimit, unsigned _throttleSlowDelayMs, unsigned _throttleSlowCPULimit,
                         unsigned _sslport)
-            : useSSL(_useSSL), listenep(_listenep), pollthread(this),
+            : connectMethod(_connectMethod), listenep(_listenep), pollthread(this),
                   maxThreads(_maxThreads), maxThreadsDelayMs(_maxThreadsDelayMs), maxAsyncCopy(_maxAsyncCopy),
                   parallelRequestLimit(_parallelRequestLimit), throttleDelayMs(_throttleDelayMs), throttleCPULimit(_throttleCPULimit),
                   parallelSlowRequestLimit(_parallelSlowRequestLimit), throttleSlowDelayMs(_throttleSlowDelayMs), throttleSlowCPULimit(_throttleSlowCPULimit),
@@ -686,9 +678,9 @@ int main(int argc,char **argv)
                 else
                     listenep.getUrlStr(eps);
 
-                if (useSSL != SSLOnly)
+                if (connectMethod != SSLOnly)
                     PROGLOG("Opening " DAFS_SERVICE_DISPLAY_NAME " on %s", eps.str());
-                if (useSSL)
+                if (connectMethod == SSLOnly || connectMethod == SSLFirst || connectMethod == UnsecureFirst)
                 {
                     SocketEndpoint sslep(listenep);
                     sslep.port = sslport;
@@ -700,15 +692,6 @@ int main(int argc,char **argv)
                     PROGLOG("Opening " DAFS_SERVICE_DISPLAY_NAME " on SECURE %s", eps.str());
                 }
 
-                StringBuffer secMethod;
-                if (useSSL == SSLNone)
-                    secMethod.append("SSLNone");
-                else if (useSSL == SSLOnly)
-                    secMethod.append("SSLOnly");
-                else if (useSSL == SSLFirst)
-                    secMethod.append("SSLFirst");
-                else if (useSSL == UnsecureFirst)
-                    secMethod.append("UnsecureFirst");
                 PROGLOG("Dali File Server socket security model: %s", secMethod.str());
 
                 const char * verstring = remoteServerVersionString();
@@ -719,7 +702,7 @@ int main(int argc,char **argv)
                 server->setThrottle(ThrottleStd, parallelRequestLimit, throttleDelayMs, throttleCPULimit);
                 server->setThrottle(ThrottleSlow, parallelSlowRequestLimit, throttleSlowDelayMs, throttleSlowCPULimit);
                 try {
-                    server->run(useSSL, listenep, sslport);
+                    server->run(connectMethod, listenep, sslport);
                 }
                 catch (IException *e) {
                     EXCLOG(e,DAFS_SERVICE_NAME);
@@ -728,7 +711,7 @@ int main(int argc,char **argv)
                 PROGLOG(DAFS_SERVICE_DISPLAY_NAME " Stopped");
                 stopped = true;
             }
-        } service(useSSL, listenep,
+        } service(connectMethod, listenep,
                 maxThreads, maxThreadsDelayMs, maxAsyncCopy,
                 parallelRequestLimit, throttleDelayMs, throttleCPULimit,
                 parallelSlowRequestLimit, throttleSlowDelayMs, throttleSlowCPULimit, sslport);
@@ -759,9 +742,9 @@ int main(int argc,char **argv)
         eps.append(listenep.port);
     else
         listenep.getUrlStr(eps);
-    if (useSSL != SSLOnly)
+    if (connectMethod != SSLOnly)
         PROGLOG("Opening Dali File Server on %s", eps.str());
-    if (useSSL)
+    if (connectMethod == SSLOnly || connectMethod == SSLFirst || connectMethod == UnsecureFirst)
     {
         SocketEndpoint sslep(listenep);
         sslep.port = sslport;
@@ -773,15 +756,6 @@ int main(int argc,char **argv)
         PROGLOG("Opening Dali File Server on SECURE %s", eps.str());
     }
 
-    StringBuffer secMethod;
-    if (useSSL == SSLNone)
-        secMethod.append("SSLNone");
-    else if (useSSL == SSLOnly)
-        secMethod.append("SSLOnly");
-    else if (useSSL == SSLFirst)
-        secMethod.append("SSLFirst");
-    else if (useSSL == UnsecureFirst)
-        secMethod.append("UnsecureFirst");
     PROGLOG("Dali File Server socket security model: %s", secMethod.str());
 
     PROGLOG("Version: %s", verstring);
@@ -808,11 +782,13 @@ int main(int argc,char **argv)
     writeSentinelFile(sentinelFile);
     try
     {
-        server->run(useSSL, listenep, sslport);
+        server->run(connectMethod, listenep, sslport);
     }
     catch (IException *e)
     {
         EXCLOG(e,"DAFILESRV");
+        if (e->errorCode() == DAFSERR_serverinit_failed)
+            removeSentinelFile(sentinelFile); // so init does not keep trying to start it ...
         e->Release();
     }
     stopPerformanceMonitor();

dali/dfuplus/dfuplus.cpp

@@ -36,16 +36,16 @@
 
 static class CSecuritySettings
 {
-    SSLCfg useSSL;
+    DAFSConnectCfg connectMethod;
     unsigned short daliServixPort;
     unsigned short daliServixSSLPort;
 public:
     CSecuritySettings()
     {
-        queryDafsSecSettings(&useSSL, &daliServixPort, &daliServixSSLPort, nullptr, nullptr, nullptr);
+        queryDafsSecSettings(&connectMethod, &daliServixPort, &daliServixSSLPort, nullptr, nullptr, nullptr);
     }
 
-    SSLCfg querySSLCfg() { return useSSL; }
+    DAFSConnectCfg queryDAFSConnectCfg() { return connectMethod; }
     unsigned short queryDaliServixPort() { return daliServixPort; }
     unsigned short queryDaliServixSSLPort() { return daliServixSSLPort; }
 } securitySettings;
@@ -78,7 +78,7 @@ public:
     int run()
     {
         try {
-            server->run(securitySettings.querySSLCfg(), listenep);
+            server->run(securitySettings.queryDAFSConnectCfg(), listenep);
         }
         catch (IException *e) {
             EXCLOG(e,"dfuplus(dafilesrv)");
@@ -122,17 +122,17 @@ bool CDfuPlusHelper::runLocalDaFileSvr(SocketEndpoint &listenep,bool requireauth
 
     unsigned sslport = securitySettings.queryDaliServixSSLPort();
 
-    SSLCfg useSSL = securitySettings.querySSLCfg();
+    DAFSConnectCfg connectMethod = securitySettings.queryDAFSConnectCfg();
 
     StringBuffer addlPort;
     SocketEndpoint printep(listenep);
     if (printep.isNull())
     {
-        if (useSSL == SSLNone)
+        if (connectMethod == SSLNone)
             addlPort.appendf("%u", port);
-        else if (useSSL == SSLOnly)
+        else if (connectMethod == SSLOnly)
             addlPort.appendf("%u", sslport);
-        else if (useSSL == SSLFirst)
+        else if (connectMethod == SSLFirst)
             addlPort.appendf("%u:%u", sslport, port);
         else
             addlPort.appendf("%u:%u", port, sslport);
@@ -140,11 +140,11 @@ bool CDfuPlusHelper::runLocalDaFileSvr(SocketEndpoint &listenep,bool requireauth
     }
     else
     {
-        if (useSSL == SSLNone)
+        if (connectMethod == SSLNone)
             printep.port = port;
-        else if (useSSL == SSLOnly)
+        else if (connectMethod == SSLOnly)
             printep.port = sslport;
-        else if (useSSL == SSLFirst)
+        else if (connectMethod == SSLFirst)
         {
             printep.port = sslport;
             addlPort.appendf(":%u", port);

system/jlib/jlib.hpp

@@ -204,7 +204,7 @@ public:
     inline bool zap(TYPE * x)                   { return PointerArray::zap(x); }
 };
 
-enum SSLCfg { SSLNone = 0, SSLOnly, SSLFirst, UnsecureFirst };
+enum DAFSConnectCfg { SSLNone = 0, SSLOnly, SSLFirst, UnsecureFirst };
 
 #include "jstring.hpp"
 #include "jarray.hpp"

system/jlib/jutil.cpp

@@ -2397,12 +2397,12 @@ jlib_decl const IProperties &queryEnvironmentConf()
 }
 
 static CriticalSection securitySettingsCrit;
-static SSLCfg useSSL = SSLNone;
+static DAFSConnectCfg connectMethod = SSLNone;
 static StringAttr certificate;
 static StringAttr privateKey;
 static StringAttr passPhrase;
 static bool retrieved = false;
-jlib_decl bool querySecuritySettings(SSLCfg *        _useSSL,
+jlib_decl bool querySecuritySettings(DAFSConnectCfg *_connectMethod,
                                      unsigned short *_port,
                                      const char * *  _certificate,
                                      const char * *  _privateKey,
@@ -2426,15 +2426,15 @@ jlib_decl bool querySecuritySettings(SSLCfg *        _useSSL,
                 {
                     // checking for true | false for backward compatibility
                     if ( strieq(sslMethod.str(), "SSLOnly") || strieq(sslMethod.str(), "true") )
-                        useSSL = SSLOnly;
+                        connectMethod = SSLOnly;
                     else if ( strieq(sslMethod.str(), "SSLFirst") )
-                        useSSL = SSLFirst;
+                        connectMethod = SSLFirst;
                     else if ( strieq(sslMethod.str(), "UnsecureFirst") )
-                        useSSL = UnsecureFirst;
+                        connectMethod = UnsecureFirst;
                     else // SSLNone or false or ...
-                        useSSL = SSLNone;
+                        connectMethod = SSLNone;
                 }
-                if (useSSL)
+                if (connectMethod == SSLOnly || connectMethod == SSLFirst || connectMethod == UnsecureFirst)
                 {
                     certificate.set(conf->queryProp("dfsSSLCertFile"));
                     privateKey.set(conf->queryProp("dfsSSLPrivateKeyFile"));
@@ -2457,12 +2457,12 @@ jlib_decl bool querySecuritySettings(SSLCfg *        _useSSL,
     }
     if (retrieved)
     {
-        if (_useSSL)
-            *_useSSL = useSSL;
+        if (_connectMethod)
+            *_connectMethod = connectMethod;
         if (_port)
         {
             // port to try first (or only) ...
-            if ( (useSSL == SSLNone) || (useSSL == UnsecureFirst) )
+            if ( (connectMethod == SSLNone) || (connectMethod == UnsecureFirst) )
                 *_port = DAFILESRV_PORT;
             else
                 *_port = SECURE_DAFILESRV_PORT;
@@ -2476,22 +2476,22 @@ jlib_decl bool querySecuritySettings(SSLCfg *        _useSSL,
     }
     else
     {
-        if (_useSSL)
-            *_useSSL = SSLNone;
+        if (_connectMethod)
+            *_connectMethod = SSLNone;
         if (_port)
             *_port = DAFILESRV_PORT;
     }
     return retrieved;
 }
 
-jlib_decl bool queryDafsSecSettings(SSLCfg *        _useSSL,
+jlib_decl bool queryDafsSecSettings(DAFSConnectCfg *_connectMethod,
                                     unsigned short *_port,
                                     unsigned short *_sslport,
                                     const char * *  _certificate,
                                     const char * *  _privateKey,
                                     const char * *  _passPhrase)
 {
-    bool ret = querySecuritySettings(_useSSL, nullptr, _certificate, _privateKey, _passPhrase);
+    bool ret = querySecuritySettings(_connectMethod, nullptr, _certificate, _privateKey, _passPhrase);
     // these should really be in env, but currently they are not ...
     if (_port)
         *_port = DAFILESRV_PORT;

system/jlib/jutil.hpp

@@ -360,13 +360,13 @@ extern jlib_decl bool getConfigurationDirectory(const IPropertyTree *dirtree, //
                                                 const char *instance, 
                                                 StringBuffer &dirout);
 
-extern jlib_decl bool querySecuritySettings(SSLCfg *        _useSSL,
+extern jlib_decl bool querySecuritySettings(DAFSConnectCfg *_connectMethod,
                                             unsigned short *_port,
                                             const char * *  _certificate,
                                             const char * *  _privateKey,
                                             const char * *  _passPhrase);
 
-extern jlib_decl bool queryDafsSecSettings(SSLCfg *        _useSSL,
+extern jlib_decl bool queryDafsSecSettings(DAFSConnectCfg *_connectMethod,
                                            unsigned short *_port,
                                            unsigned short *_sslport,
                                            const char * *  _certificate,