Separate SSL and SRVSSL options for client and server connections

This commit introduces a clear separation between SSL options for client
connections (SSL) and server connections (SRVSSL) to prevent accidental
HTTPS server activation and improve module clarity.

Changes:
- Add SRVSSL option in SocketServer mixin (default: false)
- Remove SSL option from TcpServer (now uses SRVSSL from SocketServer)
- Update HttpServer.start_service to accept opts['Ssl'] as override
- Update all modules to use SRVSSL for server-side SSL configuration
- Update modules that used 'ssl' => false to use 'Ssl' => false
- Update documentation to reflect SRVSSL usage
- Update msftidy to recognize SRVSSL as universal option

This ensures that server and client SSL configurations are independent,
preventing unintended HTTPS server activation when SSL is enabled for
client connections.

Author: Chocapikk

documentation/modules/auxiliary/server/capture/ftp.md

@@ -19,10 +19,11 @@ This module creates a mock FTP server which accepts credentials before throwing
   * `Serv-U FTP Server v15.0 ready...`
   * `ProFTPD 1.3.4a Server (FTP-Server)`
 
-### SSL
+### SRVSSL
 
-  Boolean if SSL should be used, making this FTPS.  FTPS is typically run on port 990.  If `SSLCert` is not set, a certificate
-  will be automatically generated.  Default is `False`.
+  Boolean if SSL/TLS should be used for the server, making this FTPS.  FTPS is typically run on port 990.  If `SSLCert` is not set,
+  a certificate will be automatically generated.  Default is `False`. Note: This option is separate from the `SSL` option which
+  controls client connections.
 
 ### SSLCert
 
@@ -147,8 +148,8 @@ mVuIIRbrDW/sOgu2Viis
 msf > use auxiliary/server/capture/ftp
 msf auxiliary(server/capture/ftp) > set srvport 990
 srvport => 990
-msf auxiliary(server/capture/ftp) > set ssl true
-ssl => true
+msf auxiliary(server/capture/ftp) > set srvssl true
+srvssl => true
 msf auxiliary(server/capture/ftp) > set sslcert /root/metasploit-framework/selfsigned.pem
 sslcert => /root/metasploit-framework/selfsigned.pem
 msf auxiliary(server/capture/ftp) > run

documentation/modules/auxiliary/server/capture/http_basic.md

@@ -23,10 +23,11 @@ This module creates a mock web server which, utilizing a HTTP 401 response, prom
 
   After the user enters a set of credentials, their browser will be redirected to this address.  Default is ``.
 
-### SSL
+### SRVSSL
 
-  Boolean if SSL should be used, making this HTTPS.  HTTPS is typically run on port 443.  If `SSLCert` is not set, a certificate
-  will be automatically generated.  Default is `False`.
+  Boolean if SSL/TLS should be used for the server, making this HTTPS.  HTTPS is typically run on port 443.  If `SSLCert` is not set,
+  a certificate will be automatically generated.  Default is `False`. Note: This option is separate from the `SSL` option which
+  controls client connections.
 
 ### SSLCert
 
@@ -156,8 +157,8 @@ Oj6N43ld9EONST6BhP3v1buoWHi1FMouocrUkUDuahiHoLlK4ERSUrb4uNnwko24
 WdNCCmA8APA1qf2BYVqs
 -----END CERTIFICATE-----
 msf > use auxiliary/server/capture/http_basic 
-msf auxiliary(server/capture/http_basic) > set ssl true
-ssl => true
+msf auxiliary(server/capture/http_basic) > set srvssl true
+srvssl => true
 msf auxiliary(server/capture/http_basic) > set srvport 443
 srvport => 443
 msf auxiliary(server/capture/http_basic) > set sslcert /root/metasploit-framework/selfsigned.pem

documentation/modules/auxiliary/server/capture/imap.md

@@ -20,10 +20,11 @@ This module creates a mock IMAP server which accepts credentials.
   * `The Microsoft Exchange IMAP4 service is ready.`
   * `Microsoft Exchange Server 2003 IMAP4rev1 server versino 6.5.7638.1 (domain.local) ready.`
 
-### SSL
+### SRVSSL
 
-  Boolean if SSL should be used, making this Secure IMAP.  Secure IMAP is typically run on port 993.  If `SSLCert` is not set, a certificate
-  will be automatically generated.  Default is `False`.
+  Boolean if SSL/TLS should be used for the server, making this Secure IMAP.  Secure IMAP is typically run on port 993.
+  If `SSLCert` is not set, a certificate will be automatically generated.  Default is `False`. Note: This option is separate
+  from the `SSL` option which controls client connections.
 
 ### SSLCert
 
@@ -144,8 +145,8 @@ l/m7Kka0n7lXnKo+IFSJ0dTooBvwaV7+4tEGuHxWJsNO+2aex9qFCuDUdBFxyWyK
 uBVlsY6F7EjTfWpxwyVP
 -----END CERTIFICATE-----
 msf > use auxiliary/server/capture/imap 
-msf auxiliary(server/capture/imap) > set ssl true
-ssl => true
+msf auxiliary(server/capture/imap) > set srvssl true
+srvssl => true
 msf auxiliary(server/capture/imap) > set sslcert /root/metasploit-framework/selfsigned.pem
 sslcert => /root/metasploit-framework/selfsigned.pem
 msf auxiliary(server/capture/imap) > set srvport 993

documentation/modules/auxiliary/server/capture/mysql.md

@@ -24,9 +24,9 @@ This module creates a mock MySQL server which accepts credentials.  Upon receivi
 
   The MySQL version to print in the login banner.  Default is `5.5.16`.
 
-### SSL
+### SRVSSL
 
-  Boolean if SSL should be used.  Default is `False`.
+  Boolean if SSL/TLS should be used for the server.  Default is `False`. Note: This option is separate from the `SSL` option which controls client connections.
 
 ### SSLCert
 

documentation/modules/auxiliary/server/capture/postgresql.md

@@ -9,9 +9,9 @@ This module creates a mock PostgreSQL server which accepts credentials.  Upon re
 
 ## Options
 
-### SSL
+### SRVSSL
 
-  Boolean if SSL should be used.  Default is `False`.
+  Boolean if SSL/TLS should be used for the server.  Default is `False`. Note: This option is separate from the `SSL` option which controls client connections.
 
 ### SSLCert
 

documentation/modules/auxiliary/server/capture/telnet.md

@@ -12,9 +12,9 @@ This module creates a mock telnet server which accepts credentials.  Upon receiv
 
   The Banner which should be displayed.  Default is empty, which will display `Welcome`.
 
-### SSL
+### SRVSSL
 
-  Boolean if SSL should be used.  Default is `False`.
+  Boolean if SSL/TLS should be used for the server.  Default is `False`. Note: This option is separate from the `SSL` option which controls client connections.
 
 ### SSLCert
 

documentation/modules/auxiliary/server/capture/vnc.md

@@ -16,9 +16,9 @@ This module creates a mock VNC server which accepts credentials.  Upon receiving
 
   Write a file containing a John the Ripper format for cracking the credentials.  Default is ``.
 
-### SSL
+### SRVSSL
 
-  Boolean if SSL should be used.  Default is `False`.
+  Boolean if SSL/TLS should be used for the server.  Default is `False`. Note: This option is separate from the `SSL` option which controls client connections.
 
 ### SSLCert
 

lib/msf/core/exploit/remote/http_server.rb

@@ -111,22 +111,23 @@ def check_dependencies
   #   ServerPort => Override the server port to listen on (default to SRVPORT).
   #   Uri        => The URI to handle and the associated procedure to call.
   #
-  #
-  # TODO: This must be able to take an SSL parameter and not rely
-  # completely on the datastore. (See dlink_upnp_exec_noauth)
+  # SSL configuration for the server is controlled by the SRVSSL datastore option
+  # (separate from SSL which is used for client connections). The ssl() method
+  # returns the SRVSSL value, ensuring server and client SSL are independent.
+  # If opts['Ssl'] is provided, it will override the SRVSSL datastore option.
   def start_service(opts = {})
 
-    # Keep compatibility with modules that don't pass the ssl option to the start server but rely on the datastore instead.
-    opts['ssl'] = opts['ssl'].nil? ? datastore['SSL'] : opts['ssl']
-
     check_dependencies
 
+    # Use opts['Ssl'] if provided, otherwise use the SRVSSL datastore option
+    server_ssl = opts.has_key?('Ssl') ? opts['Ssl'] : ssl
+
     # Start a new HTTP server service.
     self.service = Rex::ServiceManager.start(
       Rex::Proto::Http::Server,
       (opts['ServerPort'] || bindport).to_i,
       opts['ServerHost'] || bindhost,
-      opts['ssl'],
+      server_ssl,
       {
         'Msf'        => framework,
         'MsfExploit' => self,
@@ -152,7 +153,7 @@ def start_service(opts = {})
       'Path' => opts['Path'] || resource_uri
     }.update(opts['Uri'] || {})
 
-    proto = (opts['ssl'] ? "https" : "http")
+    proto = (server_ssl ? "https" : "http")
 
     # SSLCompression may or may not actually be available. For example, on
     # Ubuntu, it's disabled by default, unless the correct environment
@@ -437,7 +438,8 @@ def get_uri(cli=self.cli)
     # The resource won't exist until the server is started
     return unless resource
 
-    ssl = !!(datastore["SSL"])
+    # Use ssl() method which returns SRVSSL (separate from SSL for client connections)
+    ssl = !!ssl()
     proto = (ssl ? "https://" : "http://")
     if datastore['URIHOST']
       host = datastore['URIHOST']

lib/msf/core/exploit/remote/socket_server.rb

@@ -20,6 +20,7 @@ def initialize(info = {})
       [
         OptAddressLocal.new('SRVHOST', [ true, 'The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.', '0.0.0.0' ]),
         OptPort.new('SRVPORT',    [ true, "The local port to listen on.", 8080 ]),
+        OptBool.new('SRVSSL', [ false, 'Negotiate SSL/TLS for the server (overrides SSL option for server-side connections)', false])
 
       ], Msf::Exploit::Remote::SocketServer
     )

lib/msf/core/exploit/remote/tcp_server.rb

@@ -18,7 +18,6 @@ def initialize(info = {})
 
     register_options(
       [
-        OptBool.new('SSL',        [ false, 'Negotiate SSL for incoming connections', false]),
         # SSLVersion is currently unsupported for TCP servers (only supported by clients at the moment)
         OptPath.new('SSLCert',    [ false, 'Path to a custom SSL certificate (default is randomly generated)'])
       ], Msf::Exploit::Remote::TcpServer
@@ -111,10 +110,11 @@ def start_service(opts = {})
   end
 
   #
-  # Returns the SSL option
+  # Returns the SSL option for the server
+  # Uses SRVSSL which is separate from the SSL option (for client connections)
   #
   def ssl
-    datastore['SSL']
+    datastore['SRVSSL']
   end
 
   #