rapid7 · Chocapikk · Nov 28, 2025 · Nov 28, 2025
diff --git a/documentation/modules/auxiliary/server/capture/ftp.md b/documentation/modules/auxiliary/server/capture/ftp.md
@@ -19,10 +19,11 @@ This module creates a mock FTP server which accepts credentials before throwing
   * `Serv-U FTP Server v15.0 ready...`
   * `ProFTPD 1.3.4a Server (FTP-Server)`
 
-### SSL
+### SRVSSL
 
-  Boolean if SSL should be used, making this FTPS.  FTPS is typically run on port 990.  If `SSLCert` is not set, a certificate
-  will be automatically generated.  Default is `False`.
+  Boolean if SSL/TLS should be used for the server, making this FTPS.  FTPS is typically run on port 990.  If `SSLCert` is not set,
+  a certificate will be automatically generated.  Default is `False`. Note: This option is separate from the `SSL` option which
+  controls client connections.
 
 ### SSLCert
 
@@ -147,8 +148,8 @@ mVuIIRbrDW/sOgu2Viis
 msf > use auxiliary/server/capture/ftp
 msf auxiliary(server/capture/ftp) > set srvport 990
 srvport => 990
-msf auxiliary(server/capture/ftp) > set ssl true
-ssl => true
+msf auxiliary(server/capture/ftp) > set srvssl true
+srvssl => true
 msf auxiliary(server/capture/ftp) > set sslcert /root/metasploit-framework/selfsigned.pem
 sslcert => /root/metasploit-framework/selfsigned.pem
 msf auxiliary(server/capture/ftp) > run

diff --git a/documentation/modules/auxiliary/server/capture/http_basic.md b/documentation/modules/auxiliary/server/capture/http_basic.md
@@ -23,10 +23,11 @@ This module creates a mock web server which, utilizing a HTTP 401 response, prom
 
   After the user enters a set of credentials, their browser will be redirected to this address.  Default is ``.
 
-### SSL
+### SRVSSL
 
-  Boolean if SSL should be used, making this HTTPS.  HTTPS is typically run on port 443.  If `SSLCert` is not set, a certificate
-  will be automatically generated.  Default is `False`.
+  Boolean if SSL/TLS should be used for the server, making this HTTPS.  HTTPS is typically run on port 443.  If `SSLCert` is not set,
+  a certificate will be automatically generated.  Default is `False`. Note: This option is separate from the `SSL` option which
+  controls client connections.
 
 ### SSLCert
 
@@ -156,8 +157,8 @@ Oj6N43ld9EONST6BhP3v1buoWHi1FMouocrUkUDuahiHoLlK4ERSUrb4uNnwko24
 WdNCCmA8APA1qf2BYVqs
 -----END CERTIFICATE-----
 msf > use auxiliary/server/capture/http_basic 
-msf auxiliary(server/capture/http_basic) > set ssl true
-ssl => true
+msf auxiliary(server/capture/http_basic) > set srvssl true
+srvssl => true
 msf auxiliary(server/capture/http_basic) > set srvport 443
 srvport => 443
 msf auxiliary(server/capture/http_basic) > set sslcert /root/metasploit-framework/selfsigned.pem

diff --git a/documentation/modules/auxiliary/server/capture/imap.md b/documentation/modules/auxiliary/server/capture/imap.md
@@ -20,10 +20,11 @@ This module creates a mock IMAP server which accepts credentials.
   * `The Microsoft Exchange IMAP4 service is ready.`
   * `Microsoft Exchange Server 2003 IMAP4rev1 server versino 6.5.7638.1 (domain.local) ready.`
 
-### SSL
+### SRVSSL
 
-  Boolean if SSL should be used, making this Secure IMAP.  Secure IMAP is typically run on port 993.  If `SSLCert` is not set, a certificate
-  will be automatically generated.  Default is `False`.
+  Boolean if SSL/TLS should be used for the server, making this Secure IMAP.  Secure IMAP is typically run on port 993.
+  If `SSLCert` is not set, a certificate will be automatically generated.  Default is `False`. Note: This option is separate
+  from the `SSL` option which controls client connections.
 
 ### SSLCert
 
@@ -144,8 +145,8 @@ l/m7Kka0n7lXnKo+IFSJ0dTooBvwaV7+4tEGuHxWJsNO+2aex9qFCuDUdBFxyWyK
 uBVlsY6F7EjTfWpxwyVP
 -----END CERTIFICATE-----
 msf > use auxiliary/server/capture/imap 
-msf auxiliary(server/capture/imap) > set ssl true
-ssl => true
+msf auxiliary(server/capture/imap) > set srvssl true
+srvssl => true
 msf auxiliary(server/capture/imap) > set sslcert /root/metasploit-framework/selfsigned.pem
 sslcert => /root/metasploit-framework/selfsigned.pem
 msf auxiliary(server/capture/imap) > set srvport 993

diff --git a/documentation/modules/auxiliary/server/capture/mysql.md b/documentation/modules/auxiliary/server/capture/mysql.md
@@ -24,9 +24,9 @@ This module creates a mock MySQL server which accepts credentials.  Upon receivi
 
   The MySQL version to print in the login banner.  Default is `5.5.16`.
 
-### SSL
+### SRVSSL
 
-  Boolean if SSL should be used.  Default is `False`.
+  Boolean if SSL/TLS should be used for the server.  Default is `False`. Note: This option is separate from the `SSL` option which controls client connections.
 
 ### SSLCert
 

diff --git a/documentation/modules/auxiliary/server/capture/postgresql.md b/documentation/modules/auxiliary/server/capture/postgresql.md
@@ -9,9 +9,9 @@ This module creates a mock PostgreSQL server which accepts credentials.  Upon re
 
 ## Options
 
-### SSL
+### SRVSSL
 
-  Boolean if SSL should be used.  Default is `False`.
+  Boolean if SSL/TLS should be used for the server.  Default is `False`. Note: This option is separate from the `SSL` option which controls client connections.
 
 ### SSLCert
 

diff --git a/documentation/modules/auxiliary/server/capture/telnet.md b/documentation/modules/auxiliary/server/capture/telnet.md
@@ -12,9 +12,9 @@ This module creates a mock telnet server which accepts credentials.  Upon receiv
 
   The Banner which should be displayed.  Default is empty, which will display `Welcome`.
 
-### SSL
+### SRVSSL
 
-  Boolean if SSL should be used.  Default is `False`.
+  Boolean if SSL/TLS should be used for the server.  Default is `False`. Note: This option is separate from the `SSL` option which controls client connections.
 
 ### SSLCert
 

diff --git a/documentation/modules/auxiliary/server/capture/vnc.md b/documentation/modules/auxiliary/server/capture/vnc.md
@@ -16,9 +16,9 @@ This module creates a mock VNC server which accepts credentials.  Upon receiving
 
   Write a file containing a John the Ripper format for cracking the credentials.  Default is ``.
 
-### SSL
+### SRVSSL
 
-  Boolean if SSL should be used.  Default is `False`.
+  Boolean if SSL/TLS should be used for the server.  Default is `False`. Note: This option is separate from the `SSL` option which controls client connections.
 
 ### SSLCert
 

diff --git a/lib/msf/core/exploit/remote/http_server.rb b/lib/msf/core/exploit/remote/http_server.rb
@@ -111,22 +111,23 @@ def check_dependencies
   #   ServerPort => Override the server port to listen on (default to SRVPORT).
   #   Uri        => The URI to handle and the associated procedure to call.
   #
-  #
-  # TODO: This must be able to take an SSL parameter and not rely
-  # completely on the datastore. (See dlink_upnp_exec_noauth)
+  # SSL configuration for the server is controlled by the SRVSSL datastore option
+  # (separate from SSL which is used for client connections). The ssl() method
+  # returns the SRVSSL value, ensuring server and client SSL are independent.
+  # If opts['Ssl'] is provided, it will override the SRVSSL datastore option.
   def start_service(opts = {})
 
-    # Keep compatibility with modules that don't pass the ssl option to the start server but rely on the datastore instead.
-    opts['ssl'] = opts['ssl'].nil? ? datastore['SSL'] : opts['ssl']
-
     check_dependencies
 
+    # Use opts['Ssl'] if provided, otherwise use the SRVSSL datastore option
+    server_ssl = opts.has_key?('Ssl') ? opts['Ssl'] : ssl
+
     # Start a new HTTP server service.
     self.service = Rex::ServiceManager.start(
       Rex::Proto::Http::Server,
       (opts['ServerPort'] || bindport).to_i,
       opts['ServerHost'] || bindhost,
-      opts['ssl'],
+      server_ssl,
       {
         'Msf'        => framework,
         'MsfExploit' => self,
@@ -152,7 +153,7 @@ def start_service(opts = {})
       'Path' => opts['Path'] || resource_uri
     }.update(opts['Uri'] || {})
 
-    proto = (opts['ssl'] ? "https" : "http")
+    proto = (server_ssl ? "https" : "http")
 
     # SSLCompression may or may not actually be available. For example, on
     # Ubuntu, it's disabled by default, unless the correct environment
@@ -437,7 +438,8 @@ def get_uri(cli=self.cli)
     # The resource won't exist until the server is started
     return unless resource
 
-    ssl = !!(datastore["SSL"])
+    # Use ssl() method which returns SRVSSL (separate from SSL for client connections)
+    ssl = !!ssl()
     proto = (ssl ? "https://" : "http://")
     if datastore['URIHOST']
       host = datastore['URIHOST']

diff --git a/lib/msf/core/exploit/remote/socket_server.rb b/lib/msf/core/exploit/remote/socket_server.rb
@@ -20,6 +20,7 @@ def initialize(info = {})
       [
         OptAddressLocal.new('SRVHOST', [ true, 'The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.', '0.0.0.0' ]),
         OptPort.new('SRVPORT',    [ true, "The local port to listen on.", 8080 ]),
+        OptBool.new('SRVSSL', [ false, 'Negotiate SSL/TLS for the server (overrides SSL option for server-side connections)', false])
 
       ], Msf::Exploit::Remote::SocketServer
     )

diff --git a/lib/msf/core/exploit/remote/tcp_server.rb b/lib/msf/core/exploit/remote/tcp_server.rb
@@ -18,7 +18,6 @@ def initialize(info = {})
 
     register_options(
       [
-        OptBool.new('SSL',        [ false, 'Negotiate SSL for incoming connections', false]),
         # SSLVersion is currently unsupported for TCP servers (only supported by clients at the moment)
         OptPath.new('SSLCert',    [ false, 'Path to a custom SSL certificate (default is randomly generated)'])
       ], Msf::Exploit::Remote::TcpServer
@@ -111,10 +110,11 @@ def start_service(opts = {})
   end
 
   #
-  # Returns the SSL option
+  # Returns the SSL option for the server
+  # Uses SRVSSL which is separate from the SSL option (for client connections)
   #
   def ssl
-    datastore['SSL']
+    datastore['SRVSSL']
   end
 
   #

diff --git a/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb b/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb
@@ -176,7 +176,7 @@ def hidden_css
   end
 
   def backend_url
-    proto = (datastore['SSL'] ? 'https' : 'http')
+    proto = (datastore['SRVSSL'] ? 'https' : 'http')
     myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
     port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}"
     "#{proto}://#{myhost}#{port_str}/#{datastore['URIPATH']}/catch"

diff --git a/modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb b/modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
@@ -87,7 +87,7 @@ def start_http(opts = {})
       Rex::Proto::Http::Server,
       opts['ServerPort'].to_i,
       opts['ServerHost'],
-      datastore['SSL'],
+      datastore['SRVSSL'],
       {
         'Msf' => framework,
         'MsfExploit' => self,
@@ -107,7 +107,7 @@ def start_http(opts = {})
       'Path' => resource_uri
     }.update(opts['Uri'] || {})
 
-    proto = (datastore['SSL'] ? 'https' : 'http')
+    proto = (datastore['SRVSSL'] ? 'https' : 'http')
     print_status("Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")
 
     if opts['ServerHost'] == '0.0.0.0'

diff --git a/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb b/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb
@@ -92,7 +92,7 @@ def html
   end
 
   def backend_url
-    proto = (datastore['SSL'] ? 'https' : 'http')
+    proto = (datastore['SRVSSL'] ? 'https' : 'http')
     my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
     port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}"
     resource = ('/' == get_resource[-1, 1]) ? get_resource[0, get_resource.length - 1] : get_resource

diff --git a/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb b/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb
@@ -161,7 +161,7 @@ def run
         end,
         'Path' => '/'
       },
-      'ssl' => false
+      'Ssl' => false
     })
 
     xxe_request

diff --git a/modules/auxiliary/gather/safari_file_url_navigation.rb b/modules/auxiliary/gather/safari_file_url_navigation.rb
@@ -241,7 +241,7 @@ def start_http(opts = {})
       Rex::Proto::Http::Server,
       opts['ServerPort'].to_i,
       opts['ServerHost'],
-      datastore['SSL'],
+      datastore['SRVSSL'],
       {
         'Msf' => framework,
         'MsfExploit' => self,

diff --git a/modules/auxiliary/server/android_mercury_parseuri.rb b/modules/auxiliary/server/android_mercury_parseuri.rb
@@ -71,7 +71,7 @@ def get_html
   end
 
   def backend_url
-    proto = (datastore['SSL'] ? 'https' : 'http')
+    proto = (datastore['SRVSSL'] ? 'https' : 'http')
     my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
     port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}"
     resource = ('/' == get_resource[-1, 1]) ? get_resource[0, get_resource.length - 1] : get_resource

diff --git a/modules/auxiliary/server/capture/http_javascript_keylogger.rb b/modules/auxiliary/server/capture/http_javascript_keylogger.rb
@@ -123,7 +123,7 @@ def generate_base_url(cli, req)
       port = datastore['SRVPORT'].to_i
     end
 
-    prot = !datastore['SSL'].nil? ? 'https://' : 'http://'
+    prot = datastore['SRVSSL'] ? 'https://' : 'http://'
     if Rex::Socket.is_ipv6?(host)
       host = "[#{host}]"
     end

diff --git a/modules/exploits/linux/http/chaos_rat_xss_to_rce.rb b/modules/exploits/linux/http/chaos_rat_xss_to_rce.rb
@@ -282,7 +282,7 @@ def start_http_service(opts = {})
       Rex::Proto::Http::Server,
       (opts['ServerPort'] || bindport).to_i,
       opts['ServerHost'] || bindhost,
-      datastore['SSL'],
+      datastore['SRVSSL'],
       {
         'Msf' => framework,
         'MsfExploit' => self
@@ -300,7 +300,7 @@ def start_http_service(opts = {})
       'Proc' => method(:on_request_uri),
       'Path' => resource_uri
     }.update(opts['Uri'] || {})
-    proto = (datastore['SSL'] ? 'https' : 'http')
+    proto = (datastore['SRVSSL'] ? 'https' : 'http')
 
     netloc = opts['ServerHost'] || bindhost
     http_srvport = (opts['ServerPort'] || bindport).to_i

diff --git a/modules/exploits/linux/http/craftcms_ftp_template.rb b/modules/exploits/linux/http/craftcms_ftp_template.rb
@@ -201,14 +201,7 @@ def trigger_http_request
   end
 
   def start_ftp_service
-    if datastore['SSL'] == true
-      reset_ssl = true
-      datastore['SSL'] = false
-    end
     start_service
-    if reset_ssl
-      datastore['SSL'] = true
-    end
   end
 
   def exploit

diff --git a/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb b/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb
@@ -147,7 +147,7 @@ def exploit
           },
           'Path' => resource_uri
         },
-        'ssl' => false # do not use SSL
+        'Ssl' => false
       })
 
     end

diff --git a/modules/exploits/linux/http/dlink_dir615_up_exec.rb b/modules/exploits/linux/http/dlink_dir615_up_exec.rb
@@ -178,7 +178,7 @@ def exploit
           },
           'Path' => resource_uri
         },
-        'ssl' => false # do not use SSL
+        'Ssl' => false
       })
 
     end

diff --git a/modules/exploits/linux/http/dlink_hnap_login_bof.rb b/modules/exploits/linux/http/dlink_hnap_login_bof.rb
@@ -277,7 +277,7 @@ def exploit
           },
           'Path' => resource_uri
         },
-        'ssl' => false # do not use SSL
+        'Ssl' => false
       })
 
       print_status("#{peer} - Asking the device to download and execute #{service_url}")

diff --git a/modules/exploits/linux/http/ibm_qradar_unauth_rce.rb b/modules/exploits/linux/http/ibm_qradar_unauth_rce.rb
@@ -152,7 +152,7 @@ def exploit
       srv_host = datastore['SRVHOST']
     end
 
-    http_service = (datastore['SSL'] ? 'https://' : 'http://') + srv_host + ':' + datastore['SRVPORT'].to_s
+    http_service = (datastore['SRVSSL'] ? 'https://' : 'http://') + srv_host + ':' + datastore['SRVPORT'].to_s
     service_uri = http_service + '/' + @payload_name
 
     print_status("#{peer} - Starting up our web service on #{http_service} ...")

diff --git a/modules/exploits/linux/http/linksys_e1500_apply_exec.rb b/modules/exploits/linux/http/linksys_e1500_apply_exec.rb
@@ -176,7 +176,7 @@ def exploit
           },
           'Path' => resource_uri
         },
-        'ssl' => false # do not use SSL
+        'Ssl' => false
       })
 
     end

diff --git a/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb b/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb
@@ -327,7 +327,7 @@ def exploit
           },
           'Path' => resource_uri
         },
-        'ssl' => false # do not use SSL
+        'Ssl' => false
       })
 
     end

diff --git a/modules/exploits/linux/http/magento_xxe_to_glibc_buf_overflow.rb b/modules/exploits/linux/http/magento_xxe_to_glibc_buf_overflow.rb
@@ -571,7 +571,7 @@ def setup_module
         end,
         'Path' => '/'
       },
-      'ssl' => false
+      'Ssl' => false
     })
     print_status('Server started')
   end

diff --git a/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb b/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb
@@ -181,7 +181,7 @@ def exploit
           },
           'Path' => resource_uri
         },
-        'ssl' => false # do not use SSL
+        'Ssl' => false
       })
 
     end

diff --git a/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb b/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb
@@ -296,7 +296,7 @@ def exploit
           },
           'Path' => resource_uri
         },
-        'ssl' => false # do not use SSL
+        'Ssl' => false
       })
 
     end
-Original file line number
+Diff line change
@@ Expand Up / @@ -147,7 +147,7 @@ def exploit @@
               },
               'Path' => resource_uri
             },
-            'ssl' => false # do not use SSL
+            'Ssl' => false
           })
         end
@@ Expand Down @@