Enable SSL only after processing CLI options

Re ECFLOW-1985

libs/client/src/ecflow/client/ClientEnvironment.cpp

@@ -169,12 +169,13 @@ void ClientEnvironment::set_host_port(const std::string& the_host, const std::st
     // When there is only one host:port in host_vec_, calling get_next_host() will always return host_vec_[0]
     host_file_read_ = true;
 
-#ifdef ECF_OPENSSL
-    // Must be done *AFTER* host and port set
-    // Avoid enabling SSL for the GUI, via environment, this must be done explicitly by the GUI
-    if (!gui_)
-        enable_ssl_if_defined();
-#endif
+    // Caution:
+    //
+    //   We don't (re)enable SSL immediatelly after setting host/port, as this might happen multiple times
+    //   during the execution (e.g. when loading environment variables, and later processing command line options).
+    //
+    //   It is up to the user of this class to enable SSL if needed.
+    //
 }
 
 bool ClientEnvironment::checkTaskPathAndPassword(std::string& errorMsg) const {
@@ -311,15 +312,6 @@ void ClientEnvironment::read_environment_variables() {
         host_vec_.clear(); // remove previous setting if any
         host_vec_.emplace_back(host, port);
     }
-
-#ifdef ECF_OPENSSL
-    // Note: This must be placed here for child commands, where we we typically only use environment variables
-    // Must be done last *AFTER* host and port set
-    // Can't use enable_sll(), since that calls host()/port() which use host_vec_, which may be empty
-    // Avoid enabling SSL for the GUI, via environment, this must be done explicitly by the GUI
-    if (!gui_)
-        ssl_.enable_if_defined(host, port);
-#endif
 }
 
 bool ClientEnvironment::parseHostsFile(std::string& errorMsg) {

libs/client/src/ecflow/client/ClientEnvironment.hpp

@@ -98,9 +98,6 @@ class ClientEnvironment final : public AbstractClientEnv {
         ssl_.enable_if_defined(host(), port());
     }                                                  // IF ECF_SSL=1,search server.crt, ELSE search <host>.<port>.crt
     void enable_ssl() { ssl_.enable(host(), port()); } // search server.crt first, then <host>.<port>.crt
-    bool enable_ssl_no_throw() {
-        return ssl_.enable_no_throw(host(), port());
-    }                                      // search server.crt first, then <host>.<port>.crt
     void disable_ssl() { ssl_.disable(); } // override environment setting for ECF_SSL
 #endif
 

libs/client/src/ecflow/client/ClientInvoker.hpp

@@ -69,7 +69,6 @@ class ClientInvoker {
 #ifdef ECF_OPENSSL
     /// Override any ssl read from environment(ECF_SSL) or command line args(-ssl)
     void enable_ssl() { clientEnv_.enable_ssl(); }
-    bool enable_ssl_no_throw() { return clientEnv_.enable_ssl_no_throw(); }
     void disable_ssl() { clientEnv_.disable_ssl(); } // override environment setting for ECF_SSL
 #endif
 

libs/client/src/ecflow/client/ClientOptions.cpp

@@ -178,10 +178,22 @@ Cmd_ptr ClientOptions::parse(const CommandLine& cl, ClientEnvironment* env) cons
     }
 
 #ifdef ECF_OPENSSL
-    if (vm.count("ssl")) {
-        if (env->debug())
-            std::cout << "  ssl set via command line\n";
+    if (auto ecf_ssl = getenv("ECF_SSL"); vm.count("ssl") || ecf_ssl) {
+        if (env->debug()) {
+            if (!vm.count("ssl") && ecf_ssl) {
+                std::cout << "  ssl enabled via environment variable\n";
+            }
+            else if (!vm.count("ssl") && ecf_ssl) {
+                std::cout << "  ssl explicitly enabled via command line\n";
+            }
+            else {
+                std::cout << "  ssl explicitly enabled via command line, but also enabled via environment variable\n";
+            }
+        }
         env->enable_ssl();
+        if (env->debug()) {
+            std::cout << "  ssl certificate: '" << env->openssl().info() << "' \n";
+        }
     }
 #endif