Add build-time option for TCP+TLS support

ENABLE_SSL did two things: * Enable the built-in plugins (if ENABLE_SECURITY) * Enable TCP+TLS support TCP support is rarely used and has some problems, TCP+TLS support is even more rarely used and we recommend using DDS Security instead. If TCP+TLS is not recommended, it makes sense to support builds that do leave it out. This also has the advantage of being able to include support for DDS Security with the built-in plugins but without introducing a dependency on OpenSSL for the core library. Signed-off-by: Erik Boasson <eb@ilities.com>
eclipse-cyclonedds · Mar 26, 2024 · 93b632a · 93b632a
1 parent 6f5ce86
commit 93b632a
Show file tree

Hide file tree

Showing 15 changed files with 62 additions and 52 deletions.
diff --git a/docs/manual/config/config_file_reference.rst b/docs/manual/config/config_file_reference.rst
@@ -2699,10 +2699,10 @@ The categorisation of tracing output is incomplete and hence most of the verbosi
 The default value is: ``none``
 
 ..
-   generated from ddsi_config.h[9f834d377bdea61bea6507feed2fc4a8924dc02e] 
+   generated from ddsi_config.h[eaf2059de5eccc422ae9ebd9bb3c40fd1d7545d3] 
    generated from ddsi__cfgunits.h[bd22f0c0ed210501d0ecd3b07c992eca549ef5aa] 
-   generated from ddsi__cfgelems.h[f10059d775cf2e4961a2e9520bb1a4da6a124778] 
-   generated from ddsi_config.c[0a59324bd889637ea7d04765da9b76bbe74997c1] 
+   generated from ddsi__cfgelems.h[fc5746cc2e55b4ab9daf9bd51bc263cf30ece564] 
+   generated from ddsi_config.c[2d3406ce4db09358597689d7382f80185634eb69] 
    generated from _confgen.h[e32eabfc35e9f3a7dcb63b19ed148c0d17c6e5fc] 
    generated from _confgen.c[237308acd53897a34e8c643e16e05a61d73ffd65] 
    generated from generate_rnc.c[b50e4b7ab1d04b2bc1d361a0811247c337b74934] 

diff --git a/docs/manual/options.md b/docs/manual/options.md
@@ -1889,10 +1889,10 @@ While none prevents any message from being written to a DDSI2 log file.
 The categorisation of tracing output is incomplete and hence most of the verbosity levels and categories are not of much use in the current release. This is an ongoing process and here we describe the target situation rather than the current situation. Currently, the most useful verbosity levels are config, fine and finest.
 
 The default value is: `none`
-<!--- generated from ddsi_config.h[9f834d377bdea61bea6507feed2fc4a8924dc02e] -->
+<!--- generated from ddsi_config.h[eaf2059de5eccc422ae9ebd9bb3c40fd1d7545d3] -->
 <!--- generated from ddsi__cfgunits.h[bd22f0c0ed210501d0ecd3b07c992eca549ef5aa] -->
-<!--- generated from ddsi__cfgelems.h[f10059d775cf2e4961a2e9520bb1a4da6a124778] -->
-<!--- generated from ddsi_config.c[0a59324bd889637ea7d04765da9b76bbe74997c1] -->
+<!--- generated from ddsi__cfgelems.h[fc5746cc2e55b4ab9daf9bd51bc263cf30ece564] -->
+<!--- generated from ddsi_config.c[2d3406ce4db09358597689d7382f80185634eb69] -->
 <!--- generated from _confgen.h[e32eabfc35e9f3a7dcb63b19ed148c0d17c6e5fc] -->
 <!--- generated from _confgen.c[237308acd53897a34e8c643e16e05a61d73ffd65] -->
 <!--- generated from generate_rnc.c[b50e4b7ab1d04b2bc1d361a0811247c337b74934] -->

diff --git a/etc/cyclonedds.rnc b/etc/cyclonedds.rnc
@@ -1310,10 +1310,10 @@ MIIEpAIBAAKCAQEA3HIh...AOBaaqSV37XBUJg==<br>
   duration_inf = xsd:token { pattern = "inf|0|(\d+(\.\d*)?([Ee][\-+]?\d+)?|\.\d+([Ee][\-+]?\d+)?) *([num]?s|min|hr|day)" }
   memsize = xsd:token { pattern = "0|(\d+(\.\d*)?([Ee][\-+]?\d+)?|\.\d+([Ee][\-+]?\d+)?) *([kMG]i?)?B" }
 }
-# generated from ddsi_config.h[9f834d377bdea61bea6507feed2fc4a8924dc02e] 
+# generated from ddsi_config.h[eaf2059de5eccc422ae9ebd9bb3c40fd1d7545d3] 
 # generated from ddsi__cfgunits.h[bd22f0c0ed210501d0ecd3b07c992eca549ef5aa] 
-# generated from ddsi__cfgelems.h[f10059d775cf2e4961a2e9520bb1a4da6a124778] 
-# generated from ddsi_config.c[0a59324bd889637ea7d04765da9b76bbe74997c1] 
+# generated from ddsi__cfgelems.h[fc5746cc2e55b4ab9daf9bd51bc263cf30ece564] 
+# generated from ddsi_config.c[2d3406ce4db09358597689d7382f80185634eb69] 
 # generated from _confgen.h[e32eabfc35e9f3a7dcb63b19ed148c0d17c6e5fc] 
 # generated from _confgen.c[237308acd53897a34e8c643e16e05a61d73ffd65] 
 # generated from generate_rnc.c[b50e4b7ab1d04b2bc1d361a0811247c337b74934] 

diff --git a/etc/cyclonedds.xsd b/etc/cyclonedds.xsd
@@ -1970,10 +1970,10 @@ MIIEpAIBAAKCAQEA3HIh...AOBaaqSV37XBUJg==&lt;br&gt;
     </xs:restriction>
   </xs:simpleType>
 </xs:schema>
-<!--- generated from ddsi_config.h[9f834d377bdea61bea6507feed2fc4a8924dc02e] -->
+<!--- generated from ddsi_config.h[eaf2059de5eccc422ae9ebd9bb3c40fd1d7545d3] -->
 <!--- generated from ddsi__cfgunits.h[bd22f0c0ed210501d0ecd3b07c992eca549ef5aa] -->
-<!--- generated from ddsi__cfgelems.h[f10059d775cf2e4961a2e9520bb1a4da6a124778] -->
-<!--- generated from ddsi_config.c[0a59324bd889637ea7d04765da9b76bbe74997c1] -->
+<!--- generated from ddsi__cfgelems.h[fc5746cc2e55b4ab9daf9bd51bc263cf30ece564] -->
+<!--- generated from ddsi_config.c[2d3406ce4db09358597689d7382f80185634eb69] -->
 <!--- generated from _confgen.h[e32eabfc35e9f3a7dcb63b19ed148c0d17c6e5fc] -->
 <!--- generated from _confgen.c[237308acd53897a34e8c643e16e05a61d73ffd65] -->
 <!--- generated from generate_rnc.c[b50e4b7ab1d04b2bc1d361a0811247c337b74934] -->

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
@@ -70,6 +70,16 @@ if(ENABLE_SSL)
   endif()
 endif()
 
+set(ENABLE_TCP_TLS "AUTO" CACHE STRING "Enable TCP+TLS support (depends on ENABLE_SSL)")
+set_property(CACHE ENABLE_TCP_TLS PROPERTY STRINGS ON OFF AUTO)
+if(ENABLE_TCP_TLS)
+  if(ENABLE_TCP_TLS STREQUAL "AUTO")
+    set(ENABLE_TCP_TLS "${ENABLE_SSL}")
+  elseif(ENABLE_TCP_TLS AND NOT ENABLE_SSL)
+    message(FATAL "ENABLE_TCP_TLS requires ENABLE_SSL")
+  endif()
+endif()
+
 if(NOT ENABLE_SECURITY)
   message(STATUS "Building without OMG DDS Security support")
 endif()

diff --git a/src/core/CMakeLists.txt b/src/core/CMakeLists.txt
@@ -23,7 +23,7 @@ if("${CMAKE_C_COMPILER_ID}" STREQUAL "MSVC")
   target_link_libraries(ddsc PRIVATE dbghelp)
 endif()
 
-if(ENABLE_SSL AND OPENSSL_FOUND)
+if(ENABLE_TCP_TLS AND OPENSSL_FOUND)
   target_link_libraries(ddsc PRIVATE OpenSSL::SSL)
   if(CMAKE_GENERATOR MATCHES "Visual Studio")
     set_target_properties(ddsc PROPERTIES LINK_FLAGS "/ignore:4099")

diff --git a/src/core/ddsi/defconfig.c b/src/core/ddsi/defconfig.c
@@ -89,7 +89,7 @@ void ddsi_config_init_default (struct ddsi_config *cfg)
   cfg->tcp_port = INT32_C (-1);
   cfg->tcp_read_timeout = INT64_C (2000000000);
   cfg->tcp_write_timeout = INT64_C (2000000000);
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   cfg->ssl_verify = INT32_C (1);
   cfg->ssl_verify_client = INT32_C (1);
   cfg->ssl_keystore = "keystore";
@@ -98,12 +98,12 @@ void ddsi_config_init_default (struct ddsi_config *cfg)
   cfg->ssl_rand_file = "";
   cfg->ssl_min_version.major = 1;
   cfg->ssl_min_version.minor = 3;
-#endif /* DDS_HAS_SSL */
+#endif /* DDS_HAS_TCP_TLS */
 }
-/* generated from ddsi_config.h[9f834d377bdea61bea6507feed2fc4a8924dc02e] */
+/* generated from ddsi_config.h[eaf2059de5eccc422ae9ebd9bb3c40fd1d7545d3] */
 /* generated from ddsi__cfgunits.h[bd22f0c0ed210501d0ecd3b07c992eca549ef5aa] */
-/* generated from ddsi__cfgelems.h[f10059d775cf2e4961a2e9520bb1a4da6a124778] */
-/* generated from ddsi_config.c[0a59324bd889637ea7d04765da9b76bbe74997c1] */
+/* generated from ddsi__cfgelems.h[fc5746cc2e55b4ab9daf9bd51bc263cf30ece564] */
+/* generated from ddsi_config.c[2d3406ce4db09358597689d7382f80185634eb69] */
 /* generated from _confgen.h[e32eabfc35e9f3a7dcb63b19ed148c0d17c6e5fc] */
 /* generated from _confgen.c[237308acd53897a34e8c643e16e05a61d73ffd65] */
 /* generated from generate_rnc.c[b50e4b7ab1d04b2bc1d361a0811247c337b74934] */

diff --git a/src/core/ddsi/include/dds/ddsi/ddsi_config.h b/src/core/ddsi/include/dds/ddsi/ddsi_config.h
@@ -205,7 +205,7 @@ struct ddsi_config_omg_security_listelem {
 };
 #endif /* DDS_HAS_SECURITY */
 
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
 struct ddsi_config_ssl_min_version {
   int major;
   int minor;
@@ -340,7 +340,7 @@ struct ddsi_config
   int64_t tcp_write_timeout;
   int tcp_use_peeraddr_for_unicast;
 
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   /* SSL support for TCP */
   int ssl_enable;
   int ssl_verify;

diff --git a/src/core/ddsi/src/ddsi__cfgelems.h b/src/core/ddsi/src/ddsi__cfgelems.h
@@ -1737,7 +1737,7 @@ static struct cfgelem tcp_cfgelems[] = {
   END_MARKER
 };
 
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
 static struct cfgelem ssl_cfgelems[] = {
   BOOL("Enable", NULL, 1, "false",
     MEMBER(ssl_enable),
@@ -2189,15 +2189,15 @@ static struct cfgelem domain_cfgelems[] = {
       "<p>The TCP element allows you to specify various parameters related to "
       "running DDSI over TCP.</p>"
     )),
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   GROUP("SSL", ssl_cfgelems, NULL, 1,
     NOMEMBER,
     NOFUNCTIONS,
     DESCRIPTION(
       "<p>The SSL element allows specifying various parameters related to "
       "using SSL/TLS for DDSI over TCP.</p>"
     ),
-    BEHIND_FLAG("DDS_HAS_SSL")
+    BEHIND_FLAG("DDS_HAS_TCP_TLS")
   ),
 #endif
   GROUP("SharedMemory", shmem_cfgelems, NULL, 1,
@@ -2232,7 +2232,7 @@ static struct cfgelem root_cfgelems[] = {
   MOVED("DDSSecurity", "CycloneDDS/Domain/Security"),
 #endif
   MOVED("SharedMemory", "CycloneDDS/Domain/SharedMemory"),
-#if DDS_HAS_SSL
+#if DDS_HAS_TCP_TLS
   MOVED("SSL", "CycloneDDS/Domain/SSL"),
 #endif
   MOVED("DDSI2E|DDSI2", "CycloneDDS/Domain"),

diff --git a/src/core/ddsi/src/ddsi__ssl.h b/src/core/ddsi/src/ddsi__ssl.h
@@ -13,7 +13,7 @@
 
 #include "dds/features.h"
 
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
 
 #ifdef _WIN32
 /* supposedly WinSock2 must be included before openssl headers otherwise winsock will be used */
@@ -45,5 +45,5 @@ void ddsi_ssl_config_plugin (struct ddsi_ssl_plugins *plugin);
 }
 #endif
 
-#endif /* DDS_HAS_SSL */
+#endif /* DDS_HAS_TCP_TLS */
 #endif /* DDSI__SSL_H */
diff --git a/src/core/ddsi/src/ddsi_config.c b/src/core/ddsi/src/ddsi_config.c
@@ -188,7 +188,7 @@ DUPF(domainId);
 DUPF(transport_selector);
 DUPF(many_sockets_mode);
 DU(deaf_mute);
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
 DUPF(min_tls_version);
 #endif
 DUPF(shm_loglevel);
@@ -1073,7 +1073,7 @@ static void pf_xcheck (struct ddsi_cfgst *cfgst, void *parent, struct cfgelem co
   do_print_uint32_bitset (cfgst, *p, sizeof (xcheck_codes) / sizeof (*xcheck_codes), xcheck_names, xcheck_codes, sources, suffix);
 }
 
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
 static enum update_result uf_min_tls_version (struct ddsi_cfgst *cfgst, UNUSED_ARG (void *parent), UNUSED_ARG (struct cfgelem const * const cfgelem), UNUSED_ARG (int first), const char *value)
 {
   static const char *vs[] = {

diff --git a/src/core/ddsi/src/ddsi_ssl.c b/src/core/ddsi/src/ddsi_ssl.c
@@ -13,7 +13,7 @@
 #include "ddsi__tcp.h"
 #include "ddsi__ssl.h"
 
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
 
 #include <assert.h>
 #include <string.h>
@@ -339,4 +339,4 @@ void ddsi_ssl_config_plugin (struct ddsi_ssl_plugins *plugin)
   plugin->accept = ddsi_ssl_accept;
 }
 
-#endif /* DDS_HAS_SSL */
+#endif /* DDS_HAS_TCP_TLS */
diff --git a/src/core/ddsi/src/ddsi_tcp.c b/src/core/ddsi/src/ddsi_tcp.c
@@ -56,15 +56,15 @@ typedef struct ddsi_tcp_conn {
   uint32_t m_peer_port;
   ddsrt_mutex_t m_mutex;
   ddsrt_socket_t m_sock;
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   SSL * m_ssl;
 #endif
 } *ddsi_tcp_conn_t;
 
 typedef struct ddsi_tcp_listener {
   struct ddsi_tran_listener m_base;
   ddsrt_socket_t m_sock;
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   BIO * m_bio;
 #endif
 } *ddsi_tcp_listener_t;
@@ -75,7 +75,7 @@ struct ddsi_tran_factory_tcp {
   ddsrt_mutex_t ddsi_tcp_cache_lock_g;
   ddsrt_avl_tree_t ddsi_tcp_cache_g;
   struct ddsi_tcp_conn ddsi_tcp_conn_client;
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   struct ddsi_ssl_plugins ddsi_tcp_ssl_plugin;
 #endif
 };
@@ -280,7 +280,7 @@ static void ddsi_tcp_conn_connect (ddsi_tcp_conn_t conn, const ddsrt_msghdr_t *
     goto fail_w_socket;
 
   ddsi_tcp_conn_set_socket (conn, sock);
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   if (fact->ddsi_tcp_ssl_plugin.connect)
   {
     conn->m_ssl = (fact->ddsi_tcp_ssl_plugin.connect) (conn->m_base.m_base.gv, sock);
@@ -420,7 +420,7 @@ static ssize_t ddsi_tcp_conn_read_plain (ddsi_tcp_conn_t tcp, void * buf, size_t
   return (*rc == DDS_RETCODE_OK ? rcvd : -1);
 }
 
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
 static ssize_t ddsi_tcp_conn_read_ssl (ddsi_tcp_conn_t tcp, void * buf, size_t len, dds_return_t *rc)
 {
   struct ddsi_tran_factory_tcp * const fact = (struct ddsi_tran_factory_tcp *) tcp->m_base.m_factory;
@@ -474,7 +474,7 @@ static ssize_t ddsi_tcp_conn_read (struct ddsi_tran_conn * conn, unsigned char *
   size_t pos = 0;
   ssize_t n;
 
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   if (fact->ddsi_tcp_ssl_plugin.read)
   {
     rd = ddsi_tcp_conn_read_ssl;
@@ -542,7 +542,7 @@ static ssize_t ddsi_tcp_conn_write_plain (ddsi_tcp_conn_t conn, const void * buf
   return (*rc == DDS_RETCODE_OK ? sent : -1);
 }
 
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
 static ssize_t ddsi_tcp_conn_write_ssl (ddsi_tcp_conn_t conn, const void * buf, size_t len, dds_return_t *rc)
 {
   struct ddsi_tran_factory_tcp * const fact = (struct ddsi_tran_factory_tcp *) conn->m_base.m_factory;
@@ -608,7 +608,7 @@ static ssize_t ddsi_tcp_conn_write (struct ddsi_tran_conn * base, const ddsi_loc
 {
   struct ddsi_tran_factory_tcp * const fact = (struct ddsi_tran_factory_tcp *) base->m_factory;
   struct ddsi_domaingv const * const gv = fact->fact.gv;
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   char msgbuf[4096]; /* stack buffer for merging smallish writes without requiring allocations */
   ddsrt_iovec_t iovec; /* iovec used for msgbuf */
 #endif
@@ -665,7 +665,7 @@ static ssize_t ddsi_tcp_conn_write (struct ddsi_tran_conn * base, const ddsi_loc
     return (ssize_t) len;
   }
 
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   if (gv->config.ssl_enable)
   {
     /* SSL doesn't have sendmsg, ret = 0 so writing starts at first byte.
@@ -742,7 +742,7 @@ static ssize_t ddsi_tcp_conn_write (struct ddsi_tran_conn * base, const ddsi_loc
   {
     ssize_t (*wr) (ddsi_tcp_conn_t, const void *, size_t, dds_return_t *) = ddsi_tcp_conn_write_plain;
     int i = 0;
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
     if (fact->ddsi_tcp_ssl_plugin.write)
     {
       wr = ddsi_tcp_conn_write_ssl;
@@ -762,7 +762,7 @@ static ssize_t ddsi_tcp_conn_write (struct ddsi_tran_conn * base, const ddsi_loc
     }
   }
 
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   /* If allocated memory for merging original fragments into a single buffer, free it */
   DDSRT_WARNING_MSVC_OFF(28199)
   if (msg.msg_iov == &iovec && iovec.iov_base != msgbuf)
@@ -818,13 +818,13 @@ static dds_return_t ddsi_tcp_create_conn (struct ddsi_tran_conn **conn_out, stru
 
 static int ddsi_tcp_listen (struct ddsi_tran_listener * listener)
 {
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   struct ddsi_tran_factory_tcp * const fact = (struct ddsi_tran_factory_tcp *) listener->m_factory;
 #endif
   ddsi_tcp_listener_t tl = (ddsi_tcp_listener_t) listener;
   int ret = listen (tl->m_sock, 4);
 
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   if ((ret == 0) && fact->ddsi_tcp_ssl_plugin.listen)
   {
     tl->m_bio = (fact->ddsi_tcp_ssl_plugin.listen) (tl->m_sock);
@@ -845,13 +845,13 @@ static struct ddsi_tran_conn * ddsi_tcp_accept (struct ddsi_tran_listener * list
   socklen_t addrlen = sizeof (addr);
   char buff[DDSI_LOCSTRLEN];
   dds_return_t rc = DDS_RETCODE_OK;
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   SSL * ssl = NULL;
 #endif
 
   memset (&addr, 0, sizeof(addr));
   do {
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
     if (fact->ddsi_tcp_ssl_plugin.accept)
     {
       ssl = (fact->ddsi_tcp_ssl_plugin.accept) (listener->m_base.gv, tl->m_bio, &sock);
@@ -890,7 +890,7 @@ static struct ddsi_tran_conn * ddsi_tcp_accept (struct ddsi_tran_listener * list
 
     (void)ddsrt_setsocknonblocking (sock, true);
     tcp = ddsi_tcp_new_conn (fact, NULL, sock, true, &addr.a);
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
     tcp->m_ssl = ssl;
 #endif
     tcp->m_base.m_listener = listener;
@@ -1011,7 +1011,7 @@ static void ddsi_tcp_conn_delete (ddsi_tcp_conn_t conn)
   sockaddr_to_string_with_port(buff, sizeof(buff), &conn->m_peer_addr.a);
   GVLOG (DDS_LC_TCP, "tcp free %s connection on socket %"PRIdSOCK" to %s\n", conn->m_base.m_server ? "server" : "client", conn->m_sock, buff);
 
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   if (fact->ddsi_tcp_ssl_plugin.ssl_free)
   {
     (fact->ddsi_tcp_ssl_plugin.ssl_free) (conn->m_ssl);
@@ -1106,7 +1106,7 @@ static void ddsi_tcp_release_listener (struct ddsi_tran_listener * listener)
 {
   ddsi_tcp_listener_t tl = (ddsi_tcp_listener_t) listener;
   struct ddsi_domaingv const * const gv = tl->m_base.m_base.gv;
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   struct ddsi_tran_factory_tcp * const fact = (struct ddsi_tran_factory_tcp *) listener->m_factory;
   if (fact->ddsi_tcp_ssl_plugin.bio_vfree)
   {
@@ -1123,7 +1123,7 @@ static void ddsi_tcp_release_factory (struct ddsi_tran_factory *fact_cmn)
   struct ddsi_domaingv const * const gv = fact->fact.gv;
   ddsrt_avl_free (&ddsi_tcp_treedef, &fact->ddsi_tcp_cache_g, ddsi_tcp_node_free);
   ddsrt_mutex_destroy (&fact->ddsi_tcp_cache_lock_g);
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   if (fact->ddsi_tcp_ssl_plugin.fini)
   {
     (fact->ddsi_tcp_ssl_plugin.fini) ();
@@ -1258,7 +1258,7 @@ int ddsi_tcp_init (struct ddsi_domaingv *gv)
   memset (&fact->ddsi_tcp_conn_client, 0, sizeof (fact->ddsi_tcp_conn_client));
   ddsi_tcp_base_init (fact, NULL, &fact->ddsi_tcp_conn_client.m_base);
 
-#ifdef DDS_HAS_SSL
+#ifdef DDS_HAS_TCP_TLS
   if (gv->config.ssl_enable)
   {
     ddsi_ssl_config_plugin (&fact->ddsi_tcp_ssl_plugin);

diff --git a/src/ddsrt/CMakeLists.txt b/src/ddsrt/CMakeLists.txt
@@ -310,7 +310,7 @@ endif()
 set(DDSRT_WITH_LWIP ${WITH_LWIP})
 set(DDSRT_WITH_FREERTOS ${WITH_FREERTOS})
 
-foreach(feature SSL SECURITY LIFESPAN DEADLINE_MISSED NETWORK_PARTITIONS
+foreach(feature TCP_TLS SECURITY LIFESPAN DEADLINE_MISSED NETWORK_PARTITIONS
                 SSM TYPELIB TYPE_DISCOVERY TOPIC_DISCOVERY)
   set(DDS_HAS_${feature} ${ENABLE_${feature}})
 endforeach()