{{Quickfixn}} Using SSL from Initiator

James Riehl pete.riehl at gmail.com
Wed Nov 16 06:32:18 PST 2016


Here is an email I wrote a couple of years ago. I believe it is still applicable. You can route your traffic through stunnel to achieve this SSL connectivity.

Begin old message...

We’re able to use stunnel to connect to ICE. Unfortunately there is not a lot of documentation for stunnel, and the info I’ve gained has been hard won via Wireshark probes.

You should not have “lost” your logs; they’re still written to the same location your QuickFIX config points to. As far as QuickFIX is concerned, it’s just connecting to something, possibly on the same computer, possibly on another computer. Stunnel is then SSL’ing that traffic and passing it along to ICE (and vice versa). It should be transparent to QuickFIX/n.
 
Onto the configs.
 
This is my stunnel config
 
; **************************************************************************
; * Global options                                                         *
; **************************************************************************
 
; Debugging stuff (may be useful for troubleshooting)
debug = 7
output = stunnel.log
 
; Disable FIPS mode to allow non-approved protocols and algorithms
fips = no
 
; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************
 
; Certificate/key is needed in server mode and optional in client mode
cert = stunnel.pem
 
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
 
sslVersion = SSLv3
 
; **************************************************************************
; * Service definitions (at least one service has to be defined)           *
; **************************************************************************
 
[ICE]
accept = 42424
connect = fixtc1.theice.com:443
client = yes
 
[ICE2]
accept = 43434
connect = fixtc1.theice.com:443
client = yes
;*************************************************end….
 
We maintain 2 connections to ICE for redundancy/staging. That is why we have 2 service definitions defined.
 
Onto the part of the quickfix config file that matters.
 
SocketConnectHost=127.0.0.1
SocketConnectPort=42424
 
 
We define localhost (127.0.0.1) as our outgoing address, and set our port to correspond to the port in our [ICE] service definition from the stunnel config (42424).

That’s the gist of it. If you run into further problems, check the stunnel.log that we enabled in the stunnel config. It can be found in the location where stunnel is installed, c:\program files(x86)\stunnel\stunnel.log by default.
 
Good luck!

Sent from my iPhone

> On Nov 16, 2016, at 02:09, Rao, Masthan <Masthan.Rao at abglobal.com> wrote:
> 
> Andrew,
> Sorry if I created any confusion, but our counterparty says that they don’t need any client certificate to be set for the SSL connection. They are expecting a simple SSL handshake before FIX logon, which I am not able to achieve. I tried using stunnel and it worked like a charm. First I connected to our counterparty using stunnel and then pointed my FIX connection host to localhost and it worked. But I am not able to achieve this SSL handshake using QuickFIX/n. Any help would be greatly appreciated.
> Masthan
>  
> From: Quickfixn [mailto:quickfixn-bounces at lists.quickfixn.com] On Behalf Of Andrew Teets
> Sent: Tuesday, November 15, 2016 11:17 AM
> To: 'Mailing list for QuickFIX/n' <quickfixn at lists.quickfixn.com>
> Subject: Re: {{Quickfixn}} Using SSL from Initiator
>  
> Hi Masthan –
>  
> Been a while since we had ours, but we just used some PowerShell to create a client cert file and reference it by the engine.
> Here are some links I had in my list:
> -          http://windowsitpro.com/blog/creating-self-signed-certificates-powershell
> -          https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6
>  
> Hope that helps.
>  
> Comment Driven Development at its finest
> -Andrew
>  
> From: Quickfixn [mailto:quickfixn-bounces at lists.quickfixn.com] On Behalf Of Rao, Masthan
> Sent: Tuesday, November 15, 2016 02:14
> To: quickfixn at lists.quickfixn.com
> Subject: {{Quickfixn}} Using SSL from Initiator
>  
> Hi,
> Could anyone send a sample Initiator configuration file for using SSL with QuickFIX/n? Our counterparty says that they are not providing any client certificate for the SSL connection.
>  
> Currently I have the following settings
> SSLEnable=Y
> SSLServerName=ServerName
> SSLProtocols=Default
>  
> But it is giving me the following exception.
> 12:52:28,144 [14] DEBUG Fix - [OutGoing] 8=FIXT.1.19=8635=A34=149=xxxxx52=20161111-17:52:28.13656=xxxxxx98=0108=30141=Y1137=910=002
> 12:52:28,146 [14] INFO  Fix - Event: Initiated logon request
> 12:52:28,166 [14] INFO  Fix - Event: Session FIXT.1.1:UATABALFA->UATTRUMID disconnecting: System.Net.Sockets.SocketException (0x80004005): An existing connection was forcibly closed by the remote host
>    at QuickFix.SocketInitiatorThread.Read()
>  
>  
> Any help would be appreciated.
>  
> Masthan
> 
> _______________________________________________
> Quickfixn mailing list
> Quickfixn at lists.quickfixn.com
> http://lists.quickfixn.com/listinfo.cgi/quickfixn-quickfixn.com
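
An added example (not part of the original message and not stunnel's own tooling): a small Python audit for a stunnel configuration shaped like the one posted above. It flags client services that select a deprecated protocol such as SSLv3, that do not verify the server certificate, or whose plaintext accept port is not bound to loopback. The sample config is constructed from the options shown in the message, and the function names are hypothetical.

```python
WEAK_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}

# Constructed sample: the TLS-relevant options from the config in the message.
SAMPLE_CONF = """\
sslVersion = SSLv3

[ICE]
accept = 42424
connect = fixtc1.theice.com:443
client = yes

[ICE2]
accept = 43434
connect = fixtc1.theice.com:443
client = yes
"""

def parse_stunnel(text):
    """Return (global_options, {service: options}); option names lower-cased."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            current = services.setdefault(line.strip("[]"), {})
        elif line and line[0] not in ";#":  # skip blanks and comments
            key, _, value = line.partition("=")
            target = global_opts if current is None else current
            target[key.strip().lower()] = value.strip()
    return global_opts, services

def audit(text):
    """Return (service, finding) pairs for every client-mode service."""
    global_opts, services = parse_stunnel(text)
    findings = []
    for name, opts in services.items():
        eff = {**global_opts, **opts}  # service options override the defaults
        flag = lambda key: eff.get(key, "no").lower() == "yes"
        if not flag("client"):
            continue
        if eff.get("sslversion", "").lower() in WEAK_PROTOCOLS:
            findings.append((name, "deprecated protocol " + eff["sslversion"]))
        if not (flag("verifychain") or flag("verifypeer")
                or eff.get("verify") in {"2", "3", "4"}):
            findings.append((name, "server certificate not verified"))
        # A bare port in "accept" listens on all local addresses.
        if eff.get("accept", "").rpartition(":")[0] not in {"127.0.0.1", "localhost", "::1"}:
            findings.append((name, "plaintext listener not limited to loopback"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

Whether a newer protocol version can be selected depends on what the counterparty's endpoint accepts, so treat the protocol finding as a prompt to check with them.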