{{Quickfixn}} Using Tls 1.2 with QuickFix/n [External]

Mike Gatny mgatny at connamara.com
Fri May 31 16:39:43 PDT 2019


Ahhh yes, if turning off validation works, that is the solution. It sounds
dangerous but it isn't, really. It's going to skip the EKU check and chain
check (which is precisely how qf/j operates, by the way).

On Fri, May 31, 2019, 17:13 Somanathannair, Sujith <
Sujith.Somanathannair at blackstone.com> wrote:

> Bloomberg said it should be Tls 1.2 and we are not sending that.
>
> But I also tried Tls 1.3 with no success
>
>
>
> .cfg file
> ----------------
> [DEFAULT]
> ConnectionType=initiator
> ReconnectInterval=2
> FileStorePath=store
> FileLogPath=log
> StartTime=12:00:00
> EndTime=23:00:00
> UseDataDictionary=N
> DataDictionary=../../spec/fix/FIX44.xml
> SocketConnectHost=<ipaddress>
> SocketConnectPort=<port>
> LogoutTimeout=5
>
> [SESSION]
> BeginString=FIX.4.4
> SenderCompID=MAP_<MYCOMP>_BETA
> TargetCompID=MAP_BLP_BETA
> HeartBtInt=30
> SSLEnable=Y
> SSLProtocols=Tls12
> SSLCertificate=<localpath>/cert/pkcs12/cert.pfx
> SSLCertificatePassword=******
> -------------
>
> Also,
>
> The error I see is
>
> <event> Remote certificate was not recognized as a valid certificate:
> RemoteCertificateNameMismatch, RemoteCertificateChainErrors
>
> <event> Unable to perform authentication against server: The remote
> certificate is invalid according to the validation procedure.
>
> <event> Connection failed (AuthenticationException): The remote
> certificate is invalid according to the validation procedure.
>
> Tls 1.2 was mentioned by a Bloomberg support person.
>
>
>
> If I provide
>
> SSLValidateCertificates=N
>
> it’s connecting.
>
> But the documentation says it’s a security risk. Is it ok to do if I am
> connecting as the initiator?
>
>
>
> Thanks,
>
> Sujith
>
>
>
> *From:* Quickfixn [mailto:quickfixn-bounces at lists.quickfixn.com] *On
> Behalf Of *Mike Gatny
> *Sent:* Friday, May 31, 2019 4:43 PM
> *To:* Mailing list for QuickFIX/n
> *Subject:* Re: {{Quickfixn}} Using Tls 1.2 with QuickFix/n [External]
>
>
>
> Are you sure Bloomberg wants you to set SSLProtocols=Tls12?  Some parts
> of Bloomberg (e.g. EMSX) explicitly no longer allow Tls12 and require at
> least Tls13.
>
>
>
> I have used the SSLProtocols setting with Bloomberg (again, EMSX) and it
> definitely works with qf/n v1.8.  Can you post your (redacted as needed)
> config file, messages log, and event log?  Also, which version of qf/n are
> you on?
>
>
> --
>
> Mike Gatny
>
> Connamara Systems
>
>
>
>
>
> On Fri, May 31, 2019 at 3:11 PM Somanathannair, Sujith <
> Sujith.Somanathannair at blackstone.com> wrote:
>
> I am trying to use QuickFix/N with Bloomberg and our Certs validation
> fails. Bloomberg says we are NOT using Tls 1.2 but I have
> ‘SSLProtocols=tls12’ under [SESSION]
>
> Do you know what else is needed?
>
>
>
> Do you use ServicePointManager.SecurityProtocol? When I check this value
> under IApplication:OnCreate(), I see the value as SystemDefault. Overriding
> this didn’t help though.
>
>
>
> Thanks,
>
> Sujith
>
>
> ------------------------------
>
> This e-mail communication is intended only for the addressee(s) named
> above and any others who have been specifically authorized to receive it
> and may contain information that is privileged, confidential or otherwise
> protected from disclosure. Please refer to
> www.blackstone.com/email-disclaimer for important disclosures regarding
> this electronic communication, including information if you are not the
> intended recipient of this communication.
>
> _______________________________________________
> Quickfixn mailing list
> Quickfixn at lists.quickfixn.com
> http://lists.quickfixn.com/listinfo.cgi/quickfixn-quickfixn.com
>
>
>
>
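
Added example, not part of the thread and not taken from the QuickFIX/n project: the TLS lines of the quoted [SESSION] block with validation switched off, next to a variant that leaves validation on and addresses the two flags reported in the event log. `SSLServerName` and `SSLCACertificate` are QuickFIX/n settings that do not appear in the thread; the values in angle brackets are placeholders, and that they clear the errors for this counterparty is an assumption.

```ini
# Use ONE of the two variants; they are shown together only for comparison.

# Variant A: the setting that made the connection succeed in the thread.
# The remote certificate is accepted as presented, so nothing ties the
# TLS peer to the intended counterparty.
[SESSION]
SSLEnable=Y
SSLProtocols=Tls12
SSLCertificate=<localpath>/cert/pkcs12/cert.pfx
SSLCertificatePassword=******
SSLValidateCertificates=N

# Variant B: validation stays on (placeholder values are assumptions).
[SESSION]
SSLEnable=Y
SSLProtocols=Tls12
SSLCertificate=<localpath>/cert/pkcs12/cert.pfx
SSLCertificatePassword=******
SSLValidateCertificates=Y
# RemoteCertificateNameMismatch: SocketConnectHost is an IP address in the
# quoted config, so the expected name is stated explicitly. It has to match
# the name in the counterparty's server certificate.
SSLServerName=<name-in-server-certificate>
# RemoteCertificateChainErrors: the CA certificate that issued the server
# certificate, obtained from the counterparty out of band.
SSLCACertificate=<localpath>/cert/<counterparty-ca>.cer
```

With Variant B, a remaining `RemoteCertificateNameMismatch` or `RemoteCertificateChainErrors` event points at the specific value to recheck with the counterparty.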