{{Quickfixn}} TLS 1.2 authentication

Campbell Wild Campbell.Wild at ihsmarkit.com
Wed Aug 14 07:01:12 PDT 2019


Good afternoon.

As far as I can tell, when QuickFIX/n attempts to authenticate using TLS, the clientCertificates it passes as a parameter in SSLStreamFactory.CreateClientStreamAndAuthenticate will only ever pass a single certificate.

SSLStreamFactory.GetClientCertificates adds a single certificate to the collection from StreamFactory.LoadCertificate, which loads the first valid certificate from the store, or loads a certificate from file.

The IETF RFC for TLS 1.2 specifies (in https://tools.ietf.org/html/rfc5246#section-7.4.6) that "This message conveys the client's certificate chain to the server".

This seems to suggest that QuickFIX/n is not TLS1.2 compliant.

Whilst the current approach works for some connections, others (such as MarketAxess) are rejecting the connection as they require the full certificate chain to be present, as per the RFC.

Is this a known issue, and are there any plans to address it?

Thanks,
Campbell
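As an added illustration of the behaviour described in the message above (this is example code, not QuickFIX/n's own SSLStreamFactory, and the PFX path, password and host are assumptions): the helper below loads the client's leaf certificate, walks its chain with X509Chain, and hands the leaf plus its intermediates to SslStream.AuthenticateAsClient instead of a single certificate. Whether the intermediates in the collection are actually sent on the wire depends on the .NET runtime and platform, since SslStream selects one certificate and builds the chain itself; if a counterparty still reports a missing chain, install the intermediates in the current user's Intermediate Certification Authorities store (StoreName.CertificateAuthority) so the runtime's chain builder can find them.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not QuickFIX/n code: builds the client certificate
// collection so that the leaf and its intermediates are both available to SslStream.
public static class ClientChainLoader
{
    // pfxPath and password are assumptions for this example.
    public static X509Certificate2Collection LoadClientChain(string pfxPath, string password)
    {
        var leaf = new X509Certificate2(pfxPath, password, X509KeyStorageFlags.Exportable);
        if (!leaf.HasPrivateKey)
            throw new InvalidOperationException("Client certificate has no private key; cannot authenticate with it.");

        var chain = new X509Chain();
        // Only discovering the intermediates here; revocation is checked by the peer,
        // and an unknown root must not stop us from collecting the intermediates.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        chain.Build(leaf);

        var collection = new X509Certificate2Collection();
        foreach (X509ChainElement element in chain.ChainElements)
        {
            var cert = element.Certificate;
            // The self-signed element is the trust anchor; the server already holds it,
            // and RFC 5246 7.4.6 allows the root to be omitted.
            bool isRoot = cert.Subject == cert.Issuer;
            if (isRoot)
                continue;
            collection.Add(cert);
            Console.WriteLine($"chain element: {cert.Subject} (issuer {cert.Issuer})");
        }

        if (collection.Count == 0)
            throw new InvalidOperationException("Chain build produced no usable certificates.");
        return collection;
    }

    // Opens a TCP connection and performs the TLS 1.2 client handshake with the full chain.
    public static SslStream ConnectAndAuthenticate(string host, int port, string pfxPath, string password)
    {
        var client = new TcpClient(host, port);
        var ssl = new SslStream(client.GetStream(), leaveInnerStreamOpen: false);
        X509Certificate2Collection clientCerts = LoadClientChain(pfxPath, password);
        ssl.AuthenticateAsClient(host, clientCerts, SslProtocols.Tls12, checkCertificateRevocation: true);
        Console.WriteLine($"negotiated {ssl.SslProtocol}, mutually authenticated: {ssl.IsMutuallyAuthenticated}");
        return ssl;
    }

    public static void Main()
    {
        // Assumed values for demonstration only.
        using var ssl = ConnectAndAuthenticate("fix.example.invalid", 443, "client.pfx", "pfx-password");
    }
}
```

The printed chain elements give an operator a quick check of what was loaded before the handshake; if only the leaf appears, the intermediates are not resolvable from the PFX or the local stores, which is the first thing to fix when a counterparty rejects the connection for an incomplete chain.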


