From: Jeronimo G. <jj...@pr...> - 2007-04-24 16:00:28
Here I captured some logging using the -Djavax.net.debug=all option. This is when the acceptor starts. At first it seems only port 6002 is encrypted:

....
2007-04-24 10:09:39,912 INFO [STDOUT] <20070424-13:09:39, FIX.4.4:ACCEPTOR_SRVR->USR01, event> (Created session: FIX.4.4:ACCEPTOR_SRVS->USR01)
2007-04-24 10:09:41,391 ERROR [STDERR] Apr 24, 2007 10:09:41 AM quickfix.mina.acceptor.AbstractSocketAcceptor startAcceptingConnections INFO: Listening for connections at /192.168.7.155:6001
2007-04-24 10:09:41,392 ERROR [STDERR] Apr 24, 2007 10:09:41 AM quickfix.mina.acceptor.AbstractSocketAcceptor installSSL INFO: Installing SSL filter for /192.168.7.155:6002
2007-04-24 10:09:41,403 INFO [STDOUT] ***
2007-04-24 10:09:41,403 INFO [STDOUT] found key for : quickfixj
2007-04-24 10:09:41,409 INFO [STDOUT] chain [0] = [
[
  Version: V1
  Subject: CN=Unknown, OU=Unknown, O=quickfixj.org, L=Unknown, ST=Unknown, C=Unknown
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
  Key: Sun RSA public key, 1024 bits
  modulus: 167014424978718849083682512472548136665771932766421206120108091006526399797236666149037026897517362065492504809626
84376135443482787898056544530393683382655680702905790239929573279074718292007045113123868822222799801633983472131745850902504
3369441889539067680355042642408726080001910723962949367819186427933811
  public exponent: 65537
  Validity: [From: Thu Sep 28 12:01:10 ART 2006,
             To: Wed Dec 27 12:01:10 ART 2006]
  Issuer: CN=Unknown, OU=Unknown, O=quickfixj.org, L=Unknown, ST=Unknown, C=Unknown
  SerialNumber: [ 451be3b6]
]
  Algorithm: [MD5withRSA]
]
2007-04-24 10:09:41,409 INFO [STDOUT] ***
2007-04-24 10:09:41,414 INFO [STDOUT] trigger seeding of SecureRandom
2007-04-24 10:09:41,414 INFO [STDOUT] done seeding SecureRandom
2007-04-24 10:09:41,425 ERROR [STDERR] Apr 24, 2007 10:09:41 AM quickfix.mina.acceptor.AbstractSocketAcceptor startAcceptingConnections INFO: Listening for connections at /192.168.7.155:6002

But when I tried to connect an initiator (implemented with QuickFIXJ 1.0.5) with the following configuration:

[default]
ConnectionType=initiator
....
BeginString=FIX.4.4
TargetCompID=ACCEPTOR_SRVR
StartTime=00:00:00
EndTime=00:00:00
HeartBtInt=30
SocketConnectHost=192.168.7.155
SocketConnectPort=6001
DataDictionary=FIX44.xml
CheckLatency=N
ReconnectTries=3
ReconnectAuto=Y
ResetOnDisconnect=Y
[session]
SenderCompID=USR01

this is what happened on the acceptor side:

2007-04-24 10:14:57,952 INFO [STDOUT] Using SSLEngineImpl.
2007-04-24 10:14:58,363 ERROR [STDERR] Apr 24, 2007 10:14:58 AM quickfix.mina.acceptor.AcceptorIoHandler sessionCreated INFO: MINA session created: /192.168.7.156:50001
2007-04-24 10:14:58,365 INFO [STDOUT] SocketAcceptorIoProcessor-0.0, fatal error: 80: problem unwrapping net record
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
2007-04-24 10:14:58,365 INFO [STDOUT] SocketAcceptorIoProcessor-0.0
2007-04-24 10:14:58,365 INFO [STDOUT] , SEND TLSv1 ALERT:
2007-04-24 10:14:58,365 INFO [STDOUT] fatal,
2007-04-24 10:14:58,366 INFO [STDOUT] description = internal_error
2007-04-24 10:14:58,366 INFO [STDOUT] SocketAcceptorIoProcessor-0.0, WRITE: TLSv1 Alert, length = 2
2007-04-24 10:14:58,367 ERROR [STDERR] Apr 24, 2007 10:14:58 AM quickfix.mina.AbstractIoHandler exceptionCaught SEVERE: socket exception (/192.168.7.156:50001): Initial SSL handshake failed.
2007-04-24 10:14:58,367 INFO [STDOUT] SocketAcceptorIoProcessor-0.0, called closeOutbound()
2007-04-24 10:14:58,367 INFO [STDOUT] SocketAcceptorIoProcessor-0.0, closeOutboundInternal()
2007-04-24 10:14:58,367 INFO [STDOUT] [Raw write]: length = 7
2007-04-24 10:14:58,373 INFO [STDOUT] SocketAcceptorIoProcessor-0.0, called closeInbound()
2007-04-24 10:14:58,374 INFO [STDOUT] SocketAcceptorIoProcessor-0.0, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
2007-04-24 10:14:58,374 INFO [STDOUT] SocketAcceptorIoProcessor-0.0, called closeOutbound()
2007-04-24 10:14:58,374 INFO [STDOUT] SocketAcceptorIoProcessor-0.0, closeOutboundInternal()

And this is what I captured with netstat:

tcp 0 0 192.168.7.155:6001 0.0.0.0:* LISTEN 19897/java
tcp 0 0 192.168.7.155:6002 0.0.0.0:* LISTEN 19897/java
tcp 0 0 192.168.7.155:6001 192.168.7.156:50001 TIME_WAIT -

SSL connections to 6002 are accepted OK.

I hope it helps.
Thanks again,
Jeronimo

Joerg Thoennes wrote:

>On 04/23/07 21:41, Jeronimo Ginzburg wrote:
>
>>Is it possible to have an Acceptor with some sessions with SSL and
>>others without SSL in 1.1.0, in different ports?
>>I've tried to use the following configuration but both 6001 and 6002
>>ports were encrypted:
>
>Hmm, looking at the QF/J code, this should work for both initiators and acceptors.
>The MINA SSL filter is installed for every accept socket depending on isUseSSL:
>
>quickfix.mina.acceptor.AbstractSocketAcceptor.java:111
>
>    if (socketDescriptor.isUseSSL()) {
>        installSSL(socketDescriptor, ioFilterChainBuilder);
>    }
>
>Could you provide some logging which indicates that both ports are using SSL?
>
>Cheers, Jörg
>
>>[session]
>>TargetCompID=CLN1
>>BeginString=FIX.4.4
>>DataDictionary=FIX44.xml
>>SocketAcceptPort=6002
>>SocketUseSSL=Y
>>[session]
>>TargetCompID=CLN2
>>BeginString=FIX.4.4
>>DataDictionary=FIX44.xml
>>SocketUseSSL=N
>>SocketAcceptPort=6001
>>
>>Thanks in advance,
>>Jeronimo
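
The cross-check this message performs by hand, as an added example (not part of the thread and not QuickFIX/J code): it correlates the acceptor's "Installing SSL filter" lines, the failed-handshake peer and the netstat rows to report ports that ran an SSL handshake although no SSL filter was logged for them. The function names are hypothetical; the sample lines are abridged from the excerpts in the message.

```python
import re
# Sample input: lines abridged from the acceptor log and netstat output in the message above.
ACCEPTOR_LOG = """\
INFO: Listening for connections at /192.168.7.155:6001
INFO: Installing SSL filter for /192.168.7.155:6002
INFO: Listening for connections at /192.168.7.155:6002
INFO: MINA session created: /192.168.7.156:50001
SEVERE: socket exception (/192.168.7.156:50001): Initial SSL handshake failed.
"""
NETSTAT = """\
tcp 0 0 192.168.7.155:6001 0.0.0.0:* LISTEN 19897/java
tcp 0 0 192.168.7.155:6002 0.0.0.0:* LISTEN 19897/java
tcp 0 0 192.168.7.155:6001 192.168.7.156:50001 TIME_WAIT -
"""
ENDPOINT = r"(\d+\.\d+\.\d+\.\d+):(\d+)"

def logged_listeners(log):
    """Map each listening port to True if an 'Installing SSL filter' line names it."""
    ssl_ports = {int(p) for _, p in re.findall(r"Installing SSL filter for /" + ENDPOINT, log)}
    ports = {int(p) for _, p in re.findall(r"Listening for connections at /" + ENDPOINT, log)}
    return {port: port in ssl_ports for port in ports}

def failed_handshake_peers(log):
    """Remote endpoints for which the acceptor logged a failed SSL handshake."""
    pat = r"socket exception \(/" + ENDPOINT + r"\): Initial SSL handshake failed"
    return {(ip, int(p)) for ip, p in re.findall(pat, log)}

def local_port_for_peer(netstat, peer):
    """Find the local port a remote endpoint connected to, from netstat rows."""
    for line in netstat.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[5] != "LISTEN":
            rip, _, rport = cols[4].rpartition(":")
            if rport.isdigit() and (rip, int(rport)) == peer:
                return int(cols[3].rpartition(":")[2])
    return None

def mismatched_ports(log, netstat):
    """Ports where an SSL handshake was attempted though no SSL filter was logged."""
    listeners = logged_listeners(log)
    hits = set()
    for peer in failed_handshake_peers(log):
        port = local_port_for_peer(netstat, peer)
        if port is not None and not listeners.get(port, False):
            hits.add(port)
    return sorted(hits)

if __name__ == "__main__":
    print(mismatched_ports(ACCEPTOR_LOG, NETSTAT))
```

A non-empty result means the startup log and the runtime behaviour disagree about which listeners are encrypted, which is the evidence requested in the quoted reply.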