From: Steve B. <st...@te...> - 2007-05-31 21:41:14
> I wanted to follow-up on this - did you ever manage to successfully
> get QFJ and SSL to work together?
>
> I'm writing an app that connects to a broker that requires SSL, and
> I'm having issues with QFJ working out-of-the-box.
>
> I'm not very familiar with how SSL works, but if I understand it
> correctly, there are 3 ways SSL authenticates:
> 1. client authenticates just the server
> 2. server authenticates just the client
> 3. both client and server need to authenticate each other.
> I think QFJ may only be covering case 2: it looks at trust stores only
> in the Acceptor mode (AbstractSocketAcceptor), while for case 3 to
> work I believe the initiator needs to have an SSL context as well.

I'm not an SSL expert either, but I think QFJ is implementing case 1 rather than case 2. The primary purpose of SSL in QFJ is for encryption rather than authentication. However, the server sends credentials to the client and the client must decide whether to trust them or not. In that sense, the client is authenticating the server. Currently, the client trusts all servers and this behavior needs to be more configurable.

> Just wanted to run this past people to see if my understanding is
> correct, and whether or not QFJ currently handles specifying certs for
> outgoing connections.

No, it doesn't support two way transport-level authentication. Isn't it more common to handle client authentication at the application level rather than at the transport level?

Steve
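
The authentication cases discussed in this thread, as an added example that is not part of the original post and is not QuickFIX/J code: plain JSSE showing an initiator that validates the server against a trust store (case 1) and an acceptor that additionally demands a client certificate (case 3). The class name, method names, host name and port are hypothetical, and the empty key stores are constructed so the program runs offline.

```java
import java.security.KeyStore;
import javax.net.ssl.*;

// Added illustration using only standard JSSE; names are hypothetical.
public class TlsAuthModes {
    // trust: CA certificates this side accepts when validating its peer.
    // identity: this side's own key and certificate chain, or null to present none.
    static SSLContext context(KeyStore trust, KeyStore identity, char[] keyPassword) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        KeyManager[] keys = null;
        if (identity != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(identity, keyPassword);
            keys = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keys, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Initiator: validates the server chain against 'trust' and checks the host name,
    // instead of accepting whatever certificate the server presents.
    static SSLEngine initiatorEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    // Acceptor: with requireClientCert the handshake fails unless the initiator
    // presents a certificate that chains to the acceptor's trust store.
    static SSLEngine acceptorEngine(SSLContext ctx, boolean requireClientCert) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(requireClientCert);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: empty in-memory stores. Real use loads the peer's CA
        // into 'trust' and this side's own key pair into 'identity'.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        SSLEngine initiator = initiatorEngine(context(empty, empty, new char[0]), "broker.example.com", 9876);
        SSLEngine acceptor = acceptorEngine(context(empty, empty, new char[0]), true);
        System.out.println("initiator client mode: " + initiator.getUseClientMode());
        System.out.println("acceptor requires client cert: " + acceptor.getNeedClientAuth());
    }
}
```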