From: Chavez, J. <cha...@eo...> - 2015-07-07 13:21:55

The script was improperly formatted. Here is the script with proper line endings :) Also, the links describe generating a self-signed certificate and importing it into a JKS.

-----START SCRIPT-----
#!/bin/bash
# Generate an RSA private key and a self-signed X.509 certificate (1095 days = 3 years)
# https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ssl-tunnel-using-stunnel-on-ubuntu
openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
# Put key and certificate in one PEM file; "pkcs12 -export" reads the key from -in when no -inkey is given
cat key.pem cert.pem > stunnel.pem

# Translate PEM to PKCS12 and import to JKS
# http://www.webfarmr.eu/2010/04/export-pkcs12-files-to-pem-format-using-openssl/
openssl pkcs12 -export -out cert.pfx -in stunnel.pem -nodes
# The PKCS12 carries key + certificate, so the JKS ends up with a PrivateKeyEntry (what an acceptor needs)
keytool -v -importkeystore -srckeystore cert.pfx -srcstoretype PKCS12 -destkeystore x509cert.jks
-------END SCRIPT-----

- Jose

-----Original Message-----
From: Chavez, Jose
Sent: Tuesday, July 07, 2015 8:17 AM
To: qui...@li...
Subject: RE: [Quickfixj-users] How to use SSL with quickfixj

Hi Chris,

I recently implemented SSL on our sell-side FIX gateway. Here is the self-signed cert script I ran. Only the acceptor needs the keystore; the client will just accept the certificate. I imagine if it has a CA it will authorize, but I haven't tested that yet.

-----START SCRIPT-----
#!/bin/bash
# Generate private key and certificate
# https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ssl-tunnel-using-stunnel-on-ubuntu
openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
cat key.pem cert.pem > stunnel.pem

# Translate PEM to PKCS12 and import to JKS
# http://www.webfarmr.eu/2010/04/export-pkcs12-files-to-pem-format-using-openssl/
openssl pkcs12 -export -out cert.pfx -in stunnel.pem -nodes
keytool -v -importkeystore -srckeystore cert.pfx -srcstoretype PKCS12 -destkeystore x509cert.jks
-------END SCRIPT-----

I hope this helps.

- Jose

-----Original Message-----
From: Kimpton, C (Chris) [mailto:Chr...@ra...]
Sent: Tuesday, July 07, 2015 4:55 AM
To: qui...@li...
Subject: Re: [Quickfixj-users] How to use SSL with quickfixj

QuickFIX/J Documentation: http://www.quickfixj.org/documentation/
QuickFIX/J Support: http://www.quickfixj.org/support/

Thanks Chris, but I don't think so - that seems to relate to the use of client certificates, which I (hope) we are not using.

-----Original Message-----
From: Christoph John [mailto:chr...@ma...]
Sent: 07 July 2015 10:50
To: qui...@li...
Subject: Re: [Quickfixj-users] How to use SSL with quickfixj

Hi Chris,

just a question: could this be related to http://www.quickfixj.org/jira/browse/QFJ-821 ??

Cheers

On 18/06/15 10:21, Christoph John wrote:
> I think the only way to check if they are communicating via SSL is to
> check with Wireshark or similar.
> But actually I would not expect them to communicate at all if the SSL
> handshake fails. Sounds strange.
>
> Chris.
>
> On 16/06/15 14:59, Kimpton, C (Chris) wrote:
>> Hi,
>>
>> The quick question is how do I only allow SSL connections? The
>> fallback seems to be to not use them, if that works.
>>
>> This is what I have tried:
>>
>> I saw the manual page -
>> http://www.quickfixj.org/quickfixj/usermanual/1.5.3/usage/secure_communications.html
>>
>> I am testing with my own initiator and acceptor, both configured with
>>
>> SocketUseSSL=Y
>>
>> They talk to each other ok - but since I have not specified a
>> keystore, I presume they are not actually encrypting the comms.
>>
>> I have then generated my own self-signed cert and loaded it into a keystore (cacerts), like so:
>>
>> openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 10000 -nodes
>>
>> openssl x509 -outform der -in cert.pem -out cert.der
>>
>> keytool -import -alias ssc -keystore cacerts -file cert.der
>>
>> This cacerts file has been used as the keystore file for both acceptor and initiator. I expect
>> this to fail, as the acceptor needs the key file and only has the cert (right?).
>>
>> It gives me an SSL handshake error - but they still communicate - so
>> I guess they fall back to insecure comms. Is it possible to disable this fallback?
>>
>> What I need is to get/reformat the key.pem into a keystore for use by the acceptor.
>>
>> So I did this:
>>
>> openssl pkcs12 -export -in cert.pem -inkey key.pem > host.p12
>>
>> keytool -importkeystore -srckeystore host.p12 -destkeystore host.jks -srcstoretype pkcs12
>>
>> Then used the host.jks for the acceptor and the cacerts file for the initiator.
>>
>> And that seems to have worked - no exceptions at least.
>>
>> But given the fallback mentioned above, I am not 100% sure.
>>
>> I don't see an option to require the SSL connection - perhaps it's a Mina option?
>>
>> Cheers,
>>
>> Chris

--
Christoph John
Development & Support
MACD GmbH
http://www.macd.com

_______________________________________________
Quickfixj-users mailing list
Qui...@li...
https://lists.sourceforge.net/lists/listinfo/quickfixj-users
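Christoph's advice above (check with Wireshark whether the two sides are really talking TLS) can be applied to a capture offline: a TLS session opens with a record whose first byte is the content type (0x16 for handshake) followed by a two-byte version, while a plaintext FIX session opens with the literal `8=FIX`. The block below is an added example, not code from this thread or from QuickFIX/J. It classifies the first bytes of a captured stream, and for plaintext FIX it parses the message and verifies the 9=BodyLength and 10=CheckSum framing. The ClientHello bytes and the Logon message are constructed inside the block, and every function name is mine.

```python
"""Added example: tell a TLS record apart from a plaintext FIX message on the
first bytes of a captured stream, and validate FIX framing (tags 9 and 10)."""
from typing import Dict, List, Optional, Tuple

SOH = b"\x01"  # FIX field delimiter

# TLS record-layer content types (RFC 5246 section 6.2.1)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Record-layer version field; a TLS 1.3 ClientHello still carries 0x0301 or 0x0303 here
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}
TLS_MAX_RECORD = 2 ** 14 + 2048  # ciphertext length limit for a TLS 1.2 record


def parse_tls_record_header(data: bytes) -> Optional[Dict[str, object]]:
    """Return the record header fields if data starts with a plausible TLS record, else None."""
    if len(data) < 5:
        return None
    content_type = data[0]
    version = int.from_bytes(data[1:3], "big")
    length = int.from_bytes(data[3:5], "big")
    if content_type not in TLS_CONTENT_TYPES or version not in TLS_VERSIONS:
        return None
    if length == 0 or length > TLS_MAX_RECORD:
        return None
    header: Dict[str, object] = {
        "content_type": TLS_CONTENT_TYPES[content_type],
        "record_version": TLS_VERSIONS[version],
        "length": length,
    }
    if content_type == 22 and len(data) >= 6:
        header["handshake_type"] = data[5]  # 1 = ClientHello, 2 = ServerHello
    return header


def build_fix_message(begin_string: str, fields: List[Tuple[int, str]]) -> bytes:
    """Frame tag=value pairs with a correct 9=BodyLength and 10=CheckSum (used for the samples)."""
    body = b"".join(f"{tag}={value}".encode("ascii") + SOH for tag, value in fields)
    head = f"8={begin_string}".encode("ascii") + SOH + f"9={len(body)}".encode("ascii") + SOH
    checksum = sum(head + body) % 256  # FIX CheckSum: byte sum mod 256 of everything before "10="
    return head + body + f"10={checksum:03d}".encode("ascii") + SOH


def parse_fix_message(data: bytes) -> Optional[Dict[str, object]]:
    """Parse one FIX message and verify BodyLength and CheckSum; None if not FIX-framed."""
    if not data.startswith(b"8=FIX"):
        return None
    tags: Dict[int, str] = {}
    for part in data.split(SOH):
        if not part:
            continue
        tag, sep, value = part.partition(b"=")
        if not sep or not tag.isdigit():
            return None
        tags[int(tag)] = value.decode("ascii", "replace")
    if not all(t in tags for t in (8, 9, 10, 35)):
        return None
    try:
        # BodyLength counts the bytes after "9=...<SOH>" up to and including the SOH before "10="
        body_start = data.index(SOH, data.index(SOH + b"9=") + 1) + 1
        body_end = data.rindex(SOH + b"10=") + 1
    except ValueError:
        return None
    return {
        "begin_string": tags[8],
        "msg_type": tags[35],
        "body_length_ok": body_end - body_start == int(tags[9]),
        "checksum_ok": sum(data[:body_end]) % 256 == int(tags[10]),
        "fields": tags,
    }


def classify_stream(data: bytes) -> str:
    """'tls' for a TLS record, 'fix-plaintext' for an unencrypted FIX message, else 'unknown'."""
    if parse_tls_record_header(data) is not None:
        return "tls"
    if parse_fix_message(data) is not None:
        return "fix-plaintext"
    return "unknown"


# Constructed samples, not real captures.
# Minimal TLS record: type 22 (handshake), version 0x0301, length 5, handshake type 1 (ClientHello).
SAMPLE_CLIENT_HELLO = bytes.fromhex("1603010005") + bytes.fromhex("0100000100")
# A FIX 4.4 Logon (35=A) as an initiator would send it if no TLS were in place.
SAMPLE_LOGON = build_fix_message("FIX.4.4", [
    (35, "A"), (49, "INITIATOR"), (56, "ACCEPTOR"), (34, "1"),
    (52, "20150707-13:21:55"), (98, "0"), (108, "30"),
])
# The same Logon altered in transit; same length, so only the checksum breaks.
TAMPERED_LOGON = SAMPLE_LOGON.replace(b"56=ACCEPTOR", b"56=ATTACKER")

if __name__ == "__main__":
    for label, sample in (("hello", SAMPLE_CLIENT_HELLO), ("logon", SAMPLE_LOGON), ("tampered", TAMPERED_LOGON)):
        print(label, classify_stream(sample), parse_tls_record_header(sample) or parse_fix_message(sample))
```

Two practitioner notes that follow from the thread. First, the tampered sample shows why the plaintext fallback Chris worried about matters: the FIX CheckSum is a mod-256 byte sum, so anyone on the path can rewrite a message and recompute tag 10; it catches transport corruption, not an attacker, and only TLS provides integrity and confidentiality. Second, on the keystore question in the quoted post: `keytool -import -file cert.der` creates a trustedCertEntry (certificate only), which is enough for the initiator to trust the peer but gives an acceptor nothing to present, whereas `keytool -importkeystore -srcstoretype PKCS12` copies the PrivateKeyEntry from the PKCS12; `keytool -list -v -keystore host.jks` shows which entry type you have.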