From: Øyvind M. W. <oyv...@om...> - 2018-06-20 07:20:56
Hi Eric,

If you control both the acceptor and initiator, make sure both run the same version of Java. Also check that the ciphers and MAC used in your certificate are supported in that version of Java.

If you only control one side, check your counterpart’s TLS requirements, and upgrade or configure Java as needed. Weaker ciphers may be disabled in newer versions of Java, while stronger ciphers are not supported in older versions.

The following is a good resource for finding supported TLS versions and ciphers:
https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https

-Øyvind

> On 19 Jun 2018, at 23:00, <eri...@th...> <eri...@th...> wrote:
>
> QuickFIX/J Documentation: http://www.quickfixj.org/documentation/
> QuickFIX/J Support: http://www.quickfixj.org/support/
>
>
> I’m on 1.6.4. (Mainly because I am waiting for 2.1, which should have my PR) and Java 8.
>
> I have looked at the same page for 1.6.4.
>
> When you say the counterparty provided a certificate, do you mean a certificate that you put in the trusted store?
>
> I want to accept connections and force them to be encrypted. Nothing more complicated than that.
>
>
>> On Jun 19, 2018, at 16:56, Christoph John <chr...@ma...> wrote:
>>
>> Hi,
>>
>> I assume you have already checked the following page: https://urldefense.proofpoint.com/v2/url?u=https-3A__quickfixj.org_usermanual_2.0.0__usage_secure-5Fcommunications.html&d=DwIFaQ&c=4ZIZThykDLcoWk-GVjSLmy8-1Cr1I4FWIvbLFebwKgY&r=o7YI_4EZ5O7Q26HQ0aGkeNUy9E1BdEn0Yexsn39zMH1c1bf_uqj8xspuBPRHBi8O&m=3HYYWXGXrELFp0n0n6F73-FIYlJqp8jYN8qFwrCjnlw&s=sSTe4DlDhQjgPuMO6k1XaWyj_YJaVQNxr23Nq_KlCy4&e=
>>
>> There also is a test SSLCertificateTest in the repo that has some examples.
>>
>> IIRC I only configured the Initiator side of a FIX connection for SSL and used a keystore. The counterparty provided the certificate.
>>
>> I also assume that you use a current Java version on both sides of the connection? Older versions might not support some ciphers.
>>
>> Cheers,
>> Chris.
>>
>> On 19 June 2018 20:39:30 CEST, eri...@th... wrote:
>>>
>>> I’m having a hard time getting SSL working on Linux.
>>>
>>> I’m trying to use a self-signed certificate on an Acceptor.
>>>
>>> I generated a keystore with:
>>>
>>> keytool -genkey -keyalg RSA -alias foobar -keystore foobar.jks -storepass foobar -validity 360 -keysize 2048
>>>
>>> And I am configuring the acceptor to use it with:
>>>
>>> SocketUseSSL=Y
>>> SocketKeyStore=foobar.jks
>>> SocketKeyStorePassword=foobar
>>>
>>> It seems to be opening the keystore ok, but regardless of what I try I end up with:
>>>
>>> Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
>>>
>>> When I try to accept a session.
>>>
>>> 1) Do I need to configure CipherSuites? Which ones? I am having trouble figuring out how to figure that out.
>>>
>>> 2) Does the client need a keystore? I’m only trying to encrypt, not authenticate. I’ve tried it with and without, same result.
>>>
>>> _______________________________________________
>>> Quickfixj-users mailing list
>>> Qui...@li...
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.sourceforge.net_lists_listinfo_quickfixj-2Dusers&d=DwIFaQ&c=4ZIZThykDLcoWk-GVjSLmy8-1Cr1I4FWIvbLFebwKgY&r=o7YI_4EZ5O7Q26HQ0aGkeNUy9E1BdEn0Yexsn39zMH1c1bf_uqj8xspuBPRHBi8O&m=3HYYWXGXrELFp0n0n6F73-FIYlJqp8jYN8qFwrCjnlw&s=q6T7mJGRH34yJiwvNAP2vP6_7UHrAgiLFg3eV_n9_-k&e=
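
Added example, not part of the thread and not QuickFIX/J code: a stand-alone JSSE check for the points raised above, listing what the keystore holds and which protocols and cipher suites this Java version enables for a server-side engine. The class name TlsDiag is made up here; the defaults foobar.jks / foobar are the values quoted in the original question, and it assumes the key password equals the store password.

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.util.Collections;

// Hypothetical diagnostic class (not from QuickFIX/J).
public class TlsDiag {
    public static void main(String[] args) throws Exception {
        // Defaults mirror the keystore settings quoted in the thread.
        String path = args.length > 0 ? args[0] : "foobar.jks";
        char[] pass = (args.length > 1 ? args[1] : "foobar").toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }

        // A TLS server needs a private-key entry to present a certificate;
        // trusted-certificate entries alone are not enough.
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": trusted certificate only");
                continue;
            }
            // Assumption: key password == store password; getKey throws otherwise.
            Key key = ks.getKey(alias, pass);
            System.out.println(alias + ": private key, algorithm " + key.getAlgorithm());
            keyEntries++;
        }
        if (keyEntries == 0) {
            System.out.println("No private-key entry found in " + path);
        }

        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);

        // What this JVM enables by default for the accepting side.
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        System.out.println("Java " + System.getProperty("java.version"));
        for (String p : engine.getEnabledProtocols()) System.out.println("protocol: " + p);
        for (String c : engine.getEnabledCipherSuites()) System.out.println("suite:    " + c);
    }
}
```

Run it with the JVM used on each side of the connection and compare the output; the handshake needs at least one protocol and one cipher suite enabled on both.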