From: Colin D. <co...@ma...> - 2018-06-20 14:10:08
FWIW, I've found that counters more often than not are running old versions of everything. The problem may be that they're requiring an out-of-date cipher or version. We've gotten past this by running a separate stunnel process to create the encrypted connection, which has a great deal of flexibility.

On 06/20/2018 12:20 AM, Øyvind Matheson Wergeland wrote:
> QuickFIX/J Documentation: http://www.quickfixj.org/documentation/
> QuickFIX/J Support: http://www.quickfixj.org/support/
>
> Hi Eric,
>
> If you control both the acceptor and initiator, make sure both run the
> same version of Java. Also check that the ciphers and MAC used in your
> certificate are supported in that version of Java.
>
> If you only control one side, check your counterpart’s TLS
> requirements, and upgrade or configure Java as needed. Weaker ciphers
> may be disabled in newer versions of Java, while stronger ciphers are
> not supported in older versions.
>
> The following is a good resource for finding supported TLS versions
> and ciphers:
>
> https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https
>
> -Øyvind
>
> On 19 Jun 2018, at 23:00, <eri...@th...> wrote:
>
>> I’m on 1.6.4. (Mainly because I am waiting for 2.1, which should have
>> my PR) and Java 8.
>>
>> I have looked at the same page for 1.6.4.
>>
>> When you say the counterparty provided a certificate, do you mean a
>> certificate that you put in the trusted store?
>>
>> I want to accept connections and force them to be encrypted. Nothing
>> more complicated than that.
>>
>>> On Jun 19, 2018, at 16:56, Christoph John <chr...@ma...> wrote:
>>>
>>> Hi,
>>>
>>> I assume you have already checked the following page:
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__quickfixj.org_usermanual_2.0.0__usage_secure-5Fcommunications.html&d=DwIFaQ&c=4ZIZThykDLcoWk-GVjSLmy8-1Cr1I4FWIvbLFebwKgY&r=o7YI_4EZ5O7Q26HQ0aGkeNUy9E1BdEn0Yexsn39zMH1c1bf_uqj8xspuBPRHBi8O&m=3HYYWXGXrELFp0n0n6F73-FIYlJqp8jYN8qFwrCjnlw&s=sSTe4DlDhQjgPuMO6k1XaWyj_YJaVQNxr23Nq_KlCy4&e=
>>>
>>> There also is a test SSLCertificateTest in the repo that has some
>>> examples.
>>>
>>> IIRC I only configured the Initiator side of a FIX connection for
>>> SSL and used a keystore. The counterparty provided the certificate.
>>>
>>> I also assume that you use a current Java version on both sides of
>>> the connection? Older versions might not support some ciphers.
>>>
>>> Cheers,
>>> Chris.
>>>
>>> On 19 June 2018 at 20:39:30 CEST, eri...@th... wrote:
>>>>
>>>> I’m having a hard time getting SSL working on Linux.
>>>>
>>>> I’m trying to use a self-signed certificate on an Acceptor.
>>>>
>>>> I generated a keystore with:
>>>>
>>>> keytool -genkey -keyalg RSA -alias foobar -keystore foobar.jks
>>>> -storepass foobar -validity 360 -keysize 2048
>>>>
>>>> And I am configuring the acceptor to use it with:
>>>>
>>>> SocketUseSSL=Y
>>>> SocketKeyStore=foobar.jks
>>>> SocketKeyStorePassword=foobar
>>>>
>>>> It seems to be opening the keystore ok, but regardless of what I try I
>>>> end up with:
>>>>
>>>> Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
>>>>
>>>> When I try to accept a session.
>>>>
>>>> 1) Do I need to configure CipherSuites? Which ones? I am having trouble
>>>> figuring out how to figure that out.
>>>>
>>>> 2) Does the client need a keystore? I’m only trying to encrypt, not
>>>> authenticate. I’ve tried it with and without, same result.
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org <http://Slashdot.org>!
>>>> https://urldefense.proofpoint.com/v2/url?u=http-3A__sdm.link_slashdot&d=DwIFaQ&c=4ZIZThykDLcoWk-GVjSLmy8-1Cr1I4FWIvbLFebwKgY&r=o7YI_4EZ5O7Q26HQ0aGkeNUy9E1BdEn0Yexsn39zMH1c1bf_uqj8xspuBPRHBi8O&m=3HYYWXGXrELFp0n0n6F73-FIYlJqp8jYN8qFwrCjnlw&s=Fk532B4FE9KmFkWCh_DwlzbuM70u46buQAy50WlI5sE&e=
>>>>
>>>> _______________________________________________
>>>> Quickfixj-users mailing list
>>>> Qui...@li...
>>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.sourceforge.net_lists_listinfo_quickfixj-2Dusers&d=DwIFaQ&c=4ZIZThykDLcoWk-GVjSLmy8-1Cr1I4FWIvbLFebwKgY&r=o7YI_4EZ5O7Q26HQ0aGkeNUy9E1BdEn0Yexsn39zMH1c1bf_uqj8xspuBPRHBi8O&m=3HYYWXGXrELFp0n0n6F73-FIYlJqp8jYN8qFwrCjnlw&s=q6T7mJGRH34yJiwvNAP2vP6_7UHrAgiLFg3eV_n9_-k&e=
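
Added example (not part of the thread and not QuickFIX/J code): a stand-alone JSSE check for the "no cipher suites in common" error discussed above. It inspects the keystore's key entries, then lists the protocols and cipher suites the running JVM enables for a server-side engine built from that keystore, optionally intersected with a counterparty's suite list. The class name `TlsDiag`, its arguments and the assumption that the key password equals the store password are illustrative.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.*;
import javax.net.ssl.*;

// Hypothetical diagnostic. Usage: java TlsDiag <keystore.jks> <password> [peerSuite ...]
public class TlsDiag {
    public static void main(String[] args) throws Exception {
        char[] pass = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);
        }
        // A server can only negotiate certificate-based suites for which it
        // holds a readable private key of the matching algorithm (RSA, EC, DSA).
        int usable = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate only, no private key");
                continue;
            }
            try {
                Key k = ks.getKey(alias, pass); // assumes key password == store password
                System.out.println(alias + ": private key, algorithm " + k.getAlgorithm());
                usable++;
            } catch (UnrecoverableKeyException e) {
                System.out.println(alias + ": key password differs from store password");
            }
        }
        if (usable == 0) {
            System.out.println("No usable private key: handshakes will find no suite in common");
            return;
        }
        // Plain JSSE server-side engine built from this keystore (not QuickFIX/J's own setup).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        System.out.println("Enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        Set<String> suites = new TreeSet<>(Arrays.asList(engine.getEnabledCipherSuites()));
        if (args.length > 2) { // keep only suites the counterparty also lists
            suites.retainAll(Arrays.asList(args).subList(2, args.length));
            System.out.println("Suites in common with peer list: " + suites);
        } else {
            suites.forEach(System.out::println);
        }
    }
}
```

Run it with the same JVM that runs the acceptor, since the enabled protocols and suites depend on the Java version and its security configuration.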